Rewterz Threat Alert – Lockbit Ransomware – Active IOCs

Severity

High

Analysis Summary

LockBit was discovered for the first time in September 2019. Due to the .abcd file extension that early versions of the ransomware would attach to encrypted files, it was formerly known as ABCD ransomware. The file extension was changed to in subsequent versions. LockBit ransomware prevents users from accessing their computers in return for a ransom payment. LockBit automatically scans a network for lucrative targets, propagates the virus, and encrypts all computers that are accessible. 

LockBit attackers have created a name by threatening businesses with operational interruption, extortion for the hacker’s financial benefit, and data theft and unlawful disclosure as blackmail if the victim does not cooperate. Although LockBit isn’t as well-known as some other types of ransomware, people who use it have profited from ransom payments made in Bitcoin. LockBit mostly targets businesses and government agencies, rather than people. 

Lockbit has announced that they have attacked the Ministry of Justice of France and stolen their data. The group has given a deadline of 14 days to the French government for paying the ransom. The Tor leak site has been fixed on 10 Feb, 2022 11:20:00.

“I think we are in phase 3 leaks for failed negotiations. States will not pay by following the guidelines provided by Europol (nomoreransom.org).” states the expert. “The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.” recommends the Europol.

La cyberattaque sur le ministère de la Justice m’est confirmée de source interne au ministère. Pas d’avantages d’infos sur son ampleur et ses conséquences. https://t.co/gzsvCQuqYk

— Emile Marzolf (@emile_marzolf) 

January 27, 2022

The victims include companies from France, Italy, the U.K., and Germany. Recently Lockbit has added support for Linux systems in their ransomware suites. This also includes a new version that target VMware’s ESXi virtual machines. This new version uses a combination of elliptic-curve cryptography (ECC) and Advanced Encryption Standard (AES) algorithms for encrypting data. This version is able to gather the following information from the infected systems:

• Processor information
• Volumes in the system
• Virtual machines (VMs) for skipping
• Total files
• Total VMs
• Encrypted files
• Encrypted VMs
• Total encrypted size
• Time spent for encryption

“The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide.” reads the analysis published by security researchers.

Impact

• Data Theft
• File Encryption
• Financial Loss
• Security Bypass

Indicators of Compromise

Domain Name

• markettrendingcenter[.]com

Filename

• Salary_Lockheed_Martin_job_opportunities_confidential[.]doc

MD5

• 18a352d33c8c01b6a196adce176c5a96
• 9661c01af31a41caef2ccd3b6be06e60
• 3c9e550d41f3de930e678776a6e018ed
• b354eaf3061b4099aecac523eb5466a3

SHA-256

• f3a1576837ed56bcf79ff486aadf36e78d624853e9409ec1823a6f46fd0143ea
• 67df6effa1d1d0690c0a7580598f6d05057c99014fcbfe9c225faae59b9a3224
• ee3e03f4510a1a325a06a17060a89da7ae5f9b805e4fe3a8c78327b9ecae84df
• 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

SHA-1

• 7e303af8c686a0c98fa87a34de1ffcf08f64a093
• e09dae6d33cffd7f6f38b62b71c484e5b12b4b79
• a118e1e110e285fb82495defe7d1c570d922ee0d
• 774e4e11015b6ff9f3f79aa43770c057d98fbc24

Remediation

• Never open attachments or links received by unknown senders.
• Emails from unknown senders should always be treated with caution.
• Look for IOCs in your surroundings.
• At your respective controls, disable all threat indicators.