14 April 2023

Lockbit goes green

Articles

In the field of ransomware, Lockbit is a group that keeps evolving. Proof of this is the discovery of a new version of the Lockbit ransomware. This new variant seems to be based on the source code of another well-known ransomware: Conti.
The Conti ransomware appeared in 2020 and quickly became a pioneer in the field. With the establishment of a very lucrative business model, the group gained popularity very quickly. One of their most famous victims is the HSE (Irish Health Service) in May 2021.

In 2021, an affiliate leaked internal documents to the team and created the first scandal surrounding the group. In 2022, following the group’s stance in favor of Russia in the war between it and Ukraine, an internal conflict erupted and this time it is the full source code of the ransomware that was released online. The Lockbit group took advantage of this leak to recover the source code and integrate it into theirs. With Lockbit’s victim list still on the rise, this new wave may not lower the trend.

We were able to obtain some strains of this new variant and submit them to our GLIMPS Malware analysis platform. We present here the results of the automated analysis performed.

Analysis of a first strain

45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315

This file is identified by GLIMPS Malware as malicious. The Deep Enginetells us that this sample embeds functions used in binaries of the Conti family as well as Lockbit. This link between Lockbit and Conti brought to light by our analysis platform leads us to investigate further.

The strain is submitted for dynamic analysis via a sandbox connected to GLIMPS Malware and confirms that we are dealing with a ransomware without providing more information about the family at this stage.

 

Analysis of a second strain

fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3

A second file, associated with the same campaign as the previous one, is analyzed. Like the previous sample, the Deep Engine found similarities with the Conti and Lockbit families as well as correlations with the Trickbot and Bazaloader families.
Trickbot elements are used by the Conti group in their attacks which explains the link found here. For BazaLoader, it’s a bit more subtle: the BazaLoader group has indeed, like Lockbit, used the Conti code that leaked in 2022. The links that appear here show transitivity in the Lockbit Green –> Conti <– BazaLoader relationships.

Analysis of a third strain

924ec909e74a1d973d607e3ba1105a17e4337bd9a1c59ed5f9d3b4c25478fe11

A third file, related to the previously analyzed binaries campaign, is submitted to our analysis platform. As with the second sample, the Deep Engine technology shows similarities with the ContiLockbitBazaloader and Trickbot families. Once again, the correlation with these families is quite obvious from the link mentioned in the previous analysis.

Moreover, following the detection of Lockbit families and thanks to our partnership with the CTI expert company Sekoia.IO., we can integrate the analysis report related to this group.  This report also allows us to confirm the code link between the Lockbit and Conti families.

This time, the platform extracts a file whose iOCs are .onions links.

These links, which start with a Lockbit string, suggest that this would be the group’s ransomware payment portal. In order to deepen our analysis and wring out this malware, the file is submitted to dynamic analysis, which allows us to recover the ransom note of the ransomware. It seems that we are indeed facing one, or even several, Lockbit variants.

The sandbox analysis also highlights the change in file extension with a random string.

Unlike the previous versions, the extension of the files encrypted by Lockbit is no longer “.lockbit” but a random string of characters. The structure of the ransom note is the same as for Lockbit V3 (Lockbit Black).

Conclusion

The various results produced by the analyses combined with the information from CTI confirm what we thought at first. We are indeed facing Lockbit variants that shamelessly rely on Conti code, the Lockbit Green version.

Appendices

Correlation graph

1. The Deep Engine is the deep learning engine developed by GLIMPS to compare and correlate computer codes. It is used at the heart of the GLIMPS Malware platform to enable the detection of malware, even when the code has been modified by the attackers.

Please contact us to find out more: contact@glimps.re