In this article, we will analyze Lockbit 3.0 ransomware cases and determine how attacks similar to these cases can be prevented.

What is LockBit 3.0 Ransomware?

LockBit 3.0 (also known as LockBit Black) is ransomware created by the cybercrime syndicate LockBit. The ransomware was first used in September 2019, and the 3.0 version ran amok until July 2021. The group caused tremendous monetary damage to businesses worldwide, and the operators behind this damage revealed their upgraded 3.0 program in July 2022. When a device is infected with LockBit 3.0, all files on that device are encrypted, and the program demands a ransom from the victim to recover the encrypted data and to prevent leaks.

Source : Bleeping Computer ( https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/ )

LockBit 3.0 Ransomware Spam Mail Disguised as a Resume

On September 14, 2022, we received an e-mail titled “Regarding Job”, and the contents of the email indicated that this was intended as a job application. The example below shows this resume forgery, which is in reality a malicious email and ransomware attack designed to spread LockBit 3.0. The CIP team analyzed the details of this fraudulent email and the ransomware attached.

A LockBit 3.0 ransomware spam mail disguised as a job application

Clicking the link downloads a compressed file named “Resume4.7z”, from which “Application5.exe” is extracted.

We tried running “Resume5.exe” in a controlled, risk-free environment.

Desktop icons before (left) and after (right) running the LockBit 3.0 ransomware program disguised as a resume Word file

The desktop background image also changed to an image that contained a message from the LockBit group.

A desktop affected by LockBit 3.0 ransomware. All files are encrypted, and the instructions direct users to open a txt file.

Tor websites listed in the LockBit 3.0 txt file

The following content is from the README.txt file generated by the LockBit ransomware.

~~~ LockBit 3.0 the world’s fastest and most stable ransomware from 2019~~~

>>>>> Your data is stolen and encrypted.
If you don’t pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don’t hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

Tor Browser Links:
hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onion
hxxp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd[.]onion
hxxp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd[.]onion
hxxp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd[.]onion
hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion
hxxp://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd[.]onion
hxxp://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid[.]onion
hxxp://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd[.]onion
hxxp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd[.]onion

Links for normal browser:
hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onion[.]ly
hxxp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd[.]onion[.]ly
hxxp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd[.]onion[.]ly
hxxp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd[.]onion[.]ly
hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion[.]ly
hxxp://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd[.]onion[.]ly
hxxp://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid[.]onion[.]ly
hxxp://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd[.]onion[.]ly
hxxp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd[.]onion[.]ly

These links lead to a LockBit-owned Tor website laden with threats to leak sensitive data if the ransom is not paid. The note serves as both a guide and a threat to victims, urging them to pay the ransom.
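The ransom note above lists its infrastructure in defanged form (hxxp, [.]). Before such indicators can be registered in a blocklist, as the checklist at the end of this article recommends, they have to be refanged and sanity-checked. The following Python script is an added example written for this article, not code from Criminal IP or from the LockBit analysis. It extracts the URLs from a constructed excerpt of the note (the two .onion hosts are copied from the note above, the .onion.ly line is the clearnet-proxy form of the first one), refangs them, separates native .onion addresses from the .onion.ly proxy form, and goes beyond the page by validating the Tor v3 address checksum so that a mistyped indicator is rejected rather than shipped to production. The make_onion_v3 helper exists only to exercise the validator with a self-consistent address.

```python
from __future__ import annotations

import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed excerpt in the same defanged style as the ransom note quoted above.
SAMPLE_NOTE = """\
Tor Browser Links:
hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onion
hxxp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd[.]onion

Links for normal browser:
hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onion[.]ly
"""

DEFANGED_URL = re.compile(r"h(?:xx|tt)ps?://\S+", re.IGNORECASE)
ONION_V3 = re.compile(r"^[a-z2-7]{56}\.onion$")


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :, (.) -> ."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def host_of(url: str) -> str:
    """Host part of a refanged URL, lowercased (ports and userinfo are not handled here)."""
    without_scheme = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return without_scheme.split("/")[0].lower()


def onion_v3_checksum_ok(host: str) -> bool:
    """Tor v3 layout: base32(pubkey[32] || checksum[2] || version[1]) with
    checksum = SHA3-256(".onion checksum" || pubkey || version)[:2] and version == 3."""
    label = host[: -len(".onion")]
    try:
        raw = base64.b32decode(label, casefold=True)
    except Exception:
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def make_onion_v3(pubkey: bytes) -> str:
    """Build a v3 .onion host from a 32-byte public key (test helper, not an IoC)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


@dataclass
class Indicator:
    url: str
    host: str
    kind: str  # "onion-v3", "onion-proxy", "clearnet" or "malformed"


def classify(host: str) -> str:
    if host.endswith(".onion"):
        if ONION_V3.match(host) and onion_v3_checksum_ok(host):
            return "onion-v3"
        return "malformed"
    if ".onion." in host:          # e.g. .onion.ly / .onion.to clearnet proxies
        return "onion-proxy"
    return "clearnet"


def extract_indicators(text: str) -> list[Indicator]:
    out = []
    for m in DEFANGED_URL.finditer(text):
        url = refang(m.group(0))
        host = host_of(url)
        out.append(Indicator(url=url, host=host, kind=classify(host)))
    return out


def blocklist_hosts(text: str) -> list[str]:
    """Deduplicated hosts for a denylist; malformed entries are dropped so a
    transcription error never reaches production."""
    seen: list[str] = []
    for ind in extract_indicators(text):
        if ind.kind != "malformed" and ind.host not in seen:
            seen.append(ind.host)
    return seen


if __name__ == "__main__":
    for ind in extract_indicators(SAMPLE_NOTE):
        print(f"{ind.kind:12} {ind.host}")
    print("blocklist:", blocklist_hosts(SAMPLE_NOTE))
```

Native .onion names never resolve through ordinary DNS, so they belong in Tor-egress and proxy monitoring, while the .onion.ly proxy hosts can go straight into a DNS sinkhole or web-proxy denylist; keeping the two kinds apart avoids filling a DNS blocklist with entries that can never match.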

The image below shows the result of entering one of the LockBit 3.0 links into Criminal IP’s Domain Search.

https://www.criminalip.io/domain/report?scan_id=2173185&query=http%3A%2F%2Flockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd.onion.ly

Criminal IP Domain Search results for LockBit 3.0's Tor website
Screenshot of the actual LockBit 3.0 tor website

Malicious LockBit 3.0 File Analysis Results

The team analyzed the attack behavior of the exe file used in LockBit 3.0 ransomware attacks.

VirusTotal analysis results for LockBit 3.0

The results of uploading Resume5.exe to VirusTotal to understand its properties are as follows:

Results of analyzing the exe executable file of LockBit 3.0 with VirusTotal
Out of a total of 71 antivirus engines, 44 identified the “Resume5.exe” file as a virus, and the IP address “13.107.4.52” was reported as associated with the file by 5 separate systems.

In addition, when Resume5.exe runs, it stores and executes a file named 96F1.tmp, which was detected by 56 out of 71 antivirus engines.

With that knowledge in mind, the team used VirusTotal to analyze the 96F1.tmp file.

VirusTotal analysis results for the 96F1.tmp file, showing the presence of Execution Parents

We can conclude that LockBit 3.0 ransomware attacks are executed via the “Resume5.exe” file, which acts as a dropper (a program that downloads or writes and then executes another file without the user’s knowledge). The ransomware itself operates through the 96F1.tmp file.
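The behaviour described above, a user-launched executable writing a .tmp file and then executing it, is a generic dropper pattern that endpoint telemetry can alert on without knowing the file hash in advance. The following Python script is an added example written for this article, not Criminal IP's or VirusTotal's code. It correlates constructed Sysmon-style FileCreate (event 11) and ProcessCreate (event 1) records whose paths, PIDs and timestamps are invented (only the file names Resume5.exe and 96F1.tmp come from the case above), and it raises a higher-severity alert when the dropper itself was started from a user-writable location such as a Downloads folder, which is where an e-mail attachment lands.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed Sysmon-style records (EventID 11 = FileCreate, EventID 1 = ProcessCreate).
# File names mirror the case above; paths, PIDs and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2022-09-14T10:01:00", "id": 1, "pid": 4100, "ppid": 1200,
     "image": r"C:\Users\alice\Downloads\Resume5.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2022-09-14T10:01:02", "id": 11, "pid": 4100,
     "image": r"C:\Users\alice\Downloads\Resume5.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\96F1.tmp"},
    {"ts": "2022-09-14T10:01:03", "id": 1, "pid": 4180, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\96F1.tmp",
     "parent": r"C:\Users\alice\Downloads\Resume5.exe"},
    # Legitimate installers also write and run temp files, so the same pattern from a
    # program under Program Files is reported at lower severity rather than ignored.
    {"ts": "2022-09-14T10:05:00", "id": 11, "pid": 5000,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\abc.tmp"},
    {"ts": "2022-09-14T10:05:01", "id": 1, "pid": 5010, "ppid": 5000,
     "image": r"C:\Users\alice\AppData\Local\Temp\abc.tmp",
     "parent": r"C:\Program Files\Vendor\setup.exe"},
]

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\", "\\temp\\")
WINDOW = timedelta(seconds=60)   # execution must follow the write within this window


def in_temp_dir(path: str) -> bool:
    return any(d in path.lower() for d in TEMP_DIRS)


def from_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


@dataclass
class Alert:
    severity: str        # "high" when the dropper itself came from a user-writable path
    dropper: str         # image of the process that wrote the file
    dropped: str         # the file it wrote and then executed
    dropper_pid: int
    seconds_between: float


def detect_drop_and_execute(events) -> list[Alert]:
    """Flag a process that writes a file into a temp directory and, within WINDOW,
    starts that same file as its child process."""
    writes = {}          # (writer pid, lowercase target path) -> FileCreate record
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 11 and in_temp_dir(ev["target"]):
            writes[(ev["pid"], ev["target"].lower())] = ev
        elif ev["id"] == 1:
            write = writes.get((ev["ppid"], ev["image"].lower()))
            if write is None:
                continue
            gap = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(write["ts"])
            if gap > WINDOW:
                continue
            severity = "high" if from_user_writable(write["image"]) else "medium"
            alerts.append(Alert(severity, write["image"], ev["image"],
                                write["pid"], gap.total_seconds()))
    return alerts


if __name__ == "__main__":
    for a in detect_drop_and_execute(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.dropper} (pid {a.dropper_pid}) wrote and ran "
              f"{a.dropped} after {a.seconds_between:.0f}s")
```

The rule keys on the parent PID rather than on the parent image name, so a dropper that renames itself or copies into a new path is still linked to the file it wrote; the severity split keeps installer noise visible for triage without burying the attachment-launched case.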

Analysis by Criminal IP Asset Search

We searched Criminal IP’s Asset Search for an IP address presumed to be a C&C server that was identified during the LockBit 3.0 ransomware analysis.

IP intelligence results for the IP address presumed to be a C2 server used in the LockBit 3.0 attack

The IP intelligence results show that this address is rated Critical and is blacklisted by MISP and other sources. The Whois information also shows that this IP address impersonates Microsoft Azure in its AS and organization name.

Corporate security personnel should always follow the checklist below to prevent LockBit attacks from taking place.

  1. Register IP addresses associated with LockBit 3.0 ransomware in the security system’s blacklist.
  2. Check emails such as resumes for suspicious content, and do not open suspicious files.
  3. Use Criminal IP Domain Search to safely identify a domain's status if opening unknown attachments or URLs is necessary.
  4. Use VirusTotal to verify suspicious files and check whether they are safe.

The leaked LockBit 3.0 builder’s source code is a serious concern: many fear that new ransomware groups and hackers will use it to carry out similar attacks. Company security officers should therefore use threat intelligence to check suspicious links and items, as well as malicious domains. Refer to our DDoS attack case study to learn more about responding to such attacks.


Source : Criminal IP (https://www.criminalip.io)