win.lockbit

LockBit

aka: ABCD Ransomware

No curated description has been written for this family yet. Going only by the references listed below, it is a Windows ransomware family (also tracked as "ABCD Ransomware") that has been discussed in the context of data-leak/exfiltration extortion and of automated tooling used to select targets; see the individual reports for details and indicators.

References
2020-12-05 — ZDNet — Catalin Cimpanu
@online{cimpanu:20201205:ransomware:49c8fff, author = {Catalin Cimpanu}, title = {{Ransomware hits helicopter maker Kopter}}, date = {2020-12-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/}, language = {English}, urldate = {2020-12-08} } Ransomware hits helicopter maker Kopter
LockBit
2020-11-18 — KELA — Victoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti Ransomware DoppelPaymer Egregor LockBit Maze REvil Snake Ransomware
2020-10-21 — SophosLabs Uncut — Sean Gallagher
@online{gallagher:20201021:lockbit:13c4faa, author = {Sean Gallagher}, title = {{LockBit uses automated attack tools to identify tasty targets}}, date = {2020-10-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets}, language = {English}, urldate = {2020-10-23} } LockBit uses automated attack tools to identify tasty targets
LockBit
2020-10-02 — Lexfo — Lexfo
@online{lexfo:20201002:lockbit:3dc988e, author = {Lexfo}, title = {{Lockbit analysis}}, date = {2020-10-02}, organization = {Lexfo}, url = {https://blog.lexfo.fr/lockbit-malware.html}, language = {English}, urldate = {2020-10-23} } Lockbit analysis
LockBit
2020-09-25 — CrowdStrike — The Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker
2020-09-17 — CRYPSIS — Drew Schmitt
@online{schmitt:20200917:ransomwares:ca3dcee, author = {Drew Schmitt}, title = {{Ransomware’s New Trend: Exfiltration and Extortion}}, date = {2020-09-17}, organization = {CRYPSIS}, url = {https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion}, language = {English}, urldate = {2020-11-09} } Ransomware’s New Trend: Exfiltration and Extortion
LockBit
2020-09-01 — Cisco Talos — David Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-07-29 — ESET Research — welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-04-28 — Microsoft — Microsoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-24 — Github (albertzsigovits) — Albert Zsigovits
@online{zsigovits:20200424:lockbit:b78dcba, author = {Albert Zsigovits}, title = {{LockBit ransomware IoCs}}, date = {2020-04-24}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md}, language = {English}, urldate = {2020-04-26} } LockBit ransomware IoCs
LockBit
2020-04-24 — Sophos Labs — Albert Zsigovits
@online{zsigovits:20200424:lockbit:8ebe6f8, author = {Albert Zsigovits}, title = {{LockBit ransomware borrows tricks to keep up with REvil and Maze}}, date = {2020-04-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/}, language = {English}, urldate = {2020-05-14} } LockBit ransomware borrows tricks to keep up with REvil and Maze
LockBit
Yara Rules
[TLP:WHITE] win_lockbit_auto (20201023 | autogenerated rule brought to you by yara-signator)
// Auto-generated code-sequence rule for the LockBit ransomware family (Malpedia: win.lockbit).
// The ten $sequence_N strings are short runs of 32-bit x86 machine code that YARA-Signator
// selected from the unpacked / memory-dumped sample identified by `malpedia_hash` below.
// "??" bytes are wildcards standing in for call/jump displacements and absolute data
// addresses, so the sequences tolerate relocation and rebasing but not recompilation.
// Because the bytes come from an unpacked image, expect matches on unpacked files and
// process memory rather than on packed samples as delivered (see the DISCLAIMER and the
// note on the condition at the bottom).
rule win_lockbit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Byte stores into a large esp-relative stack buffer (esp+0x375 / esp+0x376)
        // interleaved with calls and pushes of the immediates 0x73 ('s') and 0x6b ('k').
        // Looks like a byte-at-a-time stack string being assembled — unconfirmed.
        $sequence_0 = { 88842475030000 e8???????? 6a73 8d8c246e030000 88842476030000 e8???????? 6a6b }
            // n = 7, score = 100
            //   88842475030000       | mov                 byte ptr [esp + 0x375], al
            //   e8????????           |                     
            //   6a73                 | push                0x73
            //   8d8c246e030000       | lea                 ecx, [esp + 0x36e]
            //   88842476030000       | mov                 byte ptr [esp + 0x376], al
            //   e8????????           |                     
            //   6a6b                 | push                0x6b

