LockBit, a relatively new Ransomware that was first identified performing targeted attacks by Northwave Security in September 2019 veiled as.ABCD virus. The threat actors behind the ransomware were observed to be leveraging brute-force tactics and evasion-based techniques to infect computers and encrypt files until the victim pays the ransom.
LockBit enables attackers to move around a network after compromising it quickly; it exploits SMB, ARP tables, and PowerShell to proliferate the malware through an infected network.
The developers rely on third parties to spread the malware via any means the third party devises. After successfully infecting the network, the attacker redirects the victim to a payment site operated by them. The victim is then subjected to threats of data leak until the ransom is paid to the attackers.
Modus operandi of the attack
The attackers drop the payload that is hidden under the '.text' sections, evading conventional AV's mechanism from catching the file while running a scan in the disk, the file is compressed by the attackers with a unique format.
Upon being executed, the file runs a scan on the entire LAN network and attempts to establish a connection to the hosts via SMB port (445) to spread the infected file across the entire internal network.
Then in order to bypass the need for User Control, the command "C:WINDOWSSysWOW64DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" is run by an instance of SVCHOST.exe which is running by the process DLLhost.exe.
After that, the 'backup.exe' file executes the payload and encrypts most ..
Support the originator by clicking the read the rest link below.
