LockBit Ransomware Uses Automation Tools to Pick Targets
Sophos: Malware Excels at Evading Detection and Picking Specific Victims
The operators behind the LockBit ransomware strain use several automation tools and techniques that help the crypto-locking malware spread quickly through a compromised network and assist in picking specific targets, according to a new analysis by security firm Sophos.
LockBit is one of several ransomware variants used not only to encrypt victims' data but also to exfiltrate it, so that targets can be extorted into paying the ransom to avoid having the data released. Security researchers have noted that other cybercriminal groups, such as Maze, will cross-reference LockBit victims on their darknet "leak" websites that describe various attacks and give names of victims (see: More Ransomware Gangs Threaten Victims With Data Leaking).
LockBit avoids detection by many security tools, and it leaves few forensic traces, Sophos reports. The researchers, who looked at eight ransomware incidents targeting smaller firms, were able to piece together more details about how LockBit works.
"It's not clear what the initial compromise was across these organizations, as we had no visibility into the event," Sean Gallagher, senior threat researcher at Sophos, notes in the report. "But it appears all of the activity in the attacks we analyzed here were initiated from a single compromised server within the network used as the 'mothership' for the LockBit attack."
Use of PowerShell
Researchers found the LockBit attacks use several PowerShell scripts that help with the automation process. The scripts also enable the operators to target specific business application processes, such as tax accounting and point-of-sale software, which helps the criminal gang pick a victim, according to the report.
The use of these PowerShell scripts also helps the malware spread quickly through a network, locking files and then leaving few clues after the attacks are complete, Gallagher notes.
"We’ve seen ransomware shut down business applications upon execution, but this is the first time we’ve seen attackers looking for certain types of applications in an automated approach to score potential targets," he says.
While the Sophos researchers were not able to determine how the LockBit attacks start, they found extensive use of PowerShell scripts in the later stages of the ransomware deployment, according to the report.
The report notes the operators of LockBit appeared to use a malicious version of PowerShell Empire - a penetration testing post-exploitation tool - as part of the reconnaissance process and to set the stage for the final ransomware deployment.
"Using a series of heavily obfuscated scripts controlled by a remote backend, the PowerShell scripts collect valuable intelligence about targeted networks before unleashing the LockBit ransomware, checking for signs of malware protection, firewalls and forensic sandboxes," Gallagher reports.
LockBit also uses a PowerShell script that attempts to connect to a heavily obfuscated Google Docs spreadsheet and then tries to pull down another PowerShell script hidden in the document, which is Base64-encoded to avoid detection, according to the report.
The purpose of this PowerShell script is to connect to a command-and-control server, which then attempts to install a backdoor within the compromised device. This backdoor then runs VBScript, which proceeds to install a second backdoor, giving the attackers another avenue of persistence within the network, according to the report.
The use of all these various PowerShell scripts can help bypass security features in Windows operating systems, the researchers say.
"The attack scripts also attempt to bypass Windows 10's built-in anti-malware interface, directly applying patches to it in memory," Gallagher notes.
Once the backdoors are established, they allow the operators to gather further intelligence about devices and the network. The backdoors also look for certain keywords that can then determine whether the target is big enough to attack, according to the report.
If the backdoors find the right combination of keywords and business processes located in the compromised network, the ransomware attack will then begin, the researchers say.
"In the attacks we analyzed, the PowerShell backdoor was used to launch the Windows Management Interface Provider Host (WmiPrvSE.exe)," Gallagher notes. "Firewall rules were configured to allow WMI commands to be passed to the system from a server - the initially compromised system - by creating a crafted Windows service."
The gang then deployed the ransomware through the Windows Management Interface. The malicious code runs within the device's memory, making it easier to avoid security tools and leaving little or no trace once the attack is done, the report notes.
"All of the targets were hit within five minutes over [Windows Management Interface]," Gallagher notes. "The server-side file used to distribute the ransomware, along with most of the event logs on the targeted systems and the server itself, were wiped in the course of the ransomware deployment."
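The following added example, which is not code from Sophos or the original article, shows how a defender could hunt for the behaviour described above in collected Windows events: Base64-encoded PowerShell command lines, processes spawned by WmiPrvSE.exe on several hosts within five minutes, and event-log clearing (Security event 1102, System event 104). The event records, host names and simplified field layout are constructed for illustration.

```python
import base64
import re
from datetime import datetime, timedelta

# Matches -e, -ec, -en, -enc ... -EncodedCommand (but not -ExecutionPolicy / -ep)
ENC_RE = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmd):
    """Return the script hidden behind PowerShell -EncodedCommand, or None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:  # PowerShell expects Base64 over UTF-16LE text
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers malformed Base64 and malformed UTF-16
        return None

def wmi_burst(events, window=timedelta(minutes=5), min_hosts=3):
    """Hosts where WmiPrvSE.exe spawned a process inside one short window."""
    hits = sorted((datetime.fromisoformat(e["time"]), e["host"]) for e in events
                  if e["id"] == 1 and e["parent"].lower() == "wmiprvse.exe")
    for i, (start, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - start <= window}
        if len(hosts) >= min_hosts:
            return sorted(hosts)
    return []

def log_cleared_hosts(events):
    """Hosts that logged Security 1102 or System 104 (event log cleared)."""
    cleared = {("Security", 1102), ("System", 104)}
    return sorted({e["host"] for e in events if (e["channel"], e["id"]) in cleared})

def ev(time, host, channel, eid, parent="", cmd=""):
    return dict(time=time, host=host, channel=channel, id=eid, parent=parent, cmd=cmd)

# Constructed sample data, not taken from the Sophos report.
ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
EVENTS = [
    ev("2020-04-01T02:00:10", "WS01", "Sysmon", 1, "WmiPrvSE.exe", f"powershell.exe -nop -enc {ENC}"),
    ev("2020-04-01T02:01:30", "WS02", "Sysmon", 1, "WmiPrvSE.exe", f"powershell.exe -ExecutionPolicy Bypass -e {ENC}"),
    ev("2020-04-01T02:03:45", "WS03", "Sysmon", 1, "WmiPrvSE.exe", f"powershell.exe -EncodedCommand {ENC}"),
    ev("2020-04-01T02:04:00", "WS01", "Security", 1102),
    ev("2020-04-01T02:04:20", "WS03", "System", 104),
    ev("2020-04-01T09:15:00", "WS04", "Sysmon", 1, "explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    print(wmi_burst(EVENTS), log_cleared_hosts(EVENTS))
    print([decode_encoded_command(e["cmd"]) for e in EVENTS[:3]])
```

WmiPrvSE.exe also spawns processes for legitimate management tooling, so the host threshold and window need tuning per environment. Because the attackers wiped local event logs, this kind of hunt depends on events having been forwarded off the host before the wipe.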