Lockbit3.0 leak: an introduction about what we've seen

A bit of context

Lockbit3.0, also known as Lockbit Black, is a strain from the Lockbit ransomware family, which was first observed in September 2019 after its first wave of attacks.

LockBit's operators have targeted organizations around the world since its first use, including in the UK, the US, Ukraine and France. The family operates under a Ransomware-as-a-Service model: affiliates pay the operators for access to the ransomware, often through some form of subscription.

On 21 September 2022, the Lockbit3.0 builder was leaked on Twitter.

The Leak

During our daily OSINT watch, we came across a tweet from the user @ali_qushji, who claimed that he and his team had hacked several Lockbit servers and found the Lockbit3.0 builder. He attached a download link for the builder zip together with its password.


We later found that another Twitter user, @protonleaks1, had also leaked the builder, with different file metadata.


The two leaks have different last-modified dates and different hashes for every file except Build.bat, the script that drives the ransomware builder, and config.json, the file containing the parameters that enable the ransomware's features.

Before both leakers' Twitter accounts were taken down, GitHub user 3xp0rt created a repository storing both leaks. That repository has since been taken down as well, most probably by GitHub.


According to Lockbit's operators, their servers were not hacked: the leak was internal, attributed to one of their developers, who they said was suffering from mental health issues and was worried about the current geopolitical climate.


Lockbit3.0’s Builder

The builder zip file contained four files:

  1. Build.bat
  2. Builder.exe
  3. Keygen.exe
  4. config.json

Builder.exe is the executable that, when called with the right parameters, generates the different output files, such as the decryptor and the ransomware executables.

Build.bat is a Windows batch file that calls Builder.exe with the correct parameters to generate all of the ransomware files in one go.

Keygen.exe is a simple RSA key generator that creates the public/private key pair used by the build: the public key goes into the encryptor and the private key into the decryptor.

config.json lists the features to enable in the generated ransomware. It shows that the ransomware supports several interesting features, including a language check, a host whitelist, process and service killing, self-destruction, killing Windows Defender, network spreading via PsExec and via GPO, event log deletion, and many more.
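As an added example (not code from the article and not from the leaked builder), the following Python script triages a config.json of this shape and reports which high-impact features are enabled, plus whether a given hostname would be spared by the host whitelist. The JSON layout, the key names and the embedded sample config are assumptions modelled on the feature names listed above; check them against the real file before relying on them.

```python
"""Triage a LockBit 3.0-style builder config.json.

Added example; not code from the article or from the leaked builder.
ASSUMPTION: the file has a "config" object holding a "settings" map of
booleans plus comma-separated list sections ("white_hosts", "kill_processes",
"kill_services"). The key names below are modelled on the feature names the
article lists; verify them against the real file.
"""
import json

# Settings that most change impact or evasion (assumed key names).
HIGH_IMPACT = {
    "kill_defender": "disables/removes Windows Defender",
    "psexec_netspread": "lateral movement via PsExec",
    "gpo_netspread": "lateral movement via Group Policy",
    "delete_eventlogs": "anti-forensics: clears event logs",
    "self_destruct": "anti-forensics: removes the binary after the run",
    "kill_processes": "terminates the processes in the kill list",
    "kill_services": "stops the services in the kill list",
    "language_check": "kill switch: spares systems with CIS locales",
}

# Constructed sample config (shaped like the leaked file, not copied from it).
SAMPLE_CONFIG = """
{
  "config": {
    "settings": {
      "encrypt_mode": "auto",
      "language_check": true,
      "kill_processes": true,
      "kill_services": true,
      "kill_defender": true,
      "self_destruct": false,
      "psexec_netspread": false,
      "gpo_netspread": true,
      "delete_eventlogs": true
    },
    "white_hosts": "dev-box-01,builder-vm",
    "kill_processes": "sql,oracle,ocssd,dbsnmp",
    "kill_services": "vss,sql,svc$,memtas,mepocs"
  }
}
"""


def split_list(value):
    """List sections are assumed to be comma-separated strings; accept a JSON list too."""
    if isinstance(value, list):
        return [str(v) for v in value]
    return [v.strip() for v in str(value).split(",") if v.strip()]


def triage_config(text):
    """Return a report of the risky features and lists found in a config."""
    cfg = json.loads(text)["config"]
    settings = cfg.get("settings", {})
    enabled = {k: HIGH_IMPACT[k] for k in HIGH_IMPACT if settings.get(k) is True}
    return {
        "enabled_high_impact": enabled,
        "white_hosts": split_list(cfg.get("white_hosts", "")),
        "kill_processes": split_list(cfg.get("kill_processes", "")),
        "kill_services": split_list(cfg.get("kill_services", "")),
        "lateral_movement": any(
            settings.get(k) is True for k in ("psexec_netspread", "gpo_netspread")
        ),
    }


def is_whitelisted(hostname, report):
    """Assumes the whitelist match is case-insensitive, as Windows hostnames are."""
    return hostname.upper() in {h.upper() for h in report["white_hosts"]}


if __name__ == "__main__":
    report = triage_config(SAMPLE_CONFIG)
    for key, why in report["enabled_high_impact"].items():
        print(f"[!] {key}: {why}")
    print("lateral movement enabled:", report["lateral_movement"])
    print("would skip DEV-BOX-01:", is_whitelisted("DEV-BOX-01", report))
```

The kill lists are worth extracting on their own: the process and service names a build targets tell you which products the affiliate expected to meet, and they double as hunting terms for mass process-termination telemetry.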


The builder reads config.json and produces the ransomware files: the executable, the DLL variants and the decryptor.


LB3.exe is the executable that launches the ransomware on the victim's machine. The DLL variants are password-protected; the password is stored in password_dll.txt.

The builder is simple to use, which makes it dangerous in the wrong hands. According to the security researcher Vladislav Radetskiy, the "Bloody" ransomware gang has already started using a new encryptor that resembles Lockbit3.0 and Conti, another ransomware family. We expect other threat actors to use the Lockbit3.0 builder, or a customized version of it, in their own attacks.

The executable: LB3.exe

Once we had all the files from the leak, we started by unpacking them and running the sample in a sandbox. Like most malware today, it did not run there: the sample is equipped with anti-debugging and anti-VM checks so that it refuses to execute in a sandbox, which makes analysis harder for defenders.

Next, we set up a test environment on a real machine and ran the ransomware there. What follows is an overview of what we observed and of the machine's final state.

We tested many features of the Lockbit3.0 ransomware. For the language check, we found that the executable reads two registry locations: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", where it found nothing, and "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE", where it reads the "INSTALLLANGUAGEFALLBACK" value. This is most likely a kill switch that spares machines in certain countries. According to Avertium, LockBit avoided attacking systems in Russia and other Commonwealth of Independent States countries, likely to avoid prosecution there.

For the "kill processes" and "kill services" features, we observed that when they are enabled, every application we launched while encryption was in progress was closed automatically, presumably to prevent open handles from interfering with file encryption.

The "kill defender" feature, as its name suggests, aims to disable Windows Defender on the target. In our tests it went further than that: "kill defender" completely uninstalled Windows Defender from our machine.


For the white hosts functionality, the ransomware reads the "COMPUTERNAME" value under "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME" to obtain the workstation's name and compare it against the whitelist. This is probably used by Lockbit's operators to exclude their own workstations during development, or to exclude their affiliates' machines so that the affiliates do not encrypt themselves.
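The language check and the hostname check above are the sample's pre-flight reads, and together they give defenders a hunting pattern. As an added example (not the article's code and not derived from the malware), the following Python snippet looks for that pattern in Procmon-style registry telemetry: a single process reading one of the NLS language locations and the active computer name within a few seconds of each other. The log lines are constructed here in the shape of a Procmon CSV export; the column names, the five-second window and the acceptance of CurrentControlSet alongside the CONTROLSET001 paths reported above are assumptions.

```python
"""Hunt for the LockBit 3.0 pre-flight registry reads in Procmon-style logs.

Added example; not from the article or the malware. Input is constructed
in Procmon CSV export shape (Time,Process Name,PID,Operation,Path,Result);
adapt the parser to your own telemetry. ASSUMPTION: CurrentControlSet and
ControlSetNNN spellings are treated as equivalent.
"""
import csv
import io
import re
from collections import defaultdict

CS = r"HKLM\\SYSTEM\\(CONTROLSET\d{3}|CURRENTCONTROLSET)\\CONTROL\\"

# The two language-check locations and the hostname location the article reports.
LANG_PATTERNS = [
    re.compile(CS + r"NLS\\CUSTOMLOCALE", re.I),
    re.compile(CS + r"NLS\\LANGUAGE\\INSTALLLANGUAGEFALLBACK", re.I),
]
HOST_PATTERN = re.compile(CS + r"COMPUTERNAME\\ACTIVECOMPUTERNAME\\COMPUTERNAME", re.I)

# Constructed sample log: one ransomware-like sequence plus benign noise.
SAMPLE_LOG = """Time,Process Name,PID,Operation,Path,Result
10:00:01.001,LB3.exe,4212,RegOpenKey,HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale,NAME NOT FOUND
10:00:01.002,LB3.exe,4212,RegQueryValue,HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback,SUCCESS
10:00:01.010,LB3.exe,4212,RegQueryValue,HKLM\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName,SUCCESS
10:00:05.000,explorer.exe,1337,RegQueryValue,HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName\\ComputerName,SUCCESS
10:00:09.000,svchost.exe,812,RegQueryValue,HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\InstallLanguageFallback,SUCCESS
10:00:30.000,LB3.exe,4212,CreateFile,C:\\Users\\victim\\Documents\\report.docx,SUCCESS
"""


def _seconds(ts):
    """Convert HH:MM:SS.fff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_preflight_sequences(log_text, window=5.0):
    """Return {(process, pid): first_seen} for processes that read a language
    location AND the active computer name within `window` seconds."""
    first = defaultdict(lambda: {"lang": None, "host": None})
    for row in csv.DictReader(io.StringIO(log_text)):
        if not row["Operation"].startswith("Reg"):
            continue  # only registry operations matter here
        key = (row["Process Name"], int(row["PID"]))
        t = _seconds(row["Time"])
        path = row["Path"]
        if any(p.search(path) for p in LANG_PATTERNS):
            if first[key]["lang"] is None:
                first[key]["lang"] = t
        elif HOST_PATTERN.search(path):
            if first[key]["host"] is None:
                first[key]["host"] = t
    hits = {}
    for key, seen in first.items():
        if seen["lang"] is None or seen["host"] is None:
            continue
        if abs(seen["lang"] - seen["host"]) <= window:
            hits[key] = min(seen["lang"], seen["host"])
    return hits


if __name__ == "__main__":
    for (proc, pid), t in find_preflight_sequences(SAMPLE_LOG).items():
        print(f"pre-flight pattern: {proc} (pid {pid}) at {t:.3f}s")
```

Both locations are read by plenty of legitimate software (the explorer.exe and svchost.exe lines are there to make that point), so the snippet only fires when one process does both reads within the window, and even then a hit is a hunting lead to enrich with process provenance and what the process touches next, not a blocking rule.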

Once the language and hostname checks have passed, the ransomware sets a wallpaper that names the generated README file containing the ransom instructions. It then encrypts all files on the system except for a set of essentials, such as Windows system files, that are whitelisted by default. Each encrypted file also has its icon changed.

When all the files are encrypted, the machine is unusable unless the ransom is paid to obtain the decryptor. Since we had generated the ransomware with the builder ourselves, we already had the decryptor.

After running the decryptor, we regained access to all our files. Windows Defender remained completely uninstalled from the machine, but apart from that everything seemed to work.

Conclusion

Lockbit3.0 is a very complex ransomware that deserves more than a single article. We have presented only a very simple analysis of this leak, and there is much more to elaborate on. We have, for example, compared its builds against the latest EDR products, and have begun reverse-engineering the builder to understand how the different DLLs used by the executable are compiled and how individual features of Lockbit3.0, such as "kill defender", actually work.

References

https://www.avertium.com/resources/threat-reports/in-depth-look-at-ransomware-gang-lockbit-3.0

https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/
