Analytics Story: LockBit Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransom notes), service deletion, process termination, registry key modification and more.

Why it matters

LockBit ransomware was first seen in 2019. It has been used by cybercriminals to target multiple sectors and organizations. LockBit is offered as Ransomware-as-a-Service (RaaS), and its affiliates are known to apply 'double extortion' techniques: uploading stolen, sensitive victim data to the group's dark-web site and then threatening to sell or publicly release it if their demands are not met. LockBit has advertised opportunities for threat actors who can provide credential access via RDP and VPN. It also uses threat emulation tools such as Cobalt Strike and Metasploit to gain a foothold on the targeted host and persist if needed.

Detections

Name | Technique | Type
CMLUA Or CMSTPLUA UAC Bypass | System Binary Proxy Execution, CMSTP | TTP
Cobalt Strike Named Pipes | Process Injection | TTP
Common Ransomware Extensions | Data Destruction | Hunting
Common Ransomware Notes | Data Destruction | Hunting
Deleting Shadow Copies | Inhibit System Recovery | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Fsutil Zeroing File | Indicator Removal | TTP
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Known Services Killed by Ransomware | Inhibit System Recovery | TTP
Modification Of Wallpaper | Defacement | TTP
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Suspicious Process File Path | Create or Modify System Process | TTP
UAC Bypass With Colorui COM Object | System Binary Proxy Execution, CMSTP | TTP
Wbemprox COM Object Execution | System Binary Proxy Execution, CMSTP | TTP
Windows Modify Registry Default Icon Setting | Modify Registry | Anomaly
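As an added illustration (not part of the Splunk content or of this story), the Python below reproduces the logic behind the "Ransomware Notes bulk creation" detection over constructed Sysmon Event ID 11 records in XmlWinEventLog form: one process writing a note-named file into many distinct directories within a short window. The process path, note file name, window and threshold are assumptions, not values from the page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 11 (FileCreate) records in XmlWinEventLog shape; not real telemetry.
def _event(utc, image, target):
    return (f"<Event><System><EventID>11</EventID></System><EventData>"
            f"<Data Name='UtcTime'>{utc}</Data><Data Name='Image'>{image}</Data>"
            f"<Data Name='TargetFilename'>{target}</Data></EventData></Event>")

ENCRYPTOR = r"C:\Users\alice\AppData\Local\Temp\enc.exe"   # constructed process path
SAMPLE_XML = [
    _event(f"2024-01-01 10:00:{i:02d}.000", ENCRYPTOR,
           rf"C:\Users\alice\Documents\folder{i}\RESTORE_FILES_NOTE.txt")
    for i in range(12)
] + [  # benign: a single note-like file from explorer.exe must not trip the detection
    _event("2024-01-01 10:00:05.000", r"C:\Windows\explorer.exe",
           r"C:\Users\alice\Documents\RESTORE_FILES_NOTE.txt"),
]

# Constructed stand-in for the curated list of known ransom-note file names.
NOTE_NAMES = {"restore_files_note.txt"}

def parse_event(xml_text):
    """Flatten one XmlWinEventLog event into a dict of its EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.iter("Data")}
    data["EventID"] = int(root.findtext("./System/EventID"))
    return data

def bulk_note_creation(events, threshold=10, window=timedelta(minutes=1)):
    """Return {image: n} for processes that created a ransom-note-named file in
    at least `threshold` distinct directories within any `window` of time."""
    by_image = defaultdict(list)
    for ev in events:
        folder, _, name = ev["TargetFilename"].rpartition("\\")
        if ev["EventID"] == 11 and name.lower() in NOTE_NAMES:
            when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            by_image[ev["Image"]].append((when, folder))
    hits = {}
    for image, writes in by_image.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):          # sliding time window over sorted writes
            while writes[end][0] - writes[start][0] > window:
                start += 1
            dirs = {folder for _, folder in writes[start:end + 1]}
            if len(dirs) >= threshold:
                hits[image] = max(hits.get(image, 0), len(dirs))
    return hits
```

In Splunk the same grouping is a `bin _time` plus `stats dc(TargetFilename) by Image` over Sysmon Event ID 11; the sliding window here is a stricter, alert-oriented variant of that bucketing.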

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7036 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 1