Kaspersky Lab's technical analysis of Lockbit v3 Builder
Lockbit v3 (also known as Lockbit Black), surfaced in June 2022. However, September 2022 saw the leakage of its builder, enabling the creation of custom ransomware versions. The builder’s availability empowered any individual to tailor the ransomware, leading to the emergence of diverse variants.
@protonleaks and @ali_qushji, X users who were both banned, disseminated the necessary files to fabricate distinct Lockbit Black ransomware strains, as indicated by Kaspersky researchers in an updatet analysis.
In fact, the builder was previously analyzed also by Sophos and VMWare.
Analysis of timestamps highlighted disparities in the leaked binary builder.exe. The version from protonleaks indicated a compilation date of 2022/09/09, while the ali_qushji version was compiled on 2022/09/13. A comparable timestamp variance was identified in the malware’s template binaries, preliminary forms used to construct the final distributed variant. Kaspersky’s analysis elaborates on this discrepancy.
Shortly following the builder’s leak, Kaspersky experts identified a Lockbit 3 ransomware variant in an incident response. Unlike the Lockbit group’s established negotiation platform, this variant employed an alternate ransom note strategy.
The ransom note provided payment details for decryption keys and directed communications towards a Tox service and email. This specific variant attributed its actions to a previously unknown entity, NATIONAL HAZARD AGENCY.
Kaspersky’s comprehensive analysis covered 396 samples of Lockbit Black. The majority, 312 samples, were a result of the leaked builder’s exploitation. Additionally, researchers detected samples generated by other unidentified builders in June and July 2022. Researchers noted that numerous detected parameters aligned with the builder’s default settings. However, only a subset displayed minor adjustments. This observation indicated that certain samples were possibly created urgently or by less diligent threat actors.
The encryption behaviour of most samples encompassed local disks and network shares, with avoidance of hidden folders. Moreover, the system shutdown option was deliberately disabled.
In terms of deployment methods, 90% of the samples were configured for network deployment through PSEXEC, while 72% were set up for deployment via GPO. A limited subset of samples allowed communication to a C2 (command and control) entity.
Indicators of Compromise
| HASH | Description |
|---|---|
| c2bc344f6dde0573ea9acdfb6698bf4c | MD5 Builder File |
| d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 | SHA1 Builder File |
| a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db | SHA256 Builder File |
| 71c3b2f765b04d0b7ea0328f6ce0c4e2 | MD5 keygen File |
| bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4 | SHA1 keygen file |
| ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37 | SHA256 keygen file |
| 4d388f95a81f810195f6a8dfe86be755 | MD5 Resource 100 |
| cb6fdb25a15b7797890fadc2b823984f93da5368 | SHA1 Resource 100 |
| cc3d006c2b963b6b34a90886f758b7b1c3575f263977a72f7c0d1922b7feab92 | SHA256 Resource 100 |
| 87308ec0a44e79100db9dbec588260ec | MD5 Resource 101 |
| 939ff7e5eeaccb0c2f4ee080a8e403e532b6317a | SHA1 Resource 101 |
| 03b8472df4beb797f7674c5bc30c5ab74e8e889729d644eb3e6841b0f488ea95 | SHA256 Resource 101 |
| 4655a7ac60ed48df9b57648db2f567ef | MD5 Resource 103 |
| 02ea524429ba2aefac63fed27e924ab3659f8c00 | SHA1 Resource 103 |
| a0db5cff42d0ee0de4d31cff5656ed1acaa6b0afab07d19f9f296d2f72595a56 | SHA256 Resource 103 |
| 23a30838502f5fadc97e81f5000c4190 | MD5 Resource 106 |
| 9c1142122370c9b28b13aa147c6e126b3be50845 | SHA1 Resource 106 |
| ae993930cb5d97caa5a95b714bb04ac817bcacbbf8f7655ec43e8d54074e0bd7 | SHA256 Resource 106 |
MITRE ATT&CK
| Tactic | ID | Name | Description |
|---|---|---|---|
| Execution TA0002 | T1559.001 | Component Object Model | Used for deleting volume shadow copies |
| T1106 | Native API | Copious use of Windows Native API calls | |
| T1047 | WMI | Used for deleting volume shadow copies | |
| Persistence TA0003 | T1547.001 | Registry Run Keys | If started in safe mode, sets registry to start on next normal boot. |
| Privilege Escalation TA0004 | T1134.001 | Token Impersonation | Starts processes with known token with the purpose of duplicating tokens. |
| Defense Evasion TA0005 | T1562.001 | Disable or Modify Tool | Stops and deletes Windows Security Services |
| T1562.002 | Disable Windows Event Logging | Stops and deletes service responsible for event logging | |
| T1562.004 | Disable system firewall | Stops and deletes service for Windows Firewall. | |
| T1562.009 | Safe Mode Boot | Changes behavior if booted in safe mode. | |
| T1078.001 | Default Accounts | Attempts to login with default admin credentials | |
| Discovery TA0007 | T1083 | File and Directory Discovery | Traverses mounted disks and file system |
| T1135 | Network Share Discovery | Traverses all shared network resources | |
| T1120 | Peripheral Device Discovery | Locates removable storage devices | |
| T1057 | Process Discovery | Looks for specific processes to stop | |
| T1018 | Remote System Discovery | Locates domain controller and DNS server | |
| T1082 | System Information Discovery | Gets specific information about the operating system | |
| Lateral Movement TA0008 | T1021.002 | Windows Admin Shares | User of valid accounts to interact with remote network shares |
| Command and Control TA0011 | T1071.001 | Web Protocols | Uses HTTP to communicate with C2 |
| T1573 | Encrypted channel | TLS 1.2 | |
| Exfiltration TA0010 | T1041 | Exfiltration Over C2 Channel | Sends basic system information in POST request |
| Impact TA0040 | T1485 | Data Destruction | Recycle bin and shadow copies are deleted |
| T1486 | Data Encrypted for Impact | Ransomware | |
| T1491.001 | Internal Defacement | Desktop changed |