Australian Government Warn Of Increase in LockBit Ransomware Attacks

LockBit Ransomware is posing a serious threat to Australian and global organizations as of July 2021, according to a new report by the Australian Cyber Security Centre (ACSC). “ACSC has observed an increase in reporting of LockBit ransomware incidents in Australia,” The ACSC said in a report published earlier this month.

According to the ACSC, LockBit Ransomware victims are also reporting threats of having their data stolen during the attacks leaked online. This tactic, known as Double Extortion, is a popular tactic amongst ransomware gangs to force their targets into meeting payment demands.

“The majority of victims known to the ACSC have been reported after July 2021, indicating a sharp and significant increase in domestic victims in comparison to other tracked ransomware variants,” the ACSC added.

“The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors including professional services, construction, manufacturing, retail, and food.”

The ACSC included a ransomware profile with additional information on the LockBit Ransomware gang, including initial access indicators, targeted sectors, and mitigation measures.

The group pointed out that the LockBit Ransomware gang is opportunistic and could target organizations from any industry sector. This means that just because a sector is not being actively warned of attacks, it doesn’t mean the gang won’t strike.

Since January 2020, the LockBit operators have appeared on Russian-language cybercrime forums. In June 2021, version two of the LockBit RaaS was advertised as ‘LockBit 2.0’ and was allegedly bundled with a built-in information stealing function known as ‘StealBit’.

The ACSC has observed LockBit threat actors actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products identified as CVE-2018-13379 in order to gain initial access to specific victim networks.

The LockBit RaaS operators have previously advertised partnership opportunities for threat actors that could provide credential-based accesses to Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) remote access solutions. Additional advertisements sought to recruit threat actors proficient in the use of threat emulation software Cobalt Strike and Metasploit. Threat emulation software is often used in penetration testing environments and by threat actors seeking to gain unauthorized access to or move laterally within target networks.

LockBit Ransomware Analysis

NOTE: This analysis of Lockbit Ransomware was carried out by McAfee

The file found in the investigation of Lockbit Ransomware was a dropper renamed as a .png file. When first opening the .png files we were expecting a real image file, with perhaps some steganography inside, but what we saw instead was the header of a portable executable, so no steganography pictures this time. The PE was compiled in Microsoft Visual C# v7.0 / Basic .NET, .NET executable -> Microsoft.

This encrypted string is decrypted using the key ENCRYPTION29942. The first 32 bytes of the long ExeBuffer string are used as the salt in the encryption scheme, where ENCRYPTION29942 is the passphrase.

The script checks for the existence of vbc.exe on its designated host. Usually, this binary is a digitally signed executable from Microsoft; however, in this case, the malware uses it for process hollowing.

By statically analyzing the file we can spot the usage of:

• NtUnmapViewOfSection
• LockBit Ransomware uses this API in order to unmap the original code in execution
• NtWriteVirtualMemory
• The malware writes the base address of the injected image into the PEB via NtWriteVirtualMemory
• VirtualAllocEx
• To allocate the space before injecting the malicious code
• The VBC utility is the visual basic compiler for Windows and LockBit Ransomware uses it to compile and execute the code on the fly directly in execution. If the vbc utility does not exist on the system, the malware downloads the original vbc.exe file from the same malicious URL as seen before. After executing vbc.exe, the malware replaces the objects in memory with the code for deploying the ransomware (as deduced from the exeBuffer).

The list of services LockBit Ransomware tries to stop are:

• DefWatch (Symantec Antivirus)
• ccEvtMgr (Norton AntiVirus Event Manager)
• ccSetMgr (Common Client Settings Manager Service of Symantec)
• SavRoam (Symantec Antivirus)
• sqlserv
• sqlagent
• sqladhlp
• Culserver
• RTVscan (Symantec Antivirus Program)
• sqlbrowser
• SQLADHLP
• QBIDPService (QuickBooksby Intuit.)
• QuickBoooks.FCS (QuickBooksby Intuit.)
• QBCFMonitorService (QuickBooksby Intuit.)
• sqlwriter
• msmdsrv (Microsoft SQL Server Analysis or Microsoft SQL Server)
• tomcat6 (Apache Tomcat)
• zhundongfangyu (this belongs to the 360 security product from Qihoo company)
• vmware-usbarbitator64
• vmware-converter
• dbsrv12 (Creates, modifies, and deletes SQL Anywhere services.)
• dbeng8 (Sybase’s Adaptive Server Anywhere version 8 database program)
• wrapper (Java Service?)

If one of these services is found by the malware querying the status of it, with the function “QueryServiceStatusEx”, LockBit will get all the depending modules when correct and safe and it will stop the service with the function “ControlService”.

The ransom note is rather compact because the author hardcoded the content right in the code without using any obfuscation or encryption. The text file containing the ransom note is created in every directory after encryption and called Restore-My-Files.txt.