LockBit 3.0 Ransomware Analysis

8 minute read

LockBit-Malware-Analysis

LockBit ransomware is currently one of the most popular and active ransomware groups in the wild. This ransomware variant was first detected in September 2019 and used by Threat Actors to target multiple sectors and organizations worldwide. The TAs behind LockBit operate under the Ransomware-as-a-Service (RaaS) business model.

Malware Sample

MD5: 38745539b71cf201bb502437f891d799

SHA256: 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce

LockBit Execuation

Using the packer identifier utility Detect It Easy, we found that this particular LockBit 3.0 sample is a Win32 .exe file with multiple sections packed with an unknown packer.

According to the malware bazaars comments, the malware uses below command line argument for decryption.

Command line argument - sample.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a

Lockbit sample consists of below 4 steps.
1. In the Unpack Sections phase, the actual sections are decrypted.
2. The Reconstruct Import Address Table.
3. During the Escalate Privilege phase, the sample attempts to evolve by granting itself higher privileges.
4. Most functions are initiated as child threads, and operations corresponding to the decrypted configuration from the Escalate Privilege phase are executed.

Packer and Dynamic Imports

To activate the proper execution of the malware, a decryption key must be provided as a parameter (-pass) when the malicious file is launched.
Lockbit is well packed, and its imports table is almost empty. Most API functions calls are resolved dynamically by calling a trampoline function which decrypts the API function using XOR encryption.
We can see the below snap of PEStudio, Import table is empty.

Check the below snap of Packed Sample.

Below snap shows the unpacked code after passing the command line argument.sample.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a

Below funcation is responsible to perform the decryption of the sections of the binary, by retrieving the decryption key from the execution parameters and by passing it through.

LockBit 3.0 performs API harvesting by hashing the API names of a DLL, and then comparing it to the list of the APIs that the ransomware needs.
To make analysis difficult, LockBit 3.0 also uses string obfuscation, which is done through a simple decryption algorithm (XOR) to decrypt the strings.

Below funcation is responsible to load and map the needed APIs into memory is analyzable only on the decrypted/unpacked version of the malware.
The way APIs are resolved consists in a call to a funcation (sub_407C5C) that receives as input an obfuscated string that is XORed with the key 0x4506DFCA, so to decrypt the Win32 API name to be resolved.

Lockbit 3.0 can load all of the Windows APIs during the execution time, so in order to see the hidden API calls we can execute the sample and see the results under Debugger or we can use HashDB on IDA.

OS Version Check

LockBit checkes the Windows NT version using below funcation.

Mutex and Multiple Thread Creation

After resolving API functions dynamically, it creates a mutex to ensure that only one instance of malware is running on the victim’s system at any given time.

The ransomware creates multiple threads using the CreateThread() API to perform several tasks in parallel for faster file encryption, as shown in Figure 6.
Each thread is responsible for querying system information, getting drive details, ransom note creation, getting file attributes, deleting services, file search, encryption, etc.

Service Deletion

LockBit deletes a few services to encrypt the files successfully. To delete these services, the ransomware calls the OpenSCManagerA()API to get the service control manager database access.

After gaining access, checks for the presence of services and deletes them if they are actively running on the victim’s machine. The below are some services targeted by ransomware.

Services	Services	Services	Services
backup	wordpad	winword	thebat
GxBlr	tbirdconfig	synctime	outlook
GxCIMgr	steam	sqbcoreservice	oracle
GxCVD	registry	powerpnt	ocssd
GxFWD	ocomm	ocautoupds	notepad
GxVss	mydesktopqos	mspub	msaccess
memtas	isqlplussvc	infopath	firefox
mepocs	excel	encsvc	svc$
sophos	dbsnmp	dbeng50	agntsvc

Registry Modification

After deleting the services, the ransomware drops two files named HLJkNskOq.ico and HLJkNskOq.bmp in the c:\programdata location.

The ransomware creates a Default registry key for the extension HLJkNskOq shown in the figure below.This operation changes the icons of the encrypted files, which have the extension HLJkNskOq.

Killing Windows Defender and Tempering Windows Event Log

LockBit changes the registry keys to disable all Windows Event Log Messages and kill the Microsoft Defender Process/Service.

After the registry key change, Enabled key set to 0 and new Security Descriptor (O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)) add it to temper the Event Logs.

