Using the LockBit builder to generate targeted ransomware

The previous Kaspersky research focused on a detailed analysis of the LockBit 3.0 builder leaked in 2022. Since then, attackers have been able to generate customized versions of the threat according to their needs. This opens up numerous possibilities for malicious actors to make their attacks more effective, since it is possible to configure network spread options and defense-killing functionality. It becomes even more dangerous if the attacker has valid privileged credentials in the target infrastructure.
卡巴斯基之前的研究重点是对 2022 年泄露的 LockBit 3.0 构建器进行详细分析。从那时起，攻击者已经能够根据自己的需要生成威胁的自定义版本。这为恶意行为者提供了许多可能性，使他们的攻击更加有效，因为可以配置网络传播选项和防御杀伤功能。如果攻击者在目标基础结构中拥有有效的特权凭据，则会变得更加危险。

In a recent incident response engagement, we faced this exact scenario: the adversary was able to get the administrator credential in plain text. They generated a custom version of the ransomware, which used the aforementioned account credential to spread across the network and perform malicious activities, such as killing Windows Defender and erasing Windows Event Logs in order to encrypt the data and cover its tracks.
在最近的一次事件响应活动中，我们遇到了这样的情况：攻击者能够以纯文本形式获取管理员凭据。他们生成了勒索软件的自定义版本，该版本使用上述帐户凭据在网络上传播并执行恶意活动，例如杀死 Windows Defender 和擦除 Windows 事件日志，以加密数据并掩盖其踪迹。

In this article, we revisit the LockBit 3.0 builder files and delve into the adversary’s steps to maximize impact on the network. In addition, we provide a list of preventive activities that can help network administrators to avoid this kind of threat.
在本文中，我们将重新审视 LockBit 3.0 构建器文件，并深入研究对手的步骤，以最大限度地提高对网络的影响。此外，我们还提供了一系列预防活动，可以帮助网络管理员避免此类威胁。

Revisiting the LockBit 3.0 builder files
重新访问 LockBit 3.0 构建器文件

The LockBit 3.0 builder has significantly simplified creating customized ransomware. The image below shows the files that constitute it. As we can see, keygen.exe generates public and private keys used for encryption and decryption. After that, builder.exe generates the variant according to the options set in the config.json file.
LockBit 3.0 构建器大大简化了创建自定义勒索软件的过程。下图显示了构成它的文件。正如我们所看到的，keygen.exe生成用于加密和解密的公钥和私钥。之后，builder.exe根据 config.json 文件中设置的选项生成变体。

LockBit builder files LockBit builder文件

This whole process is automated with the Build.bat script, which does the following:
整个过程使用 Build.bat 脚本自动执行，该脚本执行以下操作：

The config.json file allows enabling impersonation features (impersonation) and defining accounts to impersonate (impers_accounts). In the example below, the administrator account was used for impersonation. The configuration also allows enabling the encryption of network shares (network_shares), killing Windows Defender (kill_defender), and spreading across the network via PsExec (psexec_netspread). After a successful infection, the malicious sample can delete Windows Event Logs (delete_eventlogs) to cover its tracks.
config.json文件允许启用模拟功能（模拟）和定义要模拟的帐户（impers_accounts）。在下面的示例中，管理员帐户用于模拟。该配置还允许启用网络共享加密 （network_shares）、终止 Windows Defender （kill_defender） 以及通过 PsExec （psexec_netspread） 在网络中传播。成功感染后，恶意样本可以删除 Windows 事件日志 （delete_eventlogs） 以掩盖其踪迹。

Custom configuration 自定义配置

Besides this, the builder allows the attacker to choose which files, in which directories, and in which systems they do not want to encrypt. If the attacker knows their way around the target infrastructure, they can generate malware tailored to the specific configuration of the target’s network architecture, such as important files, administrative accounts, and critical systems. The images below show the process of generating customized ransomware according to the above configuration, and the resulting files. As we can see, LB3.exe is the main file. This is the artifact that will be delivered to the victim. The builder also generates LB3Decryptor.exe for recovering the files, as well as several different variants of the main file. For example, LB3_pass.exe is a password-protected version of the ransomware, while the reflective DLL can be used to bypass the standard operating system loader and inject malware directly into memory. The TXT files contain instructions on how to execute the password-protected files.
除此之外，构建器还允许攻击者选择他们不想加密的文件、目录和系统。如果攻击者知道自己在目标基础架构中的方式，他们就可以生成针对目标网络架构的特定配置（例如重要文件、管理帐户和关键系统）定制的恶意软件。下图显示了根据上述配置生成自定义勒索软件的过程，以及生成的文件。正如我们所看到的，LB3.exe是主文件。这是将交付给受害者的神器。构建器还生成用于恢复文件的LB3Decryptor.exe，以及主文件的几种不同变体。例如，LB3_pass.exe 是受密码保护的勒索软件版本，而反射式 DLL 可用于绕过标准操作系统加载程序并将恶意软件直接注入内存。TXT文件包含有关如何执行受密码保护的文件的说明。

Creation of a customized LockBit version
创建自定义 LockBit 版本

Generated LockBit files 生成的 LockBit 文件

When we executed this custom build on a virtual machine, it performed its malicious activities and generated custom ransom note files. In real-life scenarios, the note will include details on how the victim should contact the attackers to obtain a decryptor. It is worth noting that negotiating with the attackers and paying ransom should not be an option. Besides the ethical issues involved, there is doubt whether a tool for recovering the files will ever be provided.
当我们在虚拟机上执行此自定义构建时，它执行了恶意活动并生成了自定义赎金记录文件。在现实生活中，该说明将包括有关受害者应如何联系攻击者以获取解密器的详细信息。值得注意的是，与攻击者谈判并支付赎金不应该是一种选择。除了涉及的道德问题外，还不确定是否会提供恢复文件的工具。

Custom ransom note 自定义赎金票据

However, as we generated the ransomware sample and a corresponding decryptor ourselves in a controlled lab environment, we were able to test if the latter actually worked. We tried to decrypt our encrypted files and found out that if the decryptor for the sample was available, it was indeed able to recover the files, as shown in the image below.
但是，当我们在受控的实验室环境中自己生成勒索软件样本和相应的解密器时，我们能够测试后者是否真的有效。我们尝试解密加密文件，发现如果示例的解密器可用，它确实能够恢复文件，如下图所示。

LB3Decryptor execution LB3Decryptor 执行

That said, we must once again underscore that even a correctly working decryptor is no guarantee that the attackers will play fair.
也就是说，我们必须再次强调，即使是正常工作的解密器也不能保证攻击者会公平竞争。

The recent LockBit takedown and custom LockBit builds
最近的 LockBit 下架和自定义 LockBit 构建

In February 2024, the international law enforcement task force Operation Cronos gained visibility into LockBit’s operations after taking the group down. The collaborative action involved law enforcement agencies from 10 countries, which seized the infrastructure and took control of the LockBit administration environment. However, a few days after the operation, the ransomware group announced that they were back in action.
2024 年 2 月，国际执法特遣队 Cronos 行动在击落该组织后了解了 LockBit 的行动。合作行动涉及来自10个国家的执法机构，他们没收了基础设施并控制了LockBit管理环境。然而，在行动几天后，勒索软件组织宣布他们重新开始行动。

The takedown operation allowed LEAs to seize the group’s infrastructure, obtain private decryption keys and prepare a decryption toolset based on a known-victim ID list obtained by the authorities. The check_decryption_id utility checks if the ransom ID enabled for the victim is on the list of known decryption keys:
这次下架行动使执法机构能够夺取该组织的基础设施，获取私人解密密钥，并根据当局获得的已知受害者身份列表准备解密工具集。check_decryption_id实用程序检查为受害者启用的赎金 ID 是否在已知解密密钥列表中：

check_decryption_id.exe execution
check_decryption_id.exe执行

The check_decrypt tool assesses decryptability: while there is a possibility that the files will be recovered, the outcome of the process depends on multiple conditions, and this tool just checks which of these conditions are met in the systems being analyzed. A CSV file is created, listing files that can be decrypted and providing an email address to reach out to for further instructions on restoring the files:
check_decrypt工具评估可解密性：虽然文件有可能被恢复，但该过程的结果取决于多个条件，此工具仅检查正在分析的系统中满足哪些条件。将创建一个 CSV 文件，列出可以解密的文件，并提供一个电子邮件地址，以便联系以获取有关恢复文件的进一步说明：

check_decrypt.exe execution
check_decrypt.exe执行

This toolset caught our attention because we had investigated several cases relating to the LockBit threat. We normally recommend that our customers save their encrypted critical files and wait for an opportunity to decrypt them with the help of threat researches or artifacts seized by the authorities, which is merely a matter of time. We ran victim IDs and encrypted files analyzed by our team through the decryption tool, but most of them showed the same result:
这个工具集引起了我们的注意，因为我们已经调查了几个与 LockBit 威胁相关的案例。我们通常建议我们的客户保存他们的加密关键文件，并等待机会在威胁研究或当局查获的工件的帮助下解密它们，这只是时间问题。我们运行了受害者 ID 和加密文件，这些文件由我们的团队通过解密工具进行分析，但大多数都显示了相同的结果：

