Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT On November 18th, 2024, Palo Alto disclosed a critical actively exploited authentication bypass zero-day vulnerability impacting Palo Alto Networks PAN-OS. The…
Nov 13, 2024THE THREAT Update: eSentire has observed multiple exploitation attempts targeting CVE-2024-8069. In real-world attacks, threat actors successfully achieved RCE and attempted to…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
eSentire researchers warn organizations to lock down their Remote Monitoring and Management (RMM) tools and remote access software as the notorious LockBit gang uses them to spread ransomware and hide in plain sight.
BY eSentire
September 17, 2023 | 24 MINS READ
eSentire, a top global Managed Detection and Response (MDR) security services provider, intercepted and shut down three separate ransomware attacks launched by affiliates of the notorious, Russia-linked LockBit Ransomware Gang. The FBI estimates that the LockBit operators and their affiliates have collected approximately $91 million since the group's inception, and that is just U.S. ransoms. LockBit functions as a Ransomware-as-a-Service (RaaS) model where other cybercriminals are recruited to conduct ransomware attacks using LockBit's tools and infrastructure. LockBit is one of the most pervasive, lucrative and destructive ransomware groups currently operating worldwide.
Two incidents disrupted by eSentire occurred between February 2023 and June 2023, and one occurred in February 2022. The companies targeted include a storage materials manufacturer, a manufacturer of home décor, and a Managed Service Provider (MSP).
eSentire's security research team, the Threat Response Unit (TRU), found that in each attack, once the LockBit hackers gained initial access to the targets, they either used the companies' remote monitoring and management (RMM) tools, their remote access software, or brought in their own RMM tools to try and spread ransomware across the targets' IT environment, or in the case of the MSP, push their malware to the MSP's downstream customers.
RMM tools and remote access software are types of software used by individual companies, as well as by IT Consultants, VARs and MSPs. For example, individual businesses use this software so their internal IT teams can manage computer systems at multiple locations. IT Consultants, VARs and MSPs also use RMM tools and remote access software to help monitor and maintain their end customers' IT systems remotely.
When cybercriminals avoid the use of trademark malware and use legitimate technology tools already present within a company's IT environment, this is known as Living-off-the-Land. It is a tactic that hackers have used for numerous years, and it can be very effective because it helps the threat actors avoid detection and it makes attribution more difficult –– particularly when IT management tools can be accessed remotely or from the cloud. This means that usage of standard IT tools, by a malicious threat actor, will not look any different than legitimate usage because:
In this report, TRU will detail three separate incidents. These events will illustrate how these businesses could have suffered significant disruption if the LockBit affiliates had not been quickly detected and had their ransomware attempts neutralized.
"LockBit affiliates tend to get initial access via numerous methods, including browser-based attacks like SocGholish, exploitation of vulnerable servers exposed to the Internet, and valid credentials."
"Some LockBit affiliates have moved towards a Living-off-the-Land attack model, leveraging valid credentials and using legitimate RMM tools and remote access software to deploy their ransomware, including Advanced IP Scanner, AnyDesk, Atera and ConnectWise ScreenConnect™. Using valid credentials for initial access and legitimate software for intrusion actions raises the bar for detecting attacks."
"The LockBit operators purport to have an open affiliate model, and they state on their leak site, ‘We are located in the Netherlands, completely apolitical and only interested in money. It does not matter what country you live in, what types of language you speak, what age you are, what religion you believe in, anyone on the planet can work with us at any time of the year.' Interestingly, there haven't been reported cases of LockBit attacking organizations in Russia, and Russian nationals have been arrested in association with LockBit operations, as recently as June 2023."
"LockBit is one of the busiest global ransomware operations in commission, with victims across geographic and vertical domains, ranging from small mom and pop businesses to large, industrial manufacturing companies."
The Russian-speaking LockBit operators and their affiliates are one of the most prolific, destructive and lucrative ransomware groups in operation today. They emerged on the scene in late 2019, but it is believed they did not launch their ransomware-as-a-service operation until January 2020. Since that time, they have racked up victims across the globe. In a June 2023 U.S. Cybersecurity and Infrastructure Security Agency (CISA) security advisory, the FBI estimated that between January 2020 and June 2023, the LockBit gang launched 1,700 attacks against U.S. organizations, many in critical infrastructure sectors. These were companies and public entities in the healthcare, government, technology and manufacturing industries. The FBI also estimated that the LockBit operators and their affiliates collected approximately $91 million, bringing their U.S. ransom total to just shy of the renowned $100 million club.
One of their most destructive U.S. attacks was in February 2023, when LockBit affiliates hit the city of Oakland, California. The attack wreaked havoc for weeks, causing many of the city's systems to go down and requiring city managers to take their IT network offline out of caution.
Several of the city's non-emergency phone lines were offline or seriously impacted, it delayed the "response times" of Oakland's police department, and the attack affected at least six different government departments. As a result, the city administrators called a state of emergency one week after the ransomware attack. And the LockBit hackers didn't stop there. They also reportedly leaked a large amount of sensitive data about city employees, including social security numbers, medical data, home addresses and other personal information for some Oakland residents.
The LockBit cybercriminals also went after critical infrastructure organizations in the U.K., Canada, France, Italy, Australia and New Zealand, among other countries. Readers might recall that it was the LockBit gang that attacked Toronto's Hospital for Sick Children last December, delaying patient care because of the hospital's difficulty in processing lab results and medical images. Shockingly, on December 31, the LockBit operators issued a public apology to the hospital, provided them with a free decryptor, and stated that the "partner" responsible for the attack violated their rules and, as a result, was being kicked out of their affiliate program. Toronto's Hospital for Sick Children was just one of many Canadian organizations hit by LockBit in 2022. According to the country's cyber intelligence agency, the Communications Security Establishment (CES), LockBit was responsible for 22% of attributed ransomware incidents in Canada in 2022.
Meantime, halfway around the world, officials in Australia claimed that LockBit was behind 18 percent of the total reported ransomware incidents in their country between April 1, 2022, and March 31, 2023.
The LockBit operators might have shown sympathy to the children's hospital in Canada. However, they certainly didn't show any mercy when one of their affiliates attacked the computer networks of a French hospital, Center Hospitalier Sud Francilien (CHSF), in late August 2022. The attack caused the hospital to reroute emergency patients to other regional hospitals. For those patients needing care that required technology, they also had to be diverted to other facilities. The attack also seriously disrupted the hospital's operating rooms because many technical systems went down. The LockBit hackers demanded a $10 million ransom, and it was reported after the hospital refused to pay, the LockBit threat actors published personal data about staff members and patients and business data concerning the hospital's partner organizations.
The LockBit gang continued their criminal acts, kicking off 2023 with a bang. In early January, a LockBit affiliate decided to breach the U.K.'s postal service, the Royal Mail. The attack brought the postal organization's international shipping department to a complete standstill for over a month. The hackers initially demanded a ransom of $80 million but later reduced it to $40 million. According to one news report, it was not clear if the Royal Mail paid any of the ransom, and when a Royal Mail spokesperson was asked, they declined to answer.
Although the Royal Mail attack drew headlines, it is LockBit’s August 2023 breach of England-based Zaun Limited, a maximum-security perimeter fencing manufacturer, which is currently sounding alarms with U.K. government officials. Zaun manufactures security gates, perimeter fencing and other physical security barriers, and counts among its customers the U.K.’s Ministry of Defense. In early September, U.K. tabloids began reporting that the LockBit gang had published thousands of pages stolen from Zaun on their Dark Web leak site, which contained sensitive data relating to Zaun's work with various organizations within the U.K.’s Ministry of Defense.
Reportedly, the leaked data includes information pertaining to Royal Navy Base-- the Clyde nuclear submarine base, located in Scotland; security equipment at a Royal Air Force station in England; the Porton Down chemical weapons lab in England; and detailed drawings for perimeter fencing and a map highlighting installations at Cawdor, a U.K. army site in Wales. It was also reported that sales orders for a Government Communications Headquarters (GCHQ) facility in England and a series of U.K. prisons were leaked by LockBit.
