Created on 08-24-2021 01:34 AM Edited on 08-29-2022 06:34 AM By Anthony_E
Introduction
LockBit 2.0 is a new LockBit variant that operates as ransomware as a service (RaaS). This LockBit variant has an enhanced propagation component, which has never been seen in this ransomware before, and will automatically distribute itself throughout a domain.
FortiEDR protects against this ransomware variant by preventing it from being executed in prevention mode.
Let's run FortiEDR in simulation mode to see how the LockBit ransomware behaves and how FortiEDR defends against it.
Execution
The ransomware is dropped and executed on the victim machine after the attacker gains initial access. When the ransomware is executed, it uses the Windows Command Shell to run the following commands:
- vssadmin delete shadows /all /quiet – vssadmin is used to delete all volume shadow copies on the system.
- wmic shadowcopy delete – the Windows Management Instrumentation service is also used to delete volume shadow copies.
- bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no – bcdedit is used to disable the automatic Windows recovery features by modifying the boot configuration data.
The ransomware executes the following command using the Windows command shell to maintain a stealthy operation.
The command “fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q” overwrites the ransomware's own file with zeroes before deleting it. The ping command at the beginning serves as a delay mechanism, because the file would otherwise still be locked while it is being overwritten. The threat actor wants to make sure the malware file is unrecoverable for forensic analysis.
FortiEDR detects and blocks the attempt to overwrite the ransomware file using fsutil.exe in the following event.
When the ransomware is executed on a compromised domain controller, the threat actor is able to deploy group policies to all machines connected to the domain. The newly deployed group policies disable Windows Defender real-time protection and various other alerting and reporting mechanisms on the victim machines. The ransomware then queries the domain for the list of machines and copies itself to every machine on that list. The PowerShell command used to update the group policy is shown in the threat hunting telemetry captured by FortiEDR below.
The PowerShell command “Get-ADComputer -filter * -Searchbase 'DC=TESTDOMAIN,DC=LOCAL' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}” is used to push the group policy update to all the machines in the domain.
Defense Evasion
The LockBit ransomware creates the Registry.pol file, which contains the Group Policy settings in Registry format and is loaded when the operating system boots.
The Registry.pol file includes the following registry settings for disabling Windows Defender and real-time monitoring and for suppressing notifications.
FortiEDR detects and blocks the attempt to update group policies using PowerShell in the event below.
Persistence
To maintain persistence, the ransomware creates a new registry value under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” so that it runs at each startup.
FortiEDR prevents the ransomware from modifying OS settings in the following event.
FortiEDR also triggers the following events for the LockBit ransomware file.
Malicious File Detected
The file was identified as malicious by our machine-learning engine or by other means, based on analysis of the file.
Inhibit System Recovery
The ransomware accesses the WMI (Windows Management Instrumentation) service to delete all volume shadow copies and so inhibit system recovery. The FortiEDR ransomware prevention policy detects the service access and prevents the ransomware from deleting the shadow copies.
vssadmin.exe is the command-line interface for the Microsoft Volume Shadow Copy Service. The attempt to delete shadow copies with vssadmin.exe is blocked by FortiEDR in the event below.
FortiEDR prevents an attempt to disable automatic recovery using bcdedit.exe (boot configuration data) in the following event.
Lateral Movement
The following event is triggered when LockBit 2.0 ransomware attempts to scan the network for lateral movement.
The LockBit ransomware scanning for ports 135 and 445 is captured by the FortiEDR threat hunting telemetry. Port 135 is used for RPC client-server communication and 445 is used for authentication and file sharing.
Impact
The LockBit ransomware encrypts user files by replacing the plaintext with the encrypted content and then renames the files with the extension .lockbit. The “File Encryptor” rule under ransomware prevention detects and blocks the file encryption in the following event.
After successfully encrypting user files, it drops a ransom note “Restore-My-Files.txt” with instructions on restoring the files.
FortiEDR detects and blocks the creation of the ransom note in the event below.
The ransomware also creates a NukeOnDelete value under the following registry path with its data set to 0, which disables immediate deletion (i.e., deleted files are sent to the Recycle Bin instead). It also creates a MaxCapacity registry value to change the capacity of the Recycle Bin.
Thus, FortiEDR's advanced real-time detection, together with FortiCloud services, detects and blocks the intrusion at every stage.
Threat Hunting
The following queries can be used in FortiEDR v5 Threat Hunting to identify potential anomalous events associated with this intrusion:
To detect process creation events associated with bcdedit.exe that disable automatic recovery:
Type:("Process Creation") AND Target.Process.Name:("bcdedit.exe") AND Target.Process.CommandLine:("*recoveryenabled no*")
To detect process creation events associated with vssadmin that delete volume shadow copies:
Type:("Process Creation") AND Target.Process.Name:("vssadmin.exe") AND Target.Process.CommandLine:("*delete shadows*")
To detect process creation events associated with wmic that delete volume shadow copies:
Type:("Process Creation") AND Target.Process.Name:("wmic.exe") AND Target.Process.CommandLine:("*shadowcopy delete*")
This query can be used to detect process creation events on the domain controller that call the Invoke-GPUpdate cmdlet to update the group policy settings:
Type:("Process Creation") AND Target.Process.Name:("powershell.exe") AND Target.Process.CommandLine:("*Invoke-GPUpdate*")
This query will look for PowerShell processes that connect to an external IP address:
Source.Process.Name:("powershell.exe") AND _exists_:RemoteIP
To detect malicious programs (unsigned) that attempt to maintain persistence:
Registry.Path: ("*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") AND Type: ("Value Created") AND Source.Process.File.Signed:false
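As an added example (not part of the original article or FortiEDR itself), the six hunting queries above rewritten as Python rules and run over constructed telemetry records; the field names are the ones used in the queries, while the event records and rule names are assumptions made for illustration.

```python
"""Runs the article's FortiEDR threat-hunting queries, rewritten as Python
rules, over constructed telemetry. Field names come from the queries above;
the sample events are constructed for illustration, not FortiEDR output."""
import fnmatch

def proc_rule(name, exe, pattern):
    """Process-creation rule: Type + Target.Process.Name + command-line term."""
    return (name, {"Type": "Process Creation", "Target.Process.Name": exe,
                   "Target.Process.CommandLine": pattern})

# A string value is a case-insensitive wildcard term like "*delete shadows*";
# None means the field only has to exist (the _exists_: operator).
RULES = [
    proc_rule("bcdedit disables auto recovery", "bcdedit.exe", "*recoveryenabled no*"),
    proc_rule("vssadmin deletes shadow copies", "vssadmin.exe", "*delete shadows*"),
    proc_rule("wmic deletes shadow copies", "wmic.exe", "*shadowcopy delete*"),
    proc_rule("PowerShell pushes Invoke-GPUpdate", "powershell.exe", "*Invoke-GPUpdate*"),
    ("PowerShell connects to a remote IP",
     {"Source.Process.Name": "powershell.exe", "RemoteIP": None}),
    ("unsigned process writes a Run key value",
     {"Type": "Value Created", "Source.Process.File.Signed": False,
      "Registry.Path": r"*\Software\Microsoft\Windows\CurrentVersion\Run"}),
]

def field_matches(event, field, expected):
    """True if one query term holds: exists / wildcard string / exact value."""
    if field not in event:
        return False
    if isinstance(expected, str):
        return fnmatch.fnmatchcase(str(event[field]).lower(), expected.lower())
    return expected is None or event[field] == expected

def matching_rules(event):
    """Names of every rule whose terms all hold for this event."""
    return [name for name, terms in RULES
            if all(field_matches(event, f, v) for f, v in terms.items())]

# Constructed events modelled on the commands quoted in the article.
SAMPLE_EVENTS = [
    {"Type": "Process Creation", "Target.Process.Name": "vssadmin.exe",
     "Target.Process.CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Type": "Process Creation", "Target.Process.Name": "powershell.exe",
     "Target.Process.CommandLine": "Get-ADComputer -filter * | foreach{ "
                                   "Invoke-GPUpdate -computer $_.name -force }"},
    {"Type": "Value Created", "Source.Process.File.Signed": False,
     "Registry.Path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"Type": "Process Creation", "Target.Process.Name": "vssadmin.exe",
     "Target.Process.CommandLine": "vssadmin list shadows"},  # benign: no hit
]
```

The last event shows why the command-line term matters: a backup job merely listing shadow copies runs the same vssadmin.exe but triggers nothing.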
MITRE ATT&CK
The following is a summary of the MITRE techniques observed and the mitigation strategies recommended:
| Technique ID | Technique Description | Observed Activity | Mitigation |
| --- | --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | The threat actor used a PowerShell script to update the group policies to disable Windows Defender on the domain user machines. | If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. |
| T1059.003 | Command and Scripting Interpreter: Command Shell | The threat actor used the Windows command shell to execute various commands to delete volume shadow copies and inhibit system recovery. | Monitor processes and command-line arguments for script execution and subsequent behavior. |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The adversary achieved persistence by adding the ransomware file to the registry Run key. Adding an entry to the "run keys" in the Registry or the startup folder causes the referenced program to be executed when a user logs in. | Monitor the Registry for changes to Run keys that do not correlate with known software, patch cycles, etc. |
TA0005: Defense Evasion
| Technique ID | Technique Description | Observed Activity | Mitigation |
| --- | --- | --- | --- |
| T1562 | Impair Defenses | The adversary disabled Windows Defender in the victim environment in order to hinder or disable defensive mechanisms. | Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services that correspond to security tools. |
| T1595.001 | Active Scanning: Scanning IP Blocks | The adversary scanned victim IP blocks to gather information that can be used during lateral movement. | Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities of connections originating from a single source. |
TA0040: Impact
| Technique ID | Technique Description | Observed Activity | Mitigation |
| --- | --- | --- | --- |
| T1490 | Inhibit System Recovery | The native Windows utilities vssadmin.exe, wmic and bcdedit.exe were used by the threat actor to disable or delete system recovery features. | Use process monitoring to monitor the execution and command-line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wmic, and bcdedit. |
| T1486 | Data Encrypted for Impact | The threat actor encrypted files on the targeted systems using the AES encryption algorithm and dropped a ransom note to the user. | Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories. |
IOC
4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd