Uncovering LockBit Black’s Attack Chain and Anti-Forensic Activity

MITRE Techniques

• [T1110] Brute Force – The group obtains initial access to the victim’s network via SMB brute forcing from various IPs. “The group obtains initial access to the victim’s network via SMB brute forcing from various IPs.”
• [T1021.002] SMB/Windows Admin Shares – PSEXEC is used to spread laterally and execute the ransomware payload across the network. “The sys-internal tool PSEXEC is used to execute malicious BAT files on a single system which were later cleaned off. These files indicate activity related to modifying RDP & authentication settings while disabling antivirus at the same time.”
• [T1027] Deobfuscate/Decode Files or Information – Resolving obfuscated APIs by decrypting strings with a per-payload XOR key. “Being packed and having only a few imports, Win32 APIs are resolved by decrypting the obfuscated string with XOR using the key 0x3A013FD5, which is again unique to each payload.”
• [T1548.002] Pass-the-Through Privilege Escalation / UAC Bypass – Privilege escalation via CMSTPLUA COM to bypass the UAC prompt. “This elevates the rights from the user to the administrator level with another instance of the ransomware payload, terminating the current process.”
• [T1562.001] Impair Defenses – Disabling Windows Defender for evasion. “Specifically, Windows Defender is disabled for evasion.”
• [T1070.001] Clear Windows Event Logs – Anti-forensic activity includes disabling event logs by registry changes. “As part of wiping out its traces, lots of anti-forensic activity is observed where Windows Event Logs are disabled by setting multiple registry subkeys to value 0.”
• [T1053.005] Scheduled Task/Job – Tasks are enumerated and deleted to hinder detection. “Scheduled tasks are enumerated and deleted, some of which are shown below.”
• [T1486] Data Encrypted for Impact – File encryption across shares using multi-threading and per-file naming. “Files are encrypted by creating multiple threads where each filename is replaced with a random string generated and appending the extension to them.”
• [T1490] Inhibit System Recovery – Shadow copies are deleted to prevent restoration. “Volume shadow copies are enumerated using a WMI query and then deleted to prevent system restoration.”
• [T1112] Modify Registry – Registry changes disable defenses and alter system settings. “Windows Event Logs are disabled by setting multiple registry subkeys to value 0.”