2023-03-07

Evasive LockBit Campaign

Level: Tactical | Source: Fortinet

Industries: Global, Financial Services, Healthcare, Manufacturing, Technology

In December 2022 and January 2023, researchers at FortiGuard Labs observed a new campaign involving LockBit ransomware. The campaign used techniques that successfully evaded AV and EDR solutions. LockBit has established itself as a serious and growing threat, and its proficiency is regularly reflected in charts that track victim count and data leak entries, where it often leads. The observed attack chain began with a .img container and used social engineering to show the user only a single disguised shortcut file while concealing the remaining files. When the shortcut is executed, a Python script and/or a batch script runs, which allows "the attacker's BAT file to run in a new elevated process without the user's approval." The batch script resets the password of the logged-in user, copies files into the C:\ProgramData directory, configures the host to boot into safe mode after restart so that it "logs in without user interaction," sets up services to run, and then restarts the system. After the reboot, a script executes another BAT script that extracts the ransomware payload from a password-protected archive containing the ransomware executable.
