Threat analysis study: LockBit

Posted date 23/03/2023
Author
INCIBE (INCIBE)
Study decorative image

We add a new study to our collection analysing malware threats and campaigns affecting Spain. This study compiles the capabilities of a series of analysed samples belonging to the LockBit malware family, specifically version 3.0 of the same, describing in detail the execution chain of the samples, including their comparative analysis, with the aim of reviewing their differences.

Through a static and dynamic analysis of a sample of this malware in a controlled environment, the study gathers information which will help to find out the details of the tools and techniques used (anti-detection and anti-reverse-engineering), as well as its functioning and configuration, with the aim to provide the mechanisms necessary to identify and respond to the threat.

To this end, the entire execution flow of the infection and its analysis is reviewed, providing information on defensive techniques employed by the threat, encryption methods used and more information. The study also includes details on the encryption algorithm used by LockBit, as well as the configuration and text strings that are decrypted during execution.

Finally, indicators of compromise (IOCs) associated with LockBit 3.0 are also included, along with tactics, techniques and procedures (TTPs), and information regarding the scripts used for sample analysis.

The full study can be downloaded below: