This month the Lockbit ransomware gang announced their first Bug Bounty program as part of their evolution into Lockbit 3.0.  A first sample of the new version was published by Arda Büyükkaya. According to their new ransomware wallpaper that appears after encryption, this specific version has been named ‘Lockbit Black’, which interestingly follows their new execution method which is pretty similar to the BlackCat ransomware execution method. There are actually even more similarities between the two ransomwares. 

Lockbit Black – Execution 

 The new Lockbit ransomware requires a “pass” to be supplied as a parameter upon execution, Similar to BlackCat with requires an “access-token”. The “pass” for the published sample was also provided by Arda Büyükkaya: 

 

 

Figure 1 – The execution command 

Lockbit Black – Packer and dynamic imports 

Lockbit Black is well packed, and its imports table is almost empty. Most API functions calls are resolved dynamically by calling a trampoline function which decrypts the API function using XOR encryption: 

Figure 2 – Trampoline function performing XOR encryption 

Lockbit Black – UAC bypass 

When executing without Admin privileges, Lockbit Black (much like its previous versions) performs a CMSTPLUA COM UAC bypass. 

Lockbit Black – Service Delete and Process Termination 

Lockbit Black enumerates services and processes against a pre-defined “Blacklist”. The new version however has a much shorter list than its predecessors. The list is effectively a “Blacklist”, and all services that appear in the list are designated to be either deleted. The service list of the new version seems like a combined and shorter version of the services that were previously deleted by Lockbit and BlackCat together and contains: 

  1. vss 
  2. sql 
  3. svc$ 
  4. memtas 
  5. mepocs 
  6. msexchange 
  7. sophos 
  8. veeam 
  9. backup 
  10. GxVss 
  11. GxBlr 
  12. GxFWD 
  13. GxCVD 
  14. GxCIMgr 

Figure 3 – Service deletion by Lockbit Black 

The new Lockbit also uses the same method to terminate a number of processes if they are found to be running on victim’s PC: 

  1. sql 
  2. oracle 
  3. ocssd 
  4. dbsnmp 
  5. synctime 
  6. agntsvc 
  7. isqlplussvc 
  8. xfssvccon 
  9. mydesktopservice 
  10. ocautoupds 
  11. ncsvc 
  12. firefox 
  13. tbirdconfig 
  14. mydesktopqos 
  15. ocomm 
  16. dbeng50 
  17. sqbcoreservice 
  18. excel 
  19. infopath 
  20. msaccess 
  21. mspub 
  22. onenote 
  23. outlook 
  24. powerpnt 
  25. steam 
  26. thebat 
  27. thunderbird 
  28. visio 
  29. winword 
  30. wordpad 
  31. notepad 

Lockbit Black – Default language check 

Previous versions of the Lockbit ransomware performed a default language check on the system and the current user through the Windows API calls GetSystemDefaultUILanguage and GetUserDefaultUILanguage. If the language code identifier matched the one specified, the program shuts down. The new version seems to extend the country list to also include Syria: 

 

New Version 
419 – Russian 
422 – Ukrainian 
423 – Belarusian 
428 – Tajik 
42B – Armenian 
42C – Azerbaijani (Latin) 
437 – Georgian  
43F – Kazakh 
440 – Kyrgyz  
442 – Turkmen  
443 – Uzbek (Latin) 
444 – Tatar 
818 – Romanian (Moldova) 
819 – Russian (Moldova) 
82C – Azerbaijani (Cyrillic) 
843 – Uzbek (Cyrillic) 
2801 – Arabic (Syria) 

Lockbit Black – Mutex 

Lockbit Black creates a “2cae82bd1366f4e0fdc7a9a7c12e2a6b” mutex. 

 

Lockbit Black – New icon, wallpaper and ransom note 

 Lockbit’s Black’s icon, wallpaper and ransom note were updated in the new version: 

 Figure 5 – Lockbit Black icon 

 

Figure 6 – Lockbit Black wallpaper 

 

Figure 7 – Part of the new ransom note 

 

The new ransom note comes in the form of a text file and contains a reference to Elon Musk’s Twitter (Ilon Musk), but with a link to a more generic #lockbit hashtag page on Twitter. 

 There are several chat list URLs added to the link which lead to several Lockbit Darknet websites. 

 

Lockbit Black – hiding threads from the debugger 

Hiding threads from the debugger is not a new behavior for Lockbit but is has increased usage in the new version. The thread hiding is performed by calling the NtSetInformationThread API with the undocumented value THREAD_INFORMATION_CLASS::ThreadHideFromDebugger (0x11): 

 

Figure 8 – hiding thread from the debugger 

 

Lockbit Black –Windows Defender Log tampering 

In order to disable Windows Defender logs, Lockbit Black sets ‘HKLMSoftware\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled’ to ‘0’ as well changing the ‘ChannelAccess’ to ‘(O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)’. 

 

Figure 9 – Windows Defender Log Disabled 

 

As in most ransomware cases the encryption is performed by several threads for faster and efficient work. 

 

Minerva Lockbit 3.0 Prevention of the UAC bypass 

Minerva customers don’t need to worry, as many of Minerva Armor’s Ransomware Protection modules block Lockbit Black in its earliest stages, including the UAC Bypass stage, shutting it down completely before the encryption stage even begins.

 

Figure 10 – UAC bypass prevention by Minerva