BlackBit is a LokiLocker ransomware variant that operates under a RaaS model and shows signs of being in early development with targeted persistence and evasion capabilities. The strain deploys multiple defense-evasion techniques, persistence mechanisms, and user-facing ransom delivery methods, including ransom notes, pop-ups, and an HTA-based interface.
#BlackBit #LokiLocker #Lokilocker #CRIL
Key points
- BlackBit is identified as a LokiLocker ransomware variant operating on a RaaS model.
- The sample analyzed is a 32-bit .NET-compiled executable protected with .NET Reactor and named svchost.exe; its MD5, SHA1 and SHA256 hashes are listed under Indicators of Compromise.
- A kill switch checks the system language and terminates the process if Persian is detected; otherwise the ransomware proceeds with its encryption activities.
- Persistence is achieved by copying itself to startup locations as winlogon.exe and creating a Task Scheduler entry to run on logon.
- Data recovery is impaired by deleting backups and disabling system recovery, Defender, and firewall protections through scripted commands and registry edits.
- Encryption targets most files (excluding .exe, .dll, .sys), appends a BlackBit extension, and places a ransom note with system ID; it also monitors for new/modified files to extend impact.
- Indicators of compromise include multiple hashes associated with the BlackBit executable and related artifacts.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The ransomware executes specific commands via cmd.exe to remove all backups from the infected system. ‘"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet’
- [T1564] Hidden Window – Defense Evasion techniques are used to mask activity; the malware disables Windows Defender and the firewall. ‘netsh advfirewall set currentprofile state off’ and related registry edits
- [T1082] System Information Discovery – The malware gathers system-related information as part of its operation. ‘The ransomware binary we analyzed is a 32-bit executable built using a .NET compiler and protected with .NET Reactor.’
- [T1083] File and Directory Discovery – It targets and enumerates files for encryption and manipulation as part of its process. ‘The ransomware creates a startup entry…’
- [T1057] Process Discovery – The malware monitors system processes and terminates or manipulates them during the attack. ‘…targets listed in the table of processes’
- [T1486] Data Encrypted for Impact – The ransomware encrypts files and appends a BlackBit extension to filenames. ‘Now the BlackBit ransomware proceeds with file encryption.’
- [T1490] Inhibit System Recovery – It deletes backups and disables recovery features to hinder restore efforts. ‘C:\Windows\System32\cmd.exe /C vssadmin delete shadows /all /quiet’ etc.
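The persistence, recovery-inhibition and firewall behaviours listed in the key points and mapped above can be turned into process-creation detection rules. The script below is an added example, not code from Cyble or from the sample; it triages a constructed key="value" log format (not any real product's schema) and flags the vssadmin and netsh command lines quoted above, a winlogon.exe image running from anywhere other than System32 (the startup-folder copy described under persistence), and a logon-triggered schtasks /create call. The exact schtasks invocation, the user name, the task name and the log lines are assumptions; the technique IDs T1036 and T1053 on the winlogon and task rules are standard ATT&CK IDs that the write-up itself does not map.

```python
"""Triage Windows process-creation telemetry for the BlackBit behaviours
described above. Added example; log format and sample events are constructed."""
import ntpath
import re
from typing import Dict, List

# One event per line as key="value" pairs (constructed format).
_KV = re.compile(r'(\w+)="([^"]*)"')

# T1490: shadow-copy deletion, as in the quoted cmd.exe /C vssadmin line.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
# Firewall shutdown, as in the quoted netsh line (any profile keyword).
FIREWALL_OFF = re.compile(
    r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)
# Logon-triggered task creation. The write-up only says a Task Scheduler
# entry runs on logon; matching "schtasks /create ... /sc onlogon" is an assumption.
LOGON_TASK = re.compile(
    r"\bschtasks(?:\.exe)?\b.*?/create\b.*?/sc\s+onlogon\b", re.I)
# The only legitimate location of winlogon.exe on a Windows host.
LEGIT_WINLOGON = re.compile(r"^[a-z]:\\windows\\system32\\winlogon\.exe$", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict."""
    return dict(_KV.findall(line))


def check_event(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply every rule to one event; return a finding per rule that fires."""
    findings: List[Dict[str, str]] = []
    image, cmd = ev.get("image", ""), ev.get("cmdline", "")

    def hit(rule: str, technique: str) -> None:
        findings.append({"rule": rule, "technique": technique,
                         "image": image, "evidence": cmd})

    if SHADOW_DELETE.search(cmd):
        hit("shadow_copy_deletion", "T1490")
    if FIREWALL_OFF.search(cmd):
        hit("firewall_disabled", "T1564")  # ID as mapped in the write-up
    # Use ntpath so Windows paths are split correctly on any host OS.
    if (ntpath.basename(image).lower() == "winlogon.exe"
            and not LEGIT_WINLOGON.match(image)):
        hit("winlogon_outside_system32", "T1036")  # not mapped in the write-up
    if LOGON_TASK.search(cmd):
        hit("logon_task_persistence", "T1053")  # not mapped in the write-up
    return findings


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run the rules over a whole log; findings keep input order."""
    out: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.strip():
            out.extend(check_event(parse_event(line)))
    return out


# Constructed sample events: user "alice", task name "SystemCheck" are made up.
SAMPLE_LOG = r'''
image="C:\Windows\System32\cmd.exe" parent="C:\Users\alice\AppData\Roaming\svchost.exe" cmdline="C:\Windows\System32\cmd.exe /C vssadmin delete shadows /all /quiet"
image="C:\Windows\System32\netsh.exe" parent="C:\Windows\System32\cmd.exe" cmdline="netsh advfirewall set currentprofile state off"
image="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe" parent="C:\Windows\explorer.exe" cmdline="winlogon.exe"
image="C:\Windows\System32\winlogon.exe" parent="C:\Windows\System32\smss.exe" cmdline="winlogon.exe"
image="C:\Windows\System32\schtasks.exe" parent="C:\Users\alice\AppData\Roaming\svchost.exe" cmdline="schtasks /create /tn SystemCheck /sc onlogon /tr C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe"
image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe" cmdline="notepad.exe C:\Users\alice\notes.txt"
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['technique']}] {f['rule']}: {f['image']} :: {f['evidence']}")
```

The legitimate winlogon.exe launched by smss.exe from System32 produces no finding, while the copy in the Startup folder does, so the rule keys on the image path rather than the process name alone. The write-up's "related registry edits" against Defender are not covered here because it does not name the keys.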
Indicators of Compromise
- [MD5] 90bae9356dc021172d0ff06603e7a4cf – BlackBit ransomware executable
- [SHA1] 7fd07c934ce9b7c4ad902408ed528acf4ce32ddb – BlackBit ransomware executable
- [SHA256] 1d2db070008116a7a1992ed7dad7e7f26a0bfee3499338c3e603161e3f18db2f – BlackBit ransomware executable
Read more: https://blog.cyble.com/2023/05/03/blackbit-ransomware-a-threat-from-the-shadows-of-lokilocker/