Ransomware Watch Q1 2023 Highlights

June 20, 2023
By Ketki I

Over 800 organizations were listed on ransomware leak sites on the dark web during the quarter, an increase in victims of roughly 20% compared to the previous quarter. While tracking ransomware during the first quarter (Q1) of 2023, we encountered more than 20 distinct ransomware families; here we share the top five, with their associated tactics, techniques, and procedures (TTPs) and possible ways to detect their activity.

During Q1 2023, LockBit 3.0, Hive, Alphv (aka BlackCat), BianLian and Black Basta emerged as the most active and prolific ransomware families. Our observations indicate that LockBit 3.0 held a significant lead at the top of these five.

Ransomware Background

LockBit 3.0:

Also known as “LockBit Black”, this is the latest version of the LockBit family; it demonstrates better modularity and evasiveness than previous iterations and shows similarities to BlackMatter and BlackCat ransomware. Initial access for LockBit 3.0 is achieved through various techniques, including remote desktop protocol (RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid accounts [T1078], and exploitation of public-facing applications [T1190].

It was first observed in January 2020. It requires a password during execution [T1480.001], which serves as the cryptographic key for decrypting the ransomware payload itself; because the code remains unreadable in its encrypted state, this makes it difficult to detect and analyse. It also employs a language exclusion list [T1614.001] to avoid detection; whether the runtime language is checked is determined by a configuration flag set at compile time.

Hive:

The first signs of Hive ransomware were observed in June 2021. Attackers initially accessed victim networks using single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols [T1133]. In certain instances multifactor authentication (MFA) was bypassed and access to FortiOS servers gained by exploiting CVE-2020-12812. Initial access to victim networks has also been acquired via phishing emails containing malicious attachments [T1566.001].

Before encryption, Hive checks for and disables all components of Windows Defender and other antivirus products via the registry [T1112], forcibly terminates antivirus/anti-spyware programs [T1562], and wipes the Windows event logs (system, security, and application logs) [T1070]. Shadow copies were observed being removed using vssadmin from the command line or via PowerShell [T1059] [T1490].

ALPHV:

ALPHV, also known as Noberus or BlackCat (S1068), emerged in November 2021 as a ransomware-as-a-service (RaaS). Some researchers speculate that it is a successor to the BlackMatter, REvil, and DarkSide ransomware. BlackCat has been seen gaining initial access through vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), and has the ability to maintain access via remote code execution (RCE).

In most cases, BlackCat affiliates have used legitimate tools to extract authentication data by dumping the LSASS (Local Security Authority Subsystem Service) process with ProcDump. The attackers have also employed various NirSoft tools to extract authentication data from the registry, web browsers, and other storage locations, extending their targets beyond LSASS. To gather information about Active Directory they have used ADRecon. For lateral movement within the network they have used RDP and Impacket’s wmiexec and smbexec, along with Cobalt Strike.

BianLian:

The BianLian ransomware, written in the Go programming language, was first observed in June 2022. Initial access is gained through compromised Remote Desktop Protocol (RDP) credentials, believed to have been obtained from initial access brokers [T1078], [T1133], or via phishing [T1566]. The group's custom backdoor is used to infiltrate targeted systems [T1587.001]. They then establish persistence and control over compromised systems by installing remote management and access software such as TeamViewer, Atera Agent, SplashTop, and AnyDesk [T1105], [T1219].

The BianLian group creates and/or activates local administrator accounts [T1136.001], modifies their passwords [T1098], and uses PowerShell [T1059.001] and the Windows Command Shell [T1059.003] to disable antivirus tools [T1562.001]. This is achieved through modifications to the Windows Registry targeting the Sophos SAVEnabled, SEDEenabled, and SAVService settings [T1112]. For credential gathering, BianLian extracts data from the memory of the Local Security Authority Subsystem Service (LSASS) [T1003.001], employs RDP Recognizer, and attempts to access the Active Directory domain database (NTDS.dit) [T1003.003].

Black Basta:

The ransomware strain known as Black Basta (S1070) emerged in April 2022. It gains initial access by phishing [T1566.001] or uses QBot as both an initial entry point and a mechanism for lateral movement within compromised networks. To evade detection in virtual or analysis environments, the ransomware incorporates anti-analysis techniques and can detect code emulation or sandboxing [T1497]. It supports the command line argument “-forcepath” to encrypt files within a designated directory; otherwise it encrypts the entire system, excluding specific critical directories [T1486].

Visibility (TTPs) through the Tidal Cyber platform:

Here we have captured the techniques used by these five ransomware variants so that organizations can perform a gap analysis against their existing threat detections and analytics.

All five ransomware families (LockBit 3.0, Hive, BlackCat, Black Basta, and BianLian) impact the target system by encrypting data [T1486]. Apart from BianLian, all four variants also delete or remove shadow copies [T1490]; this technique has been consistently observed in these cases as one of their impact strategies. (Additional impact techniques can be found in the Tidal layer.)

When it comes to data exfiltration, LockBit and BlackCat were observed to have transitioned to an aggressive triple-extortion strategy, whereas BianLian appears to have shifted from double extortion to primarily exfiltration-based extortion. Hive and Black Basta both appear to have adopted the double-extortion model.

Threat Summary:

| | LockBit 3.0 / LockBit Black | BlackCat / ALPHV / ALPHV-ng / Noberus | Hive | BianLian | Black Basta |
|---|---|---|---|---|---|
| Model | Ransomware-as-a-Service (RaaS) | Ransomware-as-a-Service (RaaS) | Ransomware-as-a-Service (RaaS) | | Ransomware-as-a-Service (RaaS) |
| History | Previous versions: LockBit 2.0, LockBit | Believed to be the successor of the DarkSide, BlackMatter and REvil ransomware groups | Connection to the Conti ransomware group, potentially including some of its previous members | | Linked to the gang behind Conti and may be the closest thing it has to a successor |
| First observed | June 2022 | Late 2021 | June 2021 | June 2022 | April 2022 |
| Platform | Windows, Linux, VMware ESXi, macOS | Windows, Linux, VMware ESXi, FreeBSD | Windows, Linux, VMware ESXi | Windows | Windows, Linux |
| Initial access | Remote desktop protocol (RDP); drive-by compromise; phishing; abuse of valid accounts; exploitation of public-facing applications | Phishing; exploitation of public-facing applications (MS Exchange Server vulnerabilities); valid accounts (compromised user credentials) | Phishing; RDP with valid accounts | Phishing; RDP with valid accounts | Phishing; malware (Qbot) |
| Extortion type | Triple extortion | Triple extortion | Double extortion | Exfiltration-based extortion | Double extortion |
| Tools | Chocolatey, FileZilla, MegaSync, Microsoft Sysinternals ProcDump, Microsoft Sysinternals PsExec, Mimikatz, Ngrok, PuTTY Link (Plink), Rclone, SoftPerfect Network Scanner, Splashtop, WinSCP | PsExec, Mimikatz, NirSoft tools, ADRecon, BITS, LaZagne, Ligolo, WinSW, Rclone, ALPHV ransomware encryptor, Nanodump | 7-Zip, Rclone, WinSCP, NSudo, Powercfg, ADFind, Mega | Cobalt Strike, Mimikatz, Rclone, Mega | SystemBC, Mimikatz, Cobalt Strike, Rclone |
| Country | US, France, UK, Canada, Brazil, Italy, Germany, Spain, Taiwan, Thailand and others | US, Australia, India, Indonesia, UK, Thailand, Japan, Italy, Netherlands, Germany and others | US, Japan, Argentina, Brazil, Thailand, Italy, Spain, Colombia, France, Saudi Arabia, El Salvador and others | Canada, US, UK, India, Sweden, France, Germany, Spain, Austria, Switzerland, Turkey, Cyprus, Indonesia, Australia, Northern Ireland and others | Australia, Canada, New Zealand, UK, US, Germany, Switzerland, Italy, France, Netherlands and others |
| CVE | | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | CVE-2020-12812 | | |

Industries targeted across these five families include: healthcare, education, manufacturing, construction, finance/BFSI, legal services, technology and information technology, professional services and consulting, energy and utilities, materials, government facilities and agencies, real estate and property development, media, telecommunications, products, resources and agriculture, transportation, and U.S. and Australian critical infrastructure.

We thank all the independent researchers who contributed detections to the community and helped organizations triage quickly. In this section we share a few detections in Sigma and Osquery format. More Osquery analytics, our contribution to the community, can be found here.

Detection – Sigma

title: Backup catalogs deleted using Wbadmin.EXE
description: Detects use of wbadmin.exe to delete backup catalogs or system state backups
logsource:
    product: windows
    category: process_creation
detection:
    selection_wbadmin:
        Image|endswith: 'wbadmin.exe'
        OriginalFileName: 'WBADMIN.EXE'
        CommandLine|contains:
            - 'systemstatebackup'
            - 'catalog -quiet'   # e.g. "wbadmin delete catalog -quiet"
    selection_del:
        CommandLine|contains: 'delete'
    condition: selection_wbadmin and selection_del

title: RDP registry modification
description: Detects registry modifications that expose a system to unauthorized remote access, such as enabling RDP by setting 'fDenyTSConnections' to 0 or disabling Network Level Authentication by setting 'UserAuthentication' to 0
logsource:
    product: windows
    category: registry_set   # TargetObject/Details are registry fields (Sysmon Event ID 13), not process creation
detection:
    selection:
        TargetObject|endswith:
            - 'fDenyTSConnections'
            - 'UserAuthentication'
        Details: 'DWORD (0x00000000)'
    condition: selection

title: Registry copy in Safe Mode
description: Detects copying of the configuration settings for the tvnserver service to a new location in the registry that will be used when the computer boots into Safe Mode with Networking
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: 'reg.exe'
        CommandLine|contains|all:
            - 'copy'
            - 'hklm\system\*\services\tvnserver'
            - 'hklm\system\*\safeboot\network\tvnserver'
            - '/s'
            - '/f'
    condition: selection
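The three Sigma rules above, re-expressed as Python predicates and run over a handful of constructed Sysmon-style events, as an added example that is not part of the original post. The event dictionaries and the `EventType` key are assumptions made for the example; the other field names follow Sigma's Windows `process_creation` and `registry_set` schemas.

```python
# Added example (not from the original post): the three Sigma rules above as
# Python predicates over constructed Sysmon-style events. Matching is
# case-insensitive, as Sigma string matching is by default.
import re

def wbadmin_catalog_delete(ev):
    """Rule 1: wbadmin.exe deleting backup catalogs / system state backups."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("EventType") == "process_creation"
            and ev.get("Image", "").lower().endswith("wbadmin.exe")
            and ev.get("OriginalFileName", "").upper() == "WBADMIN.EXE"
            and ("systemstatebackup" in cmd or "catalog -quiet" in cmd)
            and "delete" in cmd)

def rdp_registry_enable(ev):
    """Rule 2: fDenyTSConnections or UserAuthentication set to DWORD 0."""
    target = ev.get("TargetObject", "").lower()
    return (ev.get("EventType") == "registry_set"
            and target.endswith(("fdenytsconnections", "userauthentication"))
            and ev.get("Details", "").lower() == "dword (0x00000000)")

# The '*' in the Sigma values is a wildcard; rendered here as '.*'.
TVN_SRC = re.compile(r"hklm\\system\\.*\\services\\tvnserver")
TVN_DST = re.compile(r"hklm\\system\\.*\\safeboot\\network\\tvnserver")

def safeboot_tvnserver_copy(ev):
    """Rule 3: reg.exe copying tvnserver config into SafeBoot\\Network."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("EventType") == "process_creation"
            and ev.get("Image", "").lower().endswith("reg.exe")
            and all(t in cmd for t in ("copy", "/s", "/f"))
            and TVN_SRC.search(cmd) is not None and TVN_DST.search(cmd) is not None)

RULES = {"Backup catalogs deleted using Wbadmin.EXE": wbadmin_catalog_delete,
         "RDP registry modification": rdp_registry_enable,
         "Registry copy in Safe Mode": safeboot_tvnserver_copy}

def match_events(events):
    """Return (rule title, event index) for every rule each event triggers."""
    return [(title, i) for i, ev in enumerate(events)
            for title, rule in RULES.items() if rule(ev)]

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\wbadmin.exe",
     "OriginalFileName": "WBADMIN.EXE", "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventType": "registry_set", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"EventType": "registry_set", "Details": "DWORD (0x00000001)",  # NLA left on: benign
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication"},
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg copy hklm\system\currentcontrolset\services\tvnserver "
                    r"hklm\system\currentcontrolset\control\safeboot\network\tvnserver /s /f"},
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\wbadmin.exe",
     "OriginalFileName": "WBADMIN.EXE", "CommandLine": "wbadmin get versions"},  # benign
]

if __name__ == "__main__":
    for title, idx in match_events(SAMPLE_EVENTS):
        print(f"[{title}] event #{idx}")
```

Only events 0, 1 and 3 fire; the benign UserAuthentication=1 write and the read-only wbadmin query are ignored, which is the behaviour to confirm before the rules are deployed against real Sysmon logs.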
    

Detection – Osquery

Title: Execution of ADRecon tool in powershell
description: Detects the execution of the ADRecon tool in PowerShell to enumerate the AD environment.

SELECT
    datetime,
    script_block_id,
    script_text,
    script_name,
    script_path
FROM powershell_events
WHERE
(
    script_text LIKE '%ADRecon.ps1%'
    OR script_text LIKE '%Function Get-ADRExcelComOb%'
    OR script_text LIKE '%Get-ADRGPO%'
    OR script_text LIKE '%Get-ADRDomainController%'
    OR script_text LIKE '%PasswordPolicy%'
    OR script_text LIKE '%FineGrainedPasswordPolicy%'
    OR script_text LIKE '%DomainControllers%'
    OR script_text LIKE '%Get-ADRGPLink%'
    OR script_text LIKE '%Get-ADRDNSZone%'
);

Title: Net.exe suspicious commands

description: Detects net.exe being used to disable forced logoff (forcelogoff:no) and set the maximum password age to unlimited (maxpwage:unlimited).

SELECT
    name,
    pid,
    path,
    cmdline,
    parent
FROM processes
WHERE LOWER(name) = 'net.exe'
AND
(
    cmdline LIKE '%forcelogoff:no%'
    AND cmdline LIKE '%maxpwage:unlimited%'
);
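The two Osquery queries above, run unchanged against an in-memory SQLite database that stands in for osquery's `powershell_events` and `processes` tables, as an added example that is not part of the original post. The table rows are constructed sample data; osquery is SQLite underneath, so this checks the match logic of the queries before they are pushed to a fleet.

```python
# Added example (not from the original post): run the page's two osquery queries
# against SQLite tables that mimic osquery's schema, using constructed rows.
import sqlite3

ADRECON_QUERY = """
SELECT datetime, script_block_id, script_text, script_name, script_path
FROM powershell_events
WHERE (script_text LIKE '%ADRecon.ps1%'
    OR script_text LIKE '%Function Get-ADRExcelComOb%'
    OR script_text LIKE '%Get-ADRGPO%'
    OR script_text LIKE '%Get-ADRDomainController%'
    OR script_text LIKE '%PasswordPolicy%'
    OR script_text LIKE '%FineGrainedPasswordPolicy%'
    OR script_text LIKE '%DomainControllers%'
    OR script_text LIKE '%Get-ADRGPLink%'
    OR script_text LIKE '%Get-ADRDNSZone%');
"""
NET_QUERY = """
SELECT name, pid, path, cmdline, parent FROM processes
WHERE LOWER(name) = 'net.exe'
  AND (cmdline LIKE '%forcelogoff:no%' AND cmdline LIKE '%maxpwage:unlimited%');
"""

def build_db():
    """In-memory stand-in for the two osquery tables, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE powershell_events(datetime TEXT, script_block_id TEXT,
            script_text TEXT, script_name TEXT, script_path TEXT);
        CREATE TABLE processes(name TEXT, pid INTEGER, path TEXT,
            cmdline TEXT, parent INTEGER);""")
    db.executemany("INSERT INTO powershell_events VALUES (?,?,?,?,?)", [
        ("2023-03-01 10:00:00", "blk-1", ". .\\ADRecon.ps1 -Collect Domain",
         "ADRecon.ps1", r"C:\Users\Public\ADRecon.ps1"),            # should fire
        ("2023-03-01 10:05:00", "blk-2", "Get-Process | Sort-Object CPU", "", ""),
    ])
    db.executemany("INSERT INTO processes VALUES (?,?,?,?,?)", [
        ("net.exe", 4120, r"C:\Windows\System32\net.exe",
         "net accounts /forcelogoff:no /maxpwage:unlimited", 3988),   # should fire
        ("NET.EXE", 4133, r"C:\Windows\System32\net.exe", "net user", 3988),
    ])
    return db

def run_detections(db):
    """Run both osquery queries and return the rows each one flags."""
    return {"Execution of ADRecon tool in powershell": db.execute(ADRECON_QUERY).fetchall(),
            "Net.exe suspicious commands": db.execute(NET_QUERY).fetchall()}

if __name__ == "__main__":
    for title, rows in run_detections(build_db()).items():
        print(title, "->", rows)
```

Broad patterns such as '%PasswordPolicy%' and '%DomainControllers%' will also match legitimate administrative scripts, so pair a hit with script_path and the invoking user before alerting.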
    

Community – Yara rules

Hive Ransomware

ALPHV Ransomware

LockBit 3.0 Ransomware

Black Basta Ransomware


Author: Ketki I
Threat Researcher, Loginsoft