Cluster25 recently reported on Lockbit 3.0, the latest version of Lockbit ransomware. Version 3.0 includes new features and a ransomware bug bounty program.
- Lockbit 3.0 is the latest version of Lockbit ransomware.
- Lockbit 3.0 uses a new extortion method, allowing victims to pay for a deadline extension.
- Lockbit 3.0 also includes a new bug bounty program, various anti-detection and anti-analysis features, and an updated encryption scheme.
- Researchers noted Lockbit 3.0’s code bears similarities to BlackMatter/DarkSide.
In June, Lockbit released the latest version of their ransomware, Lockbit 3.0, also known as LockbitBlack. Lockbit has evolved, with new features added since version 2.0. The new version has multiple updates, including a new extortion method. Previously, Lockbit victims were given a specific time period in which to pay the ransom. In version 3.0, Lockbit gives victims the option to pay a fee to delay the ransom deadline, destroy all data, or download all data.
A second new feature is Lockbit 3.0’s bug bounty program. Bug bounty programs typically reward security researchers for discovering and reporting vulnerabilities. Lockbit 3.0 has taken a different approach, offering rewards for finding vulnerabilities, doxxing managers, and submitting “brilliant ideas” to be used for RaaS.
Another interesting aspect of Lockbit 3.0 is the similarity in code to that of the BlackMatter/DarkSide ransomware families. Industry researchers speculate a possible overlap or collaboration between members of the BlackMatter/DarkSide ransomware gang and the latest membership of the Lockbit gang.
Lockbit 3.0 uses a code protection mechanism not present in previous versions. Lockbit 3.0 has encrypted code sections in the binary in an attempt to thwart analysis, especially automated analysis. In order to execute the malware, a decryption key must be supplied as a parameter (-pass) when the file is launched. Without the decryption key, the software crashes. A subroutine responsible for loading and mapping the Win32 APIs used by Lockbit 3.0 can only be analyzed in a decrypted/unpacked version of the malware. The way the APIs are resolved involves a call to a subroutine that receives an obfuscated string as input. It is XORed with the key 0x4506DFCA to decrypt the Win32 API name to be resolved. This method is similar to the one used by BlackMatter. Lockbit 3.0 uses string obfuscation as another anti-analysis measure.
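As an added analyst-side example (not code from Cluster25's report or from PolySwarm), the snippet below decodes an obfuscated string table with the 0x4506DFCA key and extracts the recovered Win32 API names; the per-DWORD little-endian layout of the key and the sample names are assumptions, and the sample blob is constructed here for the demonstration.

```python
import re
import struct
from typing import List

# Key reported for the Win32 API-name string obfuscation in Lockbit 3.0.
XOR_KEY = 0x4506DFCA


def xor_dword_stream(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte of `data` with the repeating 32-bit key.

    Assumption: the key is applied as a little-endian DWORD over 4-byte
    chunks; the report states the key value but not the exact layout.
    """
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def build_obfuscated_table(names: List[str]) -> bytes:
    """Constructed sample: NUL-terminated ANSI API names, obfuscated with the key."""
    plain = b"".join(n.encode("ascii") + b"\x00" for n in names)
    return xor_dword_stream(plain)


# Win32 export names start with an uppercase letter and are alphanumeric.
API_NAME_RE = re.compile(rb"[A-Z][A-Za-z0-9]{4,}")


def recover_api_names(blob: bytes, key: int = XOR_KEY) -> List[str]:
    """Decode an obfuscated table and return NUL-delimited runs that look
    like Win32 API names. A wrong key leaves non-printable bytes behind,
    so nothing matches and the result is empty."""
    decoded = xor_dword_stream(blob, key)
    return [chunk.decode("ascii") for chunk in decoded.split(b"\x00")
            if API_NAME_RE.fullmatch(chunk)]


# Constructed sample names; OpenPrinterW stands in for the WinSpool calls.
SAMPLE_NAMES = ["CreateFileW", "WriteFile", "OpenPrinterW", "SystemParametersInfoW"]
SAMPLE_BLOB = build_obfuscated_table(SAMPLE_NAMES)

if __name__ == "__main__":
    print("obfuscated:", SAMPLE_BLOB.hex())
    for name in recover_api_names(SAMPLE_BLOB):
        print("recovered:", name)
```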
Lockbit 3.0 uses a multi-thread file encryption approach. It uses AES for encryption and only encrypts sections of particularly large files. Rather than appending an extension to encrypted files, Lockbit 3.0 replaces the file names and their extensions with random dynamic and static strings and changes the file’s icon. A ransom note is placed in each encrypted directory, instructing the victim how to contact the threat actors to pay the ransom and recover their files. The malware is also capable of printing the ransom note on connected printers using WinSpool APIs. Lockbit 3.0 also changes the victim’s wallpaper. The wallpaper message on the sample analyzed said:
All your important files are stolen and encrypted! You must find HLJkNskOq.README.txt file and follow the instruction!
Finally, Lockbit 3.0 includes an operation to make detection more difficult. It modifies Windows Registry keys related to the Windows Event Log to disable monitoring by Windows Defender.
PolySwarm has a sample of Lockbit 3.0.
You can use the following CLI command to search for all Lockbit 3.0 samples in our portal:
$ polyswarm link list -f Lockbit3