        // Seven dword stores of UTF-16LE character pairs into ebp-relative stack slots.
        // Decoded as-is, the first four stores spell "ows.old\0" and the last three
        // "appdat" — plausibly the tails of stack-built strings such as "windows.old"
        // and "appdata" (path/exclusion handling?). Confirm against the sample before
        // relying on that reading.
        $sequence_1 = { c78550fcffff6f007700 c78554fcffff73002e00 c78558fcffff6f006c00 c7855cfcffff64000000 c78578fdffff61007000 c7857cfdffff70006400 c78580fdffff61007400 }
            // n = 7, score = 100
            //   c78550fcffff6f007700     | mov    dword ptr [ebp - 0x3b0], 0x77006f
            //   c78554fcffff73002e00     | mov    dword ptr [ebp - 0x3ac], 0x2e0073
            //   c78558fcffff6f006c00     | mov    dword ptr [ebp - 0x3a8], 0x6c006f
            //   c7855cfcffff64000000     | mov    dword ptr [ebp - 0x3a4], 0x64
            //   c78578fdffff61007000     | mov    dword ptr [ebp - 0x288], 0x700061
            //   c7857cfdffff70006400     | mov    dword ptr [ebp - 0x284], 0x640070
            //   c78580fdffff61007400     | mov    dword ptr [ebp - 0x280], 0x740061

        // Computes edi = 16 - edx with a signed clamp (cmovle) and masks cl to its low
        // nibble. The 16 and the low-nibble mask are consistent with 16-byte block
        // alignment/padding arithmetic, but seven instructions cannot pin the algorithm.
        $sequence_2 = { 33d2 8ac8 bf10000000 2bfa 85d2 0f4efa 80e10f }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   8ac8                 | mov                 cl, al
            //   bf10000000           | mov                 edi, 0x10
            //   2bfa                 | sub                 edi, edx
            //   85d2                 | test                edx, edx
            //   0f4efa               | cmovle              edi, edx
            //   80e10f               | and                 cl, 0xf

        // Wide-char stack stores followed by 16-bit loads from a global that are XORed
        // with 0x53 before being stored. Read literally the stored dwords spell "sqv qS";
        // XORing those same bytes with 0x53 yields ` "%s"` followed by NUL, which suggests
        // the string data is kept XOR-obfuscated with a single-byte key and decoded
        // in-line at runtime. Treat as a hypothesis to confirm in a debugger.
        $sequence_3 = { c78508ffffff73007100 c7850cffffff76002000 c78510ffffff71005300 66898524ffffff 0fb705???????? 6683f053 66898526ffffff }
            // n = 7, score = 100
            //   c78508ffffff73007100     | mov    dword ptr [ebp - 0xf8], 0x710073
            //   c7850cffffff76002000     | mov    dword ptr [ebp - 0xf4], 0x200076
            //   c78510ffffff71005300     | mov    dword ptr [ebp - 0xf0], 0x530071
            //   66898524ffffff       | mov                 word ptr [ebp - 0xdc], ax
            //   0fb705????????       |                     
            //   6683f053             | xor                 ax, 0x53
            //   66898526ffffff       | mov                 word ptr [ebp - 0xda], ax