A member of U.K.’s Parliament Tobias Ellwood, who sits on the Commons Defense Select Committee said this about the reported breach, "The government needs to explain why this firm's computer systems were so vulnerable. Any information which gives security arrangements to potential enemies is of huge concern."
Although the LockBit operators are Russian-speaking, they claim to be based in the Netherlands. It is reported that the LockBit operators maintain the ransomware encryptors and the websites, including their Dark Web leak site. The affiliates are tasked with breaking into the victim networks, stealing the data and encrypting the victims' devices. It is generally believed that the affiliates pay the LockBit operators 20 percent of the ransom monies they collect. Although it is not publicly known how many operators run the LockBit syndicate, the fact is that 20 percent of $91 million (the FBI's estimate of the ransoms paid to LockBit by U.S. organizations between January 2020 and June 2023) is $26 million and tax free. Not bad wages for working part-time.
For comparison, the average annual salary for a software engineer working in Russia is $19,000. So, even if there are 10 operators behind LockBit, each operator's take would be $2.6 million over three and a half years, giving the operators an average annual salary of approximately $743,000, and that estimate only includes U.S. ransoms.
As previously mentioned, LockBit functions as a Ransomware-as-a-Service (RaaS) model. One of the other interesting aspects of LockBit are some of the clever marketing tactics used to recruit their affiliates, including:
In tracking the activities of the LockBit group, it did not come as a surprise to TRU that LockBit used RMM tools or remote access software in their attacks against eSentire's customers. In fact, in CISA's June security advisory, they specifically called out how LockBit affiliates are repurposing remote access software such as AnyDesk, Atera and ConnectWise ScreenConnect™ and other legitimate software for their ransomware operations. Cybercriminals are leveraging these powerful tools because users and organizations are not executing Access Control Management best practices when using these solutions. Extra caution should be given whenever RMM and other Remote Access Technologies are utilized.
During the first quarter of 2023, cyber analysts with eSentire's Security Operations Center (SOC) were alerted by eSentire's MDR for Endpoint solution that ransomware was being detected and blocked on a handful of customers' computers. TRU was immediately called in to investigate and to make sure no other actions had been taken by the threat actors, such as lateral movement, persistence, and credential access, and to determine how the hackers gained initial entry.
The impacted endpoints were promptly isolated, and the malware was identified as LockBit. TRU wiped the computers clean and initiated a threat hunt to make sure the LockBit criminals were no longer in the customers' networks. Once it was confirmed the cybercriminals were gone, TRU began investigating how the LockBit hackers were able to gain access.
TRU discovered that each organization hit by LockBit was a client of the same MSP. TRU reached out to the MSP to begin running down possible leads, and the picture started coming together.
The initial question asked by TRU was how did the LockBit ransomware get on the endpoints of multiple customers? The MSP showed no signs of a break in; thus, TRU thought the threat actors might have gotten valid credentials to the MSP's remote access software. In previous cases, TRU has seen where the LockBit ransomware has been deployed into a victim's environment after being infected with the malware loader, SocGholish. However, SocGholish was not discovered during the incident investigation.
TRU identified that the MSP had the login panel for its ConnectWise ScreenConnect™ solution exposed to the Internet. Many providers of remote access solutions will leave this service open to the Internet, to make it easier for their customers' IT administrators to access the service for deployment, device enrollments, file sharing and brand building.
However, if an IT system, like a remote access solution, is open to the Internet, threat actors can use any number of search services, like Shodan, to find Internet-connected systems and devices and then target those systems for ransomware attacks or other types of attacks.
To avoid situations like this, it is recommended that all providers of RMM services and remote access software:
If protections like these are not in place, then the chances of threat actors gaining access is exponentially higher. For example, cybercriminals can brute-force or phish a set of legitimate credentials. Alternatively, plenty of legitimate login credentials are for sale on the Underground Marketplaces. In tracking these Dark Web markets, TRU observed countless posts advertising stolen credentials for some of the most popular RMM and remote access software, including AnyDesk, Atera, ConnectWise ScreenConnect™ and Kaseya VSA.
The price for a set of credentials is a mere $10. See Figure 1.
If threat actors are able to obtain system administration credentials from a provider of RMM tools or remote access software, or if they are able to procure a set of legitimate access credentials from a customer of a RMM or remote access software provider and can work their way into obtaining system administration credentials, then chances are good that the threat actors can deploy ransomware or other malware to a service provider’s downstream customers. This is why it is so important that remote access providers have two-factor authentication, strong password usage, and secure remote access rules in place.
Remote Monitoring and Management tools and remote access software are powerful, productive solutions. They help individual companies manage their computer systems at multiple locations and they help manage their employees’ remote access to the corporate network. Additionally, many small and medium businesses (SMBs) depend heavily on IT Consultants, VARs and MSPs to help them maintain their IT systems, ensuring the SMBs that their computer environment is always up and running, 24/7, so in turn they can focus on their core business. However, as this report illustrates, these powerful solutions require the users of these tools, whether it be an individual company or a VAR, Consultant or MSP, to implement Access Control Management best practices and take extra caution whenever RMM and other Remote Access Technologies are utilized.
As previously mentioned, because the hackers used the LockBit ransomware as their final payload against several of the MSP's customers, the attack was quickly intercepted and shut down. The impacted endpoints were promptly isolated, the malware identified, the computers wiped clean, and TRU carried out a threat hunt to make sure the LockBit threat actors were no longer in the customers' networks.
See technical details of this LockBit incident at the end of the report.
In this incident, LockBit affiliates were detected disabling Windows services on the endpoint of a manufacturing company. Recognizing the signs of a hands-on intrusion, the incident was escalated for active response by TRU. During the investigation, it was discovered that a PsExec service had been initiated and was being leveraged by the threat actors to delete files they brought into the manufacturer's environment, making it harder for security defenders to retrace the threat actors' steps and gather forensics.
The computers were immediately isolated from the network, and PsExec usage was traced back to an unmanaged, unprotected machine. The threat actors were also attempting to establish persistence via AnyDesk, an RMM tool also known to be popular with LockBit intrusions. Further attempts to spread to other computers were detected from the unmanaged endpoint. At this time, TRU suspected the LockBit affiliates had administrator privileges on that specific computer. The threat actors attempted to delete shadow volume copies of the manufacturer's files– a method that can certainly inhibit recovery from a ransomware attack. However, the LockBit affiliates were unsuccessful. Working with the client, eSentire disabled the source machine. The ransomware affiliates were suppressed through host isolation and infrastructure blocking, and the threat was shut down.
In late May 2023, eSentire's 24/7 SOC alerted TRU that suspicious activity had been spotted on a corporate desktop belonging to a manufacturer of storage materials. Upon investigation, TRU found that a threat actor had gained an initial foothold into the organization's network and had uploaded a Microsoft Install File onto one of the company's computers. They then installed the remote access software, ConnectWise ScreenConnect™, and used it to push ransomware onto a different corporate computer. Interestingly, the manufacturer also had the ConnectWise ScreenConnect™ software implemented as part of their IT environment.
eSentire's endpoint solution immediately detected the malicious software and blocked the execution of the ransomware binary. The computer was taken off the network, and the ransomware code was wiped from the system. TRU conducted further investigations to assess lateral movement and persistence in the environment, finding that an additional RMM tool, TSD Service, had been written to disk. No additional persistence mechanisms were found.
Why would the LockBit hackers bring their own copy of ConnectWise ScreenConnect™ , when the target already had the software installed in their corporate environment? TRU surmises that the threat actors may not have had credentials for the company's ConnectWise ScreenConnect™ software and decided it would be quieter and less intrusive if they brought their own copy into the target's environment. Because the manufacturer already had the software running in their network, the presence of additional copies would not immediately raise a red flag with system administrators and security defenders.
