
LockBit 3.0 Update | Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques

LockBit 3.0 is the latest generation of the notorious LockBit ransomware, and its newest anti-analysis and evasion features are designed to frustrate security researchers and avoid detection.

This article unpacks the anti-analysis and evasion techniques used in LockBit 3.0.

LockBit 3.0 encrypts files with the AES algorithm using a 256-bit key, a true 256-bit AES implementation.

After encryption, it moves all the encrypted files into a hidden folder under %systemroot%.

This article first looks at the changes made in LockBit 3.0, then opens the code to find out what LockBit 3.0 is doing. Finally, it examines some of its anti-analysis features and evasion techniques.

LockBit 3.0 Changes

The same old LockBit ransomware has been updated to version 3.0. To see the list of changes, I downloaded the latest version from here:

LockBit 3.0 now adds one more folder, %appdata_local%, to its encryption routine, so that it can install and run a browser application that steals your banking credentials without your knowledge.

The malware processes files as follows: when LockBit 3.0 encrypts a file it uses the current date as a key, so you may see a name like “_2017-11-15_00001.xxls”.

It uses the %systemroot% directory to store all the encrypted files, then modifies the registry so that LockBit 3.0 is launched during Windows startup.

In addition, LockBit 3.0 adds a Registry value named “random” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ (if that key exists), which is central to its persistence mechanism and to the execution of the browser application.

LockBit 3.0 is designed to launch a browser application that steals your banking credentials, using the current date as a key. This feature makes it a significant threat.

To achieve persistence, the malware adds a Registry value named “random” to HKLM\Software\Microsoft\Windows\CurrentVersion\Run, which invokes the URLDownloadToFile function so that the browser application is started at Windows startup.
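A defender-side check for the persistence indicators the article describes, added here as an illustration and not taken from the article or from any LockBit sample: it parses `reg query` output for the Run key and flags a value literally named “random” or one launching from AppData\Local. The registry dump below is constructed for the example; the paths and value names are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg query HKLM\...\CurrentVersion\Run` prints.
# Not real telemetry: the "random" entry and its path are invented to
# mirror the indicators described in the text.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    random    REG_SZ    C:\Users\Public\AppData\Local\browser_update.exe
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
"""

# One indented value line: <name> <REG_TYPE> <data>; the name is matched
# lazily so that names containing spaces still parse.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn `reg query` output into {key, name, type, data} records."""
    records: List[Dict[str, str]] = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line is a key path
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            records.append({"key": current_key, **m.groupdict()})
    return records


def find_suspicious_run_values(
    records: List[Dict[str, str]],
) -> List[Tuple[str, str, List[str]]]:
    """Flag Run-key values matching the article's indicators and say why."""
    hits = []
    for r in records:
        if not r["key"].lower().endswith(r"\currentversion\run"):
            continue
        reasons = []
        if r["name"].lower() == "random":
            reasons.append("value name 'random'")
        if "appdata\\local" in r["data"].lower():
            reasons.append("launches from AppData\\Local")
        if reasons:
            hits.append((r["name"], r["data"], reasons))
    return hits
```

On a live host, feed the function the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU equivalent) instead of the constructed sample.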

Unpacking LockBit 3.0 Ransomware

Ransomware rarely uses packing or obfuscation methods to protect its code, because it is designed to conceal itself to avoid detection and analysis by malware reverse engineers.

After unpacking, the sample was opened in IDA Pro, and the use of encryption routines in its code was examined to determine how it works.

Comparing the original LockBit code with the LockBit 3.0 code shows that LockBit 3.0 uses AES encryption with a 256-bit key (version 2.0 also used 256-bit AES) and a true 256-bit AES algorithm. The malware also adds a random key to hinder reverse engineering by researchers.

Source: LockBit 3.0 Update | Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques - AlienVault - Open Threat Exchange
