In this article, we will analyze LockBit 3.0 ransomware attack cases to show you how attacks similar to these cases can be prevented.

What is LockBit 3.0 Ransomware?

LockBit 3.0 (also known as LockBit Black) is ransomware created by the cybercrime syndicate LockBit. The first attack occurred in September 2019, and with the upgraded LockBit 2.0, it remained active until the end of July 2021.  The group has caused tremendous damage to companies worldwide and reappeared in early July 2022 with a version upgrade to LockBit 3.0. When a device is infected with the LockBit 3.0 program, all the files on an infected device are encrypted, and the program demands a ransom from the victim to recover the encrypted data and prevent leaks.

In addition, according to the Bleeping Computer article, the builder source code of LockBit 3.0 was recently leaked online. As the fact spreads widely, other attackers or ransomware groups that exploit the LockBit 3.0 builder to carry out their attacks are expected to increase. This is a serious security issue that we expect to see more organizations hit by ransomware in the future.

Source : Bleeping Computer ( https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/ )

LockBit 3.0 Ransomware Email Disguised as a Resume

On September 14, 2022, a corporate mailbox received the following resume email. An email titled “Regarding Job” and the contents of the email indicated that this was intended as a job application. The email below, forged as a resume, is an attack email disguised as a resume to distribute the LockBit 3.0 ransomware. The CIP team analyzed this fraudulent email’s details and the attached ransomware.

A LockBit 3.0 ransomware spam mail disguised as a job application

There was no separate attachment, and the link to download the file was embedded in the text “VIEW FILES.” Clicking the link will lead the user to download a compressed file named “Resume4.7z,” and “Resume5.exe” will be extracted from that file. The icon for the “Resume5.exe” file looks like a Word file at first glance, but upon closer inspection, it’s a fake icon to make it look like a Word file. Also, the file extension is “.exe,” which is an executable program extension, not “.doc,” which is used for word files.

We ran the “Resume5.exe” program in a controlled, risk-free virtual environment to make sure there was no damage in the event of an attack.

Desktop icons before running the exe file (left) and after (right) running LockBit 3.0 ransomware program disguised as resume word files

After a while, the desktop background image also changed to an image with a message from the LockBit group.

A Desktop affected by LockBit 3.0 ransomware. All files are encrypted, and the instructions direct users to run a txt file.

Tor websites listed on LockBit 3.0 txt files

The following content is from the README.txt file generated by the LockBit ransomware.

~~~ LockBit 3.0 the world’s fastest and most stable ransomware from 2019~~~

>>>>> Your data is stolen and encrypted.
If you don’t pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don’t hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

Tor Browser Links:
hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onion
hxxp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd[.]onion
hxxp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd[.]onion
hxxp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd[.]onion
hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion
hxxp://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd[.]onion
hxxp://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid[.]onion
hxxp://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd[.]onion
hxxp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd[.]onion

Links for normal browser:
hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onion[.]ly
hxxp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd[.]onion[.]ly
hxxp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd[.]onion[.]ly
hxxp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd[.]onion[.]ly
hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion[.]ly
hxxp://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd[.]onion[.]ly
hxxp://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid[.]onion[.]ly
hxxp://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd[.]onion[.]ly
hxxp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd[.]onion[.]ly

These links lead to a LockBit owned Tor website, laden with threats to leak sensitive data if the ransom is not paid. This serves as both a guide and a threat to victims, urging them to pay the ransom.

The image below results from inputting one of the LockBit 3.0 links in Criminal IP’s Domain Search.

https://www.criminalip.io/domain/report?scan_id=2173185&query=http%3A%2F%2Flockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd.onion.ly

Criminal IP Domain Search results for LockBit 3.0's Tor website

When we checked the Probability of Phishing URL in the LockBit 3.0 website search results, it was identified as a malicious phishing domain with a high probability of 99.74%. The final score was 80%, recognizing the URL as malicious.

Screenshot of the actual LockBit 3.0 tor website

The screenshot shows the logo, text of what appears to be LockBit 3.0’s website, and decryption timeouts for several infected sites.

Victims of the LockBit 3.0 attack are directed to a website where they can either pay the ransom or lose all data stored on their devices without paying. Additionally, there will be times when files containing sensitive information are leaked to the dark web.

Malicious LockBit 3.0 File Analysis Results

The team analyzed the attack behavior of the exe file used in LockBit 3.0 ransomware attacks.

LockBit 3.0 Malware Analysis With VirusTotal

The results of uploading Resum5.exe to VirusTotal to understand its properties are as follows:

Results of analyzing the exe executable file of LockBit 3.0 with VirusTotal

We can see that 44 out of 71 antiviruses detected the file “Resume5.exe” as a virus, and the IP address “13.107.4.52” was associated with it five times.

In addition, when running Resume5.exe, a file named 96F1.tmp is stored and executed, which was also detected by 56 out of 71 antiviruses.

With that knowledge in mind, the team used VirusTotal to analyze the 96F1.tmp file.

VirusTotal analysis results for 96F1.tmp file. Presence of Execution Parents identified

VirusTotal analysis results for 96F1.tmp file show the presence of Execution Parents.

We can conclude that the LockBit 3.0 ransomware attacks are executed with the “Resume5.exe” file, which acts as a Dropper (which downloads and executes a specific file without the user’s knowledge). This ransomware operates through the 96F1.tmp file.

96F1.tmp also has the same 13.107.4.52 IP address associated with it as “Resume5.exe,” and it appears that the same IP is associated with both files. Therefore, we can infer that the IP address is C2 (Command & Control server), an infected zombie server used by the attacker.

Analysis by Criminal IP Asset Search

We searched for an IP address presumed to be a C&C server identified as a result of LockBit 3.0 ransomware analysis with Criminal IP Asset Search.

https://www.criminalip.io/asset/report/13.107.4.52

IP Intelligence Results for Estimated IP Addresses as C2 Servers Used in LockBit 3.0 Attack

The results of IP intelligence analysis show that this address is critical and is blacklisted by MISP etc. This IP address also impersonated Microsoft Azure in its AS and Organization name for the Whois information section.

Corporate security personnel should always follow the checklist below to prevent LockBit attacks from taking place.

  1. Blacklist the IP addresses associated with LockBit 3.0 ransomware malware on your security system
  2. Check for suspicious content in emails such as resumes and do not open suspicious files
  3. Use Criminal IP Domain Search to safely identify domain status if running unknown attachments and URLs are necessary
  4. Use VirusTotal to verify suspicious files and to see if they are safe

The leaked LockBit 3.0 builder’s source code is proving to be a serious concern. Many are seriously concerned that new ransomware groups and hackers will try to carry out similar attacks. Therefore, company security officers must use threat intelligence to check for suspicious links and items, and for malicious domains as well. Please refer to our DDoS attack case study to know more about responding to such attacks.

Source : Criminal IP (https://www.criminalip.io)

Related Article(s) :

DDoS Attack Case Study: 20 Hours of Unprovoked Aggression