LockBit 2.0 Ransomware Alert

The FBI has issued an alert regarding activity of a Ransomware-as-a-Service (RaaS) known as LockBit 2.0, which uses a variety of tactics, techniques, and procedures to create a hard-to-handle security threat that targets victims across many sectors.  I'll give a brief technical breakdown, then go into the recommended mitigation strategies.

LockBit 2.0 is a ransomware application that uses bitwise operations to decode its strings and load the modules it needs at runtime, which helps it evade detection and protection technologies.  Upon launch, LockBit 2.0 imports the required modules, then checks whether the process has administrative privileges; if not, it attempts privilege escalation (the UAC bypass registry key listed under Indicators of Compromise) to obtain them.  It then reads the system and user language settings and only proceeds on hosts whose language does not match a set list of Eastern European languages.  If one of those language codes is detected, the program exits without infecting the host.

As infection begins, LockBit 2.0 deletes log files and shadow copies residing on disk, then enumerates system information including hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices.  It then attempts to encrypt any data saved to any local or remote device, but skips files associated with core system functions.  Once encryption completes, it wipes and removes its own executable from disk and establishes persistence at startup for the ransom note (the Run key listed under Indicators of Compromise).

What is distinctive about this attack is that it can be preconfigured to search for, or exfiltrate, only specific file types, tailoring the attack to the individual business being targeted.  This lets the attackers go after files belonging to the applications the victim relies on and make sure the important information held in those file types is encrypted and unreachable before they ransom the victim and start a countdown to the destruction of the ransomed data.

Indicators of Compromise

  • Language Check: LockBit 2.0 compares the system and user language against the following Windows locale IDs (LCIDs) and exits without encrypting if either matches
    • 2029, 1068, 1067, 1059, 1079, 1087, 1088, 2073, 1049, 1064, 1090, 2115, 1091
  • Command Line Activity (look for these in process creation telemetry such as Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1):
    • cmd.exe /c vssadmin Delete Shadows /All /Quiet
      Description: Deletes all Volume Shadow Copies
    • cmd.exe /c bcdedit /set {default} recoveryenabled No
      Description: Disables Windows 10 automatic recovery at boot
    • cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Description: Suppresses the recovery prompt after failed boots
    • cmd.exe /c wmic SHADOWCOPY /nointeractive
      Description: This command has invalid syntax and errors out, but its appearance in process logs is still a useful indicator
    • cmd.exe /c wevtutil cl security
      Description: Clears the Security event log
    • cmd.exe /c wevtutil cl system
      Description: Clears the System event log
    • cmd.exe /c wevtutil cl application
      Description: Clears the Application event log
    • cmd.exe "C:\Windows\System32\cmd.exe" /C ping -n 3 >Nul&fsutil file setZeroData offset=0 length=524288 "C:\Users\fred\Desktop\Lsystem-234-bit.exe" & Del /f /q "C:\Users\fred\Desktop\Lsystem-234-bit.exe"
      Description: Wipes and deletes itself: after a short ping delay, fsutil zeroes the first 524288 bytes (512 KiB) of the executable so its content cannot be recovered from disk, then the file is deleted (the path and file name come from the FBI sample and will differ per victim)
    • cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      Description: LockBit 2.0 deletes all shadow copies on disk and disables recovery in a single chained command to prevent data recovery
  • Registry Keys:
    • Created - UAC Bypass
      • Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
      • Value: DisplayCalibrator
      • Data: LockBit 2.0 executable path (the auto-elevated Display Color Calibration tool reads this value and launches it, giving the payload administrative privileges without a UAC prompt)
    • Created - Ransom Note Handler (opening an encrypted file launches the HTA ransom note through mshta.exe)
      • Key: HKEY_CLASSES_ROOT\Lockbit\shell\Open\Command
      • Data: "C:\Windows\system32\mshta.exe" "C:\Users\\Desktop\LockBit_Ransomware.hta"
      • Key: HKEY_CLASSES_ROOT\Lockbit\DefaultIcon
      • Data: C:\Windows\.ico
    • Created - Persistence
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{GUID}
      • Data: C:\Users\\Desktop\LockBit_Ransomware.hta
    • Created - Encryption
      • Key: HKEY_CURRENT_USER\Software\< LockBit 2.0 ID >\Private
      • Key: HKEY_CURRENT_USER\Software\< LockBit 2.0 ID >\Public
    • Created - LockBit 2.0 Icon Location
      • Key: HKEY_LOCAL_MACHINE\Software\Classes\.lockbit\DefaultIcon
    • Created / Modified - LockBit 2.0 Desktop (wallpaper change)
      • Key: HKEY_CURRENT_USER\Control Panel\Desktop
      • String Value: Wallpaper = %APPDATA%\Local\Temp\.tmp.bmp
      • String Value: TileWallpaper = 0
      • String Value: WallpaperStyle = 2
  • Files Created
    • C:\Users\\Desktop\LockBit_Ransomware.hta - LockBit 2.0 HTA ransom note
    • C:\Windows\SysWOW64\.ico - LockBit 2.0 icon
    • C:\Users\\AppData\Local\Temp\.tmp.bmp - LockBit 2.0 wallpaper
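As an added example (not code from the FBI alert or from London Security), the following Python script matches process-creation log lines and exported registry values against the indicators above, and rates a host from which rules fired. The tab-separated log format, the host and user names, the GUID in the Run key, the data stored under DisplayCalibrator and the wallpaper file name in the sample data are constructed for illustration; on a real system you would feed it command lines from Security event 4688 or Sysmon event 1 and values exported with reg query.

```python
# Added example for this advisory (not code from the FBI alert or London Security):
# a triage script that checks process-creation log lines and exported registry
# values against the LockBit 2.0 indicators listed above.  The log format and the
# host names, user, GUID and file names in the sample data are constructed.
import re

# LCIDs from the alert's language check; LockBit 2.0 exits when the system or
# user language is one of these.  Handy when scoping which hosts were spared.
KILL_SWITCH_LCIDS = {2029, 1068, 1067, 1059, 1079, 1087, 1088, 2073,
                     1049, 1064, 1090, 2115, 1091}


def kill_switch_applies(system_lcid, user_lcid):
    """True if the alert's language check would make LockBit 2.0 exit on this host."""
    return bool({system_lcid, user_lcid} & KILL_SWITCH_LCIDS)


# Command-line indicators from the alert, matched case-insensitively.
CMDLINE_RULES = {
    "shadow_copy_delete": r"vssadmin\s+delete\s+shadows\s+/all\s+/quiet|wmic\s+shadowcopy\s+delete",
    "recovery_disabled": r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    "boot_failures_ignored": r"bcdedit\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    "event_log_cleared": r"wevtutil\s+cl\s+(security|system|application)\b",
    "self_wipe": r"fsutil\s+file\s+setzerodata\s+offset=0\b.*\bdel\s+/f\s+/q",
}

# Registry indicators: (key regex, value-name regex or None, data regex or None).
REGISTRY_RULES = {
    "uac_bypass_displaycalibrator": (r"\\ICM\\Calibration$", r"^DisplayCalibrator$", None),
    "ransom_note_handler": (r"^HKEY_CLASSES_ROOT\\Lockbit\\shell\\Open\\Command$", None,
                            r"mshta\.exe.*LockBit_Ransomware\.hta"),
    "run_key_to_hta": (r"\\CurrentVersion\\Run\\\{[0-9A-Fa-f-]+\}$", None, r'\.hta"?$'),
    "lockbit_extension_icon": (r"\\Classes\\\.lockbit\\DefaultIcon$", None, None),
    "wallpaper_swap": (r"^HKEY_CURRENT_USER\\Control Panel\\Desktop$", r"^Wallpaper$",
                       r"\\Temp\\.*\.tmp\.bmp$"),
}
# Specific enough to escalate on their own; the Run key and wallpaper only corroborate.
HIGH_CONFIDENCE = {"uac_bypass_displaycalibrator", "ransom_note_handler",
                   "lockbit_extension_icon", "self_wipe"}


def scan_process_log(lines):
    """lines: 'timestamp<TAB>host<TAB>user<TAB>command line' (constructed format).
    Returns [(timestamp, host, rule_name, command_line)] for every rule hit."""
    hits = []
    for line in filter(str.strip, lines):
        ts, host, _user, cmd = line.rstrip("\n").split("\t", 3)
        hits += [(ts, host, rule, cmd) for rule, rx in CMDLINE_RULES.items()
                 if re.search(rx, cmd, re.I)]
    return hits


def _match(rx, text):
    return rx is None or re.search(rx, text or "", re.I) is not None


def scan_registry(entries):
    """entries: (key, value_name, data) triples.  Returns [(key, rule_name)]."""
    return [(key, rule) for key, name, data in entries
            for rule, (key_rx, name_rx, data_rx) in REGISTRY_RULES.items()
            if _match(key_rx, key) and _match(name_rx, name) and _match(data_rx, data)]


def assess(rules_seen):
    """Rate a host from the rule names that fired on it."""
    rules = set(rules_seen)
    if rules & HIGH_CONFIDENCE:
        return "critical"
    # Shadow copy deletion chained with recovery or log tampering is the alert's
    # inhibit-recovery sequence, even when the self-wipe was not observed.
    tamper = {"recovery_disabled", "boot_failures_ignored", "event_log_cleared"}
    if "shadow_copy_delete" in rules and rules & tamper:
        return "critical"
    return "suspicious" if rules else "clean"


# Constructed sample input (not real telemetry).  Host WS-042 shows the alert's
# command sequence; WS-017 is a benign administrative use of vssadmin.
SAMPLE_PROCESS_LOG = [
    "2022-02-04T10:01:12Z\tWS-042\tfred\tcmd.exe /c vssadmin Delete Shadows /All /Quiet",
    "2022-02-04T10:01:13Z\tWS-042\tfred\tcmd.exe /c bcdedit /set {default} recoveryenabled No",
    "2022-02-04T10:01:14Z\tWS-042\tfred\tcmd.exe /c wevtutil cl security",
    "2022-02-04T10:05:30Z\tWS-042\tfred\tcmd.exe /C ping -n 3 >Nul&fsutil file setZeroData "
    "offset=0 length=524288 \"C:\\Users\\fred\\Desktop\\Lsystem-234-bit.exe\" & Del /f /q "
    "\"C:\\Users\\fred\\Desktop\\Lsystem-234-bit.exe\"",
    "2022-02-04T10:07:00Z\tWS-017\tbackup\tvssadmin list shadows",
]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration",
     "DisplayCalibrator", r"C:\Users\fred\Desktop\Lsystem-234-bit.exe"),
    (r"HKEY_CLASSES_ROOT\Lockbit\shell\Open\Command", "",
     r'"C:\Windows\system32\mshta.exe" "C:\Users\fred\Desktop\LockBit_Ransomware.hta"'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{1A2B3C4D-0000-4000-8000-000000000000}",
     "", r"C:\Users\fred\Desktop\LockBit_Ransomware.hta"),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper",
     r"C:\Users\fred\AppData\Local\Temp\A1B2.tmp.bmp"),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "WallpaperStyle", "2"),
]

if __name__ == "__main__":
    proc_hits = scan_process_log(SAMPLE_PROCESS_LOG)
    reg_hits = scan_registry(SAMPLE_REGISTRY)
    for ts, host, rule, cmd in proc_hits:
        print(f"{ts} {host} {rule}: {cmd[:70]}")
    for key, rule in reg_hits:
        print(f"registry {rule}: {key}")
    print("verdict:", assess([h[2] for h in proc_hits] + [r[1] for r in reg_hits]))
```

The benign `vssadmin list shadows` line on WS-017 produces no hit, while WS-042 is rated critical both from the self-wipe alone and from the shadow copy deletion chained with bcdedit and wevtutil. The broken `wmic SHADOWCOPY /nointeractive` command and the `Software\< LockBit 2.0 ID >\Private` and `\Public` keys are deliberately not in the rule set: the first errors out and the second would match any application that keeps Private or Public subkeys, so both are better treated as corroboration once the ID is known than as standalone rules.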

Recommended Mitigation

Many of the recommendations for this malware are the standard ransomware mitigations, but here is a general list:

  • Require accounts with password logins to have strong, unique passwords.
  • Require multi-factor authentication, especially for remote access (VPN, RDP, webmail) and for administrative accounts.
  • Keep all operating systems and software up to date.
    • Prioritize patching known exploited vulnerabilities.
  • Remove unnecessary access to administrative shares; the malware enumerates remote shares and encrypts data on them, so every share a compromised account can reach is in scope.
  • Do not rely on Volume Shadow Copies for recovery; LockBit 2.0 deletes them before encrypting, so keep offline or otherwise immutable backups and test restoring from them.

Some more specific recommendations involve the security processes themselves, so ask yourself whether you have the following in place:

  • 24/7/365 Coverage
    • Make sure your security technology and analysis cover all hours, with human intervention in the case of a critical security event.  London Security has seen the value of this approach first-hand, with events stopped in progress after they evaded traditional security technologies.  Talk to us about our own 24/7/365 MDR solution, which can lock down a potentially impacted system before it spreads malware.
  • Security Solutions that have real-time blocking components
    • Knowing a problem happened isn't enough; security solutions that can block events as they occur are critical.  This includes solutions that review activity across the network, and especially on the endpoints themselves.  Designing security around detection without response sets a company up for failure.
  • Generate Regular Security Reports
    • A regular security report that flags potential areas of compromise, and that audits your security engineers and employees, helps prevent events from occurring unnoticed and keeps your security engineers from missing key threats.  With IT staff often very busy and potentially overwhelmed, don't let cybersecurity fall by the wayside.

London Security would be happy to discuss this further by phone; feel free to contact us directly for more information on this threat, among others.