The LockBit ransomware cartel behind the recent Advanced Software – NHS attack continues to evolve and upgrade its locker malware, incorporating new wormable functionality that allows it to self-spread, making it easier to use, and obfuscation capabilities that enable it to mimic the activity of legitimate penetration testers.
Operatives at Sophos’s Managed Detection and Response (MDR) unit pored over evidence from leaks and a series of attacks and found evidence that LockBit’s creators have been experimenting with scripting that allows it to self-propagate using Windows Group Policy Objects (GPOs) or the PSExec tool, which they say makes it easier for the ransomware to move laterally and infect other computers.
Critically, said the MDR team, this would substantially reduce the technical legwork required for LockBit affiliates to infect their victims, speeding up the time to ransomware execution. It also runs with permissions that mean an affiliate does not necessarily need administrator-level access to their victim in order to cause damage.
Reverse-engineering of LockBit 3.0, which launched earlier this year, also revealed that the ransomware has adopted new behaviours that make it harder for researchers to analyse properly. For example, affiliates must now enter a 32-character password in the ransomware binary’s command line when they launch it, or it won’t run.
Sophos also posited a stronger-than-ever link to the BlackMatter group, noting multiple similarities that suggest LockBit is reusing BlackMatter code, notably an anti-debugging trick that conceals internal functions calls from researchers, similar means of string obfuscation, thread hiding, enumerating DNS hostnames, OS checking and configuration. They also both send ransom notes to any available printers they may find.
Sophos principal researcher Andrew Brandt wrote: “Some researchers have speculated that the close relationship between the LockBit and BlackMatter code indicates possible recruitment of BlackMatter members by LockBit, a purchase of the BlackMatter code base, or a collaboration between developers. As we noted in our whitepaper on multiple attackers earlier this year, it’s not uncommon for ransomware groups to interact, either inadvertently or deliberately.
“Either way, these findings are further evidence that the ransomware ecosystem is complex and fluid. Groups reuse, borrow or steal each other’s ideas, code and tactics as it suits them. And, as the LockBit 3.0 leak site – containing, among other things, a bug bounty and a reward for ‘brilliant ideas’ – suggests that gang in particular is not averse to paying for innovation.”
Interestingly, Brandt and the MDR team also found that it is increasingly difficult to distinguish LockBit 3.0 activity from the work of legitimate penetration testers.
They found evidence that LockBit 3.0 is using a package from GitHub known as Backstab, the function of which is to sabotage security operation centre tooling – in addition to the now practically standard use of red teaming framework Cobalt Strike and password sniffer Mimikatz.
It has also been observed using GMER, a rootkit detector and remover, ESET’s AV Remover tool, and a number of PowerShell scripts that seek to remove Sophos’s own products from systems.
“It is safe to assume that experienced threat actors are at least as familiar with Sophos Central and other console tools as the legitimate users of those consoles, and they know exactly where to go to weaken or disable the endpoint protection software,” said Brandt.
“In fact, in at least one incident involving a LockBit threat actor, we observed them downloading files which, from their names, appeared to be intended to remove Sophos protection.”