# LockBit: Ransomware Puts Servers in the Crosshairs **[symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers)** Vishal KamblePrincipal Threat Analysis Engineer Lahu KhatalSenior Threat Analysis Engineer ## LockBit affiliates using servers to spread ransomware throughout networks. [Symantec, a division of Broadcom Software, has observed threat actors targeting server](https://software.broadcom.com/) machines in order to spread the LockBit ransomware threat throughout compromised networks. ----- In one attack observed by Symantec, LockBit was seen identifying domain-related information, creating a Group Policy for lateral movement, and executing a "gpupdate /force" command on all systems within the same domain, which forcefully updates group policy. ## LockBit LockBit is a ransomware-as-a-service (RaaS) operated by malicious actors Symantec tracks as Syrphid. Shortly after it first appeared in September 2019, the Syrphid gang expanded its operations, using a network of affiliates to deploy the LockBit ransomware on victim networks. The [ransomware, which has currently reached version 3.0, has evolved over the past few years,](https://www.darkreading.com/threat-intelligence/lockbit-3-debut-bug-bounty-program) [as has its operators who have recently launched a bug bounty program in order to weed out](https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/) weaknesses in the malware’s code and the RaaS operation as a whole. ## Attack chain In one observed instance, before dropping and executing the LockBit ransomware, an attacker had RDP access to the enterprise network for a couple of weeks at least. This access may have been obtained through remote desktop applications such as AnyDesk or Windows RDP, or by exploiting a known vulnerability, etc. LockBit behaves differently on server machines with domain controllers than on Windows 10 machines. When executed on a server, it has the capability to spread through the network using Group Policy. On Windows 10 machines it performs routine ransomware activity and encrypts files. When LockBit is executed on a server machine it carries out the following actions: 1. Debugger check LockBit first checks if the malware process is being debugged. If this is the case, it goes into an infinite loop. ----- Figure 1. If malware process is being debugged, LockBit goes into an infinite loop 2. Language Check It calls GetSystemDefaultUILanguage and GetUserDefaultUILanguage to check the language. If the language matches with the one on the malware’s list then it terminates immediately. LockBit does not target Russia or a selection of nearby countries. ----- Figure 2. LockBit calls GetSystemDefaultUILanguage and GetUserDefaultUILanguage to check the language. 3. End running processes and disable services LockBit ends a list of running processes related to malware analysis and other processes like Process Explorer, Process Monitor, Wireshark, Dumpcap, Process Hacker, cmd.exe, TeamViewer, Notepad, Notepad++, WordPad etc. Disables a list of services related to SQL, backup, and MSExchange etc. 4. Privilege escalation Duplicates the token by calling DuplicateTokenEx and creates a new process using **CreateProcessAsUserW.** After it achieves privilege escalation, LockBit relaunches itself under DLLHost.exe. Once the new process is spawned, the LockBit process ends itself. 5. Bypass UAC LockBit injects code into dllhost.exe with CLSIDs of COM objects, which runs the following command to bypass UAC: A. Exploiting USERENV.dll to bypass UAC ----- B. Bypass method in hfiref0x s UACME C. Exploiting the ICMLuaUtil elevated COM Interface-Object 6. LockBit creates a copy of itself under the SYSVOL directory “c:\windows\sysvol\domain\scripts\< Lockbit executable>” 7. Creating a Group Policy: Once the malware identifies it is running as an admin user and a domain controller is installed on the system, it creates a Group Policy to stop services, end processes, and copy LockBit etc. Under the “C:\Windows\SYSVOL\domain\Policies\” folder, LockBit creates XML files that are required for the Group Policy. Computer configurations: It first creates a policy to turn off Windows Defender, suppress all notifications, disable file submissions, turn off real-time protection etc. It then maps the network drive through Group Policy. Disables services related to SQL server at startup. User Configurations: The malware copied the ransomware from SYSVOL to the Desktop directory. It then creates a scheduled task to end the list of processes previously mentioned. Figure 3.Group Policy XML file used to copy LockBit from the shared SYSVOL location to client’s desktop location. ----- Figure 4. Group Policy created by LockBit can be seen in the Group Policy Management console. ----- Figure 5. Group Policy details to disable Defender and several additional options. Figure 6. Group Policy used to map network drives. ----- Figure 7. Group Policy used to disable SQL services at startup. Figure 8 Group Policy used to copy LockBit from the SYSVOL shared location to the desktop. ----- Figure 9. Group Policy used to end processes using the taskkill command. ----- Figure 10. Group Policy used to execute the LockBit ransomware. 8. Lateral movement: LockBit launches powershell.exe to run the command shown below in order to search through all the computers on the Active Directory. For each host it uses the GPUpdate force command (gpupdate) to apply the newly created Group Policy. 9. Executes gpupdate command on the domain controller where LockBit is running. Also runs gpupdate to run policies from the computer configurations and user configurations. 10. Firewall LockBit reads firewall rules using the Windows Defender Firewall with Advanced Security API's “FwPolicy2” object. The following CLSID COM object is called: 11. Impact ----- LockBit attempts to delete shadow copies using VSSADMIN and WMIC. It also tries to disable recovery using the BCDEdit command. ## Want to comment on this post? -----