        // Byte-wise XOR shuffling inside a large esp-relative buffer (esp+0x652..0x654).
        // Consistent with a hand-rolled byte cipher or key-schedule step; the exact
        // primitive is not identifiable from this fragment alone.
        $sequence_4 = { c644240b20 32842452060000 88842453060000 8a44240b 888c2454060000 8a8c2452060000 32c1 }
            // n = 7, score = 100
            //   c644240b20           | mov                 byte ptr [esp + 0xb], 0x20
            //   32842452060000       | xor                 al, byte ptr [esp + 0x652]
            //   88842453060000       | mov                 byte ptr [esp + 0x653], al
            //   8a44240b             | mov                 al, byte ptr [esp + 0xb]
            //   888c2454060000       | mov                 byte ptr [esp + 0x654], cl
            //   8a8c2452060000       | mov                 cl, byte ptr [esp + 0x652]
            //   32c1                 | xor                 al, cl

        // Two repetitions of: load a 16-bit global, XOR with the constant 0x38, store to
        // consecutive stack words (ebp-0x22, ebp-0x20). Same decode-into-stack pattern as
        // $sequence_3/$sequence_6 with a different key — presumably per-string keys.
        $sequence_5 = { 0fb705???????? 6683f038 668945de 0fb705???????? 6683f038 668945e0 }
            // n = 6, score = 100
            //   0fb705????????       |                     
            //   6683f038             | xor                 ax, 0x38
            //   668945de             | mov                 word ptr [ebp - 0x22], ax
            //   0fb705????????       |                     
            //   6683f038             | xor                 ax, 0x38
            //   668945e0             | mov                 word ptr [ebp - 0x20], ax

        // Same load/XOR/store pattern as $sequence_5, key 0x53, targets ebp-0x72/ebp-0x70.
        $sequence_6 = { 0fb705???????? 6683f053 6689458e 0fb705???????? 6683f053 66894590 }
            // n = 6, score = 100
            //   0fb705????????       |                     
            //   6683f053             | xor                 ax, 0x53
            //   6689458e             | mov                 word ptr [ebp - 0x72], ax
            //   0fb705????????       |                     
            //   6683f053             | xor                 ax, 0x53
            //   66894590             | mov                 word ptr [ebp - 0x70], ax

        // Generic call set-up (spill ebx, call, push address of a local, call, push two
        // zero arguments). Low specificity on its own; it only contributes to the
        // 7-of-10 threshold and should not be treated as a standalone indicator.
        $sequence_7 = { 895df4 e8???????? 8d45d8 50 e8???????? 6a00 6a00 }
            // n = 7, score = 100
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0

        // Generic cdecl call-and-cleanup (push, call, add esp, 0x14; jmp; push 0x10 plus a
        // stack buffer address). Like $sequence_7, weak in isolation.
        $sequence_8 = { 68???????? e8???????? 83c414 eb14 6a10 8d442444 50 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   eb14                 | jmp                 0x16
            //   6a10                 | push                0x10
            //   8d442444             | lea                 eax, [esp + 0x44]
            //   50                   | push                eax

        // More byte-wise XOR over the same large stack buffer region as $sequence_4
        // (esp+0x678..0x67a), spreading one byte into cl/ch/dl. Same caveat: the
        // underlying primitive is not identifiable from this fragment.
        $sequence_9 = { 88842479060000 8a842478060000 32c8 c68424e505000000 32e8 888c247a060000 32d0 }
            // n = 7, score = 100
            //   88842479060000       | mov                 byte ptr [esp + 0x679], al
            //   8a842478060000       | mov                 al, byte ptr [esp + 0x678]
            //   32c8                 | xor                 cl, al
            //   c68424e505000000     | mov                 byte ptr [esp + 0x5e5], 0
            //   32e8                 | xor                 ch, al
            //   888c247a060000       | mov                 byte ptr [esp + 0x67a], cl
            //   32d0                 | xor                 dl, al

    // Seven of the ten sequences must hit, which tolerates a few being broken by
    // relocation or minor code changes while still requiring substantial overlap.
    // The filesize cap (~330 KiB) is derived from the single analysed, unpacked sample:
    // it limits matches on large containers/installers but also means a packed on-disk
    // sample will generally not match — scan unpacked files or process memory instead.
    // NOTE(review): per YARA's documentation, `filesize` is not defined when the scan
    // target is a process rather than a file; verify how your YARA version evaluates
    // this condition for memory scans and consider dropping the bound there.
    condition:
        7 of them and filesize < 337568
}