Netskope est nommé leader dans le Magic Quadrant™ du Gartner 2022 dédié au Security Service Edge Recevoir le rapport

  • Produits

    Les produits Netskope sont conçus sur Netskope Security Cloud.

  • Plateforme

    Une visibilité inégalée et une protection des données et des menaces en temps réel sur le plus grand cloud privé de sécurité au monde.

Netskope reconnu comme un des leaders dans le rapport du Magic Quadrant™ 2022 du Gartner dédié au SSE

Recevoir le rapport Présentation des produits
Netskope gartner mq 2022 leader sse

Netskope offre une solution moderne de sécurité du cloud, dotée de fonctions unifiées en matière de protection des données et de détection des menaces, et d'un accès privé sécurisé.

Découvrir notre plateforme
Vue aérienne d'une métropole

Optez pour les meilleurs services de sécurité cloud du marché, avec un temps de latence minimum et une fiabilité élevée.

Plus d'informations
Lighted highway through mountainside switchbacks

Neutralisez les menaces qui échappent souvent à d'autres solutions de sécurité à l'aide d'un framework SSE unifié.

Plus d'informations
Lighting storm over metropolitan area

Solutions Zero Trust pour les déploiements du SSE et du SASE

Plus d'informations
Boat driving through open sea

Netskope permet à toutes les entreprises d'adopter des services et des applications cloud ainsi que des infrastructures cloud publiques rapidement et en toute sécurité.

Plus d'informations
Wind turbines along cliffside
  • Suivi de nos clients

    Sécurisez votre transformation digitale et profitez pleinement de vos applications privées, cloud et Web.

  • Support client

    Un accompagnement proactif et la volonté d'optimiser votre environnement Netskope et de booster votre réussite.

  • Formation et certification

    Avec Netskope, devenez un expert de la sécurité du cloud.

Choisissez Netskope pour vous aider à faire face aux menaces toujours grandissantes, mais aussi aux risques émergents, aux évolutions technologiques, aux changements organisationnels et réseau, ainsi qu'aux nouvelles exigences réglementaires.

Plus d'informations
Woman smiling with glasses looking out window

Notre équipe mondiale d'ingénieurs qualifiés met à profit son expérience plurielle dans les domaines de la sécurité du cloud, la mise en réseau, la virtualisation, la diffusion de contenu et le développement logiciel pour fournir une réponse rapide et efficace à vos questions techniques.

Plus d'informations
Bearded man wearing headset working on computer

Sécurisez votre parcours de transformation numérique et tirez le meilleur parti de vos applications cloud, Web et privées grâce à la formation Netskope.

Plus d'informations
Group of young professionals working
  • Ressources

    Découvrez comment Netskope peut vous aider à sécuriser votre migration vers le Cloud.

  • Blog

    Découvrez comment Netskope permet de transformer la sécurité et les réseaux à l'aide du Security Service Edge (SSE).

  • Événements et ateliers

    Restez à l'affût des dernières tendances en matière de sécurité et créez des liens avec vos pairs.

  • Security Defined

    Tout ce que vous devez savoir dans notre encyclopédie de la cybersécurité.

Podcast Security Visionaries

Épisode bonus : L'importance du Security Service Edge (SSE) – en anglais

Écouter le podcast
Black man sitting in conference meeting

Découvrez comment Netskope permet de passer au Zero Trust et au modèle SASE grâce aux fonctions du Security Service Edge (SSE).

Lire le blog
Sunrise and cloudy sky

SASE Week

Netskope is positioned to help you begin your journey and discover where Security, Networking, and Zero Trust fit in the SASE world.

Plus d'informations
SASE Week

Qu'est-ce que le Security Service Edge ?

Découvrez le côté sécurité de SASE, l'avenir du réseau et de la protection dans le cloud.

Plus d'informations
Four-way roundabout
  • Entreprise

    Nous vous aidons à conserver une longueur d'avance sur les défis posés par le cloud, les données et les réseaux en matière de sécurité.

  • Pourquoi Netskope

    La transformation du cloud et le travail à distance ont révolutionné le fonctionnement de la sécurité.

  • Équipe de direction

    Nos dirigeants sont déterminés à faciliter la réussite de nos clients.

  • Partenaires

    Nous collaborons avec des leaders de la sécurité pour vous aider à sécuriser votre transition vers le cloud.

Netskope permet l'avenir du travail.

En savoir plus
Curvy road through wooded area

Netskope redéfinit la sécurité du cloud, des données et des réseaux afin d'aider les entreprises à appliquer les principes Zero Trust pour protéger leurs données.

Plus d'informations
Switchback road atop a cliffside

Penseurs, concepteurs, rêveurs, innovateurs. Ensemble, nous fournissons le nec plus ultra des solutions de sécurité cloud afin d'aider nos clients à protéger leurs données et leurs collaborateurs.

Rencontrez notre équipe
Group of hikers scaling a snowy mountain

La stratégie de commercialisation de Netskope privilégie ses partenaires, ce qui leur permet de maximiser leur croissance et leur rentabilité, tout en transformant la sécurité des entreprises.

