General

  • Target

    0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

  • Size

    151KB

  • Sample

    240314-en7vxscc87

  • MD5

    1fbef2a9007eb0e32fb586e0fca3f0e7

  • SHA1

    3e86304198d1185a36834e59147fc767315d8678

  • SHA256

    0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

  • SHA512

    94de457c74b783413514bc5804e86f5e1f0962dc03acf12d0a22c8b383b099518242314862417c24e5b13101b135d36dce285f4db11c989f3bc4331ce1b437b0

  • SSDEEP

    3072:3m5H8y2mrr217uS8nW+cpsCp2cOy1cjKCy8YjKGiyWDDuMqqD/E0a3Hv/:3MHf2mr/Ww74cdlzXFqqD/Za//

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\en-US\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86CD53F5F936BC8E60 This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86CD53F5F936BC8E60

Extracted

Path

C:\Program Files\dotnet\Restore-My-Files.txt

Family

lockbit

Ransom Note
All your important files are encrypted! Any attempts to restore your files with the thrid-party software will be fatal for your files! RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. There is only one way to get your files back: | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86C512744E10D1A2FF This link only works in Tor Browser! | 3. Follow the instructions on this page ### Attention! ### # Do not rename encrypted files. # Do not try to decrypt using third party software, it may cause permanent data loss. # Decryption of your files with the help of third parties may cause increased price(they add their fee to our). # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN. # Tor Browser user manual https://tb-manual.torproject.org/about !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.
URLs

http://lockbitks2tvnmwk.onion/?83ED6257CCE5CF86C512744E10D1A2FF

Targets

    • Target

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

    • Size

      151KB

    • MD5

      1fbef2a9007eb0e32fb586e0fca3f0e7

    • SHA1

      3e86304198d1185a36834e59147fc767315d8678

    • SHA256

      0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335

    • SHA512

      94de457c74b783413514bc5804e86f5e1f0962dc03acf12d0a22c8b383b099518242314862417c24e5b13101b135d36dce285f4db11c989f3bc4331ce1b437b0

    • SSDEEP

      3072:3m5H8y2mrr217uS8nW+cpsCp2cOy1cjKCy8YjKGiyWDDuMqqD/E0a3Hv/:3MHf2mr/Ww74cdlzXFqqD/Za//

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9170) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks