Lockbit 3.0 Ransomware Attack Demo
Summary
TLDR: This demonstration showcases the capabilities of the Juniper SRX firewall in identifying and isolating Lockbit 3.0 ransomware attacks. The script details the ransomware's operation, encryption methods, and the SRX's proactive detection using machine learning. It also illustrates the firewall's response to infected hosts by blocking them at threat levels 8-10 and the process of reconnecting a cleaned system to the network.
Takeaways
- 🔒 The Juniper SRX firewall is capable of identifying Lockbit 3.0 ransomware and isolating infected hosts.
- 💥 The Lockbit ransomware gang was notably active in 2022, targeting high-profile businesses and government organizations.
- 🛠️ A disgruntled developer allegedly leaked the private ransomware Builder, which was disputed by a public spokesperson of the Lockbit gang.
- 📅 The Lockbit 3.0 operation started in June 2022 and continues to be a threat to businesses.
- 🛑 The ransomware Builder allows customization of encryption parameters, including processes to stop and files not to encrypt.
- 📁 The ransomware files lb3.exe and lb3pass.exe are created upon building the ransomware with the Builder.
- 🔐 A password is required to run lb3pass.exe, which the gang uses as one method of evading sandbox analysis.
- 💻 The script demonstrates the encryption of files on a Windows client and the modification of file icons by the ransomware.
- 📝 A ransom note, readme.txt, is included by the ransomware, providing instructions to contact the operator for decryption.
- 🚨 The SRX firewall proactively detected the ransomware using a machine learning model engine, scoring the host at Threat Level 9.
- ⛔️ The SRX firewall, configured to block at Threat Level 8 to 10, successfully disconnected the infected host from the network.
- 🔄 After cleaning the infected host, the status can be changed in the Security Director to 'Resolved and Fixed' to reconnect the host to the network.
Q & A
What is the Lockbit 3.0 ransomware and what is its significance?
- Lockbit 3.0 is a type of ransomware that has been particularly prevalent in 2022, known for high-profile cyber attacks, including those targeting government organizations. It encrypts files and demands ransom for their decryption.
How did the Lockbit ransomware builder become publicly available?
- A person on Twitter claimed to have hacked Lockbit servers and obtained the builder. However, a public spokesperson for the Lockbit gang disputed this, suggesting instead that a disgruntled developer leaked the private ransomware builder.
What is the purpose of the configuration file in the Lockbit ransomware builder?
- The configuration file allows the customization of various parameters for the ransomware, such as encryption mode, processes and services to stop, and files and directories not to encrypt.
How does the Lockbit ransomware builder create the ransomware files?
- When the build button is clicked, the ransomware builder creates lb3.exe and lb3pass.exe files in the build folder, along with a decryptor that requires a password for use.
What is the role of Wireshark in the demonstration of the Lockbit ransomware attack?
- Wireshark is used to monitor the HTTP downloads that occur during the ransomware attack, providing visibility into the network traffic and file transfers.
How does the SRX firewall detect the Lockbit ransomware attack?
- The SRX firewall uses a machine learning model engine for proactive detection of malware behaviors, scoring the threat level and blocking infected hosts based on predefined policies.
What is the Threat Level configuration for blocking infected hosts and HTTP downloads in the SRX firewall?
- The SRX firewall is configured to block infected hosts at Threat Level 8 to 10 and to block HTTP downloads at a threat score level of 7 to 10.
What happens when a host is detected as infected by the SRX firewall?
- When a host is detected as infected, the SRX firewall disconnects it from the network to prevent further spread of the malware, as per the configured threat level policies.
How can an infected host be reconnected to the network after being cleaned?
- After the host is cleaned and no longer infected, the investigation status can be changed to 'Resolved and Fixed' in the Security Director, which will allow the machine to reconnect to the network.
What is the role of the Security Director in managing the SRX and its policies?
- The Security Director (Junos Space) is used to manage the SRX firewall and its policies, including threat prevention configurations and handling of infected hosts.
What is the significance of the ransom note 'readme.txt' included by the ransomware?
- The 'readme.txt' ransom note contains instructions on how to contact the ransomware operator to negotiate the decryption of the files, which is a common tactic used by ransomware to extort money from victims.
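The two thresholds described above (HTTP downloads blocked at score 7 to 10, hosts isolated at Threat Level 8 to 10) and the "Resolved and Fixed" status that lifts the isolation are easy to misread as one setting. The following added example models that policy in Python so the two decisions can be traced separately over a feed of download verdicts. It is not Juniper code: the feed format, the rule that a host's threat level is the highest score among its downloads, and the status names are assumptions made for illustration, and the sample events are constructed.

```python
"""Model of the demo's block-on-threat-level policy (added example, not Juniper code).

Assumptions made here, not taken from Junos Space / ATP Cloud:
  * download verdicts arrive as CSV lines "host,filename,verdict,score"
  * a host's threat level is the highest score among its downloads
  * investigation status is either "Open" (isolated) or "Resolved and Fixed"
"""
from dataclasses import dataclass
from typing import Dict, List

# Thresholds as configured in the demo's threat prevention policy.
HTTP_DOWNLOAD_BLOCK_MIN = 7   # block HTTP downloads with threat score 7..10
INFECTED_HOST_BLOCK_MIN = 8   # isolate hosts with threat level 8..10
MAX_SCORE = 10


@dataclass
class DownloadEvent:
    host: str
    filename: str
    verdict: str      # "malicious", "suspicious" or "benign"
    score: int        # 0..10 threat score from the sandbox / ML engine


# Constructed sample feed; file names follow the demo, scores are made up.
SAMPLE_FEED = """\
# host,filename,verdict,score
pc1,lb3.exe,malicious,9
pc1,lb3_pass.exe,malicious,9
pc1,lbb.txt,benign,0
pc2,quarterly-report.pdf,benign,1
pc3,updater.exe,suspicious,6
"""


def parse_feed(text: str) -> List[DownloadEvent]:
    """Parse the constructed CSV feed, skipping blanks and '#' comments."""
    events: List[DownloadEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, filename, verdict, score = (f.strip() for f in line.split(","))
        score_int = int(score)
        if not 0 <= score_int <= MAX_SCORE:
            raise ValueError(f"threat score out of range: {line}")
        events.append(DownloadEvent(host, filename, verdict, score_int))
    return events


def download_action(event: DownloadEvent) -> str:
    """Per-transfer decision: the HTTP download is blocked at score 7..10."""
    return "block" if event.score >= HTTP_DOWNLOAD_BLOCK_MIN else "allow"


def host_threat_levels(events: List[DownloadEvent]) -> Dict[str, int]:
    """Host threat level = highest score seen for that host (modelling assumption)."""
    levels: Dict[str, int] = {}
    for ev in events:
        levels[ev.host] = max(levels.get(ev.host, 0), ev.score)
    return levels


class InfectedHostPolicy:
    """Tracks which hosts are isolated and their investigation status."""

    def __init__(self) -> None:
        self.status: Dict[str, str] = {}   # host -> "Open" | "Resolved and Fixed"

    def evaluate(self, events: List[DownloadEvent]) -> List[str]:
        """Isolate every host at level 8..10 that an operator has not yet resolved."""
        for host, level in host_threat_levels(events).items():
            if level >= INFECTED_HOST_BLOCK_MIN and self.status.get(host) != "Resolved and Fixed":
                self.status[host] = "Open"
        return self.blocked_hosts()

    def blocked_hosts(self) -> List[str]:
        return sorted(h for h, s in self.status.items() if s == "Open")

    def resolve(self, host: str) -> None:
        """Operator marks the cleaned host 'Resolved and Fixed'; the isolation is lifted."""
        if host not in self.status:
            raise KeyError(f"no investigation open for {host}")
        self.status[host] = "Resolved and Fixed"

    def is_reachable(self, host: str) -> bool:
        """Ping/RDP to an isolated host fails; any other host is reachable."""
        return self.status.get(host) != "Open"


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for ev in feed:
        print(f"{ev.host:4} {ev.filename:22} score={ev.score:2} -> {download_action(ev)}")
    policy = InfectedHostPolicy()
    print("isolated after evaluation:", policy.evaluate(feed))
    policy.resolve("pc1")
    print("isolated after Resolved and Fixed:", policy.blocked_hosts())
```

Note that pc3 sits at level 6: its download is allowed and the host stays on the network, which is exactly the gap between the two thresholds, while a score-7 download would be dropped without the host being isolated. The model deliberately does not re-isolate a resolved host from the same feed; a fresh detection in a real deployment would raise the level again.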
Outlines
🛡️ Juniper SRX Firewall's Ransomware Detection and Isolation
This section summarizes the demonstration of the Juniper SRX firewall's ability to identify and isolate Lockbit 3.0 ransomware. The Lockbit ransomware gang was notably active in 2022, targeting businesses and government organizations. The demonstration involves creating the ransomware using a Builder, which can be configured to set encryption modes and define parameters such as processes to stop and files not to encrypt. The ransomware, once launched, encrypts files and modifies their icons, leaving a ransom note with instructions for decryption. The SRX firewall is shown to detect the attack through behavioral analysis, using a machine learning model engine, and isolates the infected host by disconnecting it from the network until it's cleaned and deemed safe to reconnect.
🔒 SRX Firewall's Response to Ransomware Infection
The second section details the SRX firewall's response to a detected ransomware infection. Once the ransomware, identified as lb3.exe and lb3_pass.exe, is downloaded from an HTTP server, the Security Director detects it proactively using machine learning. The infected host is scored at Threat Level 9 due to the malicious file download, triggering the SRX to block the host from the network. This isolation prevents further communication with the infected machine until it is cleaned. After remediation, the investigation status in the Security Director can be changed to 'Resolved and Fixed', allowing the machine to reconnect to the network and regain internet connectivity.
Keywords
💡Juniper SRX firewall
💡Lockbit 3.0
💡Ransomware attack
💡Ransomware Builder
💡Encryption mode
💡Threat Level
💡Threat score
💡Behavioral analysis
💡Machine learning model engine
💡Security Director
💡Isolation
Highlights
Demonstration of Juniper SRX firewall identifying Lockbit 3.0 ransomware.
Lockbit ransomware gang was one of the most prevalent attackers of businesses in 2022.
Controversy over the hacking of Lockbit servers and the release of the ransomware Builder.
Lockbit 3.0 operation began in June 2022 and continues to infect businesses.
Explanation of how the ransomware operates and encrypts files using a Builder.
Creation of ransomware files lb3.exe and lb3pass.exe using the Builder.
Use of a password for lb3pass.exe as a method to evade sandbox analysis.
Infection simulation on a Windows computer with visible documents on the desktop.
Wireshark used to monitor HTTP downloads during the ransomware attack.
Files on the desktop encrypted with a delay and modified file icons.
Inclusion of a ransom note readme.txt with instructions for decryption.
Simulation of the ransomware attack with the SRX firewall involved.
SRX firewall's detection capabilities using a machine learning model engine.
SRX firewall configured to block infected hosts at Threat Level 8 to 10.
Disconnection of the infected host from the network by the SRX firewall.
Process to reconnect a cleaned and disinfected host back to the network.
Restoration of network connectivity to the cleaned Windows client.
Transcripts
this demonstration shows how the Juniper
SRX firewall can identify Lockbit 3.0
ransomware and isolate an infected host
in the context of ransomware attacks in
2022 the Lockbit ransomware gang was among
the most prevalent ransomware to strike
businesses they were responsible for
high profile cyber attacks including the
government organizations
on September 21st 2022 someone on
Twitter claimed that they were able to
hack Lockbit servers and get a hold of
the Builder
a public spokesperson of the Lockbit gang
though disputed the hack
instead a disgruntled developer leaked
the private ransomware Builder
the Lockbit 3.0 operation began in June
2022 and is still infecting businesses
to date
we'll demonstrate how this attack
operates and encrypts files we will
create the ransomware using the Builder
and host it on the HTTP server
Powershell will then be used to launch
the attack on a Windows client
the compromised Builder consists of
builder.exe and the configuration file
that may be edited to define various
parameters such as encryption mode the
processes the services to stop and the
files and directories not to encrypt
when you click on build.bat the
ransomware files lb3.exe and
lb3pass.exe will be created in the build
folder there's also the decryptor a
password is necessary for the
lb3pass.exe to infect the system
they use this as one method of evading
sandboxes
in the next section we'll infect the
Windows computer some documents can be
seen on the desktop to show that Lockbit
encrypts these files
Wireshark is launched in order to
monitor the HTTP downloads
using Powershell and the command prompt
we launched the attack
as you can see it downloads lb3.exe and
lbb.txt the Powershell script
the files on the desktop are now
encrypted after a little delay
the encrypted file icons were also
modified by the ransomware
you can see that the files are rather
heavily encrypted if you open them in a
text editor
they also included a ransom note
readme.txt that contains instructions on
how to get in touch with the ransomware
operator to have your files decrypted
in the following we will simulate the
attack with the SRX involved to show how
the SRX firewall will be able to detect
this attack
the following diagram shows you the
components used in this demonstration an
SRX client is involved attached to it
are several Windows hosts an Ubuntu
machine is also attached to it which
will act as the malware server
a Security Director (Junos Space) is also
included which will be used to manage
our SRX and policies we will use the
Windows client PC1 to launch the attack
from our jump station we log into the
security director which we'll use to
manage our SRX and our policies
we will go to configure threat
prevention and then the policies
as you can see it's configured to block
infected host at Threat Level 8 to 10.
for HTTP downloads it is configured to
block at a threat score level 7 to 10.
using RDP we're connecting to one of the
Windows clients that we're going to
infect before we begin we want to make
sure that this client has internet
connectivity
next using the command line we execute
the attack in the background you can see
Wireshark and the files being downloaded
from the HTTP server
if we go back to security director we
can see that it has detected the
ransomware
lb3.exe and lb3_pass.exe
we can click on the file to see more
details about the specific download
under the behavioral analysis we can see
the behaviors that have been seen
it is important to note that this
malware was detected proactively using
the machine learning model engine
if we look at the host it was scored at
Threat Level 9 and it shows that this
was because of a downloaded malicious
file
since our SRX is configured to block
host at Threat Level 8 through 10 it
will disconnect this host from the
network
since this host is disconnected from the
network we're not able to ping this
machine or connect to it via RDP
once the machine is cleaned and is no
longer infected we can go back to
security director to get this machine
back on the network in order to do this
we change the investigation status back
to Resolved and Fixed which will put the
machine back on the network
as you can see we can once again ping
the machine and connect to it
the Windows client is now connected back
to the network and has internet
connectivity once again