The LockBit attack against the MSP and the two manufacturers highlights the importance of securing RMM tools and remote access software. Below are security tips for defending against LockBit and other cyberthreats, utilizing an organization's legitimate IT tools to spread their malware and hide in plain sight.
The CISA LockBit security advisory also details more of the threat group's techniques, tactics and procedures (TTPs). See here.
During LockBit's attack against the MSP, the ransomware binaries were dropped on multiple endpoints within five minutes. Downstream customer organizations in which the LockBit affiliates attempted to deploy ransomware included manufacturing organizations and companies in business services, transportation and hospitality.
TRU believes the threat actor(s) likely generated a new ransomware build for three of the customers based on the hashes to circumvent hash blocking. The threat actors dropped 32-bit and 64-bit versions of LockBit ransomware binaries on Windows servers, and the PowerShell loader for the DLL version of the ransomware on one of the hosts. TRU saw that the LockBit Green version was dopped onto the hosts and other LockBit versions. LockBit Green was released at the beginning of 2023 and was first reported by vx-underground.
TRU was able to recover the PowerShell script dropped by the threat group on one of the servers. The script is named "LBB_PS1_obfuscated". The first layer of the obfuscated script consists mostly of the code lines responsible for concatenating and reversing the order of the characters.
Before executing the decoded data, the script attempts to disable the Anti-Malware Scan Interface (AMSI) by assigning amsiInitFailed to "True"(System.Management.Automation.AmsiUtils class) which will disable the scan for the current process. AMSI is a feature in Windows that can be used by antivirus and other security products to scan PowerShell commands for malicious content.
The function "fnD" takes an array of 64-bit integers within the $data array, decodes them using bitwise AND (-band) operations, and returns the decoded string as ASCII; $scb is then populated with the decoded strings.
The third deobfuscated layer reveals the PowerShell loader that contains the LockBit ransomware binary. The deobfuscated script is responsible for reflectively loading the DLL that is base64-encoded and GZIP-compressed into the current process in memory, resulting in the ransomware execution.
LockBit uses ROR13 hashing algorithm for API hashing. API hashing is used in malware to evade detection. The process involves creating a unique hash value for the API function, which can help the malware bypass signature-based detection techniques used by security tools.
Most of the API hashes are further obfuscated with XOR. The XOR key 0x11039FFE is hardcoded in the binary. TRU was able to resolve the hashes using HashDB plugin, developed by OALabs.
LockBit implements trampolines including rotate and XOR operations (with the key mentioned above) to call out to specific API functions.
The ransomware binary contains multiple anti-debugging functions. When the debugger is detected, the ForceFlags field is set to the HEAP_TAIL_CHECKING_ENABLED flag, and the sequence 0xABABABAB is appended at the end of the allocated heap block.
Another anti-debugging technique the ransomware implements is by using ZwSetInformationThread with ThreadInformationClass set to 0x11 (ThreadHideFromDebugger) to hide the threads from the debugger. The debugger won't be able to receive any events while the threads are running.
The third anti-debugging technique is implemented via encrypting the call to DbgUiRemoteBreakin. DbgUiRemoteBreakin is used by debuggers to remotely break into a running process and interrupt its execution. When a debugger needs to debug a process, it can call the DbgUiRemoteBreakin function to cause the process to break into the debugger, which allows the debugger to take control and examine the process' state. Thirty-two bytes are encrypted by SystemFunction040 (RtlEncryptMemory) function after modifying the memory protection of DbgUiRemoteBreakin to PAGE_EXECUTE_READWRITE. This will cause the DbgUiRemoteBreakin call to be corrupted.
LockBit determines the version of the Windows operating system currently running on the system from the PEB (Process Environment Block) data structure.
The ransomware creates a mutex to prevent another instance of the ransomware running. The mutex is the MD4 hash of the infected machine GUID (globally unique identifier), for example, "Global\\a91a66d6abc26041b701bf8da3de4d0f". If more than one instance of the ransomware is running, the ransomware terminates the execution, and the PowerShell ransomware loader file gets removed using the "/c del /f /q" command via the Command Prompt without prompting for confirmation.
