win.lockbit (Back to overview)

LockBit

aka: ABCD Ransomware

There is no description at this point.

References
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-24Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200424:lockbit:b78dcba, author = {Albert Zsigovits}, title = {{LockBit ransomware IoCs}}, date = {2020-04-24}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md}, language = {English}, urldate = {2020-04-26} } LockBit ransomware IoCs
LockBit
2020-04-24Sophos LabsAlbert Zsigovits
@online{zsigovits:20200424:lockbit:8ebe6f8, author = {Albert Zsigovits}, title = {{LockBit ransomware borrows tricks to keep up with REvil and Maze}}, date = {2020-04-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/}, language = {English}, urldate = {2020-05-14} } LockBit ransomware borrows tricks to keep up with REvil and Maze
LockBit
Yara Rules
[TLP:WHITE] win_lockbit_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_lockbit_auto {
    /* Purpose: code-pattern rule for the LockBit ransomware family (Malpedia
     * id win.lockbit), emitted by yara-signator from the disassembly of unpacked
     * and memory-dumped samples (see DISCLAIMER below). It therefore describes
     * the unpacked payload; a packed sample on disk is not expected to match
     * until the payload has been unpacked or dumped from memory.
     * Every $sequence_N is one run of 7 consecutive instructions. The `??`
     * bytes wildcard call targets and absolute data references that differ
     * between builds; all other bytes must match exactly.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Seven dword copies between stack slots at large esp offsets
        // (0xb1c..0xf44), i.e. inside a stack frame of several KiB.
        $sequence_0 = { 8b8424300b0000 8984243c0f0000 8b84242c0b0000 898424400f0000 8b8424280b0000 898424440f0000 8b84241c0b0000 }
            // n = 7, score = 100
            //   8b8424300b0000       | mov                 eax, dword ptr [esp + 0xb30]
            //   8984243c0f0000       | mov                 dword ptr [esp + 0xf3c], eax
            //   8b84242c0b0000       | mov                 eax, dword ptr [esp + 0xb2c]
            //   898424400f0000       | mov                 dword ptr [esp + 0xf40], eax
            //   8b8424280b0000       | mov                 eax, dword ptr [esp + 0xb28]
            //   898424440f0000       | mov                 dword ptr [esp + 0xf44], eax
            //   8b84241c0b0000       | mov                 eax, dword ptr [esp + 0xb1c]

        // Argument set-up in an ebp-based frame: stores the constant 6 into the
        // caller-supplied slot [ebp+0xc] and pushes a local's address.
        $sequence_1 = { 7536 8d450c c7450c06000000 8945d8 8d45d0 50 8d45e8 }
            // n = 7, score = 100
            //   7536                 | jne                 0x38
            //   8d450c               | lea                 eax, [ebp + 0xc]
            //   c7450c06000000       | mov                 dword ptr [ebp + 0xc], 6
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   50                   | push                eax
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        // Call with wildcarded target (e8 ????????), cdecl stack clean-up of
        // 0xc bytes, then a test of the return value; backward jne suggests a
        // retry/loop around the call — confirm in the full function.
        $sequence_2 = { 50 e8???????? 8bf0 83c40c 85f6 7586 8b7508 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   7586                 | jne                 0xffffff88
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        // Stack-string construction: the dword immediates are UTF-16LE
        // characters. 0x6f004a,0x720075,0x61006e,0x6c spell "Journal" and
        // 0x74006e,0x64006c,0x72 spell "ntldr". How these names are used
        // (presumably compared against file names during encryption) is not
        // visible from these bytes — verify against the sample.
        $sequence_3 = { c7853cfbffff4a006f00 c78540fbffff75007200 c78544fbffff6e006100 c78548fbffff6c000000 c785b8fdffff6e007400 c785bcfdffff6c006400 c785c0fdffff72000000 }
            // n = 7, score = 100
            //   c7853cfbffff4a006f00     | mov    dword ptr [ebp - 0x4c4], 0x6f004a
            //   c78540fbffff75007200     | mov    dword ptr [ebp - 0x4c0], 0x720075
            //   c78544fbffff6e006100     | mov    dword ptr [ebp - 0x4bc], 0x61006e
            //   c78548fbffff6c000000     | mov    dword ptr [ebp - 0x4b8], 0x6c
            //   c785b8fdffff6e007400     | mov    dword ptr [ebp - 0x248], 0x74006e
            //   c785bcfdffff6c006400     | mov    dword ptr [ebp - 0x244], 0x64006c
            //   c785c0fdffff72000000     | mov    dword ptr [ebp - 0x240], 0x72

        // dh is loaded with 0x5d and XORed into cl and ch; looks like a
        // byte-wise XOR decode with key 0x5d interleaved with an SSE store
        // (absolute movaps source wildcarded) — TODO confirm.
        $sequence_4 = { 88b424b0050000 b65d 0f2805???????? 32ce 0f118424cf100000 32ee 888424b1050000 }
            // n = 7, score = 100
            //   88b424b0050000       | mov                 byte ptr [esp + 0x5b0], dh
            //   b65d                 | mov                 dh, 0x5d
            //   0f2805????????       |                     
            //   32ce                 | xor                 cl, dh
            //   0f118424cf100000     | movups              xmmword ptr [esp + 0x10cf], xmm0
            //   32ee                 | xor                 ch, dh
            //   888424b1050000       | mov                 byte ptr [esp + 0x5b1], al

        // Spans a function boundary: an epilogue (pop ebx / mov esp,ebp /
        // pop ebp / ret) immediately followed by the body of the next routine.
        // A match therefore also depends on the two functions being laid out
        // adjacently in the compiled binary.
        $sequence_5 = { 5b 8be5 5d c3 8d8554ffffff 50 8d8508ffffff }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8d8554ffffff         | lea                 eax, [ebp - 0xac]
            //   50                   | push                eax
            //   8d8508ffffff         | lea                 eax, [ebp - 0xf8]

        // Tail of a counted loop (cmp ecx,0x19 / jb back) followed by
        // zeroing and more stack writes; the word 0x7173 is ASCII "sq" in
        // little-endian byte order.
        $sequence_6 = { 83f919 72ec 0f2805???????? 33c9 c684242409000000 0f1184241d0c0000 66c784242d0c00007371 }
            // n = 7, score = 100
            //   83f919               | cmp                 ecx, 0x19
            //   72ec                 | jb                  0xffffffee
            //   0f2805????????       |                     
            //   33c9                 | xor                 ecx, ecx
            //   c684242409000000     | mov                 byte ptr [esp + 0x924], 0
            //   0f1184241d0c0000     | movups              xmmword ptr [esp + 0xc1d], xmm0
            //   66c784242d0c00007371     | mov    word ptr [esp + 0xc2d], 0x7173

        // Same call-and-check shape as $sequence_2 (wildcarded target, 0x10
        // bytes of cdecl clean-up, result tested in ebx).
        $sequence_7 = { ff7508 e8???????? 8bd8 83c410 85db 7536 8b45fc }
            // n = 7, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c410               | add                 esp, 0x10
            //   85db                 | test                ebx, ebx
            //   7536                 | jne                 0x38
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        // Two wildcarded calls with the same local ([esp+0x3e]) passed in
        // ecx, consistent with thiscall/fastcall-style helpers.
        $sequence_8 = { 8d4c243e e8???????? 57 8d4c243e 8a00 89442410 e8???????? }
            // n = 7, score = 100
            //   8d4c243e             | lea                 ecx, [esp + 0x3e]
            //   e8????????           |                     
            //   57                   | push                edi
            //   8d4c243e             | lea                 ecx, [esp + 0x3e]
            //   8a00                 | mov                 al, byte ptr [eax]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   e8????????           |                     

        // Indirect call through ebx (no wildcard needed) bracketed by
        // test eax,eax checks; the far je target (0x443) hints at a long
        // error path.
        $sequence_9 = { 85c0 0f843d040000 56 8d4598 50 ffd3 85c0 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f843d040000         | je                  0x443
            //   56                   | push                esi
            //   8d4598               | lea                 eax, [ebp - 0x68]
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax

    condition:
        // At least 7 of the 10 sequences must be present, so a build that
        // shifts a few of the sampled code runs can still match. The size cap
        // (< 337568 bytes, ~330 KiB) bounds the scanned input; note that
        // `filesize` refers to the scanned file and behaves differently when
        // scanning process memory — confirm for your scanning setup.
        7 of them and filesize < 337568
}