Netskope wird im Gartner® Magic Quadrant™ für SASE-Plattformen erneut als Leader ausgezeichnet.Holen Sie sich den Bericht

Schließen
Schließen
Ihr Netzwerk von morgen
Ihr Netzwerk von morgen
Planen Sie Ihren Weg zu einem schnelleren, sichereren und widerstandsfähigeren Netzwerk, das auf die von Ihnen unterstützten Anwendungen und Benutzer zugeschnitten ist.
          Erleben Sie Netskope
          Machen Sie sich mit der Netskope-Plattform vertraut
          Hier haben Sie die Chance, die Single-Cloud-Plattform Netskope One aus erster Hand zu erleben. Melden Sie sich für praktische Übungen zum Selbststudium an, nehmen Sie an monatlichen Live-Produktdemos teil, testen Sie Netskope Private Access kostenlos oder nehmen Sie an Live-Workshops teil, die von einem Kursleiter geleitet werden.
            Ein führendes Unternehmen im Bereich SSE. Jetzt ein führender Anbieter von SASE.
            Netskope wird als Leader mit der weitreichendsten Vision sowohl im Bereich SSE als auch bei SASE Plattformen anerkannt
            2X als Leader im Gartner® Magic Quadrant für SASE-Plattformen ausgezeichnet
            Eine einheitliche Plattform, die für Ihre Reise entwickelt wurde
              Generative KI für Dummies sichern
              Generative KI für Dummies sichern
              Erfahren Sie, wie Ihr Unternehmen das innovative Potenzial generativer KI mit robusten Datensicherheitspraktiken in Einklang bringen kann.
                Moderne Data Loss Prevention (DLP) für Dummies – E-Book
                Moderne Data Loss Prevention (DLP) für Dummies
                Hier finden Sie Tipps und Tricks für den Übergang zu einem cloudbasierten DLP.
                  Modernes SD-WAN für SASE Dummies-Buch
                  Modernes SD-WAN für SASE-Dummies
                  Hören Sie auf, mit Ihrer Netzwerkarchitektur Schritt zu halten
                    Verstehen, wo die Risiken liegen
                    Advanced Analytics verändert die Art und Weise, wie Sicherheitsteams datengestützte Erkenntnisse anwenden, um bessere Richtlinien zu implementieren. Mit Advanced Analytics können Sie Trends erkennen, sich auf Problembereiche konzentrieren und die Daten nutzen, um Maßnahmen zu ergreifen.
                        Die 6 überzeugendsten Anwendungsfälle für den vollständigen Ersatz älterer VPNs
                        Die 6 überzeugendsten Anwendungsfälle für den vollständigen Ersatz älterer VPNs
                        Netskope One Private Access ist die einzige Lösung, mit der Sie Ihr VPN endgültig in den Ruhestand schicken können.
                          Colgate-Palmolive schützt sein "geistiges Eigentum" mit intelligentem und anpassungsfähigem Datenschutz
                          Colgate-Palmolive schützt sein "geistiges Eigentum" mit intelligentem und anpassungsfähigem Datenschutz
                            Netskope GovCloud
                            Netskope erhält die FedRAMP High Authorization
                            Wählen Sie Netskope GovCloud, um die Transformation Ihrer Agentur zu beschleunigen.
                              Lassen Sie uns gemeinsam Großes erreichen
                              Die partnerorientierte Markteinführungsstrategie von Netskope ermöglicht es unseren Partnern, ihr Wachstum und ihre Rentabilität zu maximieren und gleichzeitig die Unternehmenssicherheit an neue Anforderungen anzupassen.
                                ""
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) bietet Kunden leistungsstarke Integrationstools, mit denen sie Investitionen in ihre gesamte Sicherheitslage nutzen können.
                                  Technischer Support von Netskope
                                  Technischer Support von Netskope
                                  Überall auf der Welt sorgen unsere qualifizierten Support-Ingenieure mit verschiedensten Erfahrungen in den Bereichen Cloud-Sicherheit, Netzwerke, Virtualisierung, Content Delivery und Software-Entwicklung für zeitnahen und qualitativ hochwertigen technischen Support.
                                    Netskope-Video
                                    Netskope-Schulung
                                    Netskope-Schulungen helfen Ihnen, ein Experte für Cloud-Sicherheit zu werden. Wir sind hier, um Ihnen zu helfen, Ihre digitale Transformation abzusichern und das Beste aus Ihrer Cloud, dem Web und Ihren privaten Anwendungen zu machen.

                                      Netskope Threat Coverage: LockBit

                                      Aug 12 2021

                                      Summary

                                      LockBit Ransomware (a.k.a. ABCD) is yet another ransomware group operating in the RaaS (Ransomware-as-a-Service) model, following the same architecture as other major threat groups, like REvil. This threat emerged in September 2019 and is still being improved by its creators. In June 2021, the LockBit group announced the release of LockBit 2.0, which included a new website hosted on the deep web, as well as a new feature to encrypt Windows domains using group policy.

                                      On August 11, 2021, the LockBit ransomware group announced in their deep web forum that they have infected the global IT consultancy company Accenture.

