LockBit3.0: A Threat that Persists

By Trellix · November 17, 2022
This blog was written by Alexandre Mundo

LockBit is a very well-known family of ransomware that has created havoc worldwide over the last few years. In March 2022, a new variant of the ransomware was discovered. The LockBit3.0 variant presented with a mix of previous code from the LockBit family and code from the now defunct nefarious Black Matter ransomware.

This updated version is built to spread chaos and encrypt all files in the infected system, just as previous versions of LockBit, but now has new layers of protection and tricks to make analysis and detection more difficult.

In this blog, we will provide technical analysis into a sample with the hash ed555f0162ea6ec5b8b8bada743cfc628d376274

Technical details

This sample is a Win32 application that can run in older operating systems as well. It has a first layer of protection that may look like a new technique, but is actually an old trick used in other types of malware.

All malware is encrypted with an unknown packer/layer that requires a special key and argument to decrypt the real malware and execute it.

In this case, the malware is executed following the “-pass” argument and later the key to decrypt it.

This type of protection is enough to avoid researchers without the key analyzing the sample. Nevertheless, if a protected system has any type of logging mechanism that can capture the command line of the application, this special key can be captured in the log.

After this layer of protection, the malware has strong obfuscation using tricks borrowed from Black Matter.

After the first layer, the malware begins loading the modules needed and the APIs required.

Like Black Matter, the LockBit3.0 code uses a technique to try obfuscating the APIs using a Stack Obfuscation running 32 bit values as hashes.

With this technique, it is impossible to know which APIs and modules are used, but they can be determined with a debugger or using tools like Hash DB.

Black Matter ransomware typically obfuscates APIs using a special stub that is made in runtime. This is done through the following process:

• Reserve memory
• The malware will choose a random number and based in the result will prepare a special code that will try to obfuscate the calls to the APIs. LockBit3.0 has five types of code it can make. This is done to make detection more difficult.
• The malware will acquire the API memory address and obfuscate the address that the stub will decrypt and jump later. The malware will obfuscate the final entry point to the API that will later call in this new code to make harder the analysis.

Just as with Black Matter, prior to making the stub, it will check to see if a debugger is attached and if so, the stub will stop functioning. In this case, the malware will crash in the moment it calls any API.

The debugger check is done with a trick to check if the memory has the values 0xABABABAB.

LockBit3.0 has another protection mechanism built in and uses the API “SetThreadInformation” to see if the thread escapes from the debugger. If found, the malware will run but any debugger will be stopped from debugging it.

Following these steps the malware will use the API “DbgUiRemoteBreaking” to ensure a debugger stops working. This closely aligns with the work of Black Matter malware developers to make their samples hard to analyze.

LockBit3.0 has an internal configuration that is encrypted and compressed with different blocks that can be encrypted too and encoded in base64. We see this in Black Matter as well, except while Black Matter will have 10 flags, LockBit3.0 has 24 to expand the options available to malware operators.

By focusing on the flags and other important parts in the configuration, we have this structure:

Similar to Black Matter, LockBit3.0 requires a lot of work to extract and prepare the configuration fields:

It’s interesting to note that the malware decrypts in memory along with the ransom note template, creation of the victim ID and writing of the ransom note, before encrypting again in memory for later use.

By encrypting the ransom note in memory, the user can avoid detection by security products that can detect this pattern.

Like other ransomware, LockBit3.0 will check the flag to compare the language of the victim machine with a hardcoded list of blacklisted languages. If this flag is enabled, it will check the language using two APIS “ZwQueryInstallUILanguage” and “ZwQueryDefaultUILanguage”.

With these two functions, it checks the normal use language and the install language of the Windows system. The checks are done against a list of hardcoded values in code but obfuscated to try avoiding detection in disk and make analysis that much more difficult.

Some of the languages that are voided with LockBit3.0 are:

• Russian from Russia
• Ukrainian from Ukraine
• Romanian from Moldova
• Belarusian
• Tatar
• Georgian from Georgia

If the malware detects one of these languages, it will stop the execution and refrain from hurting the system in any way.

Like we see with Black Matter, LockBit3.0 will also try different tricks to elevate privileges and escalate:

• Duplicate token from SVCHOST.EXE and other processes as EXPLORER.EXE
• Using PEB, it will launch different shellcodes if the operating system is 32 or 64 bits. In the case of 32 bits it’ll be used only once, but in the case of 64 bits, it will be used twice which causes an argument the second one

Later, the malware will make the new extension for the encrypted files, the icon of the encrypted files and the ransom note.

Unlike Black Matter, which reads the “MachineGUID” from the registry, this new version of LockBit uses the RSA Public Key block and calculate a MD5 hash from it.

This change is done for two reasons:

• First, to avoid Anti-Virus protections that check to see if “MachineGUID” is manipulated to avoid that the malware executing. If this happens with Black Matter, the malware stops without any real damage in the victim machine.
• Second, to make it easier to track the extension files to one malware operator and victims.

This string makes the ransom note name file and calculates a hash to check the integrity of the file name later.

The malware then creates a special icon file that is hardcoded in the binary in the %appdata% folder in the victim system with the same name as the ransom note but with the extension “.ico”.

Later in the registry, the LockBit3.0 writes file associated with the encrypted files and the new extension so the user will only have encrypted files shown with this new icon to warn the user.

These changes are applied in the system using the API “SHChangeNotify” which forces the system to update all changes the moment it is called.

LockBit3.0 has 24 flags that can change its behavior. Some of these flags are:

The encryption process is remarkably like Black Matter.

Conclusion

LockBit3.0 is a new variant of the LockBit family that adds code from Black Matter to increase protections against detection and slow its analysis. By increasing the number of flags to have more behaviors, malware operators have more flexibility to leverage the malware in different scenarios. Notably, the malware has been used in attacks, like the attack to “Entrust” on June 18, 2022.

This malware is serious threat that should be watched and controlled through patching systems against vulnerabilities, closing RDP connections that are not needed, phishing education to employees, and taking measures to protect servers and critical stations.

IOC

ED555F0162EA6EC5B8B8BADA743CFC628D376274