
Paulo Pereira, PhD
Abstract
This article, Part I, focuses on the forensic analysis of the Lockbit 3.0 (Black) files. Lockbit 3.0 represents a class of Ransomware as a Service (RaaS), and its availability has increased the attack surface.
I. The Lockbit 3.0 Black files
This article uses a virtual environment prepared to test the Lockbit ransomware, version 3.0, known as Black. A few months ago, some files of this version were leaked; Figure 1 below shows these files. The REMnux Linux platform is used to gather file information, to open the executable files in Ghidra and to open the text files in Visual Studio. The victim is represented by a Windows 10 virtual host, created to receive the files and to observe the infection process.
Figure 1: Lockbit 3 Black files
When the Builder.bat file is executed, several command instructions are executed as shown in Figure 2.
Figure 3: The Builder.bat instructions
Figure 4 then shows the files that were created:
Figure 4: The files created by Builder.bat
The Password_exe.txt file contains the commands to execute LB3_pass.exe or LB3.exe files. Figure 5 shows these instructions.
Figure 5: Password_exe.txt file
This step encrypts the files on the victim's system. On the attacker's side, which holds the private key, LB3Decryptor.exe can be used to decrypt the victim's encrypted files.
Figure 6: Running LB3Decryptor.exe
II. A Little....
Author

- Paulo Pereira is an independent malware analyst, Cyber Security Professional, EXIN Instructor.