                                      Screenshot of LockBit official website showing the Accenture information.
                                      LockBit official website, hosted on the deep web, showing the Accenture information.

                                      According to the company Cyble, the attackers have allegedly stolen about 6TB of data, and are demanding $50M (USD) as ransom. Also, Cyble mentioned that this attack was supposedly carried out by an insider, however, that has not been verified yet. The IT giant Accenture has confirmed the attack and also affirmed that the breach had no impact on their operations or systems. 

                                      The period established for Accenture to pay the ransom was August 11, 2021, which has now passed.

                                      Screenshot showing the original deadline for the ransom’s payment has passed, according to LockBit’s website.
                                      The original deadline for the ransom’s payment has passed, according to LockBit’s website.

                                      However, as I am writing this blog post, the period to pay the ransom was changed to August 12, 2021, at the end of the day.

                                      Screenshot showing new deadline established by the attackers for Accenture’s ransom
                                      New deadline established by the attackers for Accenture’s ransom

                                      At this point, it’s unclear how the attack was carried out, or if LockBit really stole sensitive data from the company. In this threat coverage report, we will briefly show how LockBit works, describing some features used for anti-analysis.

                                      Threat 

                                      LockBit ransomware is developed in both C and Assembly and uses AES + ECC to encrypt the files. The group operates in the RaaS model, and on their official website hosted on the deep web, we can find an advertisement trying to attract more affiliates into the scheme.

                                      LockBit “advertisement” posted on their website.

                                      According to the page, the group is using a custom stealer named “StealBIT” to exfiltrate data from companies. They have even included a comparison between their service and other services, like MEGA and pCloud.

                                      Screenshot of LockBit “advertisement” showing how fast they are when it comes to data exfiltration.
                                      LockBit “advertisement” showing how fast they are when it comes to data exfiltration.

                                      The website also includes an encryption speed comparative between LockBit and other ransomware families, such as Ragnar, REvil, Conti, and others.

                                      Screenshot of LockBit “advertisement” showing an encryption speed comparison between ransomware families.
                                      LockBit “advertisement” showing an encryption speed comparison between ransomware families.

                                      Once the sample is executed, the code implements a very simple technique to detect if the process is being debugged, by checking the NtGlobalFlag value in the Process Environment Block (PEB) structure. This is usually done to avoid direct calls to the function ​​CheckRemoteDebuggerPresent or IsDebuggerPresent.

                                      Screenshot of basic anti-debug technique.
                                      Basic anti-debug technique.

                                      Also, LockBit verifies if the process is running with Administrator privileges by checking the return of the API OpenSCManagerA. If it’s not a privileged process, the function will fail, consequently reaching the ExitProcess call.

                                      Screenshot of LockBit checking if the process is privileged.
                                      LockBit checking if the process is privileged.

                                      The sample also uses a Mutex to verify if there is another instance of LockBit running at the same time.

                                      Screenshot of LockBit creating a Mutex object.
                                      LockBit creating a Mutex object.

                                      Looking at the PE .rdata section, we can see that LockBit attempts to protect some relevant information by encrypting the strings, which is just a basic protection against detection or quick analyses.

                                      Furthermore, we can observe that LockBit is using Intel 128-bit XMM registers in the operations, probably to increase the performance of the code.

                                      Screenshot of LockBit encrypted strings.
                                      LockBit encrypted strings.

                                      The algorithm is straightforward — it decrypts the string by doing a single byte XOR operation, using the first byte of the string as a key.

                                      Screenshot of LockBit string decryption algorithm.
                                      LockBit string decryption algorithm.

                                      It should be possible to decrypt LockBit strings applying the same logic.

                                      Screenshot showing decrypting of LockBit’s strings using Python.
                                      Decrypting LockBit’s strings using Python.

                                      In addition, LockBit also executes a series of commands using the API ShellExecuteA to avoid any restoration of the files in the machine by disabling the system’s recovery mode and the Windows Shadow Copies.

                                      Screenshot of some of the commands executed by LockBit
                                      Some of the commands executed by LockBit.

                                      After the files are encrypted, LockBit creates the ransom note in every single directory where there are encrypted files.

                                      Screenshot of LockBit ransom note
                                      LockBit ransom note

                                      Lastly, the computer’s wallpaper is also changed by the malware, in case encrypting the files wasn’t enough to catch the victim’s attention.

                                      Screenshot of LockBit wallpaper.
                                      LockBit wallpaper.

                                      Protection

                                      Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 

                                      • Netskope Threat Protection
                                        • Generic.Ransom.LockBit.19F98D1F
                                      • Netskope Advanced Threat Protection provides proactive coverage against this threat.
                                        • Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
                                        • Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox

                                      IOCs

                                      SHA256

                                      6292c2294ad1e84cd0925c31ee6deb7afd300f935004a9e8a7a43bf80034abae

                                      A full list of IOCs and a Yara rule are available in our Git repo.

                                      author image
                                      Gustavo Palazolo
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.
                                      Verbinden Sie sich mit Netskope

                                      Subscribe to the Netskope Blog

                                      Sign up to receive a roundup of the latest Netskope content delivered directly in your inbox every month.