From the Labs: YARA Rule for Detecting LockBit

Our team of threat analysts are constantly working to respond and provide our customers — and the security community — with information and tools to defend their systems from attacks. Constantly checking past open source YARA rules we’ve released to ensure they are of the highest quality is a big part of this effort. Written by our threat analysts, our high-quality YARA rules are intended for threat hunters, incident responders, security analysts, and other defenders.

Our detection rules are high fidelity. As opposed to hunting rules, these detection rules must satisfy certain criteria to be eligible for deployment, namely: they must be as precise as possible, without losing detection quality. Also, our YARA rules aim to provide zero false-positive detections. 

This week, let’s revisit LockBit, which has targeted large organizations in several countries since September, 2019. Below, you will learn more about this threat and the YARA rule our team created to respond to it. 

LockBit: A Self-Spreading Threat

LockBit Ransomware blocks a user’s access to an infected system, forcing a victim to pay a hefty ransom to regain access. LockBit is sophisticated in that it scans target environments for optimal targets and is self-spreading, allowing it to encrypt any vulnerable and accessible system on a compromised network. This makes it unique compared to other ransomware, which typically requires manual direction from attackers (or human error from victims) to spread within environments. The malware often disguises itself as a .PNG image file format, allowing it to bypass a system’s threat detection abilities. 

LockBit functions as ransomware-as-a-service (RaaS), in which representatives of the ransomware gang promote the operation, provide support on (Russian-language) hacking forums, and recruit experienced threat actors to pull off the attack. The gang splits the ransom payment between themselves and other attacking affiliates, who can get up to 75% of the ransom funds. 

LockBit developers switched gears in June, 2021 when they announced LockBit 2.0 RaaS, which is a more advanced version of the malware. Following the gang’s reboot, advisories from several government agencies were released about the ransomware gang’s new campaign. For example, in August, 2021 the Australian Cyber Security Centre released an alert status on LockBit 2.0 after “a number of Australian organisations” were impacted by the ransomware. Soon after, LockBit infected the consultancy Accenture. The gang demanded that the Fortune 500 company pay a $50 Million ransom. In the aftermath of this attack and others across  multiple countries, the Federal Bureau of Investigation (FBI) released a flash report (PDF). It details the components of LockBit 2.0, and it also calls for any organization impacted by the ransomware to hand the attack details over to the FBI. 

Detecting LockBit

ReversingLabs LockBit YARA rule is designed to detect this ransomware within your environment with high fidelity and almost no false-positives. 

Download the LockBit YARA Rule from GitHub here: 

Win32.Ransomware.LockBit.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our GitHub page. 

The Work Doesn’t Stop Here

ReversingLabs’ team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.