Keypoints
- Arrives as a portable Windows executable that immediately displays a ransom window with a countdown timer.
- The ransom UI blocks common keyboard shortcuts, preventing normal user interaction and forcing a reboot to regain control.
- Common system tools are blocked or killed (taskmgr, cmd, msconfig, regedit, Process Explorer), limiting remediation options.
- Encrypts user files using AES via the .NET RijndaelManaged class and appends the .L0cked extension to encrypted files.
- Targets a wide set of file extensions (as shown in the analysis screenshots) to maximize impact on user data.
- The ransom demand shown is unusually low ($100), but the malware still renders systems effectively unusable.
- SonicWall protections: detected as GAV: Lighter.RSM and blocked by Capture ATP with RTDMI and the Capture Client endpoint solution.
MITRE Techniques
- None explicitly mentioned in the article.
Indicators of Compromise
- [File Extension] Encrypted files – .L0cked (extension appended to encrypted files)
- [Detection Signature] SonicWall GAV – GAV: Lighter.RSM (Trojan) detected by SonicWall solutions
The malware is delivered as a portable Windows executable which, on execution, spawns a full-screen ransom window with a visible countdown. That UI intercepts or disables standard keyboard shortcuts and blocks or terminates administrative utilities (taskmgr, cmd, msconfig, regedit, Process Explorer), leaving the user unable to interact with the system unless they force a reboot.
Concurrently, the binary performs bulk file encryption using AES implemented via the .NET RijndaelManaged class, renaming encrypted files with the .L0cked extension. The sample observed targets a broad set of common document and data file extensions to maximize data loss and displays a $100 ransom demand in the UI.
SonicWall Capture Labs identifies this threat as GAV: Lighter.RSM and notes that protection is available through SonicWall Capture ATP with RTDMI and Capture Client endpoint defenses. Defensive priorities are detection and isolation of the executing binary, preventing privilege escalation, and restoring from backups to recover affected files.
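The two host-side behaviours described above (bulk creation of .L0cked files and termination of the listed admin tools) can be turned into simple detection logic. The following is an added example, not code from the SonicWall write-up: it runs over constructed Sysmon-style event lines in a made-up `time|event|process|target` format, and `sample.exe` is a placeholder for the unnamed binary.

```python
from datetime import datetime, timedelta

# Admin utilities the write-up says the ransom window blocks or kills
# (Process Explorer ships as procexp.exe / procexp64.exe).
BLOCKED_TOOLS = {"taskmgr.exe", "cmd.exe", "msconfig.exe", "regedit.exe",
                 "procexp.exe", "procexp64.exe"}
RANSOM_EXT = ".l0cked"  # extension appended to encrypted files (compared case-insensitively)

def parse_event(line):
    """Parse a constructed 'ISO-time|event|process|target' line into a dict."""
    ts, kind, proc, target = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "proc": proc.lower(), "target": target.lower()}

def find_encryption_bursts(events, threshold=5, window=timedelta(seconds=10)):
    """Processes creating at least `threshold` .L0cked files within one `window`."""
    by_proc = {}
    for e in events:
        if e["kind"] == "FileCreate" and e["target"].endswith(RANSOM_EXT):
            by_proc.setdefault(e["proc"], []).append(e["ts"])
    flagged = set()
    for proc, times in by_proc.items():
        times.sort()
        start = 0  # left edge of a sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(proc)
                break
    return flagged

def find_tool_kills(events):
    """(killer, victim) pairs where a listed admin tool was terminated."""
    return {(e["proc"], e["target"]) for e in events
            if e["kind"] == "ProcessTerminate" and e["target"] in BLOCKED_TOOLS}

# Constructed sample events; 'sample.exe' is a placeholder, not the real binary name.
SAMPLE_LOG = [
    "2024-03-01T10:00:00|ProcessTerminate|sample.exe|taskmgr.exe",
    "2024-03-01T10:00:01|ProcessTerminate|sample.exe|regedit.exe",
    "2024-03-01T10:00:02|ProcessTerminate|explorer.exe|notepad.exe",  # benign, not listed
    "2024-03-01T10:00:03|FileCreate|sample.exe|C:\\Users\\a\\Documents\\q1.xlsx.L0cked",
    "2024-03-01T10:00:03|FileCreate|sample.exe|C:\\Users\\a\\Documents\\q2.xlsx.L0cked",
    "2024-03-01T10:00:04|FileCreate|sample.exe|C:\\Users\\a\\Pictures\\img1.jpg.L0cked",
    "2024-03-01T10:00:05|FileCreate|sample.exe|C:\\Users\\a\\Pictures\\img2.jpg.L0cked",
    "2024-03-01T10:00:06|FileCreate|sample.exe|C:\\Users\\a\\Desktop\\notes.docx.L0cked",
    "2024-03-01T10:05:00|FileCreate|explorer.exe|C:\\Users\\a\\Desktop\\old.txt.L0cked",  # lone
]
EVENTS = [parse_event(line) for line in SAMPLE_LOG]
```

The burst threshold keeps a single stray .L0cked file from firing the rule, while any termination of a listed tool is reported on its own because that behaviour is rare in normal use.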
Read more: https://blog.sonicwall.com/en-us/2024/03/lighter-ransomware-locks-users-out-of-system/