LOCKBIT 3.0 Ransomware – Complete Malware Analysis Report


LockBit 3.0 is a sophisticated ransomware identified as a significant threat to organizations worldwide.

This ransomware variant is designed to encrypt files on infected systems, rendering them inaccessible until a ransom is paid.

LockBit is a ransomware-as-a-service (RaaS) group active since September 2018. LockBit has developed several variants: LockBit 1.0, LockBit 2.0, LockBit 3.0, and LockBit Green.

LockBit 3.0, also known as LockBit Black, was detected for the first time in 2018. Due to its complex architecture and encryption methods, it evades traditional scan engines.

LockBit 3.0 is known for its advanced encryption techniques, which make it difficult to decrypt files without the decryption key.

Ransomware is typically distributed through phishing emails or malicious websites, and once it infects a system, it spreads rapidly through the network, encrypting files on all connected devices.

LockBit 3.0 can also evade detection by traditional antivirus software, making it a dangerous threat.

According to security researcher Yusuf Amr, an initial inspection of the sample shows signs of malicious activity: the entry point is located within the ‘.itext’ section, which is highly suspicious.

The sample utilizes a set of APIs for reconnaissance purposes.

Several library imports and strings appear to be suspicious.

The sample is packed.

After the detonation of the malware sample, a ‘WerFault.exe’ process briefly appears under the ransomware process for a few seconds before disappearing.

By abusing the Windows Error Reporting tool (WerFault.exe), the ransomware is able to stealthily infect devices without raising any alarms on the breached system. This is achieved by launching the malware through a legitimate Windows executable.

Buffer overflow exceptions were encountered while the sample read file attributes.

Typical ransomware behavior includes accessing registry keys, such as those related to Desktop settings and shell folders.

Analyzing the network traffic in Wireshark shows that the ransomware sample initiated port scanning activity on the infected host.

Additionally, there are no external connections to public IP addresses and no DNS queries for a command-and-control (C2) server, which agrees with the static analysis conducted earlier: the first stage of the malware is focused on surveillance.

The malware employs a debugger evasion technique known as ‘Exception Flooding.’ The sample contains a significant number of function calls designed to cause a denial of service (DoS) on a debugger.

This issue can be mitigated by adding the exception code C0000005 (access violation) to the debugger’s exception filter so that it is passed to the program instead of breaking. For x64dbg specifically, if the exception code is not known in advance, the ‘Ignore Last’ feature can be used to add the most recent exception to the filter automatically.

Alternatively, this issue can be addressed by patching the file during analysis to replace these instructions with NOP (No Operation) bytes.

The debugger reports an illegal-instruction exception here, so the instruction that raises it can be bypassed by overwriting it with NOPs.
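An added example, not from the report or its author: a small Python patcher for the NOP approach just described. It parses the PE section table to find the ‘.itext’ section, locates the exception-raising instructions inside it and overwrites them with 0x90. It assumes the illegal-instruction exceptions come from UD2 (0F 0B), and it builds its own minimal PE to run against because the sample itself is not reproduced here.

```python
import struct

NOP = 0x90
# Assumption: the illegal-instruction exceptions come from UD2 (0F 0B).
# Confirm every hit in a disassembler first; the same two bytes can also
# sit inside a longer, legitimate instruction.
PATTERNS = (b"\x0f\x0b",)

def code_section_range(pe, name=b".itext"):
    """Return (file_offset, raw_size) of the named section from the PE header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size             # first section header
    for i in range(nsec):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        if hdr[:8].rstrip(b"\0") == name:
            raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
            return raw_ptr, raw_size
    raise ValueError("section %r not found" % name)

def nop_patch(pe, section=b".itext"):
    """Overwrite every PATTERNS hit inside the section with NOPs.
    Returns (patched_image, sorted file offsets that were patched)."""
    start, size = code_section_range(pe, section)
    buf, patched = bytearray(pe), []
    for pat in PATTERNS:
        off = buf.find(pat, start, start + size)
        while off != -1:
            buf[off:off + len(pat)] = bytes([NOP]) * len(pat)
            patched.append(off)
            off = buf.find(pat, off + len(pat), start + size)
    return bytes(buf), sorted(patched)

def build_sample_pe():
    """Constructed minimal PE for the demo: headers plus one '.itext' section
    holding a tiny function with three UD2 instructions in its body."""
    code = (b"\x55\x48\x89\xe5" + b"\x0f\x0b" * 3 + b"\x5d\xc3").ljust(0x200, b"\xcc")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)  # no optional header
    sec = b".itext".ljust(8, b"\0") + struct.pack("<IIII", len(code), 0x1000, len(code), 0x200)
    return (dos + coff + sec + b"\0" * 16).ljust(0x200, b"\0") + code
```

Work on a copy and keep the unpatched original alongside it, since the patched image no longer matches the hashes you collected during triage.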

The do_encoding function is a virtual member function of the C++ std::codecvt class. It reports the fixed number of external characters per internal character for the conversion (0 if the encoding is variable-width, -1 if it is state-dependent).

The do_unshift function is also a member function of std::codecvt. It generates the byte sequence needed to return a shift-state conversion to its initial state.

Overall, the ransomware is designed to evade detection by security software. This includes obfuscation techniques to hide its presence on the victim’s computer and a survey of the host as the first stage of its operation.
