General

  • Target

    5ee3246e30d8e0222eb6b27e4ebf67953ac49f559b629ba11238d049d6ddc0a1

  • Size

    628KB

  • Sample

    220305-xngb3safej

  • MD5

    4e6558678dc109a8a107444dccdcdc70

  • SHA1

    d39805b7b03702de99aec7bf6955e0ec62fbc82f

  • SHA256

    5ee3246e30d8e0222eb6b27e4ebf67953ac49f559b629ba11238d049d6ddc0a1

  • SHA512

    2b62dd34f453fb806bce24193ec7217249eef7c3f0375233b267fee2ed36320437e89e24b32b386b0d187bdf18c16736430225926613d9fb838a3262ed040dad

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
1) Through a standard browser(FireFox, Chrome, Edge, Opera)
   1. Open link http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B8000BCB0EE53592
   2. Follow the instructions on this page
2) Through a Tor Browser - recommended
   1. Download Tor browser - https://www.torproject.org/ and install it.
   2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B8000BCB0EE53592 This link only works in Tor Browser!
   3. Follow the instructions on this page
### Attention! ###
# lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B8000BCB0EE53592

http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B8000BCB0EE53592

Extracted

Path

C:\Users\Admin\Desktop\LockBit-note.hta

Ransom Note
Lock BIT
Any attempts to restore your files with the thrid-party software will be fatal for your files!
Restore you data posible only buying private key from us.
There is only one way to get your files back:
Through a standard browser
   Open link - http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B8000BCB0EE53592
   Follow the instructions on this page
Through a recommended
   Download Tor Browser - https://www.torproject.org/ and install it.
   Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B8000BCB0EE53592 This link only works in Tor Browser!
   Follow the instructions on this page
Lockbit-decryptor.com may be blocked. We recommend using a Tor browser to access the site
Do not rename encrypted files.
Do not try to decrypt using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our).
Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B8000BCB0EE53592

http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B8000BCB0EE53592

Extracted

Path

C:\odt\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted!
Any attempts to restore your files with the thrid-party software will be fatal for your files!
RESTORE YOU DATA POSIBLE ONLY BUYING private key from us.
There is only one way to get your files back:
1) Through a standard browser(FireFox, Chrome, Edge, Opera)
   1. Open link http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B4BB41F534346ECA
   2. Follow the instructions on this page
2) Through a Tor Browser - recommended
   1. Download Tor browser - https://www.torproject.org/ and install it.
   2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B4BB41F534346ECA This link only works in Tor Browser!
   3. Follow the instructions on this page
### Attention! ###
# lockbit-decryptor.top may be blocked. We recommend using a Tor browser to access the site
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about
URLs

http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B4BB41F534346ECA

http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B4BB41F534346ECA
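Turning the three extracted notes above into indicators is the first triage step, and it is easy to get wrong: the Tor Project help links in the note are not indicators, the per-victim token sits in the URL as a bare query string rather than a key=value pair, and the two Restore-My-Files.txt drops carry different tokens that must not be deduplicated away. The following is an added example, not code from the sandbox report or from the LockBit sample; the function names, the trimmed note excerpts and the allowlist are this example's own choices, and the excerpts contain only strings that appear in the report.

```python
"""Extract network indicators and victim tokens from LockBit ransom notes.

Added example, not part of the sandbox report. `extract_iocs`, `defang`,
`victim_id_prefix` and `summarize` are this example's own names; the NOTES
excerpts are trimmed copies of the three notes in the report.
"""
import re
from urllib.parse import urlsplit

# Excerpts of the three extracted notes (two .txt drops and the .hta),
# trimmed to the lines that carry indicators.
NOTES = {
    r"C:\Program Files\7-Zip\Restore-My-Files.txt": (
        "1. Open link http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B8000BCB0EE53592 | "
        "1. Download Tor browser - https://www.torproject.org/ and install it. | "
        "2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B8000BCB0EE53592 This link only works in Tor Browser!"
    ),
    r"C:\Users\Admin\Desktop\LockBit-note.hta": (
        "Open link - http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B8000BCB0EE53592 Follow the instructions on this page "
        "Open link in Tor Browser - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B8000BCB0EE53592 This link only works in Tor Browser! "
        "Lockbit-decryptor.com may be blocked."
    ),
    r"C:\odt\Restore-My-Files.txt": (
        "1. Open link http://lockbit-decryptor.top/?9B7FDA8D33FEC3F9B4BB41F534346ECA | "
        "2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?9B7FDA8D33FEC3F9B4BB41F534346ECA This link only works in Tor Browser!"
    ),
}

URL_RE = re.compile(r"https?://[^\s|\"'<>]+")
# Domains named without a scheme (the .hta mentions lockbit-decryptor.com in prose).
BARE_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:onion|top|com)\b", re.I)
# Legitimate Tor Project links quoted in the note; never emit these as indicators.
ALLOWLIST = {"www.torproject.org", "bridges.torproject.org", "tb-manual.torproject.org"}


def extract_iocs(note: str) -> dict:
    """Return onion hosts, clearnet hosts and 32-hex victim tokens from one note."""
    hosts, victim_ids = set(), set()
    for url in URL_RE.findall(note):
        parts = urlsplit(url.rstrip(".,)"))
        host = (parts.hostname or "").lower()
        if not host or host in ALLOWLIST:
            continue
        hosts.add(host)
        # LockBit puts the token in the URL as a bare query string with no
        # key=value form, so parse_qs() would discard it; take it verbatim.
        if re.fullmatch(r"[0-9A-Fa-f]{32}", parts.query):
            victim_ids.add(parts.query.upper())
    for dom in BARE_DOMAIN_RE.findall(note):
        if dom.lower() not in ALLOWLIST:
            hosts.add(dom.lower())
    return {
        "onion": sorted(h for h in hosts if h.endswith(".onion")),
        "clearnet": sorted(h for h in hosts if not h.endswith(".onion")),
        "victim_ids": sorted(victim_ids),
    }


def defang(host: str) -> str:
    """Render a host so it is not clickable or auto-linked in a report."""
    return host.replace(".", "[.]")


def victim_id_prefix(ids) -> str:
    """Longest common hex prefix across tokens. Worth recording when several
    notes from one run carry different tokens; the report does not say what
    the shared part encodes, so treat it as an observation only."""
    ids = list(ids)
    if not ids:
        return ""
    prefix = ids[0]
    for other in ids[1:]:
        while not other.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def summarize(notes=NOTES) -> dict:
    """Merge indicators across all notes without collapsing distinct tokens."""
    merged = {"onion": set(), "clearnet": set(), "victim_ids": set()}
    for text in notes.values():
        iocs = extract_iocs(text)
        for key in merged:
            merged[key].update(iocs[key])
    return {key: sorted(val) for key, val in merged.items()}


if __name__ == "__main__":
    summary = summarize()
    for host in summary["onion"] + summary["clearnet"]:
        print("host:", defang(host))
    print("victim tokens:", summary["victim_ids"])
    print("shared token prefix:", victim_id_prefix(summary["victim_ids"]))
```

Run stand-alone it lists both the .onion and clearnet hosts defanged, plus both tokens from this report (the two .txt drops share their first 17 hex digits and then diverge), which is why the extractor keys on the full token rather than on the host alone.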

Targets

    • Target

      5ee3246e30d8e0222eb6b27e4ebf67953ac49f559b629ba11238d049d6ddc0a1

    • Size

      628KB

    • MD5

      4e6558678dc109a8a107444dccdcdc70

    • SHA1

      d39805b7b03702de99aec7bf6955e0ec62fbc82f

    • SHA256

      5ee3246e30d8e0222eb6b27e4ebf67953ac49f559b629ba11238d049d6ddc0a1

    • SHA512

      2b62dd34f453fb806bce24193ec7217249eef7c3f0375233b267fee2ed36320437e89e24b32b386b0d187bdf18c16736430225926613d9fb838a3262ed040dad

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Deletes itself

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger
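The recovery-inhibition behaviours flagged above (shadow copy deletion, bcdedit changes to the boot configuration, wbadmin catalog deletion) and the Run-key persistence are the parts of this sample that are visible in ordinary process-creation telemetry, so they are where a detection engineer starts. The following is an added example, not code from the report or the sample: the report confirms only that bcdedit, wbadmin and a Run key are used, not the exact command lines, so the log records below are constructed from the commonly documented forms of those commands and the log format, rule names and correlation thresholds are this example's own.

```python
"""Flag inhibit-system-recovery (T1490) and Run-key persistence (T1060)
command lines in process-creation telemetry, then correlate by parent.

Added example, not from the sandbox report. EVENTS is a constructed log in
a made-up (timestamp, parent_pid, image, command_line) shape; the command
lines are the commonly documented forms, not ones recovered from this sample.
"""
import re
from collections import defaultdict

# Constructed process-creation records: (timestamp_s, parent_pid, image, command_line).
EVENTS = [
    (100, 4120, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "echo hello"'),
    (101, 4120, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (101, 4120, r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    (102, 4120, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (102, 4120, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (103, 4120, r"C:\Windows\System32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (104, 4120, r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Admin\x.exe /f"),
    (900, 7755, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),  # benign admin query
]

# (technique, rule name, pattern). Patterns tolerate the .exe suffix and
# variable whitespace but require the destructive verb, so "vssadmin list"
# and "bcdedit /enum" stay quiet.
RULES = [
    ("T1490", "vssadmin delete shadows",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "bcdedit disable recovery",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("T1490", "bcdedit ignore boot failures",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("T1490", "wbadmin delete catalog",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("T1060", "Run key added via reg.exe",
     re.compile(r"reg(?:\.exe)?\s+add\s+HK(?:CU|LM)\\.*\\CurrentVersion\\Run\b", re.I)),
]


def match_rules(cmdline: str) -> list:
    """Return every (technique, rule name) whose pattern matches the command line."""
    return [(tech, name) for tech, name, rx in RULES if rx.search(cmdline)]


def correlate(events=EVENTS, window_s: int = 60, min_distinct: int = 2) -> dict:
    """Group rule hits by parent process and alert when at least `min_distinct`
    different rules fire within `window_s` seconds of the first hit.

    A single shadow-copy deletion can be a legitimate admin action; several
    recovery-inhibiting commands from one parent within a minute is the
    ransomware pattern this report describes.
    """
    by_parent = defaultdict(list)
    for ts, ppid, _image, cmd in events:
        for tech, name in match_rules(cmd):
            by_parent[ppid].append((ts, tech, name))

    alerts = {}
    for ppid, hits in by_parent.items():
        hits.sort()
        first_ts = hits[0][0]
        in_window = [h for h in hits if h[0] - first_ts <= window_s]
        if len({h[2] for h in in_window}) >= min_distinct:
            alerts[ppid] = {
                "techniques": sorted({h[1] for h in in_window}),
                "hits": [h[2] for h in in_window],
            }
    return alerts


if __name__ == "__main__":
    for ppid, alert in correlate().items():
        print(f"parent {ppid}: {alert['techniques']} via {len(alert['hits'])} commands")
```

The per-rule patterns alone are noisy on admin hosts; the correlation step is what makes them usable, and the window and threshold should be tuned against your own baseline before deployment.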

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                              Hits  ID
Execution        Command-Line Interface                 1     T1059
Persistence      Registry Run Keys / Startup Folder     1     T1060
Defense Evasion  File Deletion                          3     T1107
Defense Evasion  Modify Registry                        3     T1112
Discovery        Query Registry                         2     T1012
Discovery        System Information Discovery           3     T1082
Discovery        Peripheral Device Discovery            1     T1120
Discovery        Remote System Discovery                1     T1018
Impact           Inhibit System Recovery                4     T1490
Impact           Defacement                             1     T1491
