LockBit Ransomware Gang Publish 103GB Of Bangkok Air Customer Data After Attack

LockBit Ransomware has breached Bangkok Air, according to a press release by the aviation company last Thursday. The following day, the LockBit Ransomware gang released a countdown clock, threatening to release stolen data unless ransom demands are met. The gang claims to have 103GB worth of files from Bangkok Air, and is promising to release them on Tuesday.

Dark Web intelligence firm, DarkTracer, tweeted a screenshot of a countdown from the LockBit Ransomware gang. At the time of the tweet, the clock showed four and a half days left.

“LockBit ransomware gang has announced Bangkok Airways on the victim list,” DarkTracer tweeted. “It announced that 103GB of compressed files will be released.”

A day before the announcement by the LockBit Ransomware gang, Bangkok Airways publicly acknowledged that it had been blasted with a cyberattack a week ago, on Monday, Aug. 23. It’s still investigating the incident “as a matter of urgency,” the company said in a press release and is working on beefing up its defenses.

“Upon such discovery, the company immediately took action to investigate and contain the event, with the assistance of a cybersecurity team. Currently, the company is investigating, as a matter of urgency, to verify the compromised data and the affected passengers as well as taking relevant measures to strengthen its IT system.” the company said in their press release.

The personal data includes:

• Passenger name
• Family name
• Nationality
• Gender
• Phone number
• Email address
• Other contact information
• Passport information
• Historical travel information
• Partial credit-card information
• Special meal information

The LockBit Ransomware gang allegedly did not succeed in accessing Bangkok Airway’s operational or aeronautical security systems, the company said. The company apologized, saying that “Bangkok Airways Public Company Limited takes the protection of passenger’s data very seriously and the airline is deeply sorry for the worry and inconvenience that this malicious incident has caused.”

Bangkok Air has notified the proper authorities, including the Royal Thai police.

LockBit Ransomware Analysis

NOTE: This analysis of Lockbit Ransomware was carried out by McAfee

The file found in the investigation of Lockbit Ransomware was a dropper renamed as a .png file. When first opening the .png files we were expecting a real image file, with perhaps some steganography inside, but what we saw instead was the header of a portable executable, so no steganography pictures this time. The PE was compiled in Microsoft Visual C# v7.0 / Basic .NET, .NET executable -> Microsoft.

Entropy-wise is tidy too, not showing any stray sections or big spikes in the graph. This behavior indicates that the writer of the Lockbit Ransomware did not use obfuscation.

This file is a .NET launcher. Examining the Main() function in the code shows that an array containing a particularly long AES encrypted base64 string (in the variable named ‘exeBuffer’) carries the executable for the actual ransomware.

This encrypted string is decrypted using the key ENCRYPTION29942. The first 32 bytes of the long ExeBuffer string are used as the salt in the encryption scheme, where ENCRYPTION29942 is the passphrase.

The script checks for the existence of vbc.exe on its designated host. Usually, this binary is a digitally signed executable from Microsoft; however, in this case, the malware uses it for process hollowing.

By statically analyzing the file we can spot the usage of:

• NtUnmapViewOfSection
• LockBit Ransomware uses this API in order to unmap the original code in execution
• NtWriteVirtualMemory
• The malware writes the base address of the injected image into the PEB via NtWriteVirtualMemory
• VirtualAllocEx
• To allocate the space before injecting the malicious code
• The VBC utility is the visual basic compiler for Windows and LockBit Ransomware uses it to compile and execute the code on the fly directly in execution. If the vbc utility does not exist on the system, the malware downloads the original vbc.exe file from the same malicious URL as seen before. After executing vbc.exe, the malware replaces the objects in memory with the code for deploying the ransomware (as deduced from the exeBuffer).

The list of services LockBit Ransomware tries to stop are:

• DefWatch (Symantec Antivirus)
• ccEvtMgr (Norton AntiVirus Event Manager)
• ccSetMgr (Common Client Settings Manager Service of Symantec)
• SavRoam (Symantec Antivirus)
• sqlserv
• sqlagent
• sqladhlp
• Culserver
• RTVscan (Symantec Antivirus Program)
• sqlbrowser
• SQLADHLP
• QBIDPService (QuickBooksby Intuit.)
• QuickBoooks.FCS (QuickBooksby Intuit.)
• QBCFMonitorService (QuickBooksby Intuit.)
• sqlwriter
• msmdsrv (Microsoft SQL Server Analysis or Microsoft SQL Server)
• tomcat6 (Apache Tomcat)
• zhundongfangyu (this belongs to the 360 security product from Qihoo company)
• vmware-usbarbitator64
• vmware-converter
• dbsrv12 (Creates, modifies, and deletes SQL Anywhere services.)
• dbeng8 (Sybase’s Adaptive Server Anywhere version 8 database program)
• wrapper (Java Service?)

If one of these services is found by the malware querying the status of it, with the function “QueryServiceStatusEx”, LockBit will get all the depending modules when correct and safe and it will stop the service with the function “ControlService”.

The ransom note is rather compact because the author hardcoded the content right in the code without using any obfuscation or encryption. The text file containing the ransom note is created in every directory after encryption and called Restore-My-Files.txt.