The world’s most active ransomware has another upgraded variant

The Lockbit Ransomware gang, also known as Bitwise Spider, is the cybercriminal mastermind behind the popular Lockbit Ransomware-as-a-service. They are one of the most active ransomware gangs, often with multiple victims per day, sometimes higher. On March 16, 2022, they started announcing new victims continuously on their darknet site, much faster than any ransomware group.

Recently, the 91 Data Recovery team received a request from a company whose servers had all been compromised and infected with the .lockbit3.0 ransomware virus, which caused the company’s business to shut down or stagnate. The .lockbit3.0 ransomware virus suddenly escalated and spread this year. What is the origin of this ransomware, and how has it changed?

If you need to recover data, you can follow “91 Data Recovery” for free testing and consultation to get help related to data recovery. Let’s take a look at this ._locked suffix ransomware virus.

  1. What is Lockbit 3.0 ransomware?

LockBit 3.0 (also known as LockBit Black) is a new variant of the LockBit ransomware. It encrypts files, modifies file names, changes desktop wallpaper, and places a text file (named “[random_string].README.txt”) on the desktop. LockBit 3.0 replaces filenames and their extensions with random dynamic and static strings.

Example of how LockBit 3.0 renames files: it replaces “1.jpg” with “CDtU3Eq.HLJkNskOq”, “2.png” with “PLikeDC.HLJkNskOq”, “3.exe” with “qwYkH3L.HLJkNskOq”, and so on.
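The renaming scheme above (a short random name plus a random extension shared by every encrypted file, with a “[random_string].README.txt” note nearby) gives an incident responder a cheap triage signal. The following Python script is an added example, not code from the page or from 91 Data Recovery: it groups a directory listing by candidate extension and correlates it with ransom notes. The 7-character name and 9-character extension lengths are taken from the page’s examples and assumed to hold across a host; the assumption that the note’s random string equals the extension is mine, and the listing is constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: 7-character random name, 9-character random extension,
# as in the page's examples (CDtU3Eq.HLJkNskOq and friends).
RENAMED_FILE_RE = re.compile(r"^[A-Za-z0-9]{7}\.([A-Za-z0-9]{9})$")
# Ransom note pattern from the page: "[random_string].README.txt"
RANSOM_NOTE_RE = re.compile(r"^([A-Za-z0-9]+)\.README\.txt$")

# Constructed sample listing (not from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\CDtU3Eq.HLJkNskOq",
    r"C:\Users\alice\Pictures\PLikeDC.HLJkNskOq",
    r"C:\Users\alice\Desktop\qwYkH3L.HLJkNskOq",
    r"C:\Users\alice\Desktop\HLJkNskOq.README.txt",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Windows\System32\kernel32.dll",
]


def triage_listing(paths, min_files=2):
    """Group renamed files by shared extension and collect ransom notes.

    Returns (extensions, notes): extensions maps each candidate extension
    to the paths carrying it (only extensions seen >= min_files times, to
    suppress one-off legitimate files that happen to match the shape);
    notes is the list of ransom-note paths.
    """
    by_ext = defaultdict(list)
    notes = []
    for p in paths:
        # PureWindowsPath splits on backslashes on any host OS.
        name = PureWindowsPath(p).name
        m = RENAMED_FILE_RE.match(name)
        if m:
            by_ext[m.group(1)].append(p)
        elif RANSOM_NOTE_RE.match(name):
            notes.append(p)
    extensions = {ext: v for ext, v in by_ext.items() if len(v) >= min_files}
    return extensions, notes


def confirmed_extensions(paths):
    """Return extensions that also have a matching '<ext>.README.txt' note.

    Assumption (not stated on the page): the note's random string is the
    same string used as the encrypted-file extension. Extensions without a
    matching note are still reported by triage_listing, just not confirmed.
    """
    extensions, notes = triage_listing(paths)
    note_ids = {RANSOM_NOTE_RE.match(PureWindowsPath(n).name).group(1) for n in notes}
    return sorted(ext for ext in extensions if ext in note_ids)


if __name__ == "__main__":
    exts, found_notes = triage_listing(SAMPLE_LISTING)
    for ext, files in exts.items():
        print(f"extension .{ext}: {len(files)} renamed files")
    print("ransom notes:", found_notes)
    print("confirmed:", confirmed_extensions(SAMPLE_LISTING))
```

Run it over a recursive file listing exported from the affected host; the confirmed extension is what you then use to count encrypted files per share and to scope which backups need to be restored.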

They started operations as ABCD ransomware in September 2019 and then renamed themselves Lockbit. In June 2021 they launched Lockbit 2.0, an improved version of the ransomware. We have already seen that Lockbit 2.0 introduced new features such as shadow copy deletion and log file deletion, making it harder for victims to recover. Additionally, Lockbit has the fastest encryption speed among the most popular ransomware gangs, encrypting approximately 25,000 files in one minute.

The virus gang originated in Russia. According to a detailed analysis of Lockbit 2.0, the ransomware checks the default system language and, if the victim system’s language is Russian or the language of one of the neighboring countries, skips encryption and stops the attack.

LockBit 3.0 Ransom Note Overview

The ransom note states that the data has been stolen and encrypted, and that if the victim does not pay the ransom, the data will be published on the dark web. It instructs the victim to contact the attackers using the provided website and personal ID. Additionally, the ransom note warns that deleting or modifying encrypted files will lead to decryption problems.

LockBit 3.0 also introduces a bug bounty program

With the release of LockBit 3.0, the operation introduced the first bug bounty program offered by a ransomware gang, inviting security researchers to submit bug reports in exchange for a reward of between $10 million and $1 million.

“We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. Remuneration amounts range from $1,000 to $1 million,” reads the LockBit 3.0 bug bounty page.

  2. Analysis of the Lockbit 3.0 ransomware attack:

The new version of LockBit (Lockbit 3.0 or LockBitBlack) uses a code protection mechanism where the presence of encrypted code sections in the binary hinders malware detection, especially when executed through automated analysis.

For the malware to execute correctly, the decryption key must be provided as an argument (-pass) when launching the malicious file; without this key the program simply crashes at the beginning of execution. The decryption key used to analyze the sample is reported as follows:

db66023ab2abcb9957fb01ed50cdfa6a

When the program starts, the first subroutine to be called (sub_41B000) is responsible for decrypting the encrypted part of the binary: it retrieves the decryption key from the execution parameters and passes it to the RC4 Key Scheduling Algorithm (KSA).

The section to decrypt is then located by reading the Process Environment Block (PEB).
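To make the unpacking step concrete, here is an added Python example (not the malware’s code and not from the page’s authors) of the RC4 routine an analyst writes to recover a packed section once the -pass value is known. RC4 is symmetric, so the same function encrypts and decrypts. The key derivation is an assumption: the example feeds the raw bytes of the password string to the KSA, whereas the real sample may transform the argument first. The “packed section” is constructed here so the script runs offline.

```python
# Added analyst-side RC4 example; the packed section below is constructed, not
# taken from the real sample, and the key derivation (raw password bytes) is
# an assumption about how -pass feeds the KSA.


def rc4_ksa(key: bytes) -> list:
    """RC4 Key Scheduling Algorithm: build the 256-entry permutation S from key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: list, length: int) -> bytes:
    """RC4 Pseudo-Random Generation Algorithm: emit `length` keystream bytes."""
    S = S[:]  # work on a copy so the scheduled state can be reused
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric): XOR data with the keystream."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


# Key string reported on the page for the analyzed sample.
SAMPLE_PASS = "db66023ab2abcb9957fb01ed50cdfa6a"

# Constructed stand-in for an encrypted code section: a common x86 function
# prologue (push ebp; mov ebp, esp; sub esp, 0x10) followed by a marker.
SECTION_PLAINTEXT = b"\x55\x8b\xec\x83\xec\x10" + b"decrypted-section-marker"
PACKED_SECTION = rc4_crypt(SAMPLE_PASS.encode(), SECTION_PLAINTEXT)


def unpack_section(password: str, packed: bytes = PACKED_SECTION) -> bytes:
    """Decrypt a packed section with the -pass string used as the RC4 key."""
    return rc4_crypt(password.encode(), packed)


def looks_like_x86_prologue(blob: bytes) -> bool:
    """Cheap sanity check after unpacking: does the section start with push ebp; mov ebp, esp?"""
    return blob.startswith(b"\x55\x8b\xec")


if __name__ == "__main__":
    section = unpack_section(SAMPLE_PASS)
    print("prologue found:", looks_like_x86_prologue(section))
    print(section[6:].decode())
```

With the wrong password the keystream is unrelated to the one used at packing time, so the output is noise rather than code, which is exactly why the sample crashes when launched without -pass: it jumps into bytes that were never decrypted. A prologue check like `looks_like_x86_prologue` is a quick way to confirm the key before loading the dump into a disassembler.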

The anti-analysis mechanism implemented by the malware involves the dynamic loading of Win32 APIs required to perform its malicious behavior.

The subroutine that loads the required APIs and maps them into memory can only be analyzed on the decrypted/unpacked version of the malware. APIs are resolved by calling a subroutine (sub_407C5C) that takes as input a string obfuscated by XOR with the key 0x4506DFCA and decrypts it to obtain the name of the Win32 API to resolve.
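The string recovery step above is simple enough to reproduce in a few lines, which is what an analyst does to dump the import list without stepping through sub_407C5C for every entry. The Python below is an added example, not the malware’s code and not from the page: it applies the page’s key 0x4506DFCA as a repeating little-endian 4-byte XOR stream (that byte order and the NUL-terminated entry format are assumptions) and decodes a table of entries. The table is constructed from API names chosen for illustration, not recovered from the sample.

```python
import struct

XOR_KEY = 0x4506DFCA  # key reported on the page for the API-name strings
# Assumption: the dword key is applied little-endian and repeats every 4 bytes.
KEY_STREAM = struct.pack("<I", XOR_KEY)


def xor_with_key(data: bytes, key_stream: bytes = KEY_STREAM) -> bytes:
    """XOR data against a repeating key stream (symmetric: encodes and decodes)."""
    return bytes(b ^ key_stream[i % len(key_stream)] for i, b in enumerate(data))


def obfuscate_name(name: str) -> bytes:
    """Build one obfuscated, NUL-terminated entry. Used here only to construct samples."""
    return xor_with_key(name.encode("ascii") + b"\x00")


def decode_api_name(blob: bytes) -> str:
    """Decrypt one entry and cut at the first NUL, as a resolver reading a C string would."""
    plain = xor_with_key(blob)
    end = plain.find(b"\x00")
    if end == -1:
        raise ValueError("no terminator found: wrong key or truncated entry")
    name = plain[:end]
    if not name.isascii() or not name.decode("ascii").isprintable():
        raise ValueError("decoded bytes are not a printable API name: wrong key?")
    return name.decode("ascii")


# Constructed table of obfuscated entries (API names picked to illustrate the
# format; they are not the sample's actual import list).
OBFUSCATED_TABLE = [
    obfuscate_name(n) for n in ("VirtualAlloc", "LoadLibraryA", "GetProcAddress")
]


def recover_import_table(table) -> list:
    """Decode every entry so the dynamically resolved imports can be reviewed at once."""
    return [decode_api_name(entry) for entry in table]


if __name__ == "__main__":
    for entry in OBFUSCATED_TABLE:
        print(entry.hex(), "->", decode_api_name(entry))
```

The printable-ASCII check matters in practice: with the wrong key (or the wrong byte order) a XOR decode still “succeeds” and returns garbage, so validating the result is how you tell which of the two assumptions was wrong. The recovered names are what you feed into a behavioural summary of the sample, since nothing in the static import table tells you what it will call.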

The analysis also revealed other parts of the code that were similar between the Lockbit 3.0 ransomware and the BlackMatter sample, suggesting a possible correlation between the threat groups implementing the two ransomware.

To hinder analysis, the LockBit 3.0 ransomware also uses string obfuscation, with strings decrypted by a simple XOR algorithm. For file encryption, the ransomware uses a multi-threaded approach. Files are encrypted using AES, and large files are not encrypted in full but only in part.
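Partial encryption of large files has a defensive consequence: a file can look mostly intact (low-entropy tail, original size) while its head is ciphertext, so whole-file entropy checks under-count damage. The Python below is an added example, not from the page or its authors, that scores a file chunk by chunk and separates plaintext, fully encrypted and partially encrypted files. The chunk size, the 7.0 bits/byte threshold and the sample files are my constructions; the “ciphertext” is seeded pseudo-random data standing in for AES output.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096      # assumption: score the file in 4 KB windows
HIGH_ENTROPY = 7.0     # bits per byte; encrypted/compressed data sits near 8.0


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk, head to tail."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes) -> str:
    """Label a file by how many of its chunks look encrypted."""
    ents = chunk_entropies(data)
    high = sum(e >= HIGH_ENTROPY for e in ents)
    if high == 0:
        return "plaintext"
    if high == len(ents):
        return "fully_encrypted"
    return "partially_encrypted"


def encrypted_prefix_bytes(data: bytes) -> int:
    """Bytes from the start of the file until the first low-entropy chunk.

    For a file encrypted only at its head, this estimates how much is lost;
    it is a lower bound on the damage, since later high-entropy runs are
    not counted.
    """
    prefix = 0
    for e in chunk_entropies(data):
        if e < HIGH_ENTROPY:
            break
        prefix += CHUNK_SIZE
    return min(prefix, len(data))


# Constructed samples (not real victim files). The pseudo-random bytes stand in
# for AES output; a seeded generator keeps the example deterministic.
_rng = random.Random(2022)


def _pseudo_cipher(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAIN_LOG = b"2022-03-16 10:00:01 INFO service heartbeat ok\n" * 1500  # ~69 KB of text
FULLY_ENCRYPTED = _pseudo_cipher(64 * 1024)
PARTIALLY_ENCRYPTED = _pseudo_cipher(16 * 1024) + PLAIN_LOG[16 * 1024:]  # head encrypted only


if __name__ == "__main__":
    for label, blob in (("log", PLAIN_LOG), ("full", FULLY_ENCRYPTED), ("partial", PARTIALLY_ENCRYPTED)):
        print(label, classify(blob), "encrypted head:", encrypted_prefix_bytes(blob))
```

Treat the result as a triage signal rather than proof: archives, images and other compressed formats are high-entropy by nature, so the classifier should be paired with the file’s expected type (magic bytes or the original extension recovered from the ransom-note pattern) before counting a file as damaged.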

  3. How to recover files from ransomware virus with Lockbit3.0 suffix?

Because of the encryption algorithm this virus uses, the encrypted files on each infected computer or server are different. The virus characteristics and the encryption of the affected files must be detected and analyzed independently to determine the most suitable recovery plan.

Considering the time, cost, risk and other factors involved in data recovery, if the data is not too important it is recommended to scan and disinfect the entire disk, format it and reinstall the system, and then put proper system security protection in place. If the infected data is valuable and recovery is necessary, you can follow “91 Data Recovery” for a free consultation to get help related to data recovery.

  4. Recommendations for system security protection measures:

Prevention is far more important than rescue, so in order to avoid such incidents, it is strongly recommended that you take the following protective measures on a daily basis:

① Patch office terminals and servers in a timely manner to fix vulnerabilities, including patches for operating systems and third-party applications, so that attackers cannot break into the system through known vulnerabilities.

② Close unnecessary ports, such as 139, 445 and 3389. High-risk ports that are not in use can be closed outright to reduce the risk of being attacked through vulnerabilities.

③ Equipment that does not provide external services should not be exposed to the public network, and systems that do provide external services should run with the lowest possible privileges.

④ Enterprise users should log in to office systems and servers with strong, non-predictable passwords: at least 8 characters long, including numbers, uppercase and lowercase letters, and symbols, and changed regularly.

⑤ Protect data with backups: back up key data and business systems (offline backup, off-site backup, cloud backup, virtual machine backup, etc.) so that data loss or encryption does not halt the business or force a compromise with the attackers.

⑥ Isolate sensitive data: network-isolate sensitive business systems and related data, so that double-extortion ransomware cannot easily steal sensitive data after an intrusion and threaten company business and confidential information.

⑦ Close unnecessary file shares.

⑧ Improve the professional skills of security operation and maintenance personnel, and regularly scan for and remove Trojans and viruses.