LockBit 3.0 TTP Report
Analysis of TTPs used by LockBit 3.0 ransomware.
In this blog post, we will take a look at the TTPs (Tactics, Techniques and Procedures) from the MITRE ATT&CK framework that the LockBit 3.0 ransomware uses to compromise a victim's machine.
Note -
All the resources are listed in the Resources section. References to them are denoted by a bracketed number, e.g. [x], throughout the research below.
Different LockBit ransomware operators use a variety of techniques to infect victims. In this report, I have mentioned only those that researchers report as the most commonly used.
This is a non-technical report that covers only the TTPs used by the ransomware, not a reverse-engineering analysis of the code.
Here is the structure of the entire report for better understanding. Each heading level is associated with a colour.
Heading 1 - Main Topic
Heading 2 - Important sub-topic
Heading 3 - Different techniques related to sub-topic
LockBit 3.0 Executive Summary
LockBit first emerged in September 2019 as the ABCD ransomware (its former name) and has since been improved into one of the most prolific ransomware families today[1].
LockBit 3.0 ransomware (aka LockBit Black) is an evolution of the prolific LockBit ransomware-as-a-service (RaaS) family, which has roots that extend back to BlackMatter and related entities. After critical bugs were discovered in LockBit 2.0 in March 2022, the authors began work on updating their encryption routines and adding several new features designed to thwart researchers. In June 2022, LockBit 3 caught the interest of the media as the ransomware operators announced they were offering a bug bounty to researchers[2].
Another side of LockBit’s operations is its recruitment of and marketing to affiliates. It has been known to hire network access brokers, cooperate with other criminal groups (such as the now-defunct Maze), recruit company insiders, and sponsor underground technical writing contests to recruit talented hackers. Using such tactics, the LockBit group has built itself into one of the most professional organized criminal gangs in the criminal underground.
In today's era, ransomware gangs like LockBit operate in a more disciplined and fast-paced way than the average tech firm.
Below is the timeline of LockBit.
Initial Attack TTP Analysis
In this section, we are going to take a look at the TTPs (Tactics, Techniques and Procedures) that the LockBit 3.0 ransomware operators use in order to infect a host machine. To guide us, we will be taking references from the MITRE ATT&CK framework, especially the Enterprise technique section.
Note - Some of the techniques mentioned can be malicious and risky to simulate in an environment, so we will mark each of them as safe or unsafe accordingly.
Initial Access
The threat actor first gets an initial foothold via the different techniques mentioned below.
Phishing - T1566
Threat actors can use phishing to bypass perimeter controls such as firewalls and EDR and gain direct access to the victim's host machine.
Valid Accounts - T1078
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.
Stolen RDP Access - T1021.001
Most LockBit 3.0 operators leverage this technique, gaining access via RDP credentials that were already compromised by third-party threat actors and are offered for sale on various dark-net market sites.
Safety Report
All these techniques are safe to simulate. The best way to prevent them is proper anti-phishing training for employees and periodic credential rotation.
First Stage Exploitation
After getting an initial foothold on a victim machine, the attacker will follow these steps.
SocGholish - T1189
The initial delivery of the LockBit ransomware payload is typically handled by third-party frameworks like SocGholish[5], an initial access threat that leverages drive-by downloads masquerading as software updates.
PowerShell commands are also executed by the SocGholish malware to gather system and domain information.
Once executed, the download for Cobalt Strike Beacon will begin.
Cobalt Strike Beacons - S0154, T1059
After SocGholish runs, the Cobalt Strike beacons are side-loaded into the system through a malicious DLL that decrypts the payload onto the user's system. The beacons can then be leveraged to execute commands and load ransomware payloads.
Safety Report
The above-mentioned techniques are malicious. They can be marked as safe during simulation if the malicious files are properly wiped after the engagement. A properly configured and up-to-date AV will prevent these malicious files from being downloaded in the first place.
Persistence
Next, the first-stage malware, in this case SocGholish, will establish persistence so as not to lose access to the victim machines.
Boot or Logon Autostart Execution - T1547.001
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.
SocGholish uses the startup folder of the infected user to ensure execution at user logon. The shortcut file C:\Users\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\VGAuthService.lnk was created and configured to execute the following command, which runs the Cobalt Strike beacon deployed to the host:
Safety Report
The persistence techniques are malicious. They can be marked as safe during simulation if the malicious files are properly wiped after the engagement. If cleanup procedures are not implemented properly, the attacker can regain access after being kicked out, which can hurt us badly.
Defence Evasion - T1562.001, T1562.002
To evade defences, a batch script is deployed via PsExec.
The script is capable of uninstalling Sophos, disabling Windows Defender and terminating running services whose names contain specific strings.
The ransomware binary also clears or disables key Windows event logs, including Application, System and Security, and prevents any further events from being written by targeting the EventLog service.
Safety Report
Disabling defences on an endpoint is not ideal, as it can leave the victim machine vulnerable to other attack vectors. We will mark these techniques as unsafe.
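Detection logic for the behaviours in the Persistence and Defence Evasion sections above, written as an added Python example (not code from the original report or from any source it cites): a handful of rules run over constructed Windows event records. The event IDs (Sysmon 11 and 13; System 7045, 7040, 7036 and 104; Security 1102) and the Defender policy values are Windows' and Microsoft's own; the record field names follow the EVTX/Sysmon data names, while the sample records, paths and user names are constructed.

```python
# Added example (not from the original report): rule-based triage of Windows event records for the
# persistence and defence-evasion behaviours above. Records are dicts in the shape a SIEM produces
# from EVTX/Sysmon XML; "Log" names the channel a record came from. Sample records are constructed.
STARTUP_DIR = r"\start menu\programs\startup"     # per-user Startup folder (matched lower-cased)
RUN_KEY = r"\currentversion\run"                  # also covers RunOnce
DEFENDER_OFF = ("DisableAntiSpyware", "DisableRealtimeMonitoring")  # Microsoft policy values; 1 = off

SAMPLE_EVENTS = [  # a Startup .lnk drop, then a PsExec-run script killing Defender and the logs
    {"Log": "Sysmon", "EventID": 11, "Image": r"C:\Windows\System32\WScript.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VGAuthService.lnk"},
    {"Log": "System", "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Log": "Sysmon", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"Log": "System", "EventID": 7040, "param1": "Windows Event Log", "param2": "auto start", "param3": "disabled"},
    {"Log": "Security", "EventID": 1102, "SubjectUserName": "svc_backup"},
    {"Log": "System", "EventID": 104, "Channel": "Application", "SubjectUserName": "svc_backup"},
    {"Log": "Security", "EventID": 4624, "SubjectUserName": "jdoe"},   # benign logon: must not fire
]

def match(e):
    """Return the name of the rule an event trips, or None when it trips none."""
    log, eid = e.get("Log"), e.get("EventID")
    target = e.get("TargetFilename", "").lower()
    if log == "Sysmon" and eid == 11 and STARTUP_DIR in target and target.endswith(".lnk"):
        return "startup_folder_shortcut_created"
    if log == "Sysmon" and eid == 13:
        key = e.get("TargetObject", "")
        if RUN_KEY in key.lower():
            return "run_key_set"
        if key.endswith(DEFENDER_OFF) and "0x00000001" in e.get("Details", ""):
            return "defender_disabled_by_policy"
    if log == "System" and eid == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec_service_installed"
    if log == "System" and eid in (7036, 7040) and e.get("param1") == "Windows Event Log":
        return "eventlog_service_tampered"       # stopped (7036) or start type changed (7040)
    if (log, eid) == ("Security", 1102):
        return "security_log_cleared"            # "The audit log was cleared"
    if (log, eid) == ("System", 104):
        return "log_cleared:" + e.get("Channel", "?")   # Application/System/... log cleared
    return None

NON_EVASION_RULES = {"startup_folder_shortcut_created", "run_key_set", "psexec_service_installed"}

def triage(events):
    """Rule names in event order, plus True when three or more distinct evasion rules fire:
    the 'disable the defences, then wipe the evidence' chain described above."""
    hits = [r for r in map(match, events) if r]
    evasion = {h for h in hits if h not in NON_EVASION_RULES}
    return hits, len(evasion) >= 3
```

Feeding the constructed records through `triage` yields six rule hits and the chain flag; a lone Startup shortcut or a single cleared log does not raise the flag on its own.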
Further Enumeration - T1082, S0521, T1558.003
Now the threat actor will move toward gathering information about the target's environment.
BloodHound is executed after the initial SocGholish infection on the victim machines to gather information about the victim's domain environment. The output file is created in C:\ProgramData\.
There may also be an attempt to steal or forge Kerberos service tickets (TGS) for target SPNs in order to perform attacks like Kerberoasting.
Exfiltration - TA0010
Before deploying the ransomware to the network, the threat actor will begin to exfiltrate data via various mediums.
LockBit 3.0 TTP Analysis
Now that we have analyzed the first stage of exploitation used to load the ransomware, in this section we will focus solely on the TTPs (Tactics, Techniques and Procedures) of the LockBit 3.0 ransomware itself and on how it spreads and encrypts files across enterprise networks. To guide us, we will be taking references from the MITRE ATT&CK framework, especially the Enterprise technique section.
Note - Some of the techniques mentioned can be malicious and risky to simulate in an environment, so we will mark each of them as safe or unsafe accordingly.
Execution
After the Cobalt Strike beacons load the ransomware payload, it can be run using two techniques.
Command-Line Interface - T0807, T1140
Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments.
LockBit 3.0 payloads require a specific passphrase to execute. The passphrase is unique to each sample or campaign and serves to hinder dynamic and sandbox analysis if it has not been recovered along with the sample. Example command:
Encrypted content located in the LockBit 3.0 payload is decrypted at runtime using an XOR mask.
Scheduled Task/Job - T1053
The second method of executing the ransomware payload is abusing task scheduling functionality to facilitate initial or recurring execution of malicious code, so that the payload keeps running after reboot.
Safety Report
Both techniques are marked as unsafe but are important for simulating the attack. Extreme caution, a properly configured sandbox environment and a full backup of data are required before execution.
Privilege Escalation
By default, the ransomware payloads are designed to execute with administrative privileges. If they are not running with those privileges, the following techniques are used.
Bypass UAC - T1548.002
Adversaries may bypass UAC mechanisms to elevate process privileges on the system. Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. To learn more about UAC bypass refer to the resource[6].
Access Token Manipulation - T1134
Windows uses access tokens to determine the ownership of a running process. Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.
Persistence - T1547.001
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.
For instance, the following Registry keys can be used to set startup folder items for persistence.
Encryption
The encryption phase is extremely rapid, even when spreading to adjacent hosts. The ransomware payloads will be able to fully encrypt our test host in well under a minute. There are two techniques for encryption.
Symmetric Cryptography - T1573.001
Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.
After the encryption, the desktop wallpaper will be changed as below.
The extension appended to newly encrypted files will also differ per campaign or sample. For example, "HLJkNskOq" and "futRjC7nx". Both encrypted files and the ransom notes will be prepended with the campaign-specific string.
After opening the ransom note in Notepad, LockBit 3.0 victims are instructed to contact their attacker via a Tor-based "support" portal.
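As an added Python example (not part of the original report or of any tooling it describes), the following hunt over constructed file-rename telemetry picks out a campaign-specific extension of the kind described above: an unknown, random-looking extension landing on many files within a short window, together with the ransom note carrying the same string as a prefix. The thresholds and the `.README.txt` note-name pattern are assumptions, and all paths and timestamps are constructed.

```python
# Added example (not from the original report): hunt for a campaign-specific encryption
# extension in file-rename telemetry. LockBit 3.0 appends one random string per campaign
# (e.g. "HLJkNskOq") to every encrypted file and prepends the same string to its ransom note,
# so a new, random-looking extension shared by many files in a short window is the signal.
import re
from collections import defaultdict

KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "bak", "log", "tmp", "lnk", "exe"}
RANDOM_EXT = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{7,12}$")  # mixed-case alphanumeric
WINDOW_SEC, MIN_FILES = 60, 20    # assumptions: tune to the environment's normal rename rate

# Constructed telemetry (not real IoCs): (unix_timestamp, new_path) pairs from rename events.
ENCRYPTED = [(10 + i, rf"C:\Share\Finance\q{i % 4}_report_{i}.xlsx.HLJkNskOq") for i in range(30)]
NOISE = [(5, r"C:\Share\Finance\budget.xlsx.bak"), (12, r"C:\Users\jdoe\Documents\notes.txt.tmp")]
NOISE += [(3000 + 400 * i, rf"C:\Share\Old\file{i}.Kx9QpLmZa") for i in range(5)]  # random, but too few
NOTE = [(41, r"C:\Share\Finance\HLJkNskOq.README.txt")]   # note-name pattern is an assumption
SAMPLE_RENAMES = ENCRYPTED + NOISE + NOTE

def candidate_extensions(rename_events):
    """Return {ext: [paths]} for random-looking, unknown extensions that land on at least
    MIN_FILES files within any WINDOW_SEC span."""
    by_ext = defaultdict(list)
    for ts, path in sorted(rename_events):
        ext = path.rsplit(".", 1)[-1]
        if ext.lower() in KNOWN_EXTENSIONS or not RANDOM_EXT.match(ext):
            continue
        by_ext[ext].append((ts, path))
    flagged = {}
    for ext, items in by_ext.items():       # items are time-sorted; slide a window over them
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > WINDOW_SEC:
                start += 1
            if end - start + 1 >= MIN_FILES:
                flagged[ext] = [p for _, p in items]
                break
    return flagged

def ransom_notes(paths, ext):
    """Files whose name begins with the campaign string, e.g. 'HLJkNskOq.README.txt'."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].startswith(ext + ".")]

def hunt(rename_events):
    """Map each flagged extension to (encrypted file count, ransom note paths)."""
    paths = [p for _, p in rename_events]
    return {ext: (len(files), ransom_notes(paths, ext))
            for ext, files in candidate_extensions(rename_events).items()}
```

On the constructed data only "HLJkNskOq" is flagged: the five "Kx9QpLmZa" renames look just as random but are too few and too spread out to cross the threshold.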
Obfuscation - T1027
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is a common behaviour that can be used across different platforms and the network to evade defences.
Lateral Movement - TA0008
After infecting one host and enumerating the network, the ransomware moves laterally to the next target using techniques such as the following.
SMB Shares - T1021.002
Adversaries use valid account credentials to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
WMI - T1047
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access to specific hosts.
To learn more about lateral movement inside an enterprise network, refer to the resource[7].
Exfiltration - TA0010, T1567.002
Because of their broad legitimate usage, LockBit has been seen uploading stolen files via cloud storage tools like MEGA or FreeFileSync.
In some attacks, the StealBit malware was used instead to exfiltrate stolen files[8].
Additional Techniques
Now we will look at additional techniques LockBit 2.0 utilizes to exploit the victim host.
Credential Access
Before leveraging lateral movement and privilege escalation techniques, LockBit 3.0 uses traditional credential-gathering methods that help gain a foothold as highly privileged users on the same machine or another machine. Here are some of the tools and techniques used to gather credentials.
Mimikatz - S0002
Mimikatz is an excellent tool that helps a threat actor perform different post-exploitation techniques and dump credentials. We will now take a look at different credential dumping techniques.
Dumping Logon Passwords from LSASS - T1003.001
Mimikatz can be used to dump the credentials and NTLM hashes of users actively logged on to a machine.
Dumping Security Account Manager(SAM) Hashes - T1003.002
Mimikatz can also be used to dump the Security Account Manager (SAM). The SAM is a database file that contains the local accounts for the host, typically those listed by the "net user" command.
Alternatively, the SAM can be extracted from the Registry with these commands.
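Detection logic for the LSASS credential-dumping technique above, as an added Python example (not the report's own content and not Mimikatz code): it inspects constructed Sysmon Event ID 10 (ProcessAccess) records and flags processes that open lsass.exe with memory-read rights. The PROCESS_* constants are the Win32 access-mask values; the allowlist of processes that legitimately read LSASS memory is an assumption to tune per environment, and the sample records are constructed.

```python
# Added example (not from the original report): flag Sysmon Event ID 10 (ProcessAccess) records
# in which a non-allowlisted process opens lsass.exe with the rights a credential dumper needs.
# Mask bits are the Win32 PROCESS_* access rights; Sysmon reports GrantedAccess as a hex string.
PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0008, 0x0010, 0x0020

# Assumed allowlist of images that read LSASS memory legitimately on a typical host;
# tune per environment (an EDR or AV engine belongs here, an office macro host does not).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed telemetry (not real IoCs). The 0x1010 and 0x1410 masks (VM_READ plus query
# rights) are the values commonly seen when sekurlsa-style dumping reads LSASS memory.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},     # query only
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},   # allowlisted
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},     # reads LSASS
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},   # full access
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},           # not LSASS
]

def classify(e):
    """Return None for benign, else (severity, reason) for a suspicious LSASS handle."""
    if e.get("EventID") != 10 or not e.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    src = e.get("SourceImage", "").lower()
    if src in ALLOWLIST:
        return None
    access = int(e["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:          # cannot read memory, so cannot dump it
        return None
    if access & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION):
        return "high", f"{src} opened lsass.exe with read/write access 0x{access:x}"
    return "medium", f"{src} opened lsass.exe with read access 0x{access:x}"

def scan(events):
    """All suspicious (severity, reason) pairs in event order."""
    return [hit for hit in map(classify, events) if hit]
```

Of the five constructed records only the Downloads binary (medium, read-only mask 0x1410) and the PowerShell host (high, full access) are reported; the query-only, allowlisted and non-LSASS opens are dropped.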
Debugger Evasion - T1622
To hinder security researchers from reverse engineering the ransomware, the LockBit 3.0 developers have also implemented anti-debugging techniques.
Debugger evasion may include changing behaviours based on the results of the checks for the presence of artifacts indicative of a debugged environment. If the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.
Specific checks on the target involve Native API function calls like IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measure whether exceptions are raised in the current process. Debuggers can also be evaded by detaching the process or by flooding debug logs with meaningless data via messages produced by calling the OutputDebugStringW() API function in a loop.
Indicators Of Compromise
SHA256
f9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10
a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e
d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee
SHA1
ced1c9fabfe7e187dd809e77c9ca28ea2e165fa8
371353e9564c58ae4722a03205ac84ab34383d8c
c2a321b6078acfab582a195c3eaf3fe05e095ce0
.ONION domains
Resources
All the references to the resources are denoted by a bracketed number, i.e. [x], in the research above.