# A Deep-dive Analysis of LOCKBIT 2.0

**blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/**

August 16, 2021

The LOCKBIT 2.0 ransomware group has been highly active in the past few months. The Threat Actors (TAs) linked to this ransomware use a Ransomware-as-a-Service (RaaS) business model. LOCKBIT 2.0 developers customize ransomware variants as per their affiliates’ needs. They also offer various panels and attack statistics to provide victim management capabilities to their affiliates.

The malware uses the double extortion technique to compel victims into paying ransoms. Through this technique, attackers exfiltrate the victim’s data and then encrypt the data on the victim’s system. After encryption, the TAs demand a ransom in exchange for a decryptor. If the victim refuses or cannot pay the ransom, the TAs threaten to leak the data.

This ransomware was previously known as ABCD ransomware, as the file extension used for encrypted files was .abcd. The extension now used by this ransomware is .lockbit.

Figure 1 shows the LOCKBIT 2.0 ransomware gang hosting a blog on the TOR network. This blog is used by the TA to share the list of victims and screenshots of sample data exfiltrated by the attackers from affected systems.

_Figure 1: LOCKBIT 2.0 Blog displaying Victim companies_

Like other recently emerging RaaS gangs, LOCKBIT 2.0 also runs an affiliate program to attract potential affiliates. Figure 2 shows the affiliate program page.

_Figure 2: Affiliate Program of LOCKBIT 2.0_

LockBit is trying to position itself as the fastest encryptor compared to competing RaaS gangs. They have listed the time spent on encryption for datasets of 100GB, 10TB, etc. Figure 3 shows the comparison of LOCKBIT 2.0 with other ransomware gangs.
_Figure 3: LOCKBIT 2.0 Comparing itself with other Ransomware Gangs_

Additionally, this ransomware gang does not operate in countries that were formerly part of the Soviet Union. The gang also uses tools such as StealBIT, Metasploit Framework, and Cobalt Strike. StealBIT is an information stealer used by the gang for data exfiltration. Metasploit Framework and Cobalt Strike are penetration testing tools used to emulate targeted attacks on sophisticated networks. Figure 4 shows the post in detail.

_Figure 4: Additional affiliate details shared by the LOCKBIT 2.0_

## Technical Analysis

Our static analysis of the ransomware shows that the malware file is a Windows x86 architecture Graphical User Interface (GUI) executable compiled on 2021-07-26 13:04:01, as shown in Figure 5.

_Figure 5: Static information About LOCKBIT 2.0 Ransomware_

Cyble Research Labs has also found that the malware uses only a few libraries, as shown in Figure 6.

_Figure 6: Libraries Used by Ransomware_

Furthermore, only a few Application Programming Interfaces (APIs) are present in the ransomware’s import table, as shown in Figure 7.

_Figure 7: Import Table APIs List_

Figure 8 shows that the ransomware has encrypted the user’s document files, appended the .lockbit extension to them, and changed the icon of all encrypted files. Additionally, the ransomware drops a ransom note in several folders.

_Figure 8: Encrypted Files and Ransom Note dropped by ransomware_

Figure 9 shows the content of the ransom note, which instructs victims on how to contact the ransomware gang.

_Figure 9: Content of ransom note_

The ransomware also changes the desktop background to show additional ransomware gang information, as shown below.

_Figure 10: LOCKBIT 2.0 Changing Desktop Background_

To get further insights into the ransomware, we checked which strings were present in the malware. Figure 11 shows the initial strings present in the malware.
These strings indicate that the malware can query systems joined to the Active Directory domain using the Lightweight Directory Access Protocol (LDAP). In the query strings, CN stands for Common Name, OU stands for Organizational Unit, and DC stands for Domain Component. This information could be used to discover other linked networks and systems.

_Figure 11: Setting LDAP parameters for Microsoft Active Directory_

As seen in Figure 12, the ransomware could use PowerShell commands to query the DC for the list of computers. Once the list is received, the malware could invoke the GPUpdate command remotely on the listed systems.

_Figure 12: PowerShell command for searching computers in the network_

Additionally, the ransomware checks for additional mounted hard drives, network shared drives, and shared folders of VMs, and terminates running processes using taskkill.exe, as shown in Figure 12.

Figure 13 depicts the policy updates that the ransomware can push to other connected systems in the Active Directory environment. To evade detection, the ransomware can disable Windows Defender both on the running system and on remote systems.

_Figure 13: Windows Defender Policies are changed by the ransomware_

While running the ransomware, we observed that it injects itself into dllhost.exe, as shown in Figure 14.

_Figure 14: Ransomware infecting dllhost.exe_

The ransomware adds its execution folder to the Path system environment variable, as shown in Figure 15.

_Figure 15: Malware Added its Present Working Directory in System Path_

Figure 16 shows the ransomware looking for various running services, such as backup services, database-related applications, and the other applications shown in Figure 15. If any of these services is found running on the system, the ransomware kills it. The ransomware uses OpenSCManager and OpenServiceA for this, as shown in Figure 16.

_Figure 16: Ransomware searching for Services_

An additional list of services searched for by the ransomware is shown in the table below.
| Service | Service | Service |
| --- | --- | --- |
| DefWatch | RTVscan | tomcat6 |
| ccEvtMgr | sqlbrowser | zhudongfangyu |
| SavRoam | SQLADHLP | vmware-usbarbitator64 |
| Sqlservr | QBIDPService | vmware-converter |
| sqlagent | Intuit.QuickBooks.FCS | dbsrv12 |
| sqladhlp | QBCFMonitorService | dbeng8 |
| Culserver | msmdsrv | MSSQL$MICROSOFT##WID |
| MSSQL$KAV_CS_ADMIN_KIT | MSSQLServerADHelper100 | msftesql-Exchange |
| SQLAgent$KAV_CS_ADMIN_KIT | MSSQL$SBSMONITORING | MSSQL$SHAREPOINT |
| MSSQLFDLauncher$SHAREPOINT | SQLAgent$SBSMONITORING | SQLAgent$SHAREPOINT |
| MSSQL$VEEAMSQL2012 | QBFCService | QBVSS |
| SQLAgent$VEEAMSQL2012 | YooBackup | YooIT |
| SQLBrowser | vss | SQL |
| SQLWriter | svc$ | PDVFSService |
| FishbowlMySQL | MSSQL | memtas |
| MSSQL$MICROSOFT##WID | MSSQL$ | mepocs |
| MySQL57 | sophos | veeam |
| MSSQL$MICROSOFT##SSEE | backup | MSSQLFDLauncher$SBSMONITORING |

The ransomware creates a shared folder for VMware to spread to other systems, as shown in Figure 17.

_Figure 17: Ransomware creating VMWare shared folder and Dropping Sample_

The encryption operation of LOCKBIT 2.0 is similar to what we have observed in other ransomware groups. The flow of operation is shown below.

_Figure 18: Common Encryption Operation_

## Conclusion

LOCKBIT 2.0 is a highly sophisticated form of ransomware that uses various state-of-the-art techniques to perform its operations. Current and potential LOCKBIT 2.0 victims range across multiple domains, from IT and services to banks. Our research indicates that affiliates of the group drop this ransomware inside an already compromised network.

## Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and internet security software package on your connected devices.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backups and keep those backups offline or on a separate network.

## Indicators of Compromise (IoCs)

| Indicators | Indicator type | Description |
| --- | --- | --- |
| 0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049 | Hash | SHA-256 |

## About Us

[Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes](https://cyble.com/) and exposure on the Darkweb. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit [www.cyble.com.](https://cyble.com/)
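As an added example (not code from the Cyble post), the service-kill behaviour described in the Technical Analysis section turned into detection logic: it matches service-stop log lines against a subset of the kill-list table and raises an alert when several listed services stop on one host within a short window. The log line layout, host names, timestamps and the `SERVICE_STOP` record shape are constructed for this example; real System-log 7036 or Sysmon records would need a field mapping to it.

```python
# Added example, not from the original post: detect a LockBit 2.0-style burst of
# backup/database service stops on one host. Log line shape below is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the service names from the table above; a trailing '$' marks a prefix,
# so MSSQL$ covers every named SQL Server instance such as MSSQL$SHAREPOINT.
KILL_LIST = ["vss", "SQLWriter", "veeam", "backup", "sophos", "memtas", "mepocs",
             "MSSQL$", "SQLAgent$", "MySQL57", "QBFCService", "QBVSS", "YooBackup",
             "FishbowlMySQL", "PDVFSService", "sqlbrowser", "msmdsrv", "svc$"]
# Constructed line shape: "<ISO timestamp> <host> SERVICE_STOP <service name>"
LINE_RE = re.compile(r"^(\S+) (\S+) SERVICE_STOP (\S+)$")
# Constructed sample: isolated stops on WS01, a LockBit-style burst on SRV02.
SAMPLE_LOG = """\
2021-08-16T10:00:01 WS01 SERVICE_STOP Spooler
2021-08-16T10:02:10 SRV02 SERVICE_STOP MSSQL$SHAREPOINT
2021-08-16T10:02:11 SRV02 SERVICE_STOP VeeamBackupSvc
2021-08-16T10:02:11 SRV02 SERVICE_STOP vss
2021-08-16T10:02:12 SRV02 SERVICE_STOP SQLWriter
2021-08-16T11:15:00 WS01 SERVICE_STOP vss
"""

def on_kill_list(service: str) -> bool:
    """Case-insensitive match: '$' entries match as a prefix, all others as a substring."""
    name = service.lower()
    return any(name.startswith(e[:-1].lower()) if e.endswith("$") else e.lower() in name
               for e in KILL_LIST)

def detect_kill_bursts(log_text: str, window_s: int = 60, threshold: int = 3):
    """Return (host, burst start, sorted services) where >= threshold distinct kill-list
    services stopped on one host within window_s seconds."""
    stops = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:                        # lines outside the constructed shape are ignored
            ts, host, service = match.groups()
            if on_kill_list(service):
                stops[host].append((datetime.fromisoformat(ts), service))
    alerts = []
    for host, events in stops.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            burst = [s for t, s in events[i:] if t - start <= timedelta(seconds=window_s)]
            if len(set(burst)) >= threshold:
                alerts.append((host, start.isoformat(), sorted(set(burst))))
                i += len(burst)          # step past the burst so it is reported once
            else:
                i += 1
    return alerts
```

Tune `threshold` and `window_s` to the environment; a single stop of a listed service is normal during maintenance, whereas several within a minute is the pattern the post describes.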