Other New LockBit Techniques Include Renaming PowerShell Files to Evade Detection and Using Google Docs for Command and Control

OXFORD, U.K. — 十月 21, 2020 —

Sophos, a global leader in next-generation cybersecurity, today released its latest research into LockBit ransomware, “LockBit attackers used automated attack tools to identify tasty targets,” which shows how they used PowerShell tools to search for specific business applications on breached networks, including tax and point-of-sale software. If a fingerprint generated by this search met the keyword criteria, the tools would automatically execute a number of tasks, including launching the LockBit ransomware.

Researchers also uncovered a number of new attack methods that LockBit used to evade detection. These include renaming PowerShell files and using a remote Google document for command and control communications. Due to the highly automated nature of the attacks, the ransomware, once launched, spread across the network within five minutes, wiping its activity logs along the way.

"LockBit’s interest in specific business applications and keywords indicates the attackers were clearly looking to identify systems that are valuable to smaller companies—the systems that store financial information and handle daily business—in order to pressure victims to pay, and pay faster,” said Sean Gallagher, senior threat researcher, Sophos. “We’ve seen ransomware shut down business applications upon execution, but this is the first time we’ve seen attackers looking for certain types of applications in an automated approach to score potential targets.”

The operators also made extensive use of PowerShell throughout the attack, repurposing the code to suit their needs.

“The LockBit gang appears to be following other ransomware groups, including Ryuk—which Sophos recently found using Cobalt Strike—that are adapting tools developed for penetration testing to automate and accelerate their attacks,” said Gallagher. “In this case, the PowerShell scripts help the attackers identify systems that have applications with particularly valuable data, so that they don't waste their time encrypting or ‘supporting’ victims who are less likely to pay. They're using these tools in an automated fashion to cast as wide a net as possible, while limiting their actual hands-on-keyboard activity, to track down the most promising victims."

The LockBit attackers tried to conceal their activities by making them look like normal automated administrative tasks. They did this by abusing native tools: creating disguised copies of Windows scripting components and then using Windows’ task scheduler to launch them. They also modified the built-in anti-malware protection, so it couldn’t function.

“The only way to defend against these types of ransomware attacks is to have defense-in-depth, with a consistent implementation of malware protection across all assets. If systems are left exposed or misconfigured, attackers can easily leverage them,” said Gallagher.

Today’s report continues a deep dive into LockBit that Sophos published in April 2020, revealing its inner workings and showing how the gang was expanding into the targeted extortion business alongside Maze and REvil.

Further information on LockBit and other ransomware is available on SophosLabs Uncut,  where Sophos experts regularly publish their latest research and breakthrough findings, such as Maze leveraging Ragnar Locker and the return of Ryuk. Threat researchers and IT managers can follow SophosLabs Uncut in real time on Twitter at @SophosLabs.

关于 Sophos

Sophos 是先进网络安全解决方案的全球领导者和创新者,包括托管式侦测与响应 (MDR) 和事件响应服务,各种端点、网络、电子邮件和云安全技术,帮助企业防御网络攻击。作为最大的纯网络安全供应商之一,Sophos 帮助全球超过 500,000 家企业和超过 1 亿用户抵御主动攻击对手、勒索软件、网络钓鱼、恶意软件等。Sophos 的服务和产品通过 Sophos Central 云管理控制台连接,并得到内部跨领域威胁情报部门 Sophos X-Ops 的支持。Sophos X-Ops 情报优化整个 Sophos Adaptive Cybersecurity Ecosystem 自适应网络安全生态体系,包括一个中央数据湖,为客户、合作伙伴、开发人员和其他网络安全与信息技术供应商提供一组丰富的开放 API。Sophos 为需要全托管并即使可用的安全解决方案的企业提供网络安全即服务,客户还可以直接利用 Sophos 的安全运行平台管理其网络安全,或者采用混合方法,为内部团队补充 Sophos 服务(包括威胁追踪与修复)。Sophos 通过世界各地的经销商合作伙伴和托管服务供应商 (MSP) 销售。Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.com.