Full Report
Community Feature - @cPeterr

Curated Intelligence member Chuong Dong has recently shared his findings in a blog after reverse engineering the infamous LockBit ransomware family, version 2.0. Most interestingly of all, Dong says "LockBit is definitely the most sophisticated ransomware I have taken a look at".

https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/

Dong's analysis shows that LockBit uses a hybrid-cryptography scheme of Libsodium's XSalsa20-Poly1305-Blake2b-Curve25519 and AES-128-CBC to encrypt files. The malware's configuration is XOR-encrypted and stored in static memory. Like REvil and BlackMatter, LockBit's child threads use a shared structure to divide the encryption work into multiple states while encrypting a file. With this elaborate multithreading architecture, LockBit's performance is relatively fast compared to most ransomware in the field.

Read Chuong Dong's previous Curated Intel features here. LockBit's cyber kill chain was covered previously by Curated Intel features here.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!
Analysis Summary
# Tool/Technique: LockBit Ransomware v2.0
## Overview
LockBit v2.0 is an advanced ransomware variant analyzed for its cryptographic scheme, multi-threading architecture, and performance relative to other ransomware families. It is considered by the analyst who reverse-engineered it to be "the most sophisticated ransomware" they have examined.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Not explicitly detailed, but ransomware typically targets Windows systems.
- Capabilities: File encryption using a hybrid cryptographic scheme, high-speed encryption through multithreading.
- First Seen: Analysis published on March 20, 2022.
## MITRE ATT&CK Mapping
*Note: Specific TTPs are inferred based on the nature of ransomware, particularly its encryption and speed.*
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol (implied for the initial communication/payload delivery that ransomware deployment requires)
- TA0040 - Impact
  - T1486 - Data Encrypted for Impact (the core ransomware behavior analyzed here)
## Functionality
### Core Capabilities
- **Hybrid Cryptography:** Employs a combination of Libsodium’s XSalsa20-Poly1305-Blake2b-Curve25519 and AES-128-CBC for file encryption.
- **Configuration Storage:** The malware's configuration data is stored in static memory and is XOR-encrypted.
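As an added example (not code from Curated Intel or from Dong's write-up), the following shows how an analyst recovers a repeating XOR key from a configuration blob of the kind described above and decodes the fields. The key length, the zero-padding heuristic and the sample config layout are assumptions constructed here, not LockBit's real format.

```python
from collections import Counter
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key_known_plaintext(blob: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Recover a repeating XOR key given `known` plaintext bytes located at
    `offset` in the decrypted config. `known` must span one full key period."""
    if len(known) < key_len:
        raise ValueError("known plaintext must cover at least key_len bytes")
    key = bytearray(key_len)
    for i, p in enumerate(known[:key_len]):
        key[(offset + i) % key_len] = blob[offset + i] ^ p
    return bytes(key)

def recover_key_null_heuristic(blob: bytes, key_len: int) -> bytes:
    """Assumption (analyst heuristic, not from the write-up): the plaintext
    config is mostly 0x00 padding, so at each key position the most frequent
    ciphertext byte equals key[pos] ^ 0x00, i.e. key[pos] itself."""
    return bytes(Counter(blob[pos::key_len]).most_common(1)[0][0]
                 for pos in range(key_len))

def decode_config(blob: bytes, key: bytes) -> list:
    """Decrypt the blob and split it into its NUL-separated string fields."""
    plain = xor_bytes(blob, key)
    return [field for field in plain.split(b"\x00") if field]

# Constructed sample: NUL-separated, zero-padded fields (not LockBit's real layout).
SAMPLE_KEY = bytes.fromhex("5ac30f91")
SAMPLE_FIELDS = [b"magic=CFG", b"ext=.example", b"note=README.txt"]
_plain = b"\x00".join(SAMPLE_FIELDS).ljust(256, b"\x00")  # padded static-memory blob
SAMPLE_BLOB = xor_bytes(_plain, SAMPLE_KEY)

if __name__ == "__main__":
    # Path 1: a known marker at a known offset pins down every key byte.
    k1 = recover_key_known_plaintext(SAMPLE_BLOB, b"magic=CFG", 0, len(SAMPLE_KEY))
    # Path 2: no known plaintext, only the padding statistics.
    k2 = recover_key_null_heuristic(SAMPLE_BLOB, len(SAMPLE_KEY))
    assert k1 == k2 == SAMPLE_KEY
    for field in decode_config(SAMPLE_BLOB, k1):
        print(field.decode())
```

Both recovery paths assume the key length is already known (for example from a constant-length XOR loop spotted in the disassembly); with an unknown length, run the null-byte heuristic over a small range of candidate lengths and keep the one whose decrypted output is printable.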
### Advanced Features
- **Efficient Multithreading:** Child threads utilize a shared structure to divide the workload of file encryption across multiple states, resulting in relatively fast encryption performance compared to many other ransomware strains.
- **Sophistication:** Described as the "most sophisticated ransomware" analyzed by the source, indicating complex internal workings.
## Indicators of Compromise
- File Hashes: N/A (No specific hashes provided in the context.)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Execution of file encryption routines utilizing high concurrency/multithreading patterns.
## Associated Threat Actors
- Threat actors associated with the LockBit operation (Not specified in detail within this context, but the ransomware family itself is tied to the LockBit group).
## Detection Methods
- Signature-based detection: Specific signatures for the known implementation of the hash functions and encryption libraries used.
- Behavioral detection: Detection of aggressive file system access patterns combined with rapid file modification indicative of high-speed encryption orchestrated across multiple threads.
- YARA rules: N/A
## Mitigation Strategies
- Prevention measures: Should focus on standard ransomware prevention like robust backup strategies (immutable and offline).
- Hardening recommendations: Patch management and network segmentation suitable for preventing initial access and lateral movement often preceding ransomware deployment.
## Related Tools/Techniques
- Similar to techniques used by other sophisticated ransomware families like REvil and BlackMatter in terms of adopting multi-threaded encryption architectures.
- Utilizes standard cryptographic primitives (XSalsa20-Poly1305, AES-128-CBC); their implementations inside the binary are worth monitoring for.