LockBit ransomware takes just five minutes to begin its encryption routine on systems once it has invaded a victim's network. LockBit relies on automated processes for rapid deployment across victims' networks, locating valuable systems and locking them.
LockBit attacks leave few traces for security experts to analyze afterwards: the malware is loaded into system memory, and log archives and backup files are removed during execution.
After investigating eight attacks on smaller organizations, security researchers at Sophos were able to connect more of the components and get a clearer picture of how LockBit operates. In one case in particular, the attack started with a compromised Internet Information Server (IIS) running a remote PowerShell script, which in turn called another script embedded in a remote Google Sheets document. That script connected to a command-and-control (C&C) server to install a PowerShell module whose purpose was to add a backdoor and achieve persistence on the target system.
To evade detection and avoid showing up in the logs, the attacker renamed copies of PowerShell and of the Microsoft HTML Application host binary (mshta.exe). Sophos therefore named this incident the "PS Rename" attack.
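Renaming an executable changes the on-disk file name but not the name stored in its PE version information, which is what process-creation telemetry such as Sysmon Event ID 1 reports as OriginalFileName. The following detection check is an added example written for this article, not code from Sophos or from the report; the field names follow Sysmon's Image and OriginalFileName, the expected install directories are an assumption, and the events are constructed.

```python
"""Flag renamed or relocated copies of powershell.exe and mshta.exe in
process-creation telemetry (constructed example, Sysmon-style field names)."""
import ntpath

# PE version-info names of the two binaries renamed in the PS Rename incident.
WATCHED = {"powershell.exe", "mshta.exe"}

# Where the genuine binaries normally live (assumption for this example).
EXPECTED_DIRS = (
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Constructed sample events: one legitimate launch, two renamed copies,
# and one unrelated process that the check must ignore.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\Temp\svchost.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\ProgramData\update.exe",
     "OriginalFileName": "MSHTA.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]


def suspicious_reasons(event):
    """Return why a process-creation event looks like a renamed copy
    of a watched binary; an empty list means nothing suspicious."""
    original = event.get("OriginalFileName", "").lower()
    if original not in WATCHED:
        return []
    image = event.get("Image", "").lower()      # normalise case; Windows paths
    reasons = []
    if ntpath.basename(image) != original:
        reasons.append(f"renamed: {ntpath.basename(image)} is really {original}")
    if ntpath.dirname(image) not in EXPECTED_DIRS:
        reasons.append(f"unexpected path: {ntpath.dirname(image)}")
    return reasons


def scan(events):
    """Map each suspicious Image path to the list of reasons it was flagged."""
    return {e["Image"]: r for e in events if (r := suspicious_reasons(e))}
```

The same OriginalFileName mismatch shows up in Windows Defender and EDR process telemetry, so the check carries over to any source that records the PE-internal name alongside the on-disk path.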
The backdoor is responsible for installing attack modules and executing a VBScript that downloads and runs a second backdoor when the system reboots. Sean Gallagher, head of threats at Sophos, said the attack scripts also attempted to bypass the built-in Windows 10 Antimalware Scan Interface (AMSI) by patching it directly in memory.
Artifacts found on the attacked systems suggest the use of scripts based on the PowerShell Empire post-exploitation framework. The attackers' goal was to gather information about the victim's network, identify valuable systems, and check which security defenses were in place.
Gallagher added that these scripts used regular expressions to search the Windows registry for "very specific types of business software", such as point-of-sale or accounting systems.
The malicious code deployed the LockBit ransomware only if the targets proved to be of high value, Gallagher said.
According to BleepingComputer, once valuable targets were identified, the LockBit ransomware was launched in memory within five minutes using a Windows Management Instrumentation (WMI) command. In these attacks, the initial method of breach remains unknown. A report released in May by the security companies McAfee Labs and Northwave described in detail how LockBit ransomware gained access to a victim's network by brute-forcing an administrator's login on an old VPN service. Within three hours, the malware had encrypted about 25 servers and 225 computer systems.