Rewterz Threat Alert – SNAKE Ransomware – Active IOCs
February 7, 2022Rewterz Threat Alert – Cuba Ransomware – Active IOCs
February 7, 2022
Severity
High
Analysis Summary
LockBit ransomware has found a new victim, PayBito cypro exchange. The group claims that they have stolen data from the cryptocurrency exchange and threatened them via their Tor leak site. PayBito is a cryptocurrency and bitcoin exchange for major cryptocurrencies like Ethereum, Bitcoin, Litecoin, Bitcoin Cash, Ethereum Classic, and HCX. HashCash – a global blockchain and IT services company – operates PayBito.
LockBit was discovered for the first time in September 2019. Due to the .abcd file extension that early versions of the ransomware would attach to encrypted files, it was formerly known as ABCD ransomware. The file extension was changed to in subsequent versions. LockBit ransomware prevents users from accessing their computers in return for a ransom payment. LockBit automatically scans a network for lucrative targets, propagates the virus, and encrypts all computers that are accessible.
LockBit attackers have created a name by threatening businesses with operational interruption, extortion for the hacker’s financial benefit, and data theft and unlawful disclosure as blackmail if the victim does not cooperate. Although LockBit isn’t as well-known as some other types of ransomware, people who use it have profited from ransom payments made in Bitcoin. LockBit mostly targets businesses and government agencies, rather than people.
LockBit has emerged as a highly severe and critical threat in 2022. So much so that the FBI has issues a flash alert warning against the group. The flash alert details the TTPs ( Tactics, Techniques, and Procedures) of the group. The group has been very active globally and is increasing it’s victim list drastically. The most recent victim being the Ministry of Justice of France.
Malware Characteristics
Command Line Activity:
The activity below provides a listing of all observed command line activity during execution:
Recorded Commands
- cmd.exe /c vssadmin Delete Shadows /All /Quiet
- Description: Deletes Shadow Copies
- cmd.exe /c bcdedit /set {default} recoveryenabled No
- Description: Disables Win 10 recovery
- cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Description: Ignore boot failures
- cmd.exe /c wmic SHADOWCOPY /nointeractive
- Description: This command has an invalid syntax and errors out
- cmd.exe /c wevtutil cl security
- Description: Deletes security log
- cmd.exe /c wevtutil cl system
- Description: Deletes system log
Recorded Commands
- cmd.exe /c wevtutil cl application
- Description: Deletes application log
- cmd.exe “C:\Windows\System32\cmd.exe” /C ping 127.0.0.7 -n 3 >Nul&fsutil file setZeroData offset=0 length=524288 “C:\Users\fred\Desktop\Lsystem-234-bit.exe” & Del /f/q “C:\Users\fred\Desktop\Lsystem-234-bit.exe”
- Description: Wipes and deletes itself
- cmd.exe “C:\Windows\System32\cmd.exe” /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
- Description: Lockbit 2.0 deletes all shadow copies on disc to prevent data recovery
Registry Keys
Created – UAC Bypass
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
- Value: Display Calibrator
- Data: <LockBit 2.0 Ransomware path>
Created – LockBit 2.0 Wallpaper Change
- Key: HKEY_CLASSES_ROOT\Lockbit\shell\Open\Command
- Data: “C:\Windows\system32\mshta.exe”
- “C:\Users\<username>\Desktop\LockBit_Ransomware.hta”
- Key: HKEY_CLASSES_ROOT\Lockbit\DefaultIcon
- Data: C:\Windows\<First 6 characters of LockBit 2.0 Decryption ID>.ico
Created – Persistence
- Key: HKEY_CURENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{GUID}
- Data: C:\Users\<Username>\Desktop\LockBit_Ransomware.hta
- Data: <LockBit 2.0 Ransomware path>
Created – Encryption
- Key: HKEY_CURRENT_USER\Software\< LockBit 2.0 ID >\Private
- Key: HKEY_CURRENT_USER\Software\< LockBit 2.0 ID >\Public
Created – LockBit 2.0 Icon Location
- Key: HKEY_LOCAL_MACHINE\Software\Classes\.lockbit\DefaultIcon
Created / Modified – LockBit 2.0 Desktop
- KEY: HKEY_CURRENT_USER\Control Panel\Desktop
- String Value: %APPDATA%\Local\Temp\<LockBit 2.0 wallpaper>.tmp.bmp
- String Value: TitleWallpaper=0
- String Value: WallpaperStyle = 2
Files Created
- C:\Users\<Username>\Desktop\LockBit_Ransomware.hta – LockBit 2.0 hta File
- C:\Windows\SysWOW64\<First 6 characters of Decryption ID>.ico – LockBit 2.0 Icon
- C:\Users\<username>\AppData\Local\Temp\<LockBit 2.0 wallpaper> .tmp.bmp – LockBit 2.0 Wallpaper
Group Policy Update – Windows Defender Disable
[General]
- Version=%s
- displayName=%s
- [Software\Policies\Microsoft\Windows Defender;DisableAntiSpyware]
- [Software\Policies\Microsoft\Windows Defender\Real-Time
- Protection;DisableRealtimeMonitoring]
- [Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent]
- [Software\Policies\Microsoft\Windows
- Defender\Threats;Threats_ThreatSeverityDefaultAction]
- [Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
- [Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
- [Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
- [Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
- [Software\Policies\Microsoft\Windows Defender\UX Configuration;Notification_Suppress]
PowerShell Command – Force GPO Policy
- powershell.exe -Command “Get-ADComputer -filter * -Searchbase ‘%s’ | foreach{ InvokeGPUpdate -computer $_.name -force -RandomDelayInMinutes 0}”
Anti-Recovery Command
- C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
LockBit 2.0 Extension
- .lockbit
LockBit 2.0 Ransom Note
- Restore-My-Files.txt
Impact
- File Encryption
- Data Exfiltration
- Credential Theft
- Financial Loss
Indicators of Compromise
IP
- 139[.]60[.]160[.]200
- 93[.]190[.]139[.]223
- 45[.]227[.]255[.]190
- 193[.]162[.]143[.]218
- 168[.]100[.]11[.]72
- 93[.]190[.]143[.]101
- 88[.]80[.]147[.]102
- 193[.]38[.]235[.]234
- 174[.]138[.]62[.]35
- 185[.]215[.]113[.]39
- 185[.]182[.]193[.]120
URL
- http[:]//185[.]182[.]193[.]120/06599379103BD9028AB56AE0EBED457D0
Remediation
- Logging – Log your eCommerce environment’s network activity and web server activity.
- Passwords – Implement strong passwords. Enable two-factor authentication.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF -Set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely.
- Backups – Maintain Backups and ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.