Lockbit 3.0 Ransomware Attack Demo
Summary
TL;DR: This demonstration showcases the capabilities of the Juniper SRX firewall in identifying and isolating Lockbit 3.0 ransomware attacks. The script walks through the ransomware's operation and encryption methods, then shows the SRX's proactive detection using a machine learning model. It also illustrates the firewall's response to an infected host, which it blocks at threat levels 8-10, and the process of reconnecting a cleaned system to the network.
Takeaways
- 🔒 The Juniper SRX firewall is capable of identifying Lockbit 3.0 ransomware and isolating infected hosts.
- 💥 The Lockbit ransomware gang was notably active in 2022, targeting high-profile businesses and government organizations.
- 🛠️ A disgruntled developer allegedly leaked the private ransomware builder, a claim that was disputed by a public spokesperson of the Lockbit gang.
- 📅 The Lockbit 3.0 operation started in June 2022 and continues to be a threat to businesses.
- 🛑 The ransomware builder allows customization of encryption parameters, including which processes to stop and which files not to encrypt.
- 📁 The ransomware files lb3.exe and lb3pass.exe are created when the ransomware is built with the builder.
- 🔐 A password is required for the lb3pass.exe decryptor, which is used to evaluate sandboxes.
- 💻 The script demonstrates the encryption of files on a Windows client and the modification of file icons by the ransomware.
- 📝 A ransom note, readme.txt, is included by the ransomware, providing instructions to contact the operator for decryption.
- 🚨 The SRX firewall proactively detected the ransomware using a machine learning model engine, scoring the host at Threat Level 9.
- ⛔️ The SRX firewall, configured to block at Threat Level 8 to 10, successfully disconnected the infected host from the network.
- 🔄 After cleaning the infected host, the status can be changed in the Security Director to 'Resolved and Fixed' to reconnect the host to the network.
Q & A
What is the Lockbit 3.0 ransomware and what is its significance?
- Lockbit 3.0 is a type of ransomware that was particularly prevalent in 2022, known for high-profile cyber attacks, including those targeting government organizations. It encrypts files and demands a ransom for their decryption.
How did the Lockbit ransomware builder become publicly available?
- A person on Twitter claimed to have hacked Lockbit servers and obtained the builder. However, a public spokesperson for the Lockbit gang disputed this, suggesting instead that a disgruntled developer leaked the private ransomware builder.
What is the purpose of the configuration file in the Lockbit ransomware builder?
- The configuration file allows the customization of various parameters for the ransomware, such as the encryption mode, the processes and services to stop, and the files and directories not to encrypt.
How does the Lockbit ransomware builder create the ransomware files?
- When the build button is clicked, the ransomware builder creates the lb3.exe and lb3pass.exe files in the build folder, along with a decryptor that requires a password for use.
What is the role of Wireshark in the demonstration of the Lockbit ransomware attack?
- Wireshark is used to monitor the HTTP downloads that occur during the ransomware attack, providing visibility into the network traffic and file transfers.
How does the SRX firewall detect the Lockbit ransomware attack?
- The SRX firewall uses a machine learning model engine for proactive detection of malware behaviors, scoring the threat level and blocking infected hosts based on predefined policies.
What is the Threat Level configuration for blocking infected hosts and HTTP downloads in the SRX firewall?
- The SRX firewall is configured to block infected hosts at Threat Level 8 to 10 and to block HTTP downloads at a threat score level of 7 to 10.
What happens when a host is detected as infected by the SRX firewall?
- When a host is detected as infected, the SRX firewall disconnects it from the network to prevent further spread of the malware, as per the configured threat level policies.
How can an infected host be reconnected to the network after being cleaned?
- After the host is cleaned and no longer infected, the investigation status can be changed to 'Resolved and Fixed' in the Security Director, which allows the machine to reconnect to the network.
What is the role of the Security Director in managing the SRX and its policies?
- The Security Director, part of Junos Space, is used to manage the SRX firewall and its policies, including threat prevention configurations and the handling of infected hosts.
What is the significance of the ransom note 'readme.txt' included by the ransomware?
- The 'readme.txt' ransom note contains instructions on how to contact the ransomware operator to negotiate the decryption of the files, a common tactic used by ransomware to extort money from victims.