Testing the tool on a victim ID obtained by our team
在我们团队获得的受害者 ID 上测试该工具

The check_decrypt also confirmed that it was not possible to decrypt the files by using the database of known keys:
check_decrypt还确认，无法使用已知密钥的数据库来解密文件：

Testing the check_decrypt.exe tool on encrypted files
在加密文件上测试check_decrypt.exe工具

Our analysis and previous research confirmed that files encrypted with a payload generated with the help of the leaked LockBit builder could not be decrypted with existing decryption tools, essentially because the independent groups behind these attacks did not share their private keys with the RaaS operator.
我们的分析和之前的研究证实，在泄露的 LockBit 构建器的帮助下，使用有效载荷加密的文件无法使用现有的解密工具进行解密，主要是因为这些攻击背后的独立团体没有与 RaaS 运营商共享他们的私钥。

Geography of the leaked LockBit builder-based attacks
泄露的基于 LockBit 构建器的攻击的地理位置

Custom LockBit builds created with the leaked builder were involved in a number of incidents all over the world. These attacks were most likely unrelated and executed by independent actors. The leaked builder apparently has been used by LockBit ransomware competitors to target companies in the Commonwealth of Independent States, violating the group’s number one rule to avoid compromising CIS nationals. This triggered a discussion on the dark web, where LockBit operators tried to explain that they had nothing to do with these attacks.
使用泄露的构建器创建的自定义 LockBit 构建涉及世界各地的许多事件。这些攻击很可能是无关的，是由独立行为者执行的。泄露的构建器显然已被 LockBit 勒索软件竞争对手用来针对独立国家联合体的公司，违反了该组织避免损害独联体国民的头号规则。这在暗网上引发了一场讨论，LockBit运营商试图解释他们与这些攻击无关。

In our incident response practice, we have come across ransomware samples created with the help of the leaked builder in incidents in Russia, Italy, Guinea-Bissau, and Chile. Although the builder provides a number of customization options, as we have shown above, most of the attacks used the default or slightly modified configuration. However, one incident stood out.
在我们的事件响应实践中，我们在俄罗斯、意大利、几内亚比绍和智利的事件中遇到了在泄露的构建器的帮助下创建的勒索软件样本。尽管构建器提供了许多自定义选项，但如上所示，大多数攻击都使用默认配置或稍作修改的配置。然而，有一件事很突出。

A real-life incident response case involving a custom LockBit build
涉及自定义 LockBit 构建的真实事件响应案例

In a recent incident response engagement, we faced a ransomware scenario involving a LockBit sample built with the leaked builder and featuring impersonation and network spread capabilities we had not seen before. The attacker was able to exploit an internet-facing server that exposed multiple sensitive ports. Somehow, they were able to obtain the administrator password – we believe that it may have been stored in plain text inside a file, or that the attacker may have used social engineering. Then, the adversary generated custom ransomware using the privileged account they had access to. Our team was able to obtain the relevant fields present in the config.json file that the attacker used:
在最近的一次事件响应活动中，我们遇到了一个勒索软件场景，该场景涉及使用泄露的构建器构建的 LockBit 示例，并具有我们以前从未见过的模拟和网络传播功能。攻击者能够利用暴露多个敏感端口的面向 Internet 的服务器。不知何故，他们能够获得管理员密码——我们认为它可能以纯文本形式存储在文件中，或者攻击者可能使用了社会工程。然后，攻击者使用他们有权访问的特权帐户生成自定义勒索软件。我们的团队能够获取攻击者使用的 config.json 文件中存在的相关字段：

As we can see, the custom version has the ability to impersonate the administrator account, affect network shares, and spread easily across the network via PsExec.
正如我们所看到的，自定义版本能够模拟管理员帐户，影响网络共享，并通过 PsExec 轻松在网络中传播。

Moreover, it is configured to run more than once on each host. One of the first steps that the executable does when started is check for, and create, a unique mutex based on a hash sum of the ransomware public key in the format: “Global\%.8x%.8x%.8x%.8x%.8x”. If the running_one flag is set to true in the configuration and the mutex is already present in the operating system, the process will exit.
此外，它被配置为在每台主机上运行多次。可执行文件启动时执行的第一步是检查并创建一个基于勒索软件公钥哈希和的唯一互斥锁，格式为：“Global\%.8x%.8x%.8x%.8x%.8x%.8x%.8x”。如果在配置中将 running_one 标志设置为 true，并且操作系统中已存在互斥锁，则进程将退出。

In our case, the configuration allowed concurrent executions of several ransomware instances on the same host. This behavior, combined with the use of configuration flags for automatic network propagation with high-privileged domain credentials, led to an uncontrolled avalanche effect: each host that got infected then started trying to infect other hosts on the network, including those already infected. From an incident response point of view, this means finding evidence, if available, of different origins for the same threat. See below the evidence found on one host of remote service creation by PsExec with authentication completed from multiple infected hosts.
在我们的例子中，该配置允许在同一主机上并发执行多个勒索软件实例。这种行为与使用配置标志进行具有高特权域凭据的自动网络传播相结合，导致了不受控制的雪崩效应：每个被感染的主机都开始尝试感染网络上的其他主机，包括那些已经感染的主机。从事件响应的角度来看，这意味着为同一威胁找到不同来源的证据（如果有）。请参阅下面在一台主机上找到的证据，这些证据显示 PsExec 在多个受感染的主机上完成了身份验证，从而创建了远程服务。

Remote service creation by PsExec
通过 PsExec 创建远程服务

Although this evidence was present in the infected systems, most of the logs had been deleted by the ransomware immediately after the initial infection. Because of that, it was not possible to determine how the attacker was able to gain access to the server and to the administrator password. The remote service creation logs remained because when the malware was performing lateral movement on the network, it generated new logs, which it did not delete, and which were helpful in detecting its spread across the infrastructure.
尽管这些证据存在于受感染的系统中，但大多数日志在初始感染后立即被勒索软件删除。因此，无法确定攻击者如何能够访问服务器和管理员密码。远程服务创建日志之所以保留，是因为当恶意软件在网络上执行横向移动时，它会生成新的日志，这些日志不会删除，并且有助于检测其在基础架构中的传播。

Event logs cleared 清除事件日志

By analyzing some of the traces that were not erased on the initial affected server, we identified compressed Gzip data in a memory stream. The data was encoded in Base64. After decoding and decompression, we found evidence of the use of Cobalt Strike. We were able to identify the C2 server used by the attacker to communicate with the affected machine and promptly sent this indicator to the customer for blacklisting.
通过分析最初受影响服务器上未擦除的一些跟踪，我们识别了内存流中的压缩 Gzip 数据。数据以 Base64 编码。在解码和解压缩后，我们发现了使用 Cobalt Strike 的证据。我们能够识别攻击者用于与受影响机器通信的 C2 服务器，并及时将此指示器发送给客户以列入黑名单。

We also spotted the use of the SessionGopher script. This tool uses WMI to extract saved session information for remote desktop access tools, such as WinSCP, PuTTY, FileZilla, and Microsoft Remote Desktop. This is accomplished by querying HKEY_USERS for PuTTY, WinSCP, and Remote Desktop saved sessions. In Thorough mode, the script can identify .ppk, .rdp, and .sdtid files in order to extract private keys and session information. It can be run remotely by using the -iL option followed by the list of computers. The -AllDomain flag allows running it against all AD-joined computers. As shown in the image below, the script can easily extract saved passwords for remote connections. The results can be exported to a CSV file for later use.
我们还发现了 SessionGopher 脚本的使用。此工具使用 WMI 提取远程桌面访问工具（如 WinSCP、PuTTY、FileZilla 和 Microsoft 远程桌面）的已保存会话信息。这是通过查询 PuTTY、WinSCP 和远程桌面保存的会话HKEY_USERS来实现的。在彻底模式下，脚本可以识别 .ppk、.rdp 和 .sdtid 文件，以便提取私钥和会话信息。它可以通过使用 -iL 选项后跟计算机列表来远程运行。-AllDomain 标志允许对所有已加入 AD 的计算机运行它。如下图所示，该脚本可以轻松提取远程连接的已保存密码。结果可以导出到 CSV 文件以供以后使用。

