EXECUTIVE SUMMARY
LockBit is a relatively new ransomware family, first seen in September 2019. Its developers run it as a service: third-party affiliates distribute the ransomware by whatever means they choose, and once an environment is infected the victim is directed to a payment site operated by the developers.
Once inside a corporate network, the operators can use LockBit to encrypt hundreds of devices in just a few hours.
LockBit threatens to leak the data of their victims to extort payments.
The ransomware itself also includes several technical improvements that show LockBit's developers are climbing the ransomware learning curve, among them an interesting technique for circumventing Windows User Account Control (UAC).
Metadata


The file's version metadata claims it comes from 'Microsoft', an attempt to look legitimate and safe.
Another indicator is the unusually high entropy of the executable's sections when measured statically: the '.text' section in particular is close to the 8 bits per byte of random data, which suggests the real payload is stored there in compressed or encrypted form and unpacked only at run time. This is done to evade traditional, signature-based AV scanning of the file on disk, since the bytes on disk match no known signature until the payload has been unpacked in memory.
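The section-entropy check described above is easy to reproduce. The following is an added example, not code from the original analysis or from Cynet: it parses the PE section table by hand (no pefile dependency), computes the Shannon entropy of each section's raw on-disk bytes, and flags sections at or above 7.0 bits/byte as probably packed. The 7.0 threshold is an assumption, and the minimal PE the example builds is a constructed sample for the check to run against; it is not the LockBit binary and is not an executable program.

```python
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits/byte (assumed); ordinary x86 code usually measures well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_entropies(pe: bytes) -> dict:
    """Walk the PE section table and return {section_name: (entropy, raw_size)}.

    Minimal parser: DOS header -> e_lfanew -> COFF header -> 40-byte section headers.
    Only the raw on-disk bytes of each section are measured, which is what a
    disk-scanning AV engine sees.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_hdr_size, = struct.unpack_from("<H", pe, coff + 16)
    first_section = coff + 20 + opt_hdr_size
    result = {}
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, first_section + i * 40)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        result[name] = (shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), raw_size)
    return result


def packed_sections(pe: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of non-empty sections whose entropy is at or above the threshold."""
    return [name for name, (h, size) in pe_section_entropies(pe).items()
            if size and h >= threshold]


def build_sample_pe() -> bytes:
    """Constructed sample (not a real executable, not the LockBit binary): a minimal PE
    whose .text is pseudo-random, as a compressed or encrypted payload would look,
    and whose .data is all zeros."""
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(0x1000))
    data = bytes(0x1000)

    def section_header(name, rva, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, rva, 0x1000, raw_ptr, 0, 0, 0, 0, flags)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, no optional header
    headers = (bytes(dos) + b"PE\0\0" + coff
               + section_header(b".text", 0x1000, 0x200, 0x60000020)
               + section_header(b".data", 0x2000, 0x1200, 0xC0000040))
    return headers + bytes(0x200 - len(headers)) + text + data


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, (h, size) in pe_section_entropies(sample).items():
        print(f"{name:<8} size=0x{size:x} entropy={h:.2f}")
    print("likely packed:", packed_sections(sample))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `packed_sections`; a high-entropy `.text` combined with a tiny import table is the classic packer signature, while a high-entropy `.rsrc` more often just means embedded compressed resources.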

Attack Flow
Once the file is executed, the following flow will take place:

The file scans the local network and attempts an SMB connection (TCP port 445) to every host it finds, in order to copy itself across the internal network.

A DllHost.exe (COM surrogate) process, which in turn spawns an svchost.exe instance, is started with the following command line to bypass the User Account Control prompt that would otherwise be needed:
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
The CLSID is that of the CMSTPLUA COM object, whose ICMLuaUtil interface auto-elevates; this is the UAC bypass commonly referred to as the CMSTP method:

The 'backup.exe' file then executes the payload, which encrypts most of the user's files and changes their extension to '.lockbit':

Immediately afterwards, a ransom note named 'Restore-My-Files.txt' is dropped into several folders on the host:


A new instance of cmd.exe is launched to execute the following commands:
/c wevtutil cl application
/c wevtutil cl security
These commands clear the Application and Security event logs, which hold the records of logon/logoff activity and the other security-relevant events selected by the system's audit policy and by applications. The attacker hides their tracks to hinder later forensic work by the IT/security team. Note that clearing the Security log is itself recorded: Windows writes event ID 1102 ("The audit log was cleared") to the Security log, so a SIEM that forwards events in near real time still sees both that event and everything collected before the wipe.
Persistence Technique
To keep the malicious file on the user's host, the payload creates a registry key that executes the file every time the host starts up.
Erasing Backup Copies
While the files are being encrypted and the note is dropped, another cmd.exe instance is launched to delete the Volume Shadow Copies and the backup catalog using vssadmin.exe and wmic.exe, so that the system cannot be recovered from them, and to run bcdedit.exe so that the boot status policy ignores failed boots and shutdowns and Windows Automatic Repair is disabled, which keeps the recovery environment from being offered to the user.
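The artifacts in the attack flow above (the DllHost.exe CMSTPLUA launch, the wevtutil log clearing, the startup registry entry, the vssadmin/wmic/bcdedit recovery tampering and the SMB sweep of the local network) are all visible in ordinary endpoint telemetry such as Sysmon process-creation (ID 1) and network-connection (ID 3) events. The following detector is an added example and is not Cynet's or ThreatFortress's detection logic: the rules, the ten-host threshold for calling a burst of port-445 connections a scan, the CurrentVersion\Run form of the persistence entry (the page does not name the key) and the sample events are assumptions constructed for illustration, with the tool command lines written in the typical forms these commands take rather than copied from the sample.

```python
import re
from collections import defaultdict

# CLSID of the CMSTPLUA COM object (its ICMLuaUtil interface auto-elevates),
# as seen in the DllHost.exe command line in the attack flow above.
CMSTPLUA_CLSID = "3e5fc7f9-9a51-4367-9063-a120244fbec7"

# Each rule is applied to the lower-cased command line of a process-creation event.
PROCESS_RULES = {
    "uac_bypass_cmstplua": re.compile(
        r"dllhost\.exe\s+/processid:\{" + CMSTPLUA_CLSID + r"\}"),
    "eventlog_clear": re.compile(
        r"\bwevtutil(\.exe)?\s+cl\s+(application|security|system)\b"),
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
        r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b"
        r"|\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    "recovery_disable": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\b.*?"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    # Assumption: persistence is written as a CurrentVersion\Run value.
    "run_key_persistence": re.compile(
        r"\breg(\.exe)?\s+add\s+.*?\\currentversion\\run\b"),
}

SMB_SCAN_MIN_HOSTS = 10  # distinct peers on tcp/445 from one process before it counts as a scan (assumed)


def detect(events):
    """Return [(rule, ts, detail)] over event dicts of two kinds (modelled on Sysmon 1 and 3):
    process_create: ts, pid, image, parent_image, cmdline
    network_connect: ts, pid, image, dst_ip, dst_port"""
    hits = []
    smb_peers = defaultdict(set)  # (image, pid) -> distinct dst_ip contacted on 445
    for ev in events:
        if ev["event"] == "process_create":
            cmd = ev["cmdline"].lower()
            for rule, rx in PROCESS_RULES.items():
                if rx.search(cmd):
                    hits.append((rule, ev["ts"], ev["cmdline"]))
        elif ev["event"] == "network_connect" and ev["dst_port"] == 445:
            key = (ev["image"], ev["pid"])
            smb_peers[key].add(ev["dst_ip"])
            if len(smb_peers[key]) == SMB_SCAN_MIN_HOSTS:  # fire once, on the Nth distinct host
                hits.append(("smb_lateral_scan", ev["ts"],
                             f"{ev['image']} (pid {ev['pid']}) reached {SMB_SCAN_MIN_HOSTS} hosts on tcp/445"))
    return hits


def sample_events():
    """Constructed events following the attack flow described above; not real telemetry."""
    payload = r"C:\Users\victim\Downloads\backup.exe"
    cmd_exe = r"C:\Windows\System32\cmd.exe"

    def proc(ts, pid, image, parent, cmdline):
        return {"event": "process_create", "ts": ts, "pid": pid, "image": image,
                "parent_image": parent, "cmdline": cmdline}

    events = [
        proc("10:00:01", 4120, payload, r"C:\Windows\explorer.exe", payload),
        proc("10:00:05", 4180, r"C:\Windows\SysWOW64\DllHost.exe", r"C:\Windows\SysWOW64\svchost.exe",
             r"C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
        proc("10:02:10", 4300, cmd_exe, payload, "cmd.exe /c vssadmin delete shadows /all /quiet"),
        proc("10:02:11", 4304, cmd_exe, payload, "cmd.exe /c wmic shadowcopy delete"),
        proc("10:02:12", 4308, cmd_exe, payload, "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
        proc("10:02:13", 4312, cmd_exe, payload, "cmd.exe /c bcdedit /set {default} recoveryenabled no"),
        proc("10:02:14", 4316, cmd_exe, payload, "cmd.exe /c wbadmin delete catalog -quiet"),
        proc("10:02:20", 4320, r"C:\Windows\System32\reg.exe", payload,
             r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v backup /t REG_SZ /d " + payload),
        proc("10:05:00", 4400, cmd_exe, payload, "cmd.exe /c wevtutil cl application"),
        proc("10:05:01", 4404, cmd_exe, payload, "cmd.exe /c wevtutil cl security"),
        # benign noise: the user opening the ransom note
        proc("10:06:00", 4500, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
             "notepad.exe Restore-My-Files.txt"),
    ]
    # the payload sweeping the local /24 on tcp/445 (12 peers in quick succession)
    for i in range(1, 13):
        events.append({"event": "network_connect", "ts": f"10:00:{30 + i:02d}", "pid": 4120,
                       "image": payload, "dst_ip": f"10.0.0.{i}", "dst_port": 445})
    return events


if __name__ == "__main__":
    for rule, ts, detail in detect(sample_events()):
        print(f"{ts} {rule:<22} {detail}")
```

The command-line rules are deliberately narrow; for production use, pair them with the parent-process context (cmd.exe children of an unsigned binary in a user-writable path) and with the Security log's event ID 1102, which the log-clearing step cannot suppress.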

ThreatFortress Cynet360 VS LockBit
ThreatFortress Cynet360 detects and prevents this attack by using several mechanisms:
Anti-Virus/AI – This alert triggers when Cynet's AV/AI engine detects a malicious file that was loaded into memory.

Who is ChatFortress
ChatFortress is a leading cybersecurity company helping business owners protect their assets from cybercriminals. We provide companies with access to the latest technologies, social engineering and human behavioral strategies, and user education to create a proactive cybersecurity culture. Helping you fortify your business against cyberattacks.