After the infamous Conti ransomware group was disbanded, its former members started to target energy and power sectors with a new unknown ransomware payload. The intelligence derived by Quick Heal researchers had already identified the Energy and Power sector as a segment prone to cyberattacks and had increased the vigil on the same. This proactive monitoring proved fruitful soon after we identified one of the recent premium entities attacked in this segment. Our investigation and analysis determined that the new LockBit 3.0 ransomware variant caused the infection. The same has been claiming its dominance over other ransomware groups this year.
Fig. 1 – Ransom Note
The entity that bore the brunt of this ransomware attack had endpoints at multiple locations, connected with each other & the server in a mesh-topology spread across numerous locations. From the logs of multiple systems and telemetry, we observed that Windows Sys-Internal tool PSEXEC was utilized from an unprotected system to execute the ransomware payload (Lock.exe) on all the systems laterally. The noteworthy observation was that only the shared drives were found to be encrypted.
Initial access was obtained via brute forcing techniques where multiple user names were used for lateral movement. The encryption timestamp was in the early morning of 27-June-2022. Anti-forensic activities were also observed, which cleared event logs, killed multiple tasks, and deleted services simultaneously.
The service PSEXESVC was first observed to be installed a week before the encryption, with successful SMB connections surging just before the encryption. Malicious BAT files were executed by the same service only on one endpoint:
- C:\Windows\system32\cmd.exe /c “”openrdp.bat” “
- C:\Windows\system32\cmd.exe /c “”mimon.bat” “
- C:\Windows\system32\cmd.exe /c “”auth.bat” “
- C:\Windows\system32\cmd.exe /c “”turnoff.bat” “
PSEXESVC executed the ransomware payload that must have a valid key passed along with the command-line option ‘-pass’. The encrypted files were appended with .zbzdbs59d extension which suggests that random generation was done with each payload.
Engine and ARW Telemetry show that the ransomware payload (Lock.exe) was detected at multiple locations on the same day. This shows that the payload was dropped in all these systems but was detected by AV.
All the sections on the payload are encrypted, which can only be decrypted bypassing the decryption key as a command-line parameter ‘-pass’. The key obtained for this sample is: 60c14e91dc3375e4523be5067ed3b111
The key is further processed to decrypt specific sections in memory that are obtained by traversing the PEB and later calls the decrypted sections.
Fig. 2 – Decrypting Sections
Being packed and having only a few imports, Win32 APIs are resolved by decrypting the obfuscated string with XOR using the key 0x3A013FD5.
Fig. 3 – Resolving Win32 APIs
When Admin privileges are not present during execution, it uses CMSTPLUA COM for UAC bypass to elevate the privileges with another instance of the ransomware payload, terminating the current process.
Fig. 4 – UAC Bypass
Service Deletion and Process Termination
Process terminated included SecurityHealthSystray.exe and the mutex created during execution was 13fd9a89b0eede26272934728b390e06. Services were enumerated using a pre-defined list and were deleted if found on the machine:
Threads used for file encryption were hidden from the debugger using NtSetInformationThread function with undocumented value (ThreadHideFromDebugger = 0x11) for ThreadInformationClass parameter.
Fig. 5 – NtSetInformationThread technique
Before starting file encryption, the malware associated an icon to encrypted files by creating and writing it into an image file in the C:\ProgramData directory as zbzdbs59d.ico. Files were encrypted by creating multiple threads where each filename was replaced with a random string generated and appending the extension to them.
Fig. 6 – Encrypted Filenames
The ransom note ‘zbzdbs59d.README.txt’ is created inside every directory except the Program Files and the Windows directory, which aren’t encrypted. It contains instructions to install the TOR browser, links for a chat along with the personal ID and ends with the warnings as usual. The victim machine’s wallpaper is modified with the name ‘LockBit Black’ and mentions the instructions to be followed:
Fig. 7 – Modified Wallpaper
As part of wiping out its traces, the ransomware disabled Windows Event Logs by setting multiple registry subkeys to value 0.
- sc stop “Undelete”
- sc delete “LTService”
- sc delete “LTSvcMon”
- sc delete “WSearch”
- sc delete “MsMpEng”
- net stop ShadowProtectSvc
- C:\Windows\system32\net1 stop ShadowProtectSvc
Shadow Volume Copies Deleted
- vssadmin.exe Delete Shadows /All /Quiet
Removal of all Active Network Connections
- net use * /delete /y
Exhaustive List of all the Logs
|reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” /v legalnoticecaption /t REG_SZ /d “ATTENTION to representatives!!!! Read before you log on” /f|
|reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” /v legalnoticetext /t REG_SZ /d “Your system has been tested for security and unfortunately your system was vulnerable. We specialize in file encryption and industrial (economic or corporate) espionage. We don’t care about your files or what you do, nothing personal – it’s just business. We recommend contacting us as your confidential files have been stolen and will be sold to interested parties unless you pay to remove them from our clouds and auction, or decrypt your files. Follow the instructions in your system” /f|
|reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f|
|reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f|
|reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f|
Unprotected systems in the network were brute-forced to run the PSEXEC tool for lateral movement across the systems to execute the ransomware payload. With LockBit 3.0 introducing its bug bounty program and adopting new extortion tactics, it is mandatory to take precautions like downloading applications only from trusted sources, using antivirus for enhanced protection, and avoiding clicking on any links received through email or social media platforms.
Subject Matter Experts
Umar Khan A
Sathwik Ram Prakki