LockBit clears the event log with ClearEventLogW() API function.

Dropping Ransomware Note

Before initiating the encryption process, the ransomware drops the below ransom note in multiple folders with the file name HLJkNskOq.README.txt
In the dropped ransom note, victims are instructed on how to pay the ransom to decrypt their encrypted files.

Encrypted Files

The ransomware then encrypts the victim’s files, appends the extension “.HLJkNskOq,” and changes the file’s icon as shown below.

Check the below funcations used for File Encryption.

(Image Credit- txone network blog)

Changing Desktop Background

Finally, the ransomware changes the victim’s wallpaper leveraging the file “HLJkNskOq.bmp” using the systemparametersinfoW() API function.

Yara Rule

Refrerance - https://github.com/interprobe/lockbit3.0detect_v2-byInterProbe.yara/blob/main/lockbit3.0detect_v2.yara

rule Lockbit3Detect_via_SectionPatterns {
    meta:
        description = "Detects new Lockbit 3.0 variants"
        author = "InterProbe Malware-Vulnerability Research Team"
        date = "2022-07-04"
    strings:
        $lstr1 = ".xyz" wide ascii
        $lstr2 = ".rdata$zzzdbg" wide ascii
        $lstr3 = ".text$mn" wide ascii
        $entrypoint = { 90 0f 1f 84 00 00 00 00 00 e8 83 fb ff ff 0f 1f 40 00 e8 ce cd fe ff 66 90 e8 77 03 ff ff 0f 1f 44 00 00 e8 e1 da ff ff 0f 1f 84 00 00 00 00 00 6a 00 ff 15 c0 75 42 00 0f 1f 80 00 00 00 00 e8 49 f4 ff ff e8 26 f4 ff ff e8 45 f4 ff ff e8 22 f4 ff ff e8 11 f4 ff ff e8 36 f4 ff ff e8 25 f4 ff ff e8 32 f4 ff ff e8 15 f4 ff ff e8 fe f3 ff ff e8 05 f4 ff ff e8 12 f4 ff ff e8 fb f3 ff ff e8 ae f3 ff ff e8 c1 f3 ff ff e8 ce f3 ff ff e8 ab f3 ff ff e8 ca f3 ff ff e8 b9 f3 ff ff e8 b4 f3 ff ff e8 91 f3 ff ff e8 86 f3 ff ff e8 93 f3 ff ff e8 a6 f3 ff ff e8 95 f3 ff ff e8 6c f3 ff ff e8 09 df ff ff e8 ec de ff ff e8 f3 de ff ff e8 f4 de ff ff e8 e3 de ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
        $sectionitext = { 55 8b ec 81 ec 7c 03 00 00 53 56 57 8d 9d 84 fc ff ff b9 00 c2 eb 0b e2 fe e8 c6 02 00 00 53 50 e8 23 02 00 00 85 c0 74 79 53 8d 45 a0 50 e8 c1 02 00 00 8d 85 8c fe ff ff 50 8d 45 c0 50 8d 45 a0 50 e8 01 03 00 00 89 45 9c e8 85 02 00 00 8b d8 8b 5b 08 8b 73 3c 03 f3 0f b7 7e 06 8d b6 f8 00 00 00 6a 00 8d 06 50 e8 7f 00 00 00 3d 75 80 91 76 74 0e 3d 1b a4 04 00 74 07 3d 9b b4 84 0b 75 18 8b 4e 0c 03 cb ff 75 9c 8d 85 8c fe ff ff 50 ff 76 10 51 e8 82 03 00 00 83 c6 28 4f 85 ff 75 c1 5f 5e 5b 8b e5 5d c3 8d 40 00 55 8b ec 51 52 56 33 c0 8b 55 0c 8b 75 08 b9 61 00 00 00 66 ad 90 66 83 f8 41 72 0b 66 83 f8 5a 77 05 66 83 c8 20 90 02 f1 2a f1 8b c8 d3 ca 03 d0 90 85 c0 75 d8 8b c2 5e 5a 59 5d c2 08 00 90 55 8b ec 51 52 56 33 c0 8b 55 0c 8b 75 08 b9 61 00 00 00 ac }
    condition:
        ((uint16(0) == 0x5a4d) and (filesize < 200KB and filesize > 150KB)) and (all of them)
}

Ranjit Patil