
Rewterz Threat Alert – Lockbit Ransomware – Active IOCs

January 28, 2022

Severity

High

Analysis Summary

LockBit was first observed in September 2019. Early versions appended the .abcd file extension to encrypted files, so it was originally known as ABCD ransomware; the file extension was changed in subsequent versions. LockBit blocks access to infected systems and demands a ransom payment to restore it. Once inside a network, LockBit automatically scans for lucrative targets, propagates the infection, and encrypts every computer it can reach.

LockBit operators have made a name for themselves by threatening businesses with operational disruption, extortion for financial gain, and data theft followed by unlawful disclosure as leverage if the victim does not cooperate. Although LockBit is less well known than some other ransomware families, its operators have profited from ransom payments made in Bitcoin. LockBit mostly targets businesses and government agencies rather than individuals.

LockBit has claimed that it attacked the Ministry of Justice of France and stole its data. The group has given the French government a deadline of 14 days to pay the ransom; the deadline posted on its Tor leak site is 10 Feb, 2022 11:20:00.

“I think we are in phase 3 leaks for failed negotiations. States will not pay by following the guidelines provided by Europol (nomoreransom.org),” states the expert. “The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return,” recommends Europol.

The cyberattack on the Ministry of Justice has been confirmed to me by a source inside the ministry. No further information on its scale or its consequences. https://t.co/gzsvCQuqYk

— Emile Marzolf (@emile_marzolf), January 27, 2022

The victims include companies from France, Italy, the U.K., and Germany. LockBit has recently added support for Linux systems to its ransomware suite, including a new version that targets VMware ESXi hosts. This new version uses a combination of elliptic-curve cryptography (ECC) and the Advanced Encryption Standard (AES) to encrypt data, and it gathers the following information from infected systems:

  • Processor information
  • Volumes in the system
  • Virtual machines (VMs) for skipping
  • Total files
  • Total VMs
  • Encrypted files
  • Encrypted VMs
  • Total encrypted size
  • Time spent for encryption

“The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide.” reads the analysis published by security researchers.

Impact

  • Data Theft
  • File Encryption
  • Financial Loss
  • Security Bypass

Indicators of Compromise

Domain Name

  • markettrendingcenter[.]com

Filename

  • Salary_Lockheed_Martin_job_opportunities_confidential[.]doc

MD5

  • 18a352d33c8c01b6a196adce176c5a96
  • 9661c01af31a41caef2ccd3b6be06e60
  • 3c9e550d41f3de930e678776a6e018ed
  • b354eaf3061b4099aecac523eb5466a3

SHA-256

  • f3a1576837ed56bcf79ff486aadf36e78d624853e9409ec1823a6f46fd0143ea
  • 67df6effa1d1d0690c0a7580598f6d05057c99014fcbfe9c225faae59b9a3224
  • ee3e03f4510a1a325a06a17060a89da7ae5f9b805e4fe3a8c78327b9ecae84df
  • 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

SHA-1

  • 7e303af8c686a0c98fa87a34de1ffcf08f64a093
  • e09dae6d33cffd7f6f38b62b71c484e5b12b4b79
  • a118e1e110e285fb82495defe7d1c570d922ee0d
  • 774e4e11015b6ff9f3f79aa43770c057d98fbc24

Remediation

  • Never open attachments or links received from unknown senders.
  • Treat emails from unknown senders with caution.
  • Search your environment for the IOCs listed above.
  • Block the listed threat indicators on your respective security controls.
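Added example, not part of the advisory and not Rewterz tooling, showing one way to act on the last two remediation items: it refangs the indicators listed above, hashes every file under a directory with MD5, SHA-1 and SHA-256 in a single pass, reports name or digest matches, and checks DNS or proxy log lines for the listed domain (including its subdomains). The directory contents, the log lines and the extra hash set used to exercise the digest-matching path are constructed for this demonstration; only the hashes, domain and filename come from the advisory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the advisory above. Domain and filename are listed
# defanged ("[.]") there; refang() restores the dotted form for matching.
IOC_HASHES = {
    # MD5
    "18a352d33c8c01b6a196adce176c5a96",
    "9661c01af31a41caef2ccd3b6be06e60",
    "3c9e550d41f3de930e678776a6e018ed",
    "b354eaf3061b4099aecac523eb5466a3",
    # SHA-256
    "f3a1576837ed56bcf79ff486aadf36e78d624853e9409ec1823a6f46fd0143ea",
    "67df6effa1d1d0690c0a7580598f6d05057c99014fcbfe9c225faae59b9a3224",
    "ee3e03f4510a1a325a06a17060a89da7ae5f9b805e4fe3a8c78327b9ecae84df",
    "038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4",
    # SHA-1
    "7e303af8c686a0c98fa87a34de1ffcf08f64a093",
    "e09dae6d33cffd7f6f38b62b71c484e5b12b4b79",
    "a118e1e110e285fb82495defe7d1c570d922ee0d",
    "774e4e11015b6ff9f3f79aa43770c057d98fbc24",
}
IOC_DOMAINS_DEFANGED = {"markettrendingcenter[.]com"}
IOC_FILENAMES_DEFANGED = {"Salary_Lockheed_Martin_job_opportunities_confidential[.]doc"}


def refang(indicator: str) -> str:
    """Turn the advisory's defanged form ('example[.]com') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}
IOC_FILENAMES = {refang(f).lower() for f in IOC_FILENAMES_DEFANGED}


def hash_file(path: Path) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass over its bytes."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root: Path, ioc_hashes=IOC_HASHES, ioc_filenames=IOC_FILENAMES) -> list:
    """Walk a directory tree; report (path, reason) for files whose name or any digest matches an IOC."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.name.lower() in ioc_filenames:
            hits.append((str(path), "filename"))
        for algo, digest in hash_file(path).items():
            if digest in ioc_hashes:
                hits.append((str(path), algo))
    return hits


# Crude hostname tokenizer: enough for DNS/proxy logs that carry a bare host name.
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)


def match_log_lines(lines, ioc_domains=IOC_DOMAINS) -> list:
    """Scan log lines for the listed domain; a subdomain of it counts as a hit too."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for token in DOMAIN_RE.findall(line):
            host = token.lower().strip(".")
            if any(host == d or host.endswith("." + d) for d in ioc_domains):
                hits.append((line_no, host))
    return hits


# Constructed DNS log lines for the demonstration (not real traffic).
SAMPLE_DNS_LOG = [
    "2022-01-28T10:02:11Z client=10.0.0.21 query=A name=example.com",
    "2022-01-28T10:02:14Z client=10.0.0.21 query=A name=markettrendingcenter.com",
    "2022-01-28T10:02:15Z client=10.0.0.21 query=A name=cdn.markettrendingcenter.com",
]


def demo_scan() -> dict:
    """Self-check on a constructed directory: one benign file and one file carrying the IOC filename."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        benign = root / "notes.txt"
        benign.write_bytes(b"quarterly notes")
        (root / refang("Salary_Lockheed_Martin_job_opportunities_confidential[.]doc")).write_bytes(b"stub")
        name_hits = scan_directory(root)
        # Digest matching is exercised with a constructed indicator set: the benign file's own SHA-256.
        hash_hits = scan_directory(root, ioc_hashes={hash_file(benign)["sha256"]}, ioc_filenames=set())
        return {
            "name_hits": [(Path(p).name, why) for p, why in name_hits],
            "hash_hits": [(Path(p).name, why) for p, why in hash_hits],
        }


if __name__ == "__main__":
    print(demo_scan())
    print(match_log_lines(SAMPLE_DNS_LOG))
```

Point `scan_directory()` at a mail-attachment quarantine or user download folder and feed `match_log_lines()` your resolver or proxy export; any hit on the hash set is high confidence, while a filename-only hit deserves a look because the lure name can be reused for benign documents.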