LockBit Ransomware has breached Bangkok Air, according to a press release by the aviation company last Thursday. The following day, the LockBit Ransomware gang released a countdown clock, threatening to release stolen data unless ransom demands are met. The gang claims to have 103GB worth of files from Bangkok Air, and is promising to release them on Tuesday.
Dark Web intelligence firm, DarkTracer, tweeted a screenshot of a countdown from the LockBit Ransomware gang. At the time of the tweet, the clock showed four and a half days left.
“LockBit ransomware gang has announced Bangkok Airways on the victim list,” DarkTracer tweeted. “It announced that 103GB of compressed files will be released.”
A day before the announcement by the LockBit Ransomware gang, Bangkok Airways publicly acknowledged that it had been blasted with a cyberattack a week ago, on Monday, Aug. 23. It’s still investigating the incident “as a matter of urgency,” the company said in a press release and is working on beefing up its defenses.
“Upon such discovery, the company immediately took action to investigate and contain the event, with the assistance of a cybersecurity team. Currently, the company is investigating, as a matter of urgency, to verify the compromised data and the affected passengers as well as taking relevant measures to strengthen its IT system.” the company said in their press release.
The personal data includes:
- Passenger name
- Family name
- Nationality
- Gender
- Phone number
- Email address
- Other contact information
- Passport information
- Historical travel information
- Partial credit-card information
- Special meal information
The LockBit Ransomware gang allegedly did not succeed in accessing Bangkok Airway’s operational or aeronautical security systems, the company said. The company apologized, saying that “Bangkok Airways Public Company Limited takes the protection of passenger’s data very seriously and the airline is deeply sorry for the worry and inconvenience that this malicious incident has caused.”
Bangkok Air has notified the proper authorities, including the Royal Thai police.
LockBit Ransomware Analysis
NOTE: This analysis of Lockbit Ransomware was carried out by McAfee
The file found in the investigation of Lockbit Ransomware was a dropper renamed as a .png file. When first opening the .png files we were expecting a real image file, with perhaps some steganography inside, but what we saw instead was the header of a portable executable, so no steganography pictures this time. The PE was compiled in Microsoft Visual C# v7.0 / Basic .NET, .NET executable -> Microsoft.
Entropy-wise is tidy too, not showing any stray sections or big spikes in the graph. This behavior indicates that the writer of the Lockbit Ransomware did not use obfuscation.
This file is a .NET launcher. Examining the Main() function in the code shows that an array containing a particularly long AES encrypted base64 string (in the variable named ‘exeBuffer’) carries the executable for the actual ransomware.
This encrypted string is decrypted using the key ENCRYPTION29942. The first 32 bytes of the long ExeBuffer string are used as the salt in the encryption scheme, where ENCRYPTION29942 is the passphrase.
The script checks for the existence of vbc.exe on its designated host. Usually, this binary is a digitally signed executable from Microsoft; however, in this case, the malware uses it for process hollowing.
By statically analyzing the file we can spot the usage of:
- NtUnmapViewOfSection
- LockBit Ransomware uses this API in order to unmap the original code in execution
- NtWriteVirtualMemory
- The malware writes the base address of the injected image into the PEB via NtWriteVirtualMemory
- VirtualAllocEx
- To allocate the space before injecting the malicious code
- The VBC utility is the visual basic compiler for Windows and LockBit Ransomware uses it to compile and execute the code on the fly directly in execution. If the vbc utility does not exist on the system, the malware downloads the original vbc.exe file from the same malicious URL as seen before. After executing vbc.exe, the malware replaces the objects in memory with the code for deploying the ransomware (as deduced from the exeBuffer).
The list of services LockBit Ransomware tries to stop are:
- DefWatch (Symantec Antivirus)
- ccEvtMgr (Norton AntiVirus Event Manager)
- ccSetMgr (Common Client Settings Manager Service of Symantec)
- SavRoam (Symantec Antivirus)
- sqlserv
- sqlagent
- sqladhlp
- Culserver
- RTVscan (Symantec Antivirus Program)
- sqlbrowser
- SQLADHLP
- QBIDPService (QuickBooksby Intuit.)
- QuickBoooks.FCS (QuickBooksby Intuit.)
- QBCFMonitorService (QuickBooksby Intuit.)
- sqlwriter
- msmdsrv (Microsoft SQL Server Analysis or Microsoft SQL Server)
- tomcat6 (Apache Tomcat)
- zhundongfangyu (this belongs to the 360 security product from Qihoo company)
- vmware-usbarbitator64
- vmware-converter
- dbsrv12 (Creates, modifies, and deletes SQL Anywhere services.)
- dbeng8 (Sybase’s Adaptive Server Anywhere version 8 database program)
- wrapper (Java Service?)
If one of these services is found by the malware querying the status of it, with the function “QueryServiceStatusEx”, LockBit will get all the depending modules when correct and safe and it will stop the service with the function “ControlService”.
The ransom note is rather compact because the author hardcoded the content right in the code without using any obfuscation or encryption. The text file containing the ransom note is created in every directory after encryption and called Restore-My-Files.txt.
Protection
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.