Evasive LockBit Campaign

Category: Ransomware News | Industry: Global | Level: Tactical | Source: Fortinet

In December 2022 and January 2023, researchers at FortiGuard Labs observed a new campaign involving LockBit ransomware. The campaign used techniques that successfully evaded AV and EDR solutions. LockBit has established itself as a serious and growing threat, and its proficiency is regularly demonstrated by its position at the top of charts tracking victim count and data leak entries. The observed attack chain began with a .img container and relied on social engineering: only one disguised shortcut file was shown to the user, while the remaining files were concealed. When the shortcut file is executed, a Python and/or batch script runs that enables "the attacker’s BAT file to run in a new elevated process without the user’s approval." The batch script resets the password of the logged-in user, copies files into the C:\ProgramData directory, sets up the host to run in safe mode after restart and "logs in without user interaction," sets up services to run, and restarts the system. After the reboot, a script executes another BAT script that extracts the ransomware executable from a password-protected archive.

Anvilogic Scenario:

  • Suspicious BAT File Inhibit/Modifies System Config

Anvilogic Use Cases:

  • Executable Create Script Process
  • Create/Modify Schtasks
  • Registry key added with reg.exe
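The scenario and use cases above name behaviours rather than a rule. As an added example (not Anvilogic's or Fortinet's code), the Python below correlates constructed process-creation events by their batch-file parent and fires when one parent touches several of the use cases. The event field names, the concrete command-line patterns (net user, bcdedit safeboot, reg add under Winlogon, sc create, schtasks /create, shutdown /r) and the threshold are assumptions, since the page describes only the behaviours.

```python
import re
from collections import defaultdict

# Each use case is a regex over the child process command line. The page names the
# behaviours (password reset, safe-mode boot, unattended logon, service setup, reboot);
# the specific commands matched below are assumed typical ones, not quoted from the page.
RULES = [
    ("password_reset",     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+(?!/)\S+", re.I)),
    ("safeboot_config",    re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("autologon_registry", re.compile(r"\breg(\.exe)?\s+add\b.*\\Winlogon\b", re.I)),
    ("service_create",     re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
    ("schtasks_create",    re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("forced_reboot",      re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)),
]
# A .bat launched through cmd.exe is the parent we correlate on; the scenario fires once
# one parent has triggered this many distinct use cases (threshold is an assumption).
BAT_PARENT = re.compile(r"\bcmd(\.exe)?\b.*\.bat\b", re.I)
MIN_DISTINCT = 3

def match_event(cmdline):
    """Names of every use case a single command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def correlate(events):
    """events: dicts with host, parent_cmdline, cmdline (process-creation telemetry).
    Returns {(host, parent_cmdline): [use cases]} for batch parents over the threshold."""
    hits = defaultdict(set)
    for ev in events:
        if not BAT_PARENT.search(ev["parent_cmdline"]):
            continue
        for name in match_event(ev["cmdline"]):
            hits[(ev["host"], ev["parent_cmdline"])].add(name)
    return {key: sorted(names) for key, names in hits.items() if len(names) >= MIN_DISTINCT}

# Constructed sample telemetry: WS01 mirrors the chain described above, WS02 is a benign
# scheduled backup that must not fire. No real hosts, users or indicators.
BAT = "cmd.exe /c C:\\ProgramData\\run.bat"
SAMPLE_EVENTS = [
    {"host": "WS01", "parent_cmdline": BAT, "cmdline": "net user alice NewPass123!"},
    {"host": "WS01", "parent_cmdline": BAT, "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "WS01", "parent_cmdline": BAT,
     "cmdline": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f'},
    {"host": "WS01", "parent_cmdline": BAT, "cmdline": "shutdown /r /t 0"},
    {"host": "WS02", "parent_cmdline": "cmd.exe /c C:\\scripts\\backup.bat",
     "cmdline": "schtasks /create /tn Backup /tr backup.exe /sc daily"},
    {"host": "WS02", "parent_cmdline": "explorer.exe", "cmdline": "net user bob Temp1234!"},
]

if __name__ == "__main__":
    for (host, parent), names in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {parent} -> {', '.join(names)}")
```

Only the WS01 batch parent crosses the threshold; the single schtasks hit on WS02 and the net user event with a non-batch parent are left alone.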