LockBit operators are riding high on success as they continue to exfiltrate data from high-profile organizations and add those organizations' names to the LockBit leak site. Part of this success is attributed to the tactics and techniques adopted by the gang, and one such piece of evasion tradecraft has recently come to researchers' attention: in a recent campaign, LockBit was delivered in a way that bypasses the Mark of the Web (MOTW) protection mechanism.
How the new technique works
Fortinet researchers observed that the LockBit operators used a combination of evasion techniques during a campaign between December and January.
The attack campaign delivered a .img disk-image file which, once mounted, exposed several malicious files, only one of which was visible to the user. Delivery inside a .img container helps attackers evade the MOTW protection mechanism, because the mark is applied to the downloaded container rather than to the files inside it.
Once the user opened the single visible file, it triggered the download of BAT scripts that checked the privilege level on the targeted system.
In some cases, a Python script is also executed using the official Python embeddable package. The only purpose of these scripts is to change the system's settings and passwords without the user's knowledge.
The LockBit ransomware itself is delivered as the final payload inside a password-protected archive, which is likewise extracted and executed via a BAT script.
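As an added illustration (this is not code from the article or from Fortinet's research), the following PowerShell audit compares the MOTW state of a downloaded image container with that of the files on its mounted volume, listing hidden files as well; $ContainerPath and $MountRoot are assumed inputs supplied by the analyst.

```powershell
# Added example: audit whether a downloaded disk-image container carries MOTW
# while the files inside the mounted image do not.
# Assumptions: $ContainerPath is the .img/.iso the user downloaded; $MountRoot is
# the drive letter it was mounted to (e.g. "E:\"). Both are analyst-supplied.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is an NTFS alternate data stream; ZoneId=3 means "Internet".
    # On non-NTFS image filesystems (ISO9660/UDF/FAT) the stream cannot exist,
    # which is precisely why contents of a mounted image lack the mark.
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Test-MountedImageMotw {
    param(
        [Parameter(Mandatory)][string]$ContainerPath,
        [Parameter(Mandatory)][string]$MountRoot
    )
    $report = [ordered]@{
        Container     = $ContainerPath
        ContainerZone = Get-MotwZone -Path $ContainerPath   # expect 3 for a web download
        UnmarkedFiles = @()
        HiddenFiles   = @()
    }
    # Walk the mounted volume with -Force so hidden items are included; the
    # campaign relied on only one of several files being visible to the user.
    Get-ChildItem -Path $MountRoot -Recurse -Force -File | ForEach-Object {
        if ($null -eq (Get-MotwZone -Path $_.FullName)) {
            $report.UnmarkedFiles += $_.FullName
        }
        if ($_.Attributes -band [IO.FileAttributes]::Hidden) {
            $report.HiddenFiles += $_.FullName
        }
    }
    return [pscustomobject]$report
}

# Usage (paths are placeholders):
# Test-MountedImageMotw -ContainerPath "$env:USERPROFILE\Downloads\sample.img" -MountRoot 'E:\'
```

A container reported with ContainerZone 3 whose mounted files all appear under UnmarkedFiles is the condition the campaign exploited, and hidden BAT or script files on such a volume are worth triage.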
Evolution of LockBit’s evasion strategy
In June 2022, LockBit 3.0 caught the attention of researchers as the operators added new anti-analysis and evasion features to their arsenal. In this respect it showed similarities with BlackMatter ransomware; the techniques included code packing, function trampolines, and dynamic resolution of function addresses.
Towards the end of September 2022, the operators suffered a setback when the source code of LockBit 3.0 was allegedly leaked by disgruntled developers. However, this did not slow the attackers down, and in February the threat landscape saw a new version called LockBit Green.
Reverse-engineering analysis shows that the new version borrows its code from Conti ransomware. At least five victims are believed to have been targeted using the new LockBit Green variant.
LockBit remained one of the most active ransomware families in successful RaaS and extortion attacks during the second and third quarters of 2022. Data from the leak sites showed that LockBit tallied a total of 436 victim organizations between April and September.
Final words
LockBit is a fast-moving ransomware that has launched numerous attacks against a wide variety of industries, including critical infrastructure. Experts expect that the attackers will keep releasing new variants with additional capabilities and will continue to leverage obscure methods to avoid detection.