Lock -(B)- it : A Tale of Ransomware

-

EXECUTIVE SUMMARY

             * LockBit is one of the world's most active ransomware group connected to various high-profile attacks. This Blog consists of below Intel related to LockBit Group  

                
                • LockBit & Underground Forums 

                • Affiliates & Partners

                • LockBit Blog - Leaked Data's 

                • LockBit's Builder
    

LOCKBIT & UNDERGROUND FORUMS

       * LockBit's presence in reputed Russian Underground Forums allows it to Hire affiliates for their ransomware & other malware developers as per need.

Some of the most interesting profiles are posted below.

 Profiles


(LockBit's Profile on one of the top russian underground forums)

(LockBit's Profile on other Russian board)


(LockBit's post's on Same Underground Forum)



(Lockbit sponsered competiton of $15,000



AFFILIATES & PARTNERS
            
               * As a RaaS Model , LockBit requires affiliates to get initial access in an Organization . Mostly likely the deal will be in % on a successful attack, where affiliate receives greater percent when compared to lockbit.

LockBit and their other competitors such as Hive , Revil , AvosLocker etc utilizes the same RaaS Model.
          

P.o.V : When things gone wrong , Affiliate panel might endup getting leaked ;)

   

    Affiliate Panel Leaks



 (StealBit Builder)


(LockBit Builder - Black)
               

    (Lockbit Linux / ESXI version Builder)

LOCKBIT's BLOG - LEAKED DATA's

  Interface of LockBit Leak Site




  Security Firm Darktrace Leaks on LockBit




  Onion Mirror


            * LockBit has 9 tor Mirror sites & 24 server mirror sites & 9 chat reserve mirror with ANTI DDOS protection.




Bug Bounty

              
              * LockBit Mostly like offer's Bug Bounty for the VULN's found on Ransomware , Tor webpage , Doxing , The payout will be cypto (BTC , XMR , ZCASH)


                                                      
              

LOCKBIT's BUILDERLeak

        * Recent leaks of LockBit Builder by unknown on twitter  URL : https://github.com/3xp0rt/LockBit-Black-Builder


PUBLIC INTERVIEW OF LOCKBIT GROUP
      

    





       


Popular posts from this blog

Analysis of Latin American Bot (Vadokrist) : Part I - Mechanism & Dropper

-
Image
  EXECUTIVE SUMMARY         Vadokrist Trojan aims to steal credentials from victims’ machines and to create banking overlay windows when the victim visits their home banking portals. Here is the list of known Latin American banking Trojans                  • Grandoreiro                  • URSA                  • Javali                   • Vadokrist (aka) Mispadu DISTRIBUTION         Vadokrist is propagated via social engineering schemas – namely, phishing/malscam campaigns TECHNICAL ANALYSIS            Abusing MSI (Windows Installer) was one of the growing threat in cyber industry. In this sample the msi file acts as a dropper for VadoKrist Trojan          Here we can see the obfuscated JS code Binded into Windows Installer (MSI) which drop a zip file and extracts Vadokrist Trojan    Here is the Full obfuscated code of the dropper                                             
Read more

Analysis of Remote Template Injection used by APT

-
Image
  EXECUTIVE SUMMARY          Attackers are continually trying to find new ways to target users with malware sent via email.Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code to get initial access. There are numerous techniques used on these malicious docs to bypass anti-virus detection (VBAStomping, obfuscation, etc.). One such method is Remote Template Injection.   TECHNICAL INVESTGATION          Remote template injection was initially found in 2017 , later used by many APT's such as Gamaredon , Lazarus and many more .It was also listed on MITRE (T1221)   In this scenario the template with Macro will be hosted on the attacker's server will get executed when the victim clicks on enable macro   ANALYSIS OF GAMAREDON's SAMPLE            The sample of gamaredon group was found by researchers and shared on Malware Bazaar  Upon opening the sample in word, we can se
Read more