Trend Micro details LockBit 3.0 ransomware that imitates BlackMatter capabilities

Researchers from Trend Micro caught wind of an upcoming new variant of the LockBit ransomware in March this year, less than a year after LockBit 2.0 first emerged. LockBit 3.0, aka ‘LockBit Black’ wouldn’t be unveiled until late June, coinciding with the launch of the group’s new leak site and bug bounty program.

“A researcher has since shared a sample of LockBit 3.0, along with his initial analysis of the new variant,” Trend Micro researchers wrote in a blog post. BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware’s developers to profit from cybercriminal affiliates such as the BlackMatter hackers, who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021 and carried out the attack against Colonial Pipeline. BlackMatter hackers have attacked numerous U.S.-based organizations and demanded ransom payments ranging from US$80,000 to $15,000,000 in Bitcoin and Monero.

One notable behavior for this third LockBit version is its file deletion technique: instead of using ‘cmd[dot]exe’ to execute a batch file or command that will perform the deletion, it drops and executes a ‘.tmp’ file decrypted from the binary, they added.

It has, however, retained some of LockBit 2.0’s features, like the earlier version’s ability for lateral movement through a group policy update, as long as there is a ‘-gspd’ parameter provided.

Trend Micro alerted organizations that with the release of this latest variant and the launch of LockBit’s bug bounty program, which rewards its affiliates, it expects the LockBit ransomware group to be even more active in the coming days. “We advise organizations and end users to be wary of this new variant, especially since the bug bounty program might help the operators in making their ransomware an even more formidable one,” it added.

The LockBit ransomware gang led the RaaS scene in the first quarter of this year, with 220 self-reported successful RaaS and extortion attacks, Trend Micro said. One headline-making attack reportedly took place in January, during which LockBit operators claimed to have breached France’s Ministry of Justice. It would be no surprise if some of BlackMatter’s affiliates had joined the ranks of the LockBit group, considering LockBit’s recent rise in notoriety, which would explain the many similarities between the two pieces of ransomware, it added.

Researchers have pointed out that portions of LockBit 3.0’s code seem to be borrowed from the BlackMatter ransomware, hence the nickname LockBit Black. “Likewise, we found similarities between BlackMatter and the new LockBit variant during our debugging of the LockBit 3.0 sample.”

The new LockBit variant checks arguments using hashing and based on the code. It’s designed to perform only one routine from the arguments except for -pass, which needs to be performed before the other arguments can be checked, Trend Micro said. “The routines to print the ransom note and change the victim machine’s wallpaper is also similar to BlackMatter’s routines if the -wall argument is provided. Like BlackMatter, LockBit 3.0 can also restart in safe mode and execute via the RunOnce registry, as long as the -safe argument is provided,” it added.

Trend Micro disclosed that like BlackMatter, LockBit 3.0 performs various routines, including attempts to log in using credentials from its configuration list to determine if the compromised system is a part of the domain admin that it will use for later routines. It also terminates and deletes processes and services from its configuration list, a routine similar to that of BlackMatter, wipes the recycle bin folder of every drive, checks a list of computer name hashes to avoid from its configuration list, connects to the C&C server from its configuration list if the flag is set, and encrypts network shares and Exchange Mailbox if set in its configuration flag.

It also obtains a list of files, folders, and extensions to be avoided from its configuration list, uses pointed files when encrypting .lnk files, prints the ransom note on any available printers, modifies the desktop wallpaper, and uses the same encryption algorithm as BlackMatter. “LockBit 3.0’s deletion of shadow copies is clearly lifted from BlackMatter’s code, as this is performed using Windows Management Instrumentation (WMI) through COM objects, as opposed to LockBit 2.0’s use of vssadmin.exe,” the researchers added.

Last November, the BlackMatter ransomware group said it would be shutting down operations after facing ‘certain unsolvable circumstances associated with pressure from authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off.’ The move came following pressure from an international coalition that included Europol, Norway, France, the Netherlands, Ukraine, the U.K., Germany, the U.S., and Switzerland.

U.S. security agencies published in October a joint cybersecurity advisory notifying organizations of cyber attackers using the BlackMatter ransomware that could potentially target multiple critical infrastructure entities. It also provided details on the tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment, as well as from trusted third-party reporting.

From Trend Micro’s examination of the unpacked sample and analysis provided by the researcher Chuong Dong, the researchers discovered that LockBit 3.0 requires a pass parameter to decrypt its main routine. Other ransomware families like Egregor have been observed exhibiting this same behavior, where an argument is required to proceed with the routine. This makes the binary harder to reverse if the parameter is not available, they added.

The LockBit 3.0 performs API harvesting by hashing the API names of a DLL and then comparing it to the list of the APIs that the ransomware needs, Trend Micro revealed. “This routine is identical to that of BlackMatter, as the externally available script for renaming BlackMatter’s APIs also works for LockBit 3.0,” it added.

Instead of directly calling the addresses of the harvested APIs, LockBit 3.0 implements a trampoline pointer to go to an allocated heap that contains a disassembly code that will then jump to the API address of the NtTerminateProcess API, the research identified. The code contained in the heap is randomly chosen from this set of codes – ROR by random number, ROL by random number, XOR to key, ROR by random number, then XOR to key, and ROL by random number, then XOR to key, it added.

“Like BlackMatter, LockBit 3.0 employs threading when using an API instead of directly calling an API, which is likely an attempt to make it more difficult for researchers to analyze,” Trend Micro said. “The strings it uses are decrypted using a simple bitwise-XOR routine, a bitwise-XOR and NOT routine, or a decryption routine involving a linear congruential generator (LCG) algorithm to generate a pseudorandom key. This is also similar to how BlackMatter operates, except for the addition of the bitwise-XOR and NOT routine,” it added.

Trend Micro pointed out that LockBit 3.0’s configurations are decrypted using the same XOR routine and keys obtained from an LCG pseudorandom number generator and then decompressed using a compression library called APLib. “LockBit 3.0 also retains these BlackMatter routines for privilege escalation – uses UACMe’s method of bypassing user account control (UAC), which is to use the ICMLuaUtil COM interface under dllhost[dot]exe, duplicates the Explorer[dot]exe token for its own use, and performs a 32-bit or 64-bit shellcode injection to elevate its token,” it added.

“The string that both LockBit 3.0 and BlackMatter use as the encrypted file name extension, ransom note name, and wallpaper and icon name is a Base64-encoded hash,” the research said. “However, a key difference between the two pieces of ransomware is that LockBit 3.0 opts to use an RSA public key embedded in its configuration and hash it with MD5, whereas BlackMatter uses a MachineGUID hashed using the same algorithm for APIs. This makes the string similar for all machines infected by the same sample, which is likely an attempt by LockBit’s operators to make it easier for them to identify which RSA private key pair is needed for an encrypted file,” it added.

Trend Micro advised organizations to adopt best practices for mitigating the risk of a ransomware attack including following the 3-2-1 rule, which involves backing up files in three copies in two different formats, with one copy stored off-site. Remaining vigilant against socially engineered emails to reduce the risk of a ransomware infection, as ransomware is commonly spread through malicious spam email attachments, and keeping applications and programs up to date. Regular patching ensures that software vulnerabilities that ransomware attackers could exploit as entry points can be addressed in a timely fashion.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.