LockBit also implements UAC bypass via The COM Elevation Moniker with "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}". The COM elevation moniker is a technique used to bypass the UAC prompt and elevate the privileges of a process or program by creating a new instance of a COM object with administrator privileges. The moniker syntax "Elevation:Administrator!new:{GUID}" specifies that a new instance of the COM object with the specified GUID should be created with administrator privileges, thus bypassing the UAC prompt.
The ransomware decrypts the strings using bitwise XOR operations, as shown below. TRU wrote the IDAPython script that decrypts the strings within the ransomware binary.
LockBit leverages TrustedInstaller to stop services such as Microsoft Defender Antivirus; it queries for the TrustedInstaller service, starts the service and duplicates the token for the TrustedInstaler.exe process. It's worth mentioning that a similar technique was observed in the Hive ransomware.
The ransomware avoids encrypting the following extensions:
386 |
adv |
ani |
bat |
bin |
cab |
cmd |
com |
cpl |
cur |
deskthemepack |
diagcab |
diagcfg |
diagpkg |
dll |
drv |
exe |
hlp |
icl |
icns |
ico |
ics |
idx |
ldf |
lnk |
mod |
mpa |
msc |
msp |
msstyles |
ns5 |
nls |
nomedia |
ocx |
prf |
ps1 |
rom |
rtp |
tc2 |
th3 |
spl |
sys |
theme |
themepack |
wpx |
lock |
key |
hta |
msi |
pdb |
The following files are also skipped from decryption:
autorun.inf |
boot.ini |
bootfont.bin |
bootsect.bak |
desktop.ini |
iconcache.db |
ntldr |
ntuser.dat |
ntuser.dat.log |
ntuser.ini |
thumbs.db |
List of services to be killed by the ransomware:
vss |
sql |
svc$ |
memtas |
mepocs |
msexchange |
sophos |
veeam |
backup |
GxVss |
GxBlr |
GxFWD |
GxCVD |
GxCIMgr |
List of processes to be killed:
sql |
oracle |
ocssd |
dbsnmp |
synctime |
agntsvc |
isqlplussvc |
xfssvccon |
mydesktopservice |
ocautoupds |
encsvc |
firefox |
tbirdconfig |
mydesktopqos |
ocomm |
dbeng50 |
sqbcoreservice |
excel |
infopath |
msaccess |
mspub |
onenote |
outlook |
powerpnt |
steam |
thebat |
thunderbird |
visio |
winword |
wordpad |
notepad |
LockBit can also send the configuration of the infected machine to the C2 server in the following format:
{
"host_hostname": "%s",
"host_user": "%s",
"host_os": "%s",
"host_domain": "%s"
"host_arch": "%s",
"host_lang": "%s",
"disks_info":[
{
"disk_name": "%s",
"disk_size": "%u",
"free_size": "%u"
}]
}
Using the following user agents:
If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.
Name |
Indicator |
LBG64.exe |
38c813d99d54de6639a80148ff1cfc6acec08066b0912c49576604ed67e9cfaf |
LBG32.exe |
8793537b1422beb7d314c65761135b38c63fbdefac6092e93c80191a2e22de91 |
LBG32.exe |
6a686c39a6d0e11f217ca6fce2ebc45039f2ab34daa69afb548d847ee09561c5 |
LBB_PS1_obfuscated.ps1 |
6ac1084e747153b3958df7af09eb71fdeb883385f508a0bec8b983b9a87d729a |
LockBit DLL binary (32-bit) |
5e947d728f25449601414e025ce298c69df1c6c852e3994aa1a2b23c8e8c4db4 |
https://twitter.com/vxunderground/status/1618885718839001091?s=20
https://github.com/OALabs/hashdb
https://anti-debug.checkpoint.com/techniques/debug-flags.html
https://github.com/RussianPanda95/IDAPython/blob/main/LockBit/lockbit_string_decrypt.py
https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/
https://research.openanalysis.net/lockbit/lockbit3/yara/triage/ransomware/2022/07/07/lockbit3.html
eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.