Leaked LockBit builder-based ransomware impersonates employees and self-spreads: incident analysis

15 April 2024

LockBit persists: the 2022 leaked builder remains a threat. Following a recent incident, the Kaspersky Global Emergency Response team is shedding light on an attack where adversaries crafted their own variant of encryption malware equipped with self-propagation capabilities. Exploiting stolen privileged administrator credentials, the cybercriminals breached infrastructure. This incident took place in West Africa, but other regions also experiencing attacks with builder-based ransomware, albeit lacking the sophisticated features observed in this case.

The latest incident occurred in Guinea-Bissau and revealed that custom ransomware employs unseen techniques. It can create an uncontrolled avalanche effect, with infected hosts attempting to spread the malware further within the victim’s network. After the recent occurrence, Kaspersky is providing the detailed analysis.

Impersonation. Leveraging illicitly-acquired credentials, the threat actor impersonates the system administrator with privileged rights. This scenario is critical, as privileged accounts provide extensive opportunities to execute the attack and gain access to the most critical areas of the corporate infrastructure.

Self-spreading. The customized ransomware can also spread autonomously across the network using highly-privileged domain credentials and conduct malicious activities, such as disabling Windows Defender, encrypting network shares, and erasing Windows Event Logs to encrypt data and conceal its actions.

The malware’s behavior results in a scenario where each infected host attempts to infect other hosts within the network.

Adaptive features. The customized configuration files, along with the aforementioned features, enable the malware to tailor itself to the specific configurations of the victimized company’s architecture. For example, the attacker can configure the ransomware to infect only specific files, such as all .xlsx and .docx files, or only a set of specific systems.

When executing this custom build in a virtual machine, Kaspersky observed it performing malicious activities and generating a custom ransom note on the desktop. In real scenarios, this note includes details on how the victim should contact the attackers to obtain the decryptor.

“The LockBit 3.0 builder was leaked in 2022, but attackers still actively use it to create customized versions – and it doesn’t even require advanced programming skills. This flexibility gives adversaries many opportunities to enhance the effectiveness of their attacks, as the recent case shows. It makes these kinds of attacks even more dangerous, considering the escalating frequency of corporate credential leaks”, – says Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.

Kaspersky also found that attackers used the SessionGopher script to locate and extract saved passwords for remote connections in the affected systems.

Incidents involving various types of techniques based on the leaked LockBit 3.0 builder – but lacking the self-propagation and impersonation capabilities found in Guinea-Bissau – regularly occur in various industries and regions. They were observed in Russia, Chile, and Italy, and the geography of attacks may be further expanding.

Kaspersky products detect the threat with the following verdicts: Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen, Trojan-Ransom.Win32.Generic. The SessionGopher script is detected as HackTool.PowerShell.Agent.l or HackTool.PowerShell.Agent.ad.

LockBit is a cybercriminal group offering ransomware as a service (RaaS). In February 2024, an international law-enforcement operation seized control of the group. Few days after the operation, the ransomware group defiantly announced that it was back in action.

Kaspersky recommends the following general measures to mitigate ransomware attacks:

Implement a frequent backup schedule and conduct regular testing.
If you’ve fallen victim to ransomware and there is no known decryptor yet, save your critical encrypted files – a decryption solution may emerge, for example, within an ongoing threat research effort or if the authorities manage to seize control of the actor behind the threat.
Recently, authorities conducted an operation, taking down the LockBit ransomware group. During the operation, law enforcement obtained private decryption keys and prepared tools to decrypt files based on known IDs. These tools, like check_decryption_id.exe and check_decrypt.exe, help assess whether files can be recovered.
Deploy robust security solution like Kaspersky Endpoint Security, ensuring it’s properly configured. Consider Managed Detection and Response (MDR) services for proactive threat hunting.
Reduce your attack surface by disabling unused services and ports.
Maintain up-to-date systems and software to patch vulnerabilities promptly.
Regularly perform penetration tests and vulnerability scanning to detect weaknesses and implement appropriate countermeasures.
Provide regular cybersecurity training to employees to increase awareness of cyber threats and mitigation strategies.