Plus d'informations
Group of diverse young professionals smiling
Blog Threat Labs Netskope Threat Coverage: LockBit
Aug 12 2021

Netskope Threat Coverage: LockBit

Résumé

LockBit Ransomware (a.k.a. ABCD) is yet another ransomware group operating in the RaaS (Ransomware-as-a-Service) model, following the same architecture as other major threat groups, like REvil. This threat emerged in September 2019 and is still being improved by its creators. In June 2021, the LockBit group announced the release of LockBit 2.0, which included a new website hosted on the deep web, as well as a new feature to encrypt Windows domains using group policy.

On August 11, 2021, the LockBit ransomware group announced in their deep web forum that they have infected the global IT consultancy company Accenture.

Screenshot of LockBit official website showing the Accenture information.
LockBit official website, hosted on the deep web, showing the Accenture information.

According to the company Cyble, the attackers have allegedly stolen about 6TB of data, and are demanding $50M (USD) as ransom. Also, Cyble mentioned that this attack was supposedly carried out by an insider, however, that has not been verified yet. The IT giant Accenture has confirmed the attack and also affirmed that the breach had no impact on their operations or systems. 

The period established for Accenture to pay the ransom was August 11, 2021, which has now passed.

Screenshot showing the original deadline for the ransom’s payment has passed, according to LockBit’s website.
The original deadline for the ransom’s payment has passed, according to LockBit’s website.

However, as I am writing this blog post, the period to pay the ransom was changed to August 12, 2021, at the end of the day.

Screenshot showing new deadline established by the attackers for Accenture’s ransom
New deadline established by the attackers for Accenture’s ransom

At this point, it’s unclear how the attack was carried out, or if LockBit really stole sensitive data from the company. In this threat coverage report, we will briefly show how LockBit works, describing some features used for anti-analysis.

Threat 

LockBit ransomware is developed in both C and Assembly and uses AES + ECC to encrypt the files. The group operates in the RaaS model, and on their official website hosted on the deep web, we can find an advertisement trying to attract more affiliates into the scheme.

LockBit “advertisement” posted on their website.

According to the page, the group is using a custom stealer named “StealBIT” to exfiltrate data from companies. They have even included a comparison between their service and other services, like MEGA and pCloud.

Screenshot of LockBit “advertisement” showing how fast they are when it comes to data exfiltration.
LockBit “advertisement” showing how fast they are when it comes to data exfiltration.

The website also includes an encryption speed comparative between LockBit and other ransomware families, such as Ragnar, REvil, Conti, and others.

Screenshot of LockBit “advertisement” showing an encryption speed comparison between ransomware families.
LockBit “advertisement” showing an encryption speed comparison between ransomware families.

Once the sample is executed, the code implements a very simple technique to detect if the process is being debugged, by checking the NtGlobalFlag value in the Process Environment Block (PEB) structure. This is usually done to avoid direct calls to the function ​​CheckRemoteDebuggerPresent or IsDebuggerPresent.

Screenshot of basic anti-debug technique.
Basic anti-debug technique.

Also, LockBit verifies if the process is running with Administrator privileges by checking the return of the API OpenSCManagerA. If it’s not a privileged process, the function will fail, consequently reaching the ExitProcess call.

Screenshot of LockBit checking if the process is privileged.
LockBit checking if the process is privileged.

The sample also uses a Mutex to verify if there is another instance of LockBit running at the same time.

Screenshot of LockBit creating a Mutex object.
LockBit creating a Mutex object.

Looking at the PE .rdata section, we can see that LockBit attempts to protect some relevant information by encrypting the strings, which is just a basic protection against detection or quick analyses.

Furthermore, we can observe that LockBit is using Intel 128-bit XMM registers in the operations, probably to increase the performance of the code.

Screenshot of LockBit encrypted strings.
LockBit encrypted strings.

The algorithm is straightforward — it decrypts the string by doing a single byte XOR operation, using the first byte of the string as a key.

Screenshot of LockBit string decryption algorithm.
LockBit string decryption algorithm.

It should be possible to decrypt LockBit strings applying the same logic.

Screenshot showing decrypting of LockBit’s strings using Python.
Decrypting LockBit’s strings using Python.

In addition, LockBit also executes a series of commands using the API ShellExecuteA to avoid any restoration of the files in the machine by disabling the system’s recovery mode and the Windows Shadow Copies.

Screenshot of some of the commands executed by LockBit
Some of the commands executed by LockBit.

After the files are encrypted, LockBit creates the ransom note in every single directory where there are encrypted files.

Screenshot of LockBit ransom note
LockBit ransom note

Lastly, the computer’s wallpaper is also changed by the malware, in case encrypting the files wasn’t enough to catch the victim’s attention.

Screenshot of LockBit wallpaper.
LockBit wallpaper.

Protection

Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 

  • Netskope Threat Protection
    • Generic.Ransom.LockBit.19F98D1F
  • Netskope Advanced Threat Protection provides proactive coverage against this threat.
    • Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
    • Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox

IOCs

SHA256

6292c2294ad1e84cd0925c31ee6deb7afd300f935004a9e8a7a43bf80034abae

A full list of IOCs and a Yara rule are available in our Git repo.

author image
About the author
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection. He is currently working on the Netskope Research Team, discovering and analyzing new malware threats.
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection. He is currently working on the Netskope Research Team, discovering and analyzing new malware threats.