Ransom.Win32.LOCKBIT.ENU

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %System%\{random}.ico → icon for encrypted files
• {Drive}\{random}.lock → deleted afterwards

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following processes:

• "%System%\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {095650E2-0956-73FC-75BA-CE6A6A58CEB8}

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{030CECE2-5656-7371-75BA-756A705801B8} = {Malware Path and Name}.exe

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.lockbit\DefaultIcon
{Default} = %System%\{random}.ico

HKEY_CURRENT_USER\Software\FA0C50E256FCBA
Private = {Generated Session Key}

HKEY_CURRENT_USER\Software\FA0C50E256FCBA
Public = {Generated Session Key}

Process Termination

This Ransomware terminates the following services if found on the affected system:

• AcronisAgent
• AcrSch2Svc
• ARSM
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• bedbg
• CAARCUpdateSvc
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• Culserver
• dbeng8
• dbsrv12
• DefWatch
• FCS
• FishbowlMySQL
• Intuit
• memtas
• mepocs
• MSExchange
• MSExchange$
• msftesql-Exchange
• msmdsrv
• MSSQL
• MSSQL$
• MSSQL$KAV_CS_ADMIN_KIT
• MSSQL$MICROSOFT##SSEE
• MSSQL$MICROSOFT##WID
• MSSQL$SBSMONITORING
• MSSQL$SHAREPOINT
• MSSQL$VEEAMSQL2012
• MSSQLFDLauncher$SBSMONITORING
• MSSQLFDLauncher$SHAREPOINT
• MSSQLServerADHelper100
• MVArmor
• MVarmor64
• MySQL57
• PDVFSService
• QBCFMonitorService
• QBFCService
• QBIDPService
• QBVSS
• QuickBooks
• RTVscan
• SavRoam
• sophos
• sql
• sqladhlp
• SQLADHLP
• sqlagent
• SQLAgent$KAV_CS_ADMIN_KIT
• SQLAgent$SBSMONITORING
• SQLAgent$SHAREPOINT
• SQLAgent$VEEAMSQL2012
• sqlbrowser
• SQLBrowser
• Sqlservr
• SQLWriter
• stc_raw_agent
• svc$
• tomcat6
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• vmware-converter
• vmware-usbarbitator64
• VSNAPVSS
• vss
• wrapper
• WSBExchange
• YooBackup
• YooIT
• zhudongfangyu

It terminates the following processes if found running in the affected system's memory:

• 360doctor
• 360se
• acwebbrowser
• ADExplorer
• ADExplorer64
• ADExplorer64a
• Adobe CEF
• Adobe Desktop Service
• AdobeCollabSync
• AdobeIPCBroker
• agntsvc
• AutodeskDesktopApp
• Autoruns
• Autoruns64
• Autoruns64a
• Autorunsc
• Autorunsc64
• Autorunsc64a
• avz
• axlbridge
• bedbh
• benetns
• bengien
• beserver
• BrCcUxSys
• BrCtrlCntr
• CagService
• CoreSync
• Creative Cloud
• Culture
• dbeng50
• dbsnmp
• Defwatch
• DellSystemDetect
• dumpcap
• encsvc
• EnterpriseClient
• excel
• fbguard
• fbserver
• fdhost
• fdlauncher
• GDscan
• GlassWire
• GWCtlSrv
• Helper
• httpd
• infopath
• InputPersonalization
• isqlplussvc
• j0gnjko1
• java
• koaly-exp-engine-service
• msaccess
• MsDtSrvr
• mspub
• mydesktopqos
• mydesktopservice
• mysqld
• node
• notepad
• notepad++
• ocautoupds
• ocomm
• ocssd
• onenote
• ONENOTEM
• oracle
• outlook
• powerpnt
• ProcessHacker
• Procexp
• Procexp64
• procexp64a
• procmon
• procmon64
• procmon64a
• pvlsvr
• QBDBMgr
• QBDBMgrN
• QBIDPService
• qbupdate
• QBW32
• Raccine
• Raccine_x86
• RaccineElevatedCfg
• RaccineSettings
• RAgui
• raw_agent_svc
• RdrCEF
• RTVscan
• sam
• Simply
• SimplyConnectionManager
• sqbcoreservice
• sqlbrowser
• sqlmangr
• Sqlservr
• Ssms
• steam
• supervise
• sync-taskbar
• synctime
• sync-worker
• Sysmon
• Sysmon64
• SystemExplorer
• SystemExplorerService
• SystemExplorerService64
• SystemTrayIcon
• tbirdconfig
• tcpview
• tcpview64
• tcpview64a
• tdsskiller
• TeamViewer
• TeamViewer_Service
• thebat
• thunderbird
• TitanV
• tomcat6
• Totalcmd
• Totalcmd64
• tv_w32
• tv_x64
• VeeamDeploymentSvc
• visio
• vsnapvss
• vxmon
• wdswfsafe
• winword
• WireShark
• wordpad
• wsa_service
• wxServer
• wxServerView
• xfssvccon
• ZhuDongFangYu

Other Details

This Ransomware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.lockbit

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.lockbit\DefaultIcon

HKEY_CURRENT_USER\Software\FA0C50E256FCBA

It does the following:

• It has the capability to print the ransom note in infected machines.
• It encrypts files found in the following drive types:
  • Fixed drive
  • Removable drive
  • Network drive
  • RAM Disks

It accepts the following parameters:

• {File Name or File Path to Encrypt} → if unspecified, the malware will infect all files except for the avoided ones.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• bootsect.bak
• iconcache.db
• ntldr
• ntuser.dat.log
• restore-my-files.txt
• thumbs.db

It avoids encrypting files with the following strings in their file path:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• all users
• appdata
• application data
• boot
• common files
• google
• intel
• internet explorer
• microsoft
• microsoft shared
• microsoft.net
• mozilla
• msbuild
• msocache
• opera
• perflog
• system volume information
• tor browser
• windows
• windows defender
• windows journal
• windows media player
• windows nt
• windows photo viewer
• windows security
• windows.old
• windowsapps
• windows powershell

It appends the following extension to the file name of the encrypted files:

• .lockbit

It leaves text files that serve as ransom notes containing the following text:

• {Encrypted Directory}\Restore-My-Files.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .ani
• .apk
• .app
• .bat
• .bin
• .cmd
• .com
• .cpl
• .cur
• .dacpac
• .db-shm
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .dmg
• .dmp
• .drv
• .exe
• .fnt
• .fon
• .gadget
• .hlp
• .hta
• .icns
• .ico
• .ics
• .idx
• .ini
• .ipa
• .iso
• .key
• .lnk
• .lock
• .lockbit
• .mod
• .mp3
• .mp4
• .mpa
• .mrg
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .ocx
• .otf
• .part
• .pif
• .prf
• .rdp
• .reg
• .rom
• .rtp
• .sfcache
• .shs
• .spl
• .sys
• .theme
• .tmp
• .ttf
• .wad
• .wav
• .wma
• .woff
• .wpx
• .xex