Lockbit v3, also known as Lockbit Black, surfaced in June 2022. In September 2022 its builder leaked, making it possible to generate custom ransomware builds: anyone holding the builder could tailor the ransomware to their own needs, which led to the emergence of diverse variants.

@protonleaks and @ali_qushji, two X users who have both since been banned, distributed the files needed to build distinct Lockbit Black ransomware strains, as Kaspersky researchers note in an updated analysis.

The builder had previously been analyzed by Sophos and VMware as well.

Analysis of timestamps revealed discrepancies between the two leaked copies of builder.exe. The version from protonleaks carries a compilation date of 2022/09/09, while the ali_qushji version was compiled on 2022/09/13. A comparable timestamp difference was found in the malware's template binaries, the preliminary forms from which the final distributed variant is built. Kaspersky's analysis elaborates on this discrepancy.
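To show how a compilation date like the two compared above is read off a binary, here is an added example (not Kaspersky's tooling and not code from the page) that pulls TimeDateStamp out of the COFF file header and flags values that cannot be taken at face value. The PE images it parses are constructed stubs carrying the two dates quoted above, not the leaked builders themselves.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_LEN = 20


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch).

    The DOS header stores the file offset of the PE header at 0x3C
    (e_lfanew); after the 4-byte "PE\\0\\0" signature comes the COFF file
    header, whose third field (offset 8, 32-bit little-endian) is
    TimeDateStamp. Bounds are checked so a truncated or crafted file raises
    instead of reading out of range.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + COFF_HEADER_LEN > len(data):
        raise ValueError("e_lfanew points past the end of the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def describe_timestamp(ts: int, now: Optional[datetime] = None) -> str:
    """Format a TimeDateStamp the way the analysis quotes it (YYYY/MM/DD),
    flagging values that cannot be trusted as build dates."""
    if ts == 0:
        return "zeroed (stripped or cleared by the builder)"
    now = now or datetime.now(timezone.utc)
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    if dt > now:
        # Reproducible builds (MSVC /Brepro) store a hash in this field, and a
        # linker timestamp can be forged outright; both show up as future dates.
        return f"{dt:%Y/%m/%d} (in the future: reproducible-build hash or forged)"
    return f"{dt:%Y/%m/%d}"


def build_stub_pe(ts: int) -> bytes:
    """Constructed test input: a minimal MZ + PE + COFF header skeleton with
    the given TimeDateStamp. This is not a real LockBit binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0, 0x0022)
    return bytes(dos) + PE_SIGNATURE + coff


def compile_delta_days(first: bytes, second: bytes) -> float:
    """Days between the compile timestamps of two PE images."""
    return (pe_timestamp(second) - pe_timestamp(first)) / 86400


# The two dates quoted in the text, used to build the two constructed stubs.
PROTONLEAKS_TS = int(datetime(2022, 9, 9, tzinfo=timezone.utc).timestamp())
ALI_QUSHJI_TS = int(datetime(2022, 9, 13, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    a, b = build_stub_pe(PROTONLEAKS_TS), build_stub_pe(ALI_QUSHJI_TS)
    for name, blob in (("protonleaks builder.exe", a), ("ali_qushji builder.exe", b)):
        print(f"{name}: {describe_timestamp(pe_timestamp(blob))}")
    print(f"delta: {compile_delta_days(a, b):.0f} days")
```

The field is written by the linker and fully under the builder's control, so a timestamp difference like the one above is corroboration for two distinct builds, not proof on its own.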

Shortly after the builder leaked, Kaspersky experts encountered a Lockbit 3 variant during an incident response. Rather than pointing victims to the Lockbit group's established negotiation platform, this variant used a different ransom note.

The ransom note gave payment details for obtaining decryption keys and directed communications to a Tox contact and an email address. The note attributed the attack to a previously unknown entity, NATIONAL HAZARD AGENCY.

Kaspersky's analysis covered 396 Lockbit Black samples. The majority, 312, had been produced with the leaked builder. The researchers also found samples generated by other, unidentified builders in June and July 2022. Many of the detected samples used the builder's default parameters, with only a subset showing minor adjustments, which suggests that some were built in a hurry or by less careful threat actors.

Most samples were configured to encrypt local disks and network shares while skipping hidden folders, and the system shutdown option was disabled.

In terms of deployment, 90% of the samples were configured to spread across the network via PsExec and 72% via GPO. Only a small subset of samples were configured to communicate with a command and control (C2) server.
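The comparison against builder defaults and the deployment statistics in the last three paragraphs can be reproduced once a configuration has been extracted from each sample. The following is an added example, not Kaspersky's tooling; the field names and the ten-sample set are assumptions constructed for it, not values taken from the page or from the builder.

```python
from typing import Any, Dict, List, Tuple

# Builder defaults for the settings the text discusses. The key names are an
# assumption made for this example (the page does not quote them); a real
# triage script would take them from the builder's own configuration file.
BUILDER_DEFAULTS: Dict[str, Any] = {
    "local_disks": True,          # encrypt local disks
    "network_shares": True,       # encrypt network shares
    "skip_hidden_folders": True,  # leave hidden folders alone
    "shutdown_system": False,     # do not shut the system down
    "psexec_netspread": True,     # spread via PsExec
    "gpo_netspread": True,        # spread via GPO
    "send_report": False,         # report to C2
}


def diff_from_defaults(config: Dict[str, Any],
                       defaults: Dict[str, Any] = BUILDER_DEFAULTS) -> Dict[str, Tuple[Any, Any]]:
    """Fields where a sample's extracted configuration departs from the
    defaults, as {field: (default, observed)}. Fields the extractor did not
    report are left out rather than counted as changes."""
    return {k: (v, config[k]) for k, v in defaults.items()
            if k in config and config[k] != v}


def summarize(samples: List[Dict[str, Any]],
              defaults: Dict[str, Any] = BUILDER_DEFAULTS) -> Dict[str, Any]:
    """Aggregate a sample set the way the analysis reports it: how many builds
    are untouched defaults, how many show only minor tweaks, and what share
    enables each deployment and C2 option."""
    n = len(samples)
    if n == 0:
        raise ValueError("no samples")
    n_changed = [len(diff_from_defaults(s, defaults)) for s in samples]

    def pct(field: str) -> float:
        return round(100.0 * sum(1 for s in samples if s.get(field)) / n, 1)

    return {
        "total": n,
        "unmodified": sum(1 for c in n_changed if c == 0),
        "minor_adjustments": sum(1 for c in n_changed if 1 <= c <= 2),
        "heavily_customized": sum(1 for c in n_changed if c >= 3),
        "psexec_netspread_pct": pct("psexec_netspread"),
        "gpo_netspread_pct": pct("gpo_netspread"),
        "send_report_pct": pct("send_report"),
    }


def _cfg(**overrides: Any) -> Dict[str, Any]:
    """Constructed sample configuration: builder defaults plus overrides."""
    c = dict(BUILDER_DEFAULTS)
    c.update(overrides)
    return c


# Constructed sample set (not real samples): ten extracted configurations.
SAMPLES: List[Dict[str, Any]] = [
    _cfg(), _cfg(), _cfg(),
    _cfg(gpo_netspread=False),
    _cfg(gpo_netspread=False, send_report=True),
    _cfg(psexec_netspread=False, gpo_netspread=False, shutdown_system=True),
    _cfg(),
    _cfg(send_report=True),
    _cfg(),
    _cfg(skip_hidden_folders=False),
]

if __name__ == "__main__":
    for i, s in enumerate(SAMPLES, 1):
        print(f"sample {i:2d}: {diff_from_defaults(s) or 'builder defaults'}")
    print(summarize(SAMPLES))
```

The untouched-defaults bucket is the interesting one for attribution: a build that changes nothing, not even the ransom note contact details, is exactly the hurried or careless deployment the paragraph above describes.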


Indicators of Compromise

Description   Type    Hash
Builder file  MD5     c2bc344f6dde0573ea9acdfb6698bf4c
Builder file  SHA1    d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
Builder file  SHA256  a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
Keygen file   MD5     71c3b2f765b04d0b7ea0328f6ce0c4e2
Keygen file   SHA1    bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4
Keygen file   SHA256  ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37
Resource 100  MD5     4d388f95a81f810195f6a8dfe86be755
Resource 100  SHA1    cb6fdb25a15b7797890fadc2b823984f93da5368
Resource 100  SHA256  cc3d006c2b963b6b34a90886f758b7b1c3575f263977a72f7c0d1922b7feab92
Resource 101  MD5     87308ec0a44e79100db9dbec588260ec
Resource 101  SHA1    939ff7e5eeaccb0c2f4ee080a8e403e532b6317a
Resource 101  SHA256  03b8472df4beb797f7674c5bc30c5ab74e8e889729d644eb3e6841b0f488ea95
Resource 103  MD5     4655a7ac60ed48df9b57648db2f567ef
Resource 103  SHA1    02ea524429ba2aefac63fed27e924ab3659f8c00
Resource 103  SHA256  a0db5cff42d0ee0de4d31cff5656ed1acaa6b0afab07d19f9f296d2f72595a56
Resource 106  MD5     23a30838502f5fadc97e81f5000c4190
Resource 106  SHA1    9c1142122370c9b28b13aa147c6e126b3be50845
Resource 106  SHA256  ae993930cb5d97caa5a95b714bb04ac817bcacbbf8f7655ec43e8d54074e0bd7

MITRE ATT&CK

  Technique  Name                                Description
Execution (TA0002)
  T1559.001  Component Object Model              Used for deleting volume shadow copies
  T1106      Native API                          Extensive use of Windows native API calls
  T1047      Windows Management Instrumentation  Used for deleting volume shadow copies
Persistence (TA0003)
  T1547.001  Registry Run Keys / Startup Folder  If started in safe mode, sets a registry key to start on the next normal boot
Privilege Escalation (TA0004)
  T1134.001  Token Impersonation/Theft           Starts processes with a known token in order to duplicate tokens
Defense Evasion (TA0005)
  T1562.001  Disable or Modify Tools             Stops and deletes Windows security services
  T1562.002  Disable Windows Event Logging       Stops and deletes the service responsible for event logging
  T1562.004  Disable or Modify System Firewall   Stops and deletes the Windows Firewall service
  T1562.009  Safe Mode Boot                      Changes behaviour if booted in safe mode
  T1078.001  Default Accounts                    Attempts to log in with default admin credentials
Discovery (TA0007)
  T1083      File and Directory Discovery        Traverses mounted disks and the file system
  T1135      Network Share Discovery             Traverses all shared network resources
  T1120      Peripheral Device Discovery         Locates removable storage devices
  T1057      Process Discovery                   Looks for specific processes to stop
  T1018      Remote System Discovery             Locates the domain controller and DNS server
  T1082      System Information Discovery        Gets specific information about the operating system
Lateral Movement (TA0008)
  T1021.002  SMB/Windows Admin Shares            Uses valid accounts to interact with remote network shares
Command and Control (TA0011)
  T1071.001  Web Protocols                       Uses HTTP to communicate with the C2
  T1573      Encrypted Channel                   C2 traffic over TLS 1.2
Exfiltration (TA0010)
  T1041      Exfiltration Over C2 Channel        Sends basic system information in a POST request
Impact (TA0040)
  T1485      Data Destruction                    Recycle bin and shadow copies are deleted
  T1486      Data Encrypted for Impact           Ransomware encryption
  T1491.001  Internal Defacement                 Desktop wallpaper changed