LockBit Ransomware Gang Attacks an MSP and Two Manufacturers Using…

eSentire intercepted three LockBit affiliate ransomware attacks aimed at an MSP and two manufacturers, halting them before widespread impact. The report highlights how attackers used RMM tools and remote-access software—and even brought their own tools—to propagate ransomware, often leveraging Living-off-the-Land techniques to fly under detection.
#LockBit #RaaS #eSentire #AnyDesk #ConnectWiseScreenConnect #RoyalMail #Zaun

Key points

  • eSentire’s Threat Response Unit (TRU) stopped three LockBit affiliate ransomware attacks between February 2022 and June 2023, targeting an MSP and two manufacturers.
  • Attackers reused legitimate IT tools already present in the environment (RMM and remote-access software, a Living-off-the-Land approach) to spread ransomware and, in some cases, brought their own copies of such tools.
  • Initial access came from multiple methods, including browser-based attacks and valid credentials, complicating detection.
  • Key operations included use of PsExec, AnyDesk, Atera, and ConnectWise ScreenConnect to move laterally or persist, with attempts to deploy ransomware to downstream customers.
  • Technical details reveal PowerShell-based loaders, in-memory DLL loading, API hashing (ROR13), XOR obfuscation, AMSI and UAC bypasses, and anti-forensics like shadow-copy deletion.
  • Recommendations emphasize securing RMM/remote-access tools (2FA, ACLs, VPNs, certificate-based access), continuous MDR, patching, phishing awareness, and proactive threat intel.
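The loader traits listed above (the Base64-plus-GZIP reflective DLL loader, the amsiInitFailed tamper, the COM Elevation Moniker and shadow-copy deletion) are all visible in PowerShell script-block logging when it is enabled. The following triage script is an added example for this summary, not eSentire's code or the affiliate's tooling: it runs a small rule set over the ScriptBlockText of Event ID 4104 records and reports a hit count per block, since it is several of these traits occurring together that makes a block worth escalating. The two sample blocks are constructed, and the vssadmin/Win32_ShadowCopy pattern is an assumption about how the shadow copies were deleted, which the report summary does not state.

```python
"""Triage PowerShell script-block text for the loader traits summarised above.

Added example for this summary, not eSentire's code or the affiliate's
tooling. Each rule is a regular expression over the ScriptBlockText of a
PowerShell Event ID 4104 record; what matters is several traits appearing in
the same block, so the result carries a hit count rather than a single flag.
The two sample blocks are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # ATT&CK id as mapped in the summary
    pattern: "re.Pattern[str]"


RULES = (
    # The summary names amsiInitFailed as the field the loader sets to "True".
    Rule("amsi_initfailed_tamper", "T1562.001",
         re.compile(r"amsiInitFailed", re.I)),
    # Base64 decode, then GZip decompress, then an in-memory Assembly load,
    # in that order within one block: the reflective DLL loader chain.
    Rule("b64_gzip_reflective_load", "T1059.001",
         re.compile(r"FromBase64String[\s\S]{0,400}?GZipStream[\s\S]{0,400}?"
                    r"Reflection\.Assembly\]::Load", re.I)),
    # COM Elevation Moniker with any CLSID (the summary quotes one).
    Rule("com_elevation_moniker", "T1548.002",
         re.compile(r"Elevation:Administrator!new:\{[0-9A-F-]{36}\}", re.I)),
    # Shadow-copy deletion. Assumption: the report says only that copies were
    # deleted; vssadmin and the Win32_ShadowCopy WMI class are the usual routes.
    Rule("shadow_copy_deletion", "T1490",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                    r"|Win32_ShadowCopy[\s\S]{0,200}?Delete", re.I)),
)


def triage(script_block: str) -> dict:
    """Return the matched rule names, the ATT&CK ids they map to and a count."""
    hits = [r for r in RULES if r.pattern.search(script_block)]
    return {
        "hits": [r.name for r in hits],
        "techniques": sorted({r.technique for r in hits}),
        "score": len(hits),
    }


def rank(blocks: dict) -> list:
    """Order {record_id: ScriptBlockText} by descending hit count, dropping zeros."""
    scored = ((rid, triage(text)["score"]) for rid, text in blocks.items())
    return sorted(((rid, s) for rid, s in scored if s), key=lambda p: -p[1])


# Constructed sample resembling the loader traits in the summary (tamper and
# payload handling elided; only the tokens the rules key on are present).
SAMPLE_LOADER = r"""
$field = 'amsiInitFailed'
$raw = [Convert]::FromBase64String($blob)
$gz  = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress)
$asm = [Reflection.Assembly]::Load($decoded)
$mon = "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
vssadmin.exe Delete Shadows /All /Quiet
"""

# Constructed benign block: Base64 and vssadmin appear, but the chain does not.
SAMPLE_BENIGN = r"""
$cert = [Convert]::FromBase64String($pem)
vssadmin list shadows
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOADER))
    print(rank({"evt-1": SAMPLE_LOADER, "evt-2": SAMPLE_BENIGN}))
```

The benign block scores zero even though it contains FromBase64String and vssadmin, because the Base64 rule requires the full decode, decompress, load sequence and the shadow-copy rule requires a delete; ordering rules this way keeps the single-token noise out of the escalation queue.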

MITRE Techniques

  • [T1078] Valid Accounts – LockBit affiliates gained initial access via valid credentials among other methods. ‘LockBit affiliates tend to get initial access via numerous methods, including browser-based attacks like SocGholish, exploitation of vulnerable servers exposed to the Internet, and valid credentials.’
  • [T1021.001] Remote Services – Attackers used legitimate remote-access software (AnyDesk, Atera, ConnectWise ScreenConnect) and even brought their own copies to spread ransomware. ‘using legitimate RMM tools and remote access software to deploy their ransomware, including Advanced IP Scanner, AnyDesk, Atera and ConnectWise ScreenConnect™.’
  • [T1059.001] PowerShell – A PowerShell loader and obfuscated layers were used to load the ransomware in memory. ‘The third deobfuscated layer reveals the PowerShell loader that contains the LockBit ransomware binary. The deobfuscated script is responsible for reflectively loading the DLL that is base64-encoded and GZIP-compressed into the current process in memory, resulting in the ransomware execution.’
  • [T1055] Process Injection – In-memory loading of the DLL within the current process to execute the ransomware. ‘reflectively loading the DLL that is base64-encoded and GZIP-compressed into the current process in memory, resulting in the ransomware execution.’
  • [T1562.001] Impair Defenses – AMSI bypass by manipulating AMSI state to avoid scanning. ‘Before executing the decoded data, the script attempts to disable the Anti-Malware Scan Interface (AMSI) by assigning amsiInitFailed to “True”’
  • [T1548.002] Bypass User Account Control – UAC bypass via COM Elevation Moniker to elevate privileges. ‘The COM Elevation Moniker with “Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}”’
  • [T1082] System Information Discovery – OS version detection via PEB data. ‘LockBit determines the version of the Windows operating system currently running on the system from the PEB data structure.’
  • [T1490] Inhibit System Recovery – Shadow copies deletion to hinder recovery. ‘delete shadow volume copies of the manufacturer’s files’
  • [T1027] Obfuscated/Compressed Files and Information – String decryption and XOR-based decryption. ‘The ransomware decrypts the strings using bitwise XOR operations’ and ‘decrypt the strings using bitwise XOR operations’
  • [T1562.004] Impair Defenses: Disable or Modify Security Tools (generalized) – TrustedInstaller technique to stop Defender and other security measures. ‘locks to stop services such as Microsoft Defender Antivirus; it queries for the TrustedInstaller service, starts the service and duplicates the token for the TrustedInstaller.exe process.’
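The ROR13 API hashing from the key points and the XOR string decryption under T1027 are the two obfuscation layers an analyst has to undo before the import resolution and string table of a sample make sense. The helper below is an added example for this summary, not eSentire's code or the ransomware's own routines: it builds a hash-to-name lookup table for the common ROR13 variant (for each byte of the name, h = ror32(h, 13) + byte), resolves hashed values against it, and provides a repeating-key XOR decoder. The seed API list and the XOR inputs are constructed; whether a sample includes the null terminator or mixes in the module name varies, so the variant has to be confirmed against the sample's own hashing routine before the table is trusted.

```python
"""Resolve ROR13-hashed API names and XOR-decode strings during analysis.

Added example for this summary, not eSentire's code or the ransomware's own
routines. Assumes the widely used ROR13 variant (for each byte of the name,
h = ror32(h, 13) + byte); samples differ in whether the null terminator is
included or the module name is mixed in, so confirm the exact variant against
the sample's hashing routine before trusting the table. The API list and the
XOR inputs are constructed for this example.
"""
MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str, include_null: bool = False) -> int:
    """Hash an ASCII symbol name the way ROR13-based resolvers do."""
    data = name.encode("ascii") + (b"\x00" if include_null else b"")
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_table(names, include_null: bool = False) -> dict:
    """Map hash -> name so a hashed import can be looked up; flags collisions."""
    table = {}
    for n in names:
        h = ror13_hash(n, include_null)
        if h in table and table[h] != n:
            raise ValueError(f"collision: {table[h]!r} and {n!r} both hash to {h:#010x}")
        table[h] = n
    return table


def resolve(table: dict, hashed: int):
    """Return the name for a hashed value, or None if it is not in the table."""
    return table.get(hashed & MASK32)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed seed list: names an analyst would expect a loader to resolve.
SEED_APIS = (
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "OpenSCManagerA", "OpenServiceA", "StartServiceA",
    "OpenProcess", "OpenProcessToken", "DuplicateTokenEx",
)


def annotate(hashes, table: dict) -> list:
    """Pair each hash from a sample with its resolved name or 'unresolved'."""
    return [(f"{h:#010x}", resolve(table, h) or "unresolved") for h in hashes]


if __name__ == "__main__":
    table = build_table(SEED_APIS)
    sample_hashes = [ror13_hash("VirtualAlloc"), ror13_hash("DuplicateTokenEx"), 0xDEADBEEF]
    for line in annotate(sample_hashes, table):
        print(line)
    print(xor_bytes(xor_bytes(b"constructed", b"\x5a\xa5"), b"\x5a\xa5"))
```

In practice the seed list is the export table of the DLLs the sample touches rather than a hand-picked set, and an unresolved hash is itself a finding: it either points at an export not yet in the table or at a different hashing variant than the one assumed.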

Indicators of Compromise

  • [File Name] LBG64.exe, LBG32.exe
  • [Hash] 38c813d99d54de6639a80148ff1cfc6acec08066b0912c49576604ed67e9cfaf, 8793537b1422beb7d314c65761135b38c63fbdefac6092e93c80191a2e22de91

Read more: https://www.esentire.com/blog/russia-linked-lockbit-ransomware-gang-attacks-an-msp-and-two-manufacturers-using-the-targets-rmm-tools-to-infect-downstream-customers-and-employees-with-ransomware