FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 195776

Introduction

LockBit 2.0 is a new LockBit variant that operates as ransomware as a service (RaaS). This variant has an enhanced propagation component, never before seen in this ransomware, that automatically distributes it throughout a domain.

FortiEDR protects against this ransomware variant by preventing it from executing when running in prevention mode.

Let's run FortiEDR in simulation mode to see how the LockBit ransomware behaves and how FortiEDR defends against it.

Execution

The ransomware is dropped and executed on the victim machine after initial access has been gained. When the ransomware is executed, it uses the Windows Command Shell to run the following commands:

o    vssadmin delete shadows /all /quiet – vssadmin is used to delete all volume shadow copies on the system.

o    wmic shadowcopy delete – the Windows Management Instrumentation (WMI) service is also used to delete volume shadow copies.

o    bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no – bcdedit is used to disable automatic Windows recovery features by modifying the boot configuration data.

The ransomware also runs the following command through the Windows Command Shell to keep its operation stealthy.

The command “fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q” overwrites the ransomware file with zeroes before deleting it. The ping command at the start of the command line serves as a delay mechanism, because the file is locked while it is being overwritten. The threat actor wants to make sure the malware file is unrecoverable for forensic analysis.

FortiEDR detects and blocks the attempt to overwrite the ransomware file using fsutil.exe in the following event.

When the ransomware is executed on a compromised domain controller, the threat actor is able to deploy group policies to all machines joined to the domain. The newly deployed group policies disable Windows Defender real-time protection and various other alerting and reporting mechanisms on the victim machines. The ransomware then queries the domain for the list of computers and copies itself to every machine on that list. The PowerShell command used to push the group policy update is shown in the threat hunting telemetry captured by FortiEDR below.

The PowerShell command “Get-ADComputer -filter * -Searchbase 'DC=TESTDOMAIN,DC=LOCAL' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}” is used to push the group policy update to all the machines in the domain.

Defense Evasion

The LockBit ransomware creates the Registry.pol file, which contains the Group Policy settings in registry format and is loaded when the operating system boots.

The Registry.pol file includes the following registry settings for disabling Windows Defender and its real-time monitoring and for suppressing notifications.

FortiEDR detects and blocks the attempt to update group policies using PowerShell in the event below.

Persistence

To maintain persistence, the ransomware creates a new registry value under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” so that it runs at each startup.

FortiEDR prevents the ransomware from modifying OS settings in the following event.

FortiEDR also triggers the following events for the LockBit ransomware file.

Invalid Checksum

Each executable file in the system has a checksum associated with it. In this case the checksum was incorrect. An invalid checksum is rare on legitimate software and usually indicates a program that was not compiled or updated properly.

Malicious File Detected

The file was identified as malicious by our machine-learning engine or by other means, based on analysis of the file.

Unconfirmed Executable - Executable File Failed Verification Test

Each executable file in the operating system has a well-defined file format. This file format has many fields that the operating system does not enforce, but which may be used by malware to complicate its analysis. This rule's severity is Medium because it may also indicate an unwanted program, an application protector, or simply an application that was improperly compiled.

Inhibit System Recovery

The ransomware accesses the WMI (Windows Management Instrumentation) service to delete all volume shadow copies and so inhibit system recovery. The FortiEDR ransomware prevention policy detects the service access and prevents the ransomware from deleting the shadow copies.

vssadmin.exe is the command-line interface for the Microsoft Volume Shadow Copy Service. The attempt to delete shadow copies with vssadmin.exe is blocked by FortiEDR in the event below.

FortiEDR prevents an attempt to disable automatic recovery using bcdedit.exe (the boot configuration data editor) in the following event.

Lateral Movement

The following event is triggered when the LockBit 2.0 ransomware scans the network in preparation for lateral movement.

The LockBit ransomware's scanning of ports 135 and 445 is captured by the FortiEDR threat hunting telemetry. Port 135 is used for RPC client-server communication and port 445 is used for authentication and file sharing.

Impact

The LockBit ransomware encrypts user files by replacing the plaintext with the encrypted content and then renames the files with the extension .lockbit. The “File Encryptor” rule under ransomware prevention detects and blocks the file encryption in the following event.

After successfully encrypting user files, it drops a ransom note, “Restore-My-Files.txt”, with instructions on restoring the files.

FortiEDR detects and blocks the creation of the ransom note in the event below.

The ransomware also creates a NukeOnDelete value under the following registry path, with the data set to 0, which disables immediate deletion (i.e. it enables use of the Recycle Bin for deleted files). It also creates a MaxCapacity registry value to change the capacity of the Recycle Bin.
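As an added example (not part of this article and not FortiEDR's own logic), a minimal Python heuristic for the two file-system signals described in this section: a burst of renames to .lockbit under user directories and the creation of Restore-My-Files.txt. It runs over constructed sample file events; the process names, paths and thresholds are made up.

```python
from collections import defaultdict

RANSOM_EXT = ".lockbit"                # extension appended to encrypted files (from the article)
RANSOM_NOTE = "restore-my-files.txt"   # ransom note name (from the article), compared case-insensitively
USER_DIR = "c:\\users\\"               # only count activity under user profiles
WINDOW_SECONDS = 60                    # sliding window per process (assumed value)
RENAME_THRESHOLD = 5                   # renames to .lockbit within one window that raise an alert

# Constructed sample telemetry: (timestamp_seconds, action, path, process_name).
# "sample.exe" is a made-up name standing in for the ransomware binary.
SAMPLE_FILE_EVENTS = (
    [(10.0 + i * 0.2, "rename", f"C:\\Users\\alice\\Documents\\doc{i}.docx.lockbit", "sample.exe")
     for i in range(6)]
    + [(12.0, "create", "C:\\Users\\alice\\Documents\\Restore-My-Files.txt", "sample.exe"),
       # benign noise: two renames from another tool and an editor saving a file
       (20.0, "rename", "C:\\Users\\bob\\Desktop\\a.txt.lockbit", "backup.exe"),
       (20.5, "rename", "C:\\Users\\bob\\Desktop\\b.txt.lockbit", "backup.exe"),
       (30.0, "write", "C:\\Users\\bob\\notes.txt", "notepad.exe")]
)

def detect_ransomware(events):
    """Return {process_name: [reasons]} for processes showing LockBit-like file activity.

    Two signals: RENAME_THRESHOLD renames to RANSOM_EXT inside user directories within
    WINDOW_SECONDS, and creation of the ransom note.  Events may arrive unsorted.
    """
    alerts = defaultdict(list)
    recent = defaultdict(list)        # process -> timestamps of its recent .lockbit renames
    for ts, action, path, proc in sorted(events):
        low = path.lower()
        if not low.startswith(USER_DIR):
            continue
        if action == "rename" and low.endswith(RANSOM_EXT):
            window = [t for t in recent[proc] if ts - t <= WINDOW_SECONDS] + [ts]
            recent[proc] = window
            if len(window) == RENAME_THRESHOLD:   # fire once, when the threshold is crossed
                alerts[proc].append(f"{RENAME_THRESHOLD} renames to {RANSOM_EXT} within {WINDOW_SECONDS}s")
        elif action == "create" and low.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            alerts[proc].append(f"ransom note created: {path}")
    return dict(alerts)

if __name__ == "__main__":
    for proc, reasons in detect_ransomware(SAMPLE_FILE_EVENTS).items():
        print(proc, "->", "; ".join(reasons))
```

The backup.exe renames stay below the threshold and notepad.exe never touches a .lockbit file, so only sample.exe is reported.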

Thus, FortiEDR's advanced real-time detection, together with FortiCloud services, detects and blocks the intrusion at every stage.

Threat Hunting

The following queries can be used in FortiEDR v5 Threat Hunting to identify potentially anomalous events associated with this intrusion:

To detect process creation events associated with bcdedit.exe that disable automatic recovery:

Type:("Process Creation") AND Target.Process.Name:("bcdedit.exe") AND Target.Process.CommandLine:("*recoveryenabled no*")

To detect process creation events associated with vssadmin that delete volume shadow copies:

Type:("Process Creation") AND Target.Process.Name:("vssadmin.exe") AND Target.Process.CommandLine:("*delete shadows*")

To detect process creation events associated with wmic that delete volume shadow copies:

Type:("Process Creation") AND Target.Process.Name:("wmic.exe") AND Target.Process.CommandLine:("*shadowcopy delete*")

This query detects process creation events that call the Invoke-GPUpdate cmdlet on the domain controller to update the group policy settings:

Type:("Process Creation") AND Target.Process.Name:("powershell.exe") AND Target.Process.CommandLine:("*Invoke-GPUpdate*")

This query looks for PowerShell processes that connect to an external IP address:

Source.Process.Name:("powershell.exe") AND _exists_:RemoteIP

To detect unsigned programs that attempt to maintain persistence through the Run key:

Registry.Path: ("*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") AND Type: ("Value Created") AND Source.Process.File.Signed:false
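As an added example (not from the article and not FortiEDR code), the hunting queries above expressed as a small Python rule matcher and run over constructed sample events. The field names follow the queries; the event values and rule labels are made up, and the glob semantics are an assumption standing in for the Threat Hunting query engine.

```python
import fnmatch

# Constructed sample events in the field layout of the queries above (values are made up).
SAMPLE_EVENTS = [
    {"Type": "Process Creation", "Target.Process.Name": "bcdedit.exe",
     "Target.Process.CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Type": "Process Creation", "Target.Process.Name": "vssadmin.exe",
     "Target.Process.CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Type": "Process Creation", "Target.Process.Name": "wmic.exe",
     "Target.Process.CommandLine": "wmic shadowcopy delete"},
    {"Type": "Process Creation", "Target.Process.Name": "powershell.exe",
     "Target.Process.CommandLine": "Get-ADComputer -filter * | foreach{ Invoke-GPUpdate -computer $_.name -force }"},
    {"Type": "Value Created", "Source.Process.File.Signed": False,
     "Registry.Path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    # Benign noise: a signed installer writing its own Run key must not match.
    {"Type": "Value Created", "Source.Process.File.Signed": True,
     "Registry.Path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
]

# One rule per hunting query: (label, {field: expected}).  String values are
# case-insensitive globs, as in the "*...*" patterns above; other values must be equal.
RULES = [
    ("T1490 bcdedit disables recovery", {"Type": "Process Creation",
     "Target.Process.Name": "bcdedit.exe", "Target.Process.CommandLine": "*recoveryenabled no*"}),
    ("T1490 vssadmin deletes shadows", {"Type": "Process Creation",
     "Target.Process.Name": "vssadmin.exe", "Target.Process.CommandLine": "*delete shadows*"}),
    ("T1490 wmic deletes shadows", {"Type": "Process Creation",
     "Target.Process.Name": "wmic.exe", "Target.Process.CommandLine": "*shadowcopy delete*"}),
    ("T1059.001 Invoke-GPUpdate push", {"Type": "Process Creation",
     "Target.Process.Name": "powershell.exe", "Target.Process.CommandLine": "*Invoke-GPUpdate*"}),
    ("T1547.001 unsigned Run key write", {"Type": "Value Created",
     "Registry.Path": "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "Source.Process.File.Signed": False}),
]

def field_matches(actual, expected):
    """Glob-match strings case-insensitively; compare anything else for equality."""
    if isinstance(expected, str):
        return isinstance(actual, str) and fnmatch.fnmatchcase(actual.lower(), expected.lower())
    return actual == expected

def hunt(events, rules=RULES):
    """Return (label, event) pairs for every event satisfying all fields of a rule."""
    return [(label, ev) for ev in events for label, cond in rules
            if all(field_matches(ev.get(f), v) for f, v in cond.items())]

if __name__ == "__main__":
    for label, ev in hunt(SAMPLE_EVENTS):
        print(label, "<-", ev.get("Target.Process.CommandLine") or ev.get("Registry.Path"))
```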

MITRE ATT&CK

The following is a summary of the MITRE ATT&CK techniques observed and the mitigation strategies recommended:

TA0002: Execution

Technique ID: T1059.001
Technique Description: Command and Scripting Interpreter: PowerShell
Observed Activity: The threat actor used a PowerShell script to update the group policies and disable Windows Defender on the domain user machines.
Mitigation:
If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.
Look for PowerShell making external connections; this is another indicator of malicious activity. While some administrative actions perform this behavior, these should be whitelisted through a suitable EDR, such as FortiEDR.
Turn on PowerShell logging to get a better understanding of what happens during execution. For more information, see Defenses Against PowerShell Attacks.

Technique ID: T1059.003
Technique Description: Command and Scripting Interpreter: Command Shell
Observed Activity: The threat actor used the Windows command shell to execute various commands to delete volume shadow copies and inhibit system recovery.
Mitigation: Monitor processes and command-line arguments for script execution and subsequent behavior. Scripts are likely to perform actions that result in post-compromise behaviors, and these actions could be used as indicators of detection leading back to the source script.

TA0003: Persistence

Technique ID: T1547.001
Technique Description: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Observed Activity: The adversary achieved persistence by adding the ransomware file to the registry Run key. Adding an entry to the "run keys" in the Registry or to the startup folder causes the referenced program to be executed when a user logs in.
Mitigation: Monitor the Registry for changes to Run keys that do not correlate with known software, patch cycles, etc.

TA0005: Defense Evasion

Technique ID: T1562
Technique Description: Impair Defenses
Observed Activity: The adversary disabled Windows Defender in the victim environment in order to hinder or disable defensive mechanisms.
Mitigation: Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services that correspond to security tools.

TA0043: Reconnaissance

Technique ID: T1595.001
Technique Description: Active Scanning: Scanning IP Blocks
Observed Activity: The adversary scanned victim IP blocks to gather information that can be used during lateral movement.
Mitigation: Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities of traffic originating from a single source.

TA0040: Impact

Technique ID: T1490
Technique Description: Inhibit System Recovery
Observed Activity: The threat actor used the native Windows utilities vssadmin.exe, wmic and bcdedit.exe to disable or delete system recovery features.
Mitigation: Use process monitoring to monitor the execution and command-line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wmic, and bcdedit.

Technique ID: T1486
Technique Description: Data Encrypted for Impact
Observed Activity: The threat actor encrypted files on the targeted systems using the AES encryption algorithm and dropped a ransom note for the user.
Mitigation: Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.

IOC

4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd

The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile.