In this article, we analyze LockBit 3.0 ransomware cases and determine how similar attacks can be prevented.
What is LockBit 3.0 Ransomware?
LockBit 3.0 (also known as LockBit Black) is ransomware created by the cybercrime syndicate LockBit. The ransomware was first used in September 2019, with the 3.0 version running rampant until July 2021. The group caused tremendous monetary damage to businesses worldwide, and the ransomware developers responsible for this damage revealed their upgraded 3.0 program in July 2022. When a device is infected with LockBit 3.0, all files on that device are encrypted, and the program demands a ransom from the victim to recover the encrypted data and prevent leaks.
Source: Bleeping Computer (https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/)
LockBit 3.0 Ransomware Spam Mail Disguised as a Resume
On September 14, 2022, we received an e-mail titled “Regarding Job”, whose contents indicated that it was a job application. The example below shows this forged resume, which is in reality a malicious email designed to spread LockBit 3.0 ransomware. The CIP team analyzed the details of this fraudulent email and the ransomware attached to it.
Clicking the link downloads a compressed file named “Resume4.7z”, from which “Application5.exe” is extracted.
We tried running “Resume5.exe” in a controlled, risk-free environment.
The desktop background image also changed to an image containing a message from the LockBit group.
Tor websites listed in LockBit 3.0 txt files
The following content is from the README.txt file generated by the LockBit ransomware.
~~~ LockBit 3.0 the world’s fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don’t pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don’t hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.
Tor Browser Links:
Links for normal browser:
These links lead to a LockBit-owned Tor website, laden with threats to leak sensitive data if the ransom is not paid. The note serves as both instructions and a threat, urging victims to pay the ransom.
The image below is the result of inputting one of the LockBit 3.0 links in Criminal IP’s Domain Search.
Malicious LockBit 3.0 File Analysis Results
The team analyzed the attack behavior of the exe file used in the LockBit 3.0 ransomware attack.
VirusTotal analysis results for LockBit 3.0
The results of uploading Resume5.exe to VirusTotal to understand its properties are as follows:
The VirusTotal analysis results for the 96F1.tmp file show its Execution Parents.
We can conclude that the LockBit 3.0 ransomware attack is executed through the “Resume5.exe” file, which acts as a dropper (a program that downloads and executes another file without the user’s knowledge). The ransomware itself then operates through the 96F1.tmp file.
Analysis by Criminal IP Asset Search
We searched Criminal IP’s Asset Search for an IP address, presumed to be a C&C server, that was identified during the LockBit 3.0 ransomware analysis.
The IP intelligence results show that this address is rated Critical and is blacklisted by MISP and other sources. The IP address also impersonates Microsoft Azure in the AS and Organization names of its Whois information.
Corporate security personnel should always follow the checklist below to prevent LockBit attacks.
- Register IP addresses associated with LockBit 3.0 ransomware in the security system’s blacklist
- Check emails such as resumes for suspicious content, and do not open suspicious files
- Use Criminal IP Domain Search to safely check a domain’s status when running unknown attachments or URLs is necessary
- Use VirusTotal to verify whether suspicious files are safe
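As an added defensive example (not code from the original post or from Criminal IP), the following Python script turns two observations from this case into detection logic: the banner and warning text of the README.txt note shown above, and the Resume5.exe dropper launching a .tmp image. The Sysmon field names, sample process events and note text are assumptions constructed for the demo.

```python
import re
from pathlib import PureWindowsPath

# Strings taken from the README.txt shown above; the second check catches
# notes where the banner was trimmed but the .onion links remain.
NOTE_MARKERS = ("LockBit 3.0 the world", "Your data is stolen and encrypted")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
# Directories from which a freshly extracted attachment would typically run.
USER_DROP_DIRS = {"downloads", "temp", "desktop"}


def is_lockbit_note(text: str) -> bool:
    """Flag text as a LockBit 3.0 ransom note: both markers, or one plus a .onion link."""
    lowered = text.lower()
    hits = sum(marker.lower() in lowered for marker in NOTE_MARKERS)
    return hits == 2 or (hits == 1 and ONION_RE.search(text) is not None)


def find_tmp_droppers(events):
    """Return (parent, child) pairs where an .exe in a user download directory
    spawns a .tmp image, the Resume5.exe -> 96F1.tmp chain from the case."""
    flagged = []
    for event in events:  # field names follow Sysmon Event ID 1 (process creation)
        parent = PureWindowsPath(event["ParentImage"])
        child = PureWindowsPath(event["Image"])
        parent_dirs = {part.lower() for part in parent.parts[:-1]}
        if (parent.suffix.lower() == ".exe" and child.suffix.lower() == ".tmp"
                and parent_dirs & USER_DROP_DIRS):
            flagged.append((event["ParentImage"], event["Image"]))
    return flagged


# Constructed sample telemetry: one event mirroring the case, two benign ones.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\victim\Downloads\Resume5.exe",
     "Image": r"C:\Users\victim\AppData\Local\Temp\96F1.tmp"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\7-Zip\7zG.exe"},
    {"ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "Image": r"C:\Program Files\Vendor\helper.exe"},
]
# Constructed note text reproducing the opening lines of the README.txt above.
SAMPLE_NOTE = (
    "~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~\n"
    ">>>>> Your data is stolen and encrypted.\n"
)

if __name__ == "__main__":
    print("ransom note:", is_lockbit_note(SAMPLE_NOTE))  # True
    print("dropper chains:", find_tmp_droppers(SAMPLE_EVENTS))
```

Point the note check at the README.txt files a file scanner already collects, and feed the dropper check with process-creation events from your EDR or Sysmon pipeline.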
The leaked LockBit 3.0 builder source code is a serious concern: many fear that new ransomware groups and hackers will use it to carry out similar attacks. Company security officers must therefore use threat intelligence to check suspicious links and files, as well as malicious domains. Refer to our DDoS attack case study to learn more about responding to such attacks.
Source: Criminal IP (https://www.criminalip.io)