LOCKBIT 3.0 Ransomware – Complete Malware Analysis Report

LockBit 3.0 is a sophisticated ransomware identified as a significant threat to organizations worldwide.

This ransomware variant is designed to encrypt files on infected systems, rendering them inaccessible until a ransom is paid.

LockBit is a ransomware-as-a-service (RaaS) group active since September 2018. LockBit has developed several variants: LockBit 1.0, LockBit 2.0, LockBit 3.0, and LockBit Green.

LockBit 3.0, also known as LockBit Black, was detected for the first time in 2018. Due to its complex architecture and encryption methods, it evades traditional scan engines.


LockBit 3.0 is known for its advanced encryption techniques, which make it difficult to decrypt files without the decryption key.

Ransomware is typically distributed through phishing emails or malicious websites, and once it infects a system, it spreads rapidly through the network, encrypting files on all connected devices.

LockBit 3.0 can also evade detection by traditional antivirus software, making it a dangerous threat.

According to security researcher Yusuf Amr, an initial inspection of the sample shows signs of malicious activity. The entry point is located within the ‘.itext’ section, which is highly suspicious.

The sample imports a set of APIs that are useful for reconnaissance purposes.

Several library imports and strings appear to be suspicious.

The sample is packed as shown below:

After the detonation of the malware sample, a ‘WerFault.exe’ process briefly appears under the ransomware process for a few seconds before disappearing.

By abusing the Windows Problem Reporting (WerFault.exe) error reporting tool, the ransomware is able to stealthily infect devices without raising any alarms on the breached system. This is achieved by launching the malware through a legitimate Windows executable.
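The WerFault.exe behaviour described above is something a detection engineer can look for in process-creation telemetry. The following is an added example, not code from the report or from the researcher: it runs a simple heuristic over constructed Sysmon-style process-creation records and flags WerFault.exe launches whose parent runs from a user-writable directory. The directory list and the field names are assumptions chosen for this example; a legitimate application crashing from such a path produces the same pattern, so this is a triage signal to correlate with other evidence, not a conviction on its own.

```python
from pathlib import PureWindowsPath

# Heuristic: WerFault.exe is normally started for processes running from
# system or Program Files locations. A parent executing from a user-writable
# path is worth a closer look. This prefix list is an assumption for the example.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\perflogs\\",
)

# Constructed Sysmon-like Event ID 1 records (not real telemetry from the sample).
CONSTRUCTED_EVENTS = [
    {   # Normal: the WER service host starts WerFault for a crashed process.
        "UtcTime": "2024-01-01 10:00:01",
        "Image": "C:\\Windows\\System32\\WerFault.exe",
        "CommandLine": "C:\\Windows\\system32\\WerFault.exe -u -p 4120 -s 1200",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "ParentProcessId": 1120,
    },
    {   # Normal: an installed application crashed and reported on itself.
        "UtcTime": "2024-01-01 10:02:15",
        "Image": "C:\\Windows\\System32\\WerFault.exe",
        "CommandLine": "C:\\Windows\\system32\\WerFault.exe -u -p 3300 -s 1204",
        "ParentImage": "C:\\Program Files\\Vendor\\app.exe",
        "ParentProcessId": 3300,
    },
    {   # Suspicious: WerFault spawned by an executable dropped in a public folder.
        "UtcTime": "2024-01-01 10:05:42",
        "Image": "C:\\Windows\\System32\\WerFault.exe",
        "CommandLine": "C:\\Windows\\system32\\WerFault.exe -u -p 5124 -s 1208",
        "ParentImage": "C:\\Users\\Public\\Downloads\\sample.exe",
        "ParentProcessId": 5124,
    },
    {   # Not WerFault at all; must be ignored by the rule.
        "UtcTime": "2024-01-01 10:05:40",
        "Image": "C:\\Users\\Public\\Downloads\\sample.exe",
        "CommandLine": "sample.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentProcessId": 2200,
    },
]


def parent_is_user_writable(parent_image: str) -> bool:
    """True when the parent executable lives under a user-writable directory."""
    return parent_image.lower().startswith(USER_WRITABLE_PREFIXES)


def flag_werfault_events(events):
    """Return the records where WerFault.exe was started by a parent from a
    user-writable path. Matching is on the image file name, case-insensitive."""
    hits = []
    for ev in events:
        image_name = PureWindowsPath(ev["Image"]).name.lower()
        if image_name != "werfault.exe":
            continue
        if parent_is_user_writable(ev["ParentImage"]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in flag_werfault_events(CONSTRUCTED_EVENTS):
        print(f'{hit["UtcTime"]} WerFault.exe spawned by {hit["ParentImage"]} '
              f'(PID {hit["ParentProcessId"]}): {hit["CommandLine"]}')
```

The `-p <pid>` argument in the WerFault command line names the faulting process, so an analyst can pivot from a hit straight to the parent's own creation event and its file on disk.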

Buffer overflow exceptions were encountered during the process of reading file attributes:

Typical ransomware behavior includes accessing system registry keys, such as those related to Desktop settings and shell folders.

Analyzing the network traffic in Wireshark shows that the ransomware sample initiated port scanning activity on the infected host.

Additionally, there are no external connections to any public IP addresses and no DNS queries to a command-and-control (C2) server, which confirms the static analysis conducted earlier: the first stage of the malware is focused on surveillance.
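The two network findings above (an internal port sweep and the absence of external contact) can both be checked mechanically against flow records exported from a capture. The following is an added example, not from the report: it runs a sliding-window distinct-port counter and an internal/external destination split over constructed flow tuples. The threshold, window length and the internal-network list are tuning assumptions for this example.

```python
import ipaddress
from collections import defaultdict

# Tuning assumptions for this example, not figures taken from the report.
SCAN_PORT_THRESHOLD = 20      # distinct destination ports from one source to one host
SCAN_WINDOW_SECONDS = 10.0    # sliding window in which they must occur

# Address space treated as "internal" for the external-contact check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed flow records (timestamp_seconds, src_ip, dst_ip, dst_port):
# three ordinary SMB/RPC connections, then a sweep of ports 1-30 on the gateway.
CONSTRUCTED_FLOWS = [
    (95.0, "192.168.56.101", "192.168.56.10", 445),
    (96.0, "192.168.56.101", "192.168.56.10", 135),
    (97.0, "192.168.56.101", "192.168.56.10", 139),
] + [
    (100.0 + i * 0.1, "192.168.56.101", "192.168.56.1", port)
    for i, port in enumerate(range(1, 31))
]


def detect_port_scans(flows, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """Report each (src, dst) pair that touches >= threshold distinct destination
    ports within any `window`-second span, once, as (src, dst, distinct_ports)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        in_window = {}          # port -> number of flows to it inside the window
        left = 0
        for ts, port in events:
            in_window[port] = in_window.get(port, 0) + 1
            # Slide the left edge forward until the window is `window` seconds wide.
            while ts - events[left][0] > window:
                old_port = events[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= threshold:
                alerts.append((src, dst, len(in_window)))
                break               # one alert per pair is enough for triage
    return alerts


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def external_destinations(flows):
    """Sorted list of destination IPs outside INTERNAL_NETS. An empty result is
    what the 'no external connections' finding looks like in flow data."""
    return sorted({dst for _, _, dst, _ in flows if not is_internal(dst)})


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(CONSTRUCTED_FLOWS):
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports in {SCAN_WINDOW_SECONDS}s")
    print("external destinations:", external_destinations(CONSTRUCTED_FLOWS) or "none")
```

The same two functions can be fed a later capture window to show when (or whether) the sample moves from surveillance to outbound contact.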

The malware employs a debugger evasion technique known as ‘Exception Flooding.’ The sample contains a significant number of function calls designed to cause a denial of service (DoS) on a debugger.


This issue can be mitigated by setting the exception code C0000005 in the debugger’s exception filter. For x64dbg specifically, if the exception code is not known in advance, the ‘Ignore Last’ feature can be utilized to add the most recent exception to the filter automatically.

Alternatively, this issue can be addressed by performing a patch of the file during analysis to replace these instructions with NOP (No Operation) bytes.

In this case the exception is an illegal-instruction exception, so it can be bypassed by replacing the offending instruction with NOPs.
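Patching the exception-raising instructions out of an analysis copy, as described above, requires translating the virtual addresses seen in the debugger into file offsets through the PE section table. The following is an added example, not code from the report or the researcher: it parses the section headers, maps an RVA to its raw file offset, and overwrites the given byte ranges with `0x90` (NOP). Because no sample file is available here, the block builds a tiny constructed PE skeleton with a single `.itext` section containing a `ud2` (illegal instruction) and a null-pointer read, and patches those; the section layout, RVAs and byte values are all constructed for the example.

```python
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes


def parse_sections(image: bytes):
    """Return [(name, virtual_address, virtual_size, raw_pointer, raw_size), ...]
    read from the PE section table of `image`."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]         # SizeOfOptionalHeader
    first = coff + 20 + opt_size                                     # first section header
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr, *_ = struct.unpack_from(
            SECTION_HEADER_FMT, image, first + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
    return sections


def rva_to_offset(sections, rva):
    """Map a relative virtual address to its file offset, refusing addresses that
    fall in a section's uninitialised (virtual-only) tail or outside every section."""
    for name, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            if delta >= rsize:
                raise ValueError(f"rva {rva:#x} is not backed by file data in {name}")
            return rptr + delta
    raise ValueError(f"rva {rva:#x} lies outside every section")


def nop_out(image: bytes, patches):
    """Return a copy of `image` with each (rva, length) range replaced by NOPs.
    The original buffer is left untouched so the unpatched sample stays intact."""
    sections = parse_sections(image)
    patched = bytearray(image)
    for rva, length in patches:
        off = rva_to_offset(sections, rva)
        patched[off:off + length] = b"\x90" * length
    return bytes(patched)


def build_constructed_image():
    """A minimal PE32+ skeleton constructed here for demonstration (not the LockBit
    sample): one '.itext' section mapped at RVA 0x1000 from file offset 0x400."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + bytearray(e_lfanew - 2)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0                                   # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    itext = struct.pack(SECTION_HEADER_FMT, b".itext\0\0",
                        0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + itext
    image = bytearray(headers) + bytearray(0x400 - len(headers))
    body = bytearray(0x200)
    body[0x10:0x12] = b"\x0f\x0b"            # ud2 at RVA 0x1010: illegal instruction
    body[0x20:0x24] = b"\x31\xc0\x8b\x00"    # xor eax,eax ; mov eax,[rax] at RVA 0x1020: access violation
    return bytes(image + body)


if __name__ == "__main__":
    original = build_constructed_image()
    patched = nop_out(original, [(0x1010, 2), (0x1020, 4)])
    off = rva_to_offset(parse_sections(original), 0x1010)
    print(f"RVA 0x1010 -> file offset {off:#x}; before {original[off:off+2].hex()} after {patched[off:off+2].hex()}")
```

Each replaced range must cover a whole instruction so the patched code stays decodable, which is why the lengths are supplied explicitly from the disassembly rather than guessed.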

The do_encoding function is a member function of the std::codecvt class of C++. It is used to perform encoding and decoding operations on character sequences.

The do_unshift function is also a member function of the std::codecvt class. It is used to perform unshifting operations on character sequences.

Overall, the ransomware is designed to evade detection by security software and prevent its discovery.

This includes employing obfuscation techniques to hide its presence on the victim’s computer and initiating a survey as the first stage of its operation.


Cyber Writes

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: business@cyberwrites.com