Password extraction using SessionGopher
使用 SessionGopher 提取密码

Although SessionGopher is designed for collecting stored credentials, it was not the tool used by the attackers for initial credential dumping. Instead, they employed SessionGopher to collect additional credentials and services in the infrastructure at a later stage.
尽管 SessionGopher 是为收集存储的凭据而设计的，但它不是攻击者用于初始凭据转储的工具。相反，他们使用 SessionGopher 在稍后阶段在基础设施中收集其他凭据和服务。

Once we identified the C2 domains and some other IP addresses related to the attacker and extracted details about the impersonated accounts and tools implemented for automatic deployment, the customer changed all affected users’ credentials and configured security controls to avoid PsExec execution, thus stopping the infection. Monitoring network and user account activities allowed us to identify the infected systems and isolate them for analysis and recovery.
一旦我们识别了与攻击者相关的 C2 域和其他一些 IP 地址，并提取了有关为自动部署而实施的模拟帐户和工具的详细信息，客户就更改了所有受影响用户的凭据并配置了安全控制以避免 PsExec 执行，从而阻止感染。通过监控网络和用户帐户活动，我们可以识别受感染的系统并隔离它们以进行分析和恢复。

This case shows an interesting combination of techniques used to gain and maintain access to the target network, as well as encrypt important data and impair defenses. Below are the TTPs identified for this scenario.
这个案例展示了一个有趣的技术组合，用于获取和维持对目标网络的访问，以及加密重要数据和削弱防御。以下是为此方案确定的 TTP。

Preventive actions against ransomware attacks
针对勒索软件攻击的预防措施

Ransomware attacks can be devastating, especially if the attackers manage to get hold of high-privileged credentials. Measures for mitigating the risk of such an attack may vary depending on the technology used by the company. However, there are certain infrastructure-agnostic techniques:
勒索软件攻击可能是毁灭性的，特别是如果攻击者设法掌握了高特权凭据。降低此类攻击风险的措施可能因公司使用的技术而异。但是，有一些与基础结构无关的技术：

• Using a robust, properly-configured antimalware solution, such as Kaspersky Endpoint Security
  使用强大、配置正确的反恶意软件解决方案，例如 Kaspersky Endpoint Security
• Implementing Managed Detection and Response (MDR) to proactively seek out threats
  实施托管检测和响应 （MDR） 以主动查找威胁
• Disabling unused services and ports to minimize the attack surface
  禁用未使用的服务和端口以最大程度地减少攻击面
• Keeping all systems and software up to date
  使所有系统和软件保持最新状态
• Conducting regular penetration tests and vulnerability scanning to identify vulnerabilities and promptly apply appropriate countermeasures
  定期进行渗透测试和漏洞扫描，以识别漏洞并及时采取适当的对策
• Adopting regular cybersecurity training, so that employees are aware of cyberthreats and ways to avoid them
  定期进行网络安全培训，让员工了解网络威胁和避免这些威胁的方法
• Making backups frequently and testing them
  经常进行备份并对其进行测试

Conclusion 结论

Our examination of the LockBit 3.0 builder files shows the alarming simplicity with which attackers can craft customized ransomware, as evidenced by a recent incident where adversaries exploited administrator credentials to deploy a tailored ransomware variant. This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees.
我们对 LockBit 3.0 构建器文件的检查表明，攻击者可以制作定制勒索软件的惊人简单性，最近发生的一起事件证明了这一点，该事件表明，攻击者利用管理员凭据部署了量身定制的勒索软件变体。这凸显了能够有效缓解此类威胁的强大安全措施的必要性，以及在员工中采用网络安全文化的必要性。

Kaspersky products detect the threat with the following verdicts:
卡巴斯基产品通过以下判定来检测威胁：

• Trojan-Ransom.Win32.Lockbit.gen
  特洛伊木马-Ransom.Win32.Lockbit.gen
• Trojan.Multi.Crypmod.gen
  特洛伊木马.Multi.Crypmod.gen
• Trojan-Ransom.Win32.Generic
  特洛伊木马-Ransom.Win32.Generic

And the SessionGopher script, as:
和 SessionGopher 脚本，如下所示：

• HackTool.PowerShell.Agent.l
• HackTool.PowerShell.Agent.ad