Ransom.Win32.LOCKBIT.EOD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware injects codes into the following process(es):

• explorer.exe
• notepad.exe

Autostart Technique

This Ransomware drops the following files:

• %ProgramData%\Ck8GvVQ9E.ico
  

Other System Modifications

This Ransomware adds the following registry entries as part of its installation routine:

HKEY_LOCALMACHINE\SOFTWARE\Classes\
Ck8GvVQ9E\DefaultIcon
(Default) = %ProgramData%Ck8GvVQ9E.ico

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.Ck8GvVQ9E
(Default) = Ck8GvVQ9E

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter = 0x00000027(39)

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.Ck8GvVQ9E

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Ck8GvVQ9E

HKEY_LOCALMACHINE\SOFTWARE\Classes\
Ck8GvVQ9E\DefaultIcon

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc
• calc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onedrive
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• wuauclt
• xfssvccon

Other Details

This Ransomware requires the following additional components to properly run:

• LBB.bin → Encrypted Lockbit Ransomware

It does the following:

• If not executed with admin rights, it will attempt relaunch itself as admin by elevating its privileges via bypassing UAC.
• It encrypts fixed, removable and network drives
• It deletes files in recycle bin folder for removable and fixed drives
• It uses WQL to delete shadow copies
• It terminates if the machine has the following system language:
  • Arabic (Syria)
  • Armenian
  • Azerbaijani (Cyrillic)
  • Azerbaijani (Latin)
  • Belarusian
  • Georgian
  • Kazakh
  • Kyrgyz (Cyrillic)
  • Romanian (Moldova)
  • Russian
  • Russian (Moldova)
  • Tajik
  • Tatar
  • Turkmen
  • Ukrainian
  • Uzbek (Cyrillic)
  • Uzbek (Latin)
• It deletes services with the following strings:
  • backup
  • GxBlr
  • GxCIMgr
  • GxCVD
  • GxFWD
  • GxVss
  • memtas
  • mepocs
  • msexchange
  • sophos
  • sql
  • svc$
  • veeam
  • vss
• It deletes the following services:
  • WdBoot
  • WdFilter
  • WdNisDrv
  • WdNisSvc
  • WinDefend
  • wscsvc
  • sppsvc
  • Sense
  • SecurityHealthService
• Change the icon of encrypted file with %ProgramData%\Ck8GvVQ9E.ico

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It accepts the following parameters:

• -psex →Performs lateral movement via admin shares
• -gspd →Performs group policy modification for lateral movement
• -pass{value} →Uses the first 32 characters of the value as a key to decrypt the main routine (This is required for the ransomware to execute properly.)
• -safe →Reboots in SafeBoot

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• d3d9caps.dat
• desktop.ini
• GDIPFONTCACHEV1.DAT
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files found in the following folders:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• all users
• boot
• config.msi
• default
• intel
• microsoft
• msocache
• perflogs
• program files
• program files (x86)
• programdata
• public
• system volume information
• tor browser
• windows
• windows.old
• x64dbg

It renames encrypted files using the following names:

• {Random Characters}.Ck8GvVQ9E

It drops the following file(s) as ransom note:

• {Encrypted Directory}\Ck8GvVQ9E.README.txt
  

It avoids encrypting files with the following file extensions:

• 386
• .adv
• .ani
• .bat
• .bin
• .cab
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .drv
• .exe
• .hlp
• .hta
• .icl
• .icns
• .ico
• .ics
• .idx
• .key
• .ldf
• .lnk
• .lock
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .pdb
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .search-ms
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx