Lockbit Ransomware, Why You No Spread?

RDP brute forcing continues to be a favorite entry point for ransomware actors. This past month we saw activity from the Lockbit ransomware family.

Initial Access:

RDP login from 165.231.142.36. The threat actor logged in, then switched to a domain admin (DA) account 15 minutes later.
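The brute-force-then-logon pattern described above is straightforward to hunt for in the Windows Security log. The following is an added example, not code from the report: it scans constructed 4625/4624 events (only the source IP is taken from the report; the accounts, times, threshold and window are assumptions) for a burst of failed RDP logons from one address followed by a success, then lists any other accounts that logged on from that address shortly afterwards, which is how the switch to a DA account would surface.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log excerpts reduced to the fields that matter:
# (timestamp, event_id, account, source_ip, logon_type). 4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive (RDP). The source
# IP is the one named in the report; accounts and times are made up.
SAMPLE_EVENTS = [
    ("2020-05-20 02:10:01", 4625, "administrator", "165.231.142.36", 10),
    ("2020-05-20 02:10:44", 4625, "admin", "165.231.142.36", 10),
    ("2020-05-20 02:11:30", 4625, "backup", "165.231.142.36", 10),
    ("2020-05-20 02:12:15", 4625, "jdoe", "165.231.142.36", 10),
    ("2020-05-20 02:13:02", 4625, "jdoe", "165.231.142.36", 10),
    ("2020-05-20 02:14:30", 4625, "jdoe", "165.231.142.36", 10),
    ("2020-05-20 02:14:55", 4624, "jdoe", "165.231.142.36", 10),
    # a single typo from an internal workstation must not fire
    ("2020-05-20 02:16:10", 4625, "asmith", "10.20.5.40", 10),
    ("2020-05-20 02:16:20", 4624, "asmith", "10.20.5.40", 10),
    # ~15 minutes later a privileged account logs on from the same source
    ("2020-05-20 02:29:58", 4624, "da-admin", "165.231.142.36", 10),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """One finding per source IP whose RDP failures reach `threshold` inside
    `window` and are then followed by a successful RDP logon from that IP."""
    failures = defaultdict(list)   # source_ip -> timestamps of 4625 events
    findings = []
    for stamp, event_id, account, src, logon_type in sorted(events):
        if logon_type != 10:       # only RemoteInteractive (RDP) logons
            continue
        now = _ts(stamp)
        if event_id == 4625:
            failures[src].append(now)
        elif event_id == 4624:
            recent = [t for t in failures[src] if now - t <= window]
            if len(recent) >= threshold:
                findings.append({"source_ip": src, "failed_attempts": len(recent),
                                 "account": account, "success_time": now})
            failures[src].clear()  # a success ends the current attempt series
    return findings


def accounts_after_success(events, finding, within=timedelta(minutes=30)):
    """Other accounts that logged on from the brute-forcing IP within `within`
    of the successful logon: the report's switch to a domain admin account."""
    later = set()
    for stamp, event_id, account, src, _ in events:
        now = _ts(stamp)
        if (event_id == 4624 and src == finding["source_ip"]
                and account != finding["account"]
                and finding["success_time"] < now <= finding["success_time"] + within):
            later.add(account)
    return sorted(later)


if __name__ == "__main__":
    for hit in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(hit, "followed by:", accounts_after_success(SAMPLE_EVENTS, hit))
```

The threshold and window are deliberately low so the sample fires; on real data they should be tuned against the normal failure rate of the RDP gateway, and the account-switch check should be extended to 4648 (explicit credential) and 4672 (special privilege) events rather than only a second 4624.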

Action on Objectives:

Unlike other actors we have seen in the lab or in other reports, who take meticulous inventory and thoroughly enumerate a victim environment, this actor moved straight into final-phase activity.

They disabled the security defenses of the host they had access to with a program masquerading as svchost.exe in the user's AppData directory:

%APPDATA%\svchost.exe

It issued the following commands:

netsh firewall set opmode disable
net stop security center
net stop WinDefend
The malware then kept a communication stream open to a Ukrainian FTP server even after the ransomware was deployed.

svchost.exe (the HAKOPS Keylogger 15 matched by the YARA rule below) was seen sending keystroke logs to that FTP server (185.86.76.30 in the IOCs) once per day after infection.

Then they moved straight into ransomware deployment, with two tools apparently selected: screensaver.exe and 9689A16B72D48DAB.exe, both dropped right on the desktop.

The screensaver executable does not appear to have been used in the attack; it is a desktop locker that lets one lock out access to the desktop.

Instead they ran the randomly named executable, which is Lockbit ransomware.

As expected, we see the standard set of ransomware commands:
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete &; bcdedit /set {default} bootstatuspolicy ignoreallfailures &; bcdedit /set {default} recoveryenabled no &; wbadmin delete catalog -quiet
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
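Both command sets above (the defense-disabling commands from the fake svchost.exe and the recovery-inhibiting chain run by the Lockbit executable) are good candidates for process-creation detection (Sysmon event 1 or Security event 4688 with command-line auditing). The Python below is an added example rather than anything from the report: it splits a chained command line into its parts, normalizes each one, and matches it against a small rule table. The ATT&CK labels, the benign sample line and the accepted variants (full executable paths, the netsh advfirewall form, sc stop) are my additions and are not shown in the report.

```python
import re

# Rule table: (label, regex applied to one normalized sub-command). The first
# two cover the defense-disabling commands issued by the fake svchost.exe, the
# rest the shadow-copy / recovery commands run by the Lockbit executable.
# ATT&CK IDs are added here for triage; they are not in the original report.
RULES = [
    ("T1562.004 disable host firewall",
     re.compile(r"^netsh(?:\.exe)?\s+(?:firewall\s+set\s+opmode\s+disable"
                r"|advfirewall\s+set\s+\w+\s+state\s+off)")),
    ("T1562.001 stop security service",
     re.compile(r'^(?:net1?|sc)(?:\.exe)?\s+stop\s+(?:"?security center"?|windefend)')),
    ("T1490 delete shadow copies",
     re.compile(r"^(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)")),
    ("T1490 disable boot recovery",
     re.compile(r"^bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
                r"(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)")),
    ("T1490 delete backup catalog",
     re.compile(r"^wbadmin(?:\.exe)?\s+delete\s+catalog")),
]

# Command separators used by cmd.exe; a stray "&;" pair just yields an empty part.
SEPARATOR = re.compile(r"\s*(?:&&|\|\||&|\||;)\s*")
# Leading '"C:\...\cmd.exe" /c ' or 'cmd /k ' wrapper.
CMD_PREFIX = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I)
# Strips quotes and a space-free directory from the executable token;
# quoted paths containing spaces are not handled by this toy normalizer.
EXE_TOKEN = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?([^"\s\\]+)"?(.*)$', re.I)


def subcommands(cmdline):
    """Split a chained command line (& && | || ;) into normalized parts:
    leading 'cmd.exe /c' removed, executable reduced to its base name,
    whitespace collapsed, everything lowercased."""
    parts = []
    for part in SEPARATOR.split(cmdline):
        part = part.strip()
        if not part:
            continue
        m = CMD_PREFIX.match(part)
        if m:
            part = m.group(1).strip()
        m = EXE_TOKEN.match(part)
        if m:
            part = m.group(1) + m.group(2)
        parts.append(" ".join(part.lower().split()))
    return parts


def classify(cmdline):
    """Return [(label, sub-command)] for every rule hit in the command line."""
    hits = []
    for sub in subcommands(cmdline):
        for label, pattern in RULES:
            if pattern.search(sub):
                hits.append((label, sub))
    return hits


# The chained command line from the report, reproduced here as one string.
LOCKBIT_CMD = ('"C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows /all /quiet '
               '& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy '
               'ignoreallfailures & bcdedit /set {default} recoveryenabled no '
               '& wbadmin delete catalog -quiet')

# Constructed process-creation command lines: the report's commands plus a benign one.
SAMPLE_CMDLINES = [
    "netsh firewall set opmode disable",
    "net stop security center",
    "net stop WinDefend",
    LOCKBIT_CMD,
    '"C:\\Windows\\System32\\cmd.exe" /c dir C:\\Users & whoami',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for label, sub in classify(line):
            print(f"{label:35} <- {sub}")
```

Splitting on the separators matters: a single 4688 event carries the whole chained line, and a rule that only looks at the start of the command line would see cmd.exe and miss every command after the first ampersand.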

Afterwards we saw the executable ping the entire /16 and then make SMB connections to live hosts, but no infection was actually spread. We do not understand why the ransomware did not spread, as authentication was successful and shares were enumerated.
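The ping sweep followed by SMB connections is visible in network flow data even though nothing was encrypted on the other hosts. The following is an added example, not from the report, run over constructed flow records (the infected host, the 10.20.0.0/16-style addresses and the 50-target threshold are all assumptions): it flags a source that reaches many distinct ICMP destinations inside a short window, then reports the tcp/445 destinations that source contacted from the start of the sweep onwards.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address


def build_sample_flows():
    """Constructed flow records (timestamp, src, dst, proto, dst_port).
    ICMP flows carry port 0. Addresses are made up for this example."""
    base = datetime(2020, 5, 20, 3, 0, 0)
    flows = []
    # infected host pings 120 neighbours in two minutes (a real /16 sweep is
    # thousands of destinations; the threshold below is deliberately lower)
    for i in range(1, 121):
        flows.append((base + timedelta(seconds=i), "10.20.5.15", f"10.20.0.{i}", "icmp", 0))
    # then opens SMB sessions to the hosts that answered
    for i, host in enumerate(("10.20.0.7", "10.20.0.33", "10.20.0.88")):
        flows.append((base + timedelta(seconds=200 + i), "10.20.5.15", host, "tcp", 445))
    # benign workstation: one ping and normal file-server traffic
    flows.append((base, "10.20.5.40", "10.20.0.10", "icmp", 0))
    flows.append((base + timedelta(seconds=5), "10.20.5.40", "10.20.0.10", "tcp", 445))
    return flows


def detect_sweep_then_smb(flows, min_targets=50, window=timedelta(minutes=5)):
    """Per source: sliding-window count of distinct ICMP destinations. A source
    that reaches `min_targets` inside `window` is a sweep; its tcp/445
    connections from the sweep start onwards are reported as follow-on
    share enumeration. Returns {src: {"icmp_targets": n, "smb_targets": [...]}}."""
    by_src = defaultdict(list)
    for rec in sorted(flows):           # chronological order per source
        by_src[rec[1]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        icmp = [(ts, dst) for ts, _, dst, proto, _ in recs if proto == "icmp"]
        sweep_start = None
        left = 0
        for right in range(len(icmp)):
            while icmp[right][0] - icmp[left][0] > window:
                left += 1           # slide the window forward
            if len({dst for _, dst in icmp[left:right + 1]}) >= min_targets:
                sweep_start = icmp[left][0]
                break
        if sweep_start is None:
            continue
        smb = {dst for ts, _, dst, proto, port in recs
               if proto == "tcp" and port == 445 and ts >= sweep_start}
        findings[src] = {
            "icmp_targets": len({dst for _, dst in icmp}),
            "smb_targets": sorted(smb, key=ip_address),
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_sweep_then_smb(build_sample_flows()).items():
        print(src, "swept", info["icmp_targets"], "hosts, then SMB to", info["smb_targets"])
```

On real NetFlow or Zeek conn logs the same shape works, but the ICMP threshold has to sit above what monitoring and vulnerability scanners legitimately produce, which is why the source of the sweep, not just the count, should be compared against an allow-list of known scanners.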

At this point, the malware completed its ransom of the one system, leaving the note shown below.

Lockbit created the following reg keys:

Lockbit Support Page:

This ransomware family uses a website with live chat functionality, as opposed to previous families we investigated, which mostly relied on email contact.

The Lockbit actors initially stated that recovery would cost 5,500 USD, but eventually dropped it to 3,000 USD through negotiation.

IOCs:

All IOCs in MISPPriv 68116/5edce867-5e68-497a-b0f0-4192950d210f

185.86.76.30 – key log exfil

165.231.142.36 – RDP login source

svchost.exe
27772574d00fef60de5251b2438db57b3a2645bd70e4aab13c84894844ba173f
ce4614fe2e01c8e4feaf7c79c6a1c70697d89cd3
50f8f376d4b53027920f2a6fa5845efb


Dropped executable file C:\Users\admin\AppData\Roaming\svchost.exe

https://app.any.run/tasks/b4b9f9ac-64e9-43ad-8521-482f25bfb681/

9689A16B72D48DAB.exe
f173904cf7d15c9c52f22813cb846814f9292227f4321d497cbf14adc05151f4
51b88dbb3d241709c25943928fefc1b1909768df
5b741c6abf44d2eecd853addeafdcf24

https://app.any.run/tasks/e52865be-167e-4b51-b5f8-8cf9e9415e22/

screensaver.exe
c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68
d378ce237e83314c9844b4e6ce4867e2783737db
f9073cc6566ba11318b425a761f1ce17

https://app.any.run/tasks/5ee821d9-d8c0-418c-ba14-d47567e9a0a0

YARA

/*
YARA Rule Set
Author: DFIR Report
Date: 2020-06-10
Identifier: Lockbit
Reference: https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/
*/

/* Rule Set ----------------------------------------------------------------- */

import "pe"

rule screensaver_desktop_locker {
    meta:
        description = "exe - file screensaver.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/"
        date = "2020-06-10"
        hash1 = "c3ec60b8052e31db149c35080afea5b57b1e8a034386555d12035eb5edefdd68"
    strings:
        $x1 = "<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" language=\"*\" processorArchitec" ascii
        $s2 = "<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" language=\"*\" processorArchitec" ascii
        $s3 = "Desktop_Locker.exe" fullword wide
        $s4 = "KeyEx~+" fullword ascii
        $s5 = "xkernel32" fullword ascii
        $s6 = "re=\"*\" publicKeyToken=\"6595b64144ccf1df\"></assemblyIdentity>" fullword ascii
        $s7 = "_logb'yn=d" fullword ascii
        $s8 = "ComplPe " fullword ascii
        $s9 = "tNhitmP" fullword ascii
        $s10 = "RUNpKI;" fullword ascii
        $s11 = ".UserObjectInform1Wf;" fullword ascii
        $s12 = "QUNICOD" fullword ascii
        $s13 = "LPTX999" fullword ascii
        $s14 = "allsig" fullword ascii
        $s15 = "xaqfwd" fullword ascii
        $s16 = "Gpm* YN" fullword ascii
        $s17 = "6VVhU\\ " fullword ascii
        $s18 = "#G3;\\0ANIi7j\\" fullword ascii
        $s19 = "UnkJwn excz`>o" fullword ascii
        $s20 = "dfgxA v" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and
        ( pe.imphash() == "3fdb0650e8607422d0624242575f61f2" or ( 1 of ($x*) or 4 of them ) )
}

rule HAKOPS_keylogger_15 {
    meta:
        description = "HAKOPSA keylogger 15 exe - file svchost.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/"
        date = "2020-06-10"
        hash1 = "27772574d00fef60de5251b2438db57b3a2645bd70e4aab13c84894844ba173f"
    strings:
        $x1 = "A*\\AF:\\Projelerim\\HAKOPS Keylogger\\v15\\Server\\hk15sw.vbp" fullword wide
        $s2 = "FC:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VBA6.dll" fullword ascii
        $s3 = "HAKOPS Keylogger 15 - KAYITLAR - [" fullword wide
        $s4 = "HAKOPS Keylogger 15 - SERVER AKTIF EDILDI - [" fullword wide
        $s5 = "C:\\Windows\\SysWOW64\\msvbvm60.dll\\3" fullword ascii
        $s6 = "<td><span style=\"color:#3C87AF;\">HAKOPS Keylogger 15</span></td>" fullword ascii
        $s7 = "00\">HAKOPS Keylogger</p></td>" fullword ascii
        $s8 = "<title>HAKOPS Keylogger 15</title>" fullword ascii
        $s9 = "http://schemas.microsoft.com/cdo/" fullword wide
        $s10 = "<!-- Identify the application security requirements: Vista and above -->" fullword ascii
        $s11 = "\\TeamViewer\\Connections.txt" fullword wide
        $s12 = "o en el password " fullword wide
        $s13 = "C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB" fullword ascii
        $s14 = "<td><p style=\"color:#ffffff;font-family:Arial,Helvetica,sans-serif;font-size:18px;margin-left:30px;font-weight:700\">HAKOPS Key" ascii
        $s15 = "\\TeamViewer Baglanti Listesi.txt" fullword wide
        $s16 = "configuration/smtpauthenticate" fullword wide
        $s17 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName" fullword wide
        $s18 = "regread" fullword wide
        $s19 = "ScreenShot.jpg" fullword wide
        $s20 = " <b><font color='DarkGreen'>" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and
        ( pe.imphash() == "692042adb1ddf54508674aa2ffb4c50b" or ( 1 of ($x*) or 4 of them ) )
}

rule sig_9689A16B72D48DAB_lockbit_ransomware {
    meta:
        description = "exe - file 9689A16B72D48DAB.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/"
        date = "2020-06-10"
        hash1 = "f173904cf7d15c9c52f22813cb846814f9292227f4321d497cbf14adc05151f4"
    strings:
        $s1 = "y /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 \"%s\" & Del /f /q \"%s\"" fullword wide
        $s2 = "# lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site" fullword ascii
        $s3 = "| 1. Open link http://lockbit-decryptor.com/?" fullword ascii
        $s4 = "| 1. Download Tor browser - https://www.torproject.org/ and install it." fullword ascii
        $s5 = "BackupExecDiveciMediaService" fullword ascii
        $s6 = "BackupExecRPCService" fullword ascii
        $s7 = "BackupExecManagementService" fullword ascii
        $s8 = "Killed process: %s [pid: %ld]" fullword ascii
        $s9 = "# Tor Browser user manual https://tb-manual.torproject.org/about" fullword ascii
        $s10 = "BackupExecAgentBrowser" fullword ascii
        $s11 = "BackupExecAgentAccelerator" fullword ascii
        $s12 = "BackupExecVSSProvider" fullword ascii
        $s13 = "BackupExecJobEngine" fullword ascii
        $s14 = "Debug Privilege: OK" fullword ascii
        $s15 = "2) Through a Tor Browser - recommended" fullword ascii
        $s16 = "Getting session keys from registry" fullword ascii
        $s17 = "Process created with limited rights" fullword ascii
        $s18 = "| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?" fullword ascii
        $s19 = "# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VP" ascii
        $s20 = "Simply.SystemTrayIcon" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and
        ( pe.imphash() == "11966c50203457b60a57ef0419cb4ef9" or 8 of them )
}