Ransom.Win32.LOCKBIT.EOA

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• if -safe is used:
  • bcdedit /set {current} safeboot network

Process Termination

This Ransomware terminates the following services if found on the affected system:

• backup
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• memtas
• mepocs
• msexchange
• sophos
• sql
• svc$
• veeam
• vss

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• calc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• wuaclt
• xfssvccon

Other Details

This Ransomware does the following:

• If not executed with admin rights, it will attempt relaunch itself as admin by elevating its privileges via bypassing UAC
• It encrypts fixed, removable and network drives
• It deletes files in recycle bin folder for removable and fixed drives
• It uses WQL to delete shadow copies
• It deletes the following services:
  • wdnissvc
  • WinDefend
  • wscsvc
  • sppsvc
  • Sense
  • SecurityHealthService
• It attempts logging in to infected machine using specific sets of email and password.

It accepts the following parameters:

• -pass {value} Uses the first 32 characters of the value as key to decrypt the main routine. Required to execute properly.
• And performs only one from the following parameters:
• -safe → Reboots in safeboot
• -path {target} → Specifically encrypt the target, can be file or folder
• -gspd → Perform Group Policy Modification for Lateral Movement
• -psex → Lateral Movement via Admin Shares
• -gdel → Delete group policy updates
• -del → Delete itself

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files found in the following folders:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• all users
• boot
• config.msi
• default
• intel
• msocache
• perflogs
• program files
• program files (x86)
• programdata
• public
• system volume information
• tor browser
• windows
• windows.old
• x64dbg

It appends the following extension to the file name of the encrypted files:

• .qxzb3ZaxP

It drops the following file(s) as ransom note:

• {Encrypted Directory}\qxzb3ZaxP.README.txt
  

It avoids encrypting files with the following file extensions:

• 386
• adv
• ani
• bat
• bin
• cab
• cmd
• com
• cpl
• cur
• deskthemepack
• diagcab
• diagcfg
• diagpkg
• dll
• drv
• exe
• hlp
• hta
• icl
• icns
• ico
• ics
• idx
• key
• ldf
• lnk
• lock
• mod
• mpa
• msc
• msi
• msp
• msstyles
• msu
• nls
• nomedia
• ocx
• pdb
• prf
• ps1
• rom
• rtp
• scr
• shs
• spl
• sys
• theme
• themepack
• wpx