Ransom.Win32.LOCKBIT.EB

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• %System%\cmd.exe" /C DEL /F /Q %ProgramData%\{Random Hex}.tmp >> NUL

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{Generated Hash}

Process Termination

This Ransomware terminates the following services if found on the affected system:

• backup
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• memtas
• mepocs
• msexchange
• oracle
• sophos
• sql
• svc$
• veeam
• vss

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• calc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• ocautoupds
• ocomm
• ocssd
• onedrive
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• wuauclt
• xfssvccon

Dropping Routine

This Ransomware drops the following files:

• %ProgramData%\{Random Hex}.tmp → used to delete itself
  • It renames the malware's filename from A to Z sequentially before deleting it. Each letter is duplicated based on the length of the original filename

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Other Details

This Ransomware does the following:

• It deletes the following services if found running on the affected system:
  • sppsvc
  • WinDefend
  • wscsvc
  • vmvss
  • eventlog
• It bypasses user account control (UAC), by using the ICMLuaUtil COM interface under %System%\dllhost.exe
• It uses the Windows Restart Manager API to close processes or shut down Windows services that may be keeping a file open and preventing encryption.
• It duplicates the token of the following:
  • TrustedInstaller - Service is started if not yet running
• It clears Windows event log.
• It contains a list of username:password that it will use to log into domain controllers.
• It encrypts fixed, removable and network shares.

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It accepts the following parameters:

• -pass {Value} → uses the first 32 characters of the value as a key to deobfuscate the main routine (will encrypt files regardless of the key provided}

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• d3d9caps.dat
• desktop.ini
• GDIPFONTCACHEV1.DAT
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db
• VTZmr7mIb.README.txt

It avoids encrypting files found in the following folders:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• all users
• boot
• config.msi
• default
• intel
• microsoft
• msocache
• perflogs
• program files
• program files (x86)
• programdata
• public
• system volume information
• tor browser
• windows
• windows.old
• x64dbg

It appends the following extension to the file name of the encrypted files:

• .VTZmr7mIb

It drops the following file(s) as ransom note:

• {Encrypted Path}\VTZmr7mIb.README.txt
• %Desktop%\VTZmr7mIb.README.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .ani
• .bat
• .bin
• .cab
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .drv
• .exe
• .hlp
• .hta
• .icl
• .icns
• .ico
• .ics
• .idx
• .key
• .lnk
• .lock
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .pdb
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .search-ms
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx
• .VTZmr7mIb