This month the Lockbit ransomware gang announced their first Bug Bounty program as part of their evolution into Lockbit 3.0. A first sample of the new version was published by Arda Büyükkaya. According to their new ransomware wallpaper that appears after encryption, this specific version has been named ‘Lockbit Black’, which interestingly follows their new execution method which is pretty similar to the BlackCat ransomware execution method. There are actually even more similarities between the two ransomwares.
Lockbit Black - Execution
The new Lockbit ransomware requires a “pass” to be supplied as a parameter upon execution, Similar to BlackCat with requires an “access-token”. The “pass” for the published sample was also provided by Arda Büyükkaya:
Figure 1 - The execution command
Lockbit Black – Packer and dynamic imports
Lockbit Black is well packed, and its imports table is almost empty. Most API functions calls are resolved dynamically by calling a trampoline function which decrypts the API function using XOR encryption:
Figure 2 - Trampoline function performing XOR encryption
Lockbit Black – UAC bypass
When executing without Admin privileges, Lockbit Black (much like its previous versions) performs a CMSTPLUA COM UAC bypass.
Lockbit Black – Service Delete and Process Termination
Lockbit Black enumerates services and processes against a pre-defined “Blacklist”. The new version however has a much shorter list than its predecessors. The list is effectively a “Blacklist”, and all services that appear in the list are designated to be either deleted. The service list of the new version seems like a combined and shorter version of the services that were previously deleted by Lockbit and BlackCat together and contains:
Figure 3 - Service deletion by Lockbit Black
The new Lockbit also uses the same method to terminate a number of processes if they are found to be running on victim’s PC:
Figure 4 - Process Termination
Lockbit Black – Default language check
Previous versions of the Lockbit ransomware performed a default language check on the system and the current user through the Windows API calls GetSystemDefaultUILanguage and GetUserDefaultUILanguage. If the language code identifier matched the one specified, the program shuts down. The new version seems to extend the country list to also include Syria:
419 – Russian
422 – Ukrainian
423 – Belarusian
428 – Tajik
42B - Armenian
42C – Azerbaijani (Latin)
437 – Georgian
43F – Kazakh
440 – Kyrgyz
442 – Turkmen
443 – Uzbek (Latin)
444 – Tatar
818 - Romanian (Moldova)
819 - Russian (Moldova)
82C – Azerbaijani (Cyrillic)
843 - Uzbek (Cyrillic)
2801 - Arabic (Syria)
Lockbit Black – Mutex
Lockbit Black creates a “2cae82bd1366f4e0fdc7a9a7c12e2a6b” mutex.
Lockbit Black – New icon, wallpaper and ransom note
Lockbit's Black’s icon, wallpaper and ransom note were updated in the new version:
Figure 5 - Lockbit Black icon
Figure 6 - Lockbit Black wallpaper
Figure 7 - Part of the new ransom note
The new ransom note comes in the form of a text file and contains a reference to Elon Musk’s Twitter (Ilon Musk), but with a link to a more generic #lockbit hashtag page on Twitter.
There are several chat list URLs added to the link which lead to several Lockbit Darknet websites.
Lockbit Black – hiding threads from the debugger
Hiding threads from the debugger is not a new behavior for Lockbit but is has increased usage in the new version. The thread hiding is performed by calling the NtSetInformationThread API with the undocumented value THREAD_INFORMATION_CLASS::ThreadHideFromDebugger (0x11):
Figure 8 - hiding thread from the debugger
Lockbit Black –Windows Defender Log tampering
In order to disable Windows Defender logs, Lockbit Black sets ‘HKLMSoftware\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled’ to ‘0’ as well changing the ‘ChannelAccess’ to ‘(O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)’.
Figure 9 - Windows Defender Log Disabled
As in most ransomware cases the encryption is performed by several threads for faster and efficient work.
Minerva Lockbit 3.0 Prevention of the UAC bypass
Minerva customers don't need to worry, as many of Minerva's modules block Lockbit Black in its earliest stages, including the UAC Bypass stage, shutting it down completely before the encryption stage even begins.
Figure 10 - UAC bypass prevention by Minerva