On September 21, 2022, the LockBit 3.0 ransomware builder named “Black” was leaked online by a developer working for the LockBit threat group. On September 22, 2022, security researchers Yang HuiSeong and Jeong Hyunsik released a technical analysis of the code. The leaked code is currently available on GitHub.
Threat Actor Details
LockBit is a Ransomware-as-a-Service (RaaS) operation, meaning the threat group sells the LockBit ransomware tool to other threat actors. The LockBit ransomware was recently upgraded to version 3.0.
The most notable attacks involving the ransomware are:
The June 2022 LockBit Campaign
In this campaign, threat actors sent phishing emails in Chinese with a malicious file disguised as a copyright claim. The emails came from an email account impersonating a legitimate illustrator to make the email seem more legitimate. The name of the malicious file attachment included the password to open the file, which matches the tactics used in the February 2022 LockBit campaign. The malicious attachment is a compressed file containing a second compressed Nullsoft Scriptable Install System (NSIS) file, which includes an executable disguised with a PDF file icon. This executable installs the ransomware on the targeted machine and runs multiple operations for reconnaissance, obfuscation, and persistence.
The February 2022 LockBit Campaign
This campaign also leveraged phishing emails with malicious copyright-themed attachments containing compressed files with passwords. As in the June 2022 campaign, the compressed files are NSIS file types. The executable for this campaign is disguised as a JPEG file, as with the May 2021 Makop campaign. The executable then runs reconnaissance, obfuscation, and persistence operations, nearly identical to the June 2022 campaign.
The May 2021 Makop Campaign
In May 2021, ASEC researchers discovered a phishing campaign delivering the Makop ransomware. Unlike previous Makop phishing efforts that used job applications and resumes as themes, the May 2021 campaign began using claims of copyright infringement as a theme. Phishing emails in this campaign included a malicious compressed file as an attachment. As in the February 2022 campaign delivering LockBit, the May 2022 Makop campaign used an executable disguised as a JPEG file, where upon execution, the Makop ransomware deleted volume shadow copy, encrypted files on the infected computer, and created a ransom note txt file.
The researchers provided information on four files: Build[.]bat, Config[.]json, Builder[.]exe, and Keygen[.]exe.
This file creates an RSA public/private key pair by executing the Keygen[.exe] and Builder[.] exe files that generates the ransomware using the generated key pair.
This file contains the setting values for generating the encryptor and decryptor. Configurations include:
- bot: Configuration about the bot feature stealing information from infected devices (Not used)
- config: Configuration values that determine the behaviors for the LockBit 3.0 ransomware
- white_folders: List of folders to exclude from encryption
- white_files: List of files to exclude from encryption
- white_extens: List of extensions to exclude from encryption
- white_hosts: List of hostnames to exclude from encryption
- kill_processes: List of processes to be terminated before encryption
- kill_services: List of services to be terminated before encryption
- gate_urls: List of URLs to be used as the C2 server
- impers_accounts: List of credentials to be used for logon
- note: Ransom note content
This file generates the encryptor and decryptor. The parameters for execution are:
- enc: Generate Encryptor
- dec: Generate Decryptor
- Configuration file path
-exe, -dll, -ref(reflectiveDLL)
- File type to be created
- When creating an Encryptor, the password required to execute the Encryptor
- Passwords required to execute Encryptor are stored in Password_exe.txt and Password_dll.txt respectively
- Path of the key file to be used when creating Encryptor and Decryptor
- File path to save
This file generates key pairs for encryption. The researchers provided the following details:
-path: Folder path to save generated key pair file
-pubkey: File name to use for Encryptor as public key (256 bytes)
— The first 128 bytes contain e value (fixed at 65537), and the last 128 bytes contain N value
- -privkey: File name to use for Encryptor as private key (256 bytes)
— The first 128 bytes contain d value and the last 128 bytes contain N value
Key generation is performed as follows.
- Keygen[.]exe is written based on MIRACL.
- Generates an RSA-1024 key to encrypt the file encryption key, and the e value is fixed to 65537.
- When generating 512-bit prime numbers p and q, create a 256-byte seed with the rdrand x86 instruction.
- Then, pass the seed to the strong_init function of MIRACL to initialize the CSPRNG, and use the strong_bigdig function to get a 512-bit value.
- The keygen.exe is implemented to use RIPEMD-160 instead of SHA-256 used in the original library.
Afterward, a 16-byte Decryption ID is generated to identify the infected PC and stored in a generated txt file.
HuiSeong and Hyunkik provided the following indicators of compromise (IOCs) Note: these hashes are specifically for the LockBit 3.0 builder. The ransomware delivered to targets would have additional IOCs specific to the victim environment: