Lockbit 3.0 Ransomware Attack Demo

Juniper Networks
3 Mar 2023 08:16

Summary

TL;DR: This demonstration shows the Juniper SRX firewall identifying a Lockbit 3.0 ransomware attack and isolating the infected host. The script covers how the ransomware is built and launched, how it encrypts files, and the SRX's proactive detection using a machine learning model engine. It also shows the firewall blocking hosts scored at Threat Level 8 to 10 and the process of reconnecting a cleaned system to the network.

Takeaways

  • The Juniper SRX firewall is capable of identifying Lockbit 3.0 ransomware and isolating infected hosts.
  • The Lockbit ransomware gang was notably active in 2022, targeting high-profile businesses and government organizations.
  • Someone on Twitter claimed to have hacked Lockbit's servers and obtained the private ransomware Builder; a public spokesperson for the gang disputed the hack and said a disgruntled developer had leaked it instead.
  • The Lockbit 3.0 operation started in June 2022 and continues to be a threat to businesses.
  • The Builder's configuration file allows customization of the encryption mode and other parameters, including processes and services to stop and files and directories not to encrypt.
  • Building the ransomware with the Builder produces lb3.exe and lb3pass.exe, along with a decryptor.
  • lb3pass.exe only runs when supplied with its password, which the operators use as one method of evading sandboxes.
  • The script demonstrates the encryption of files on a Windows client and the modification of file icons by the ransomware.
  • A ransom note, readme.txt, is dropped by the ransomware, providing instructions to contact the operator for decryption.
  • The SRX firewall proactively detected the ransomware using a machine learning model engine and scored the host at Threat Level 9.
  • The SRX firewall, configured to block at Threat Level 8 to 10, disconnected the infected host from the network.
  • After cleaning the infected host, its investigation status can be changed in Security Director to 'Resolved and Fixed' to reconnect the host to the network.

Q & A

  • What is the Lockbit 3.0 ransomware and what is its significance?

    -Lockbit 3.0 is a type of ransomware that has been particularly prevalent in 2022, known for high-profile cyber attacks, including those targeting government organizations. It encrypts files and demands ransom for their decryption.

  • How did the Lockbit ransomware builder become publicly available?

    -A person on Twitter claimed to have hacked Lockbit servers and obtained the builder. However, a public spokesperson for the Lockbit gang disputed this, suggesting instead that a disgruntled developer leaked the private ransomware builder.

  • What is the purpose of the configuration file in the Lockbit ransomware builder?

    -The configuration file allows the customization of various parameters for the ransomware, such as encryption mode, processes and services to stop, and files and directories not to encrypt.

  • How does the Lockbit ransomware builder create the ransomware files?

    -When the build button is clicked, the Builder creates lb3.exe and lb3pass.exe in the build folder, along with a decryptor. lb3pass.exe only infects the system when it is given its password, a technique the operators use to evade sandboxes.

  • What is the role of Wireshark in the demonstration of the Lockbit ransomware attack?

    -Wireshark is used to monitor the HTTP downloads that occur during the ransomware attack, providing visibility into the network traffic and file transfers.

  • How does the SRX firewall detect the Lockbit ransomware attack?

    -The SRX firewall uses a machine learning model engine for proactive detection of malware behaviors, scoring the threat level and blocking infected hosts based on predefined policies.

  • What is the Threat Level configuration for blocking infected hosts and HTTP downloads in the SRX firewall?

    -The SRX firewall is configured to block infected hosts at Threat Level 8 to 10 and to block HTTP downloads at a threat score level of 7 to 10.

  • What happens when a host is detected as infected by the SRX firewall?

    -When a host is detected as infected, the SRX firewall disconnects it from the network to prevent further spread of the malware, as per the configured threat level policies.

  • How can an infected host be reconnected to the network after being cleaned?

    -After the host is cleaned and no longer infected, the investigation status can be changed to 'Resolved and Fixed' in the Security Director, which will allow the machine to reconnect to the network.

  • What is the role of the Security Director in managing the SRX and its policies?

    -Security Director, running on Junos Space, is used to manage the SRX firewall and its policies, including threat prevention configurations and the handling of infected hosts.

  • What is the significance of the ransom note 'readme.txt' included by the ransomware?

    -The 'readme.txt' ransom note contains instructions on how to contact the ransomware operator to negotiate the decryption of the files, which is a common tactic used by ransomware to extort money from victims.

Outlines

00:00

Juniper SRX Firewall's Ransomware Detection and Isolation

This section demonstrates the capabilities of the Juniper SRX firewall in identifying and isolating Lockbit 3.0 ransomware. The Lockbit ransomware gang was notably active in 2022, targeting businesses and government organizations. The demonstration creates the ransomware with the leaked Builder, whose configuration file sets the encryption mode and parameters such as processes and services to stop and files and directories not to encrypt. The resulting ransomware is hosted on an HTTP server and launched on a Windows client with PowerShell; once running, it encrypts the files on the desktop, modifies their icons, and leaves a ransom note (readme.txt) with instructions for decryption. The SRX firewall, managed through Security Director, detects the attack through behavioral analysis backed by a machine learning model engine and isolates the infected host by disconnecting it from the network until it is cleaned and deemed safe to reconnect.
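The on-host symptoms described above (documents replaced by copies that read as noise in a text editor, plus a dropped readme.txt) can be checked for from the host side as well as at the firewall. The following Python is an added example, not code from the video or from Juniper: it compares two constructed directory snapshots and flags the ransomware pattern. The file names, the appended extension ".zx9q1pl4k" and the note text are made up for the example, and the "encrypted" content is a hash chain used only to produce high-entropy bytes.

```python
import hashlib
import math
from collections import Counter

# Constructed "desktop" snapshots standing in for the Windows client in the
# video (not real files): before the ransomware ran, and after.
BEFORE = {
    "Budget.txt": b"Q1 budget: hardware 12000, software 8000, travel 3000.\n" * 40,
    "Contacts.csv": b"name,phone,email\nAlice,555-0100,alice@example.test\n" * 60,
    "Notes.txt": b"Meeting notes: rotate SRX admin credentials, review the policy.\n" * 50,
}


def _pseudo_ciphertext(label: str, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content.
    A SHA-256 hash chain, not real encryption; it only keeps the demo reproducible."""
    out, block = bytearray(), label.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Originals gone, high-entropy copies carrying a made-up appended extension,
# and a ransom note. The note text is invented for the example.
AFTER = {
    "Budget.txt.zx9q1pl4k": _pseudo_ciphertext("Budget", 2200),
    "Contacts.csv.zx9q1pl4k": _pseudo_ciphertext("Contacts", 3000),
    "Notes.txt.zx9q1pl4k": _pseudo_ciphertext("Notes", 3300),
    "readme.txt": b"Your files are encrypted. To get the decryptor, contact the "
                  b"operator at the address below and quote your personal ID.\n",
}
# Control case: a compressed photo is high-entropy too, but nothing went missing.
BENIGN_AFTER = dict(BEFORE, **{"Holiday.jpg": _pseudo_ciphertext("jpeg", 4000)})

RANSOM_NOTE_TERMS = (b"encrypted", b"decrypt", b"contact")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8. Plain documents sit around 4-5; compressed or
    encrypted data approaches 8, which is why it looks like noise in a text editor."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    return shannon_entropy(data) >= threshold


def is_ransom_note(name: str, data: bytes) -> bool:
    """readme* file whose text uses at least two of the usual extortion terms."""
    text = data.lower()
    return name.lower().startswith("readme") and sum(t in text for t in RANSOM_NOTE_TERMS) >= 2


def detect_ransomware(before: dict, after: dict) -> dict:
    """Compare two snapshots of one directory and report the ransomware pattern:
    originals gone, new high-entropy files named <original>.<ext>, a ransom note.
    A new high-entropy file with no matching original (a JPEG, a zip) is not
    counted, which keeps ordinary compressed files from tripping the check."""
    encrypted = []
    for name, data in after.items():
        if name in before:
            continue
        original, _, ext = name.rpartition(".")   # "Budget.txt.zx9q1pl4k" -> "Budget.txt"
        if ext and original in before and looks_encrypted(data):
            encrypted.append(name)
    missing = sorted(name for name in before if name not in after)
    notes = [name for name, data in after.items() if is_ransom_note(name, data)]
    suspected = len(encrypted) >= 2 or (bool(encrypted) and bool(notes))
    return {"encrypted_files": encrypted, "missing_originals": missing,
            "ransom_notes": notes, "suspected": suspected}
```

The entropy threshold alone is not enough, which is why the check also requires that the new file's name be an original plus an appended extension: JPEGs, archives and already-encrypted office files are high-entropy too, and on their own would make the detector noisy.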

05:01

SRX Firewall's Response to Ransomware Infection

The second paragraph details the SRX firewall's response to a detected ransomware infection. Once the ransomware, identified as lb3.exe and lb3_pass.exe, is downloaded from the HTTP server, Security Director shows that it was detected proactively by the machine learning model engine. The infected host is scored at Threat Level 9 because of the malicious file download, which triggers the SRX to block the host from the network. This isolation stops the infected machine from communicating until it is cleaned; the host can no longer be pinged or reached over RDP. After remediation, the investigation status is changed in Security Director to 'Resolved and Fixed', which puts the machine back on the network and restores its internet connectivity.
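The sequence in this paragraph (download delivered, verdict arrives, host scored 9, host isolated by the 8 to 10 band, released via 'Resolved and Fixed') is modelled below in Python. This is an added example, not code from the video, from Juniper or from Security Director: the HTTP parser and the PE-header check are real, but the verdict cache is a constructed stand-in for the machine learning engine, the client addresses 10.0.0.11 and 10.0.0.12 are made up, and the downloaded "executable" is a stub carrying only a valid MZ/PE header.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Thresholds as shown in the Security Director policy screens in the video.
BLOCK_DOWNLOAD_SCORE = 7   # HTTP downloads with threat score 7-10 are blocked
BLOCK_HOST_LEVEL = 8       # hosts at threat level 8-10 are cut off the network


def parse_http_response(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into status line, lowercase header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode().strip().lower()] = value.decode().strip()
    return lines[0].decode(), headers, body


def is_pe_file(body: bytes) -> bool:
    """True for a Windows PE image: 'MZ' at offset 0 and the e_lfanew pointer at
    offset 0x3C leading to 'PE\\0\\0'. Content-Type is deliberately ignored: a
    malware server can label lb3.exe however it likes."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


@dataclass
class Host:
    ip: str
    threat_level: int = 0
    status: str = "Open"                 # investigation status in Security Director
    blocked: bool = False
    delivered: set[str] = field(default_factory=set)   # sha256 of files it received


class Enforcer:
    """Models the two controls seen in the video: an inline verdict on HTTP
    downloads and an infected-host policy that isolates a client once its
    threat level reaches the configured band."""

    def __init__(self) -> None:
        self.hosts: dict[str, Host] = {}
        # Constructed stand-in for the ML engine: sha256 -> threat score. A file
        # never seen before has no verdict yet, so its first download goes through.
        self.verdicts: dict[str, int] = {}

    def _host(self, ip: str) -> Host:
        return self.hosts.setdefault(ip, Host(ip))

    def inspect_download(self, client_ip: str, url: str, raw_http: bytes) -> dict:
        _status, headers, body = parse_http_response(raw_http)
        digest = hashlib.sha256(body).hexdigest()
        score = self.verdicts.get(digest)
        blocked = score is not None and score >= BLOCK_DOWNLOAD_SCORE
        if not blocked:
            self._host(client_ip).delivered.add(digest)
        return {"url": url, "sha256": digest, "is_pe": is_pe_file(body), "score": score,
                "content_type": headers.get("content-type"),
                "action": "block" if blocked else "permit"}

    def apply_verdict(self, digest: str, score: int) -> list[str]:
        """Analysis finished: cache the score and raise the threat level of every
        host that already received the file. Returns the hosts now isolated."""
        self.verdicts[digest] = score
        isolated = []
        for host in self.hosts.values():
            if digest in host.delivered:
                host.threat_level = max(host.threat_level, score)
                if host.threat_level >= BLOCK_HOST_LEVEL and not host.blocked:
                    host.blocked, host.status = True, "Open"
                    isolated.append(host.ip)
        return isolated

    def set_investigation_status(self, ip: str, status: str) -> None:
        """Only 'Resolved and Fixed', the status used in the video, releases a host."""
        host = self._host(ip)
        host.status = status
        if status == "Resolved and Fixed":
            host.blocked, host.threat_level = False, 0
            host.delivered.clear()

    def allow_traffic(self, ip: str) -> bool:
        return not self._host(ip).blocked


# Constructed sample traffic: a stub with only a valid MZ/PE header (not the
# malware from the video) and placeholder text standing in for the script.
STUB_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 60
LB3_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Length: " + str(len(STUB_PE)).encode() + b"\r\n\r\n" + STUB_PE)
SCRIPT_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                   b"# placeholder standing in for the downloaded PowerShell script\r\n")


def demo() -> dict:
    """Replays the video: the download reaches PC1, the verdict lands, PC1 is
    isolated, a second client's repeat download is blocked inline, the operator
    marks PC1 Resolved and Fixed, and PC1 is back on the network."""
    fw = Enforcer()
    first = fw.inspect_download("10.0.0.11", "/lb3.exe", LB3_RESPONSE)
    script = fw.inspect_download("10.0.0.11", "/lbb.txt", SCRIPT_RESPONSE)
    isolated = fw.apply_verdict(first["sha256"], 9)        # ML engine scores it 9
    repeat = fw.inspect_download("10.0.0.12", "/lb3.exe", LB3_RESPONSE)
    cut_off = not fw.allow_traffic("10.0.0.11")
    fw.set_investigation_status("10.0.0.11", "Resolved and Fixed")
    return {"first": first, "script": script, "isolated": isolated, "repeat": repeat,
            "cut_off": cut_off, "restored": fw.allow_traffic("10.0.0.11")}
```

The walk-through makes explicit something the video only shows: a file with no verdict yet is delivered, so the infected-host control is what actually catches the first victim, and the cached verdict then protects every later client inline. Running demo() returns the decision taken at each step.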

Keywords

Juniper SRX firewall

Juniper SRX firewall is a network security device designed to protect against various threats, including ransomware. In the context of the video, it plays a crucial role in identifying and isolating infected hosts during a ransomware attack. The script describes how the SRX firewall is configured to detect malicious activities and block infected hosts at certain threat levels, demonstrating its proactive security capabilities.

Lockbit 3.0

Lockbit 3.0 is a type of ransomware that encrypts files and demands payment for their decryption. The script mentions that the Lockbit ransomware gang was responsible for high-profile cyber attacks in 2022. The video demonstrates the creation and operation of Lockbit 3.0 ransomware, including its encryption process and the inclusion of a ransom note for the victims.

Ransomware attack

A ransomware attack is a cyber threat where an attacker encrypts a victim's files and demands payment to restore access. The video script provides an example of such an attack, detailing the steps taken by the attacker to infect a host with Lockbit 3.0 and the subsequent encryption of files on the victim's computer.

Ransomware Builder

The Ransomware Builder is a tool used to create custom ransomware. In the script, it is mentioned that a disgruntled developer leaked the private Ransomware Builder, which was then used to create the Lockbit 3.0 ransomware. The Builder allows for customization of encryption modes and other parameters, highlighting the adaptable nature of ransomware threats.

Encryption mode

Encryption mode refers to the specific method used by ransomware to encrypt files. The script explains that the Ransomware Builder allows the attacker to define the encryption mode, which is a key aspect of how the ransomware operates and affects the victim's files.

Threat Level

Threat Level is a measure used by security systems, like the Juniper SRX firewall, to evaluate the severity of a potential threat. The script describes the SRX firewall's configuration to block infected hosts at Threat Level 8 to 10, indicating the system's sensitivity to high-risk threats.

Threat score

Threat score is a numerical value assigned to a potential threat, indicating its level of danger. The video script mentions that the SRX firewall is configured to block HTTP downloads at a threat score level of 7 to 10, demonstrating how the system uses scoring to determine the appropriate response to detected threats.

Behavioral analysis

Behavioral analysis is a method of detecting malware by observing its behavior on a system. The script notes that the SRX firewall detected the ransomware proactively using a machine learning model engine, which performed a behavioral analysis of the downloaded files.

Machine learning model engine

A machine learning model engine is a component of security systems that uses machine learning algorithms to identify and respond to threats. In the video, it is highlighted as the technology enabling the SRX firewall to detect the Lockbit 3.0 ransomware through its behavioral patterns.

Security Director

Security Director is a management tool used to configure and monitor security devices like the Juniper SRX firewall. The script describes using the Security Director to manage SRX policies and to detect and respond to the ransomware attack, showcasing its role in network security management.

Isolation

Isolation is a security measure where a compromised system is disconnected from the network to prevent the spread of malware. The video script explains how the SRX firewall isolates the infected Windows client by disconnecting it from the network until it is cleaned and no longer poses a threat.

Highlights

Demonstration of Juniper SRX firewall identifying Lockbit 3.0 ransomware.

Lockbit ransomware gang was one of the most prevalent attackers of businesses in 2022.

Controversy over the hacking of Lockbit servers and the release of the ransomware Builder.

Lockbit 3.0 operation began in June 2022 and continues to infect businesses.

Explanation of how the ransomware operates and encrypts files using a Builder.

Creation of ransomware files lb3.exe and lb3pass.exe using the Builder.

Use of a password for lb3pass.exe as a method to evade sandbox analysis.

Infection simulation on a Windows computer with visible documents on the desktop.

Wireshark used to monitor HTTP downloads during the ransomware attack.

Files on the desktop encrypted with a delay and modified file icons.

Inclusion of a ransom note readme.txt with instructions for decryption.

Simulation of the ransomware attack with the SRX firewall involved.

SRX firewall's detection capabilities using a machine learning model engine.

SRX firewall configured to block infected hosts at Threat Level 8 to 10.

Disconnection of the infected host from the network by the SRX firewall.

Process to reconnect a cleaned and disinfected host back to the network.

Restoration of network connectivity to the cleaned Windows client.

Transcripts

00:02

This demonstration shows how the Juniper SRX firewall can identify Lockbit 3.0 ransomware and isolate an infected host. In the context of ransomware attacks in 2022, the Lockbit ransomware gang was among the most prevalent ransomware to strike businesses. They were responsible for high-profile cyber attacks, including the government organizations.

00:25

On September 21st 2022 someone on Twitter claimed that they were able to hack Lockbit servers and get a hold of the Builder. A public spokesperson of the Lockbit gang though disputed the hack; instead a disgruntled developer leaked the private ransomware Builder.

00:43

The Lockbit 3.0 operation began in June 2022 and is still infecting businesses to date.

00:54

We'll demonstrate how this attack operates and encrypts files. We will create the ransomware using the Builder and host it on the HTTP server. PowerShell will then be used to launch the attack on a Windows client.

01:07

The compromised Builder consists of builder.exe and the configuration file that may be edited to define various parameters such as encryption mode, the processes, the services to stop and the files and directories not to encrypt.

01:26

When you click on build.bat the ransomware files lb3.exe and lb3pass.exe will be created in the build folder. There's also the decryptor. A password is necessary for the lb3pass.exe to infect the system; they use this as one method of evading sandboxes.

02:08

In the next section we'll infect the Windows computer. Some documents can be seen on the desktop to show that Lockbit encrypts these files.

02:16

Wireshark is launched in order to monitor the HTTP downloads. Using PowerShell and the command prompt we launched the attack. As you can see it downloads lb3.exe and lbb.txt, the PowerShell script.

02:32

The files on the desktop are now encrypted after a little delay. The encrypted file icons were also modified by the ransomware. You can see that the files are rather heavily encrypted if you open them in a text editor.

02:58

They also included a ransom note readme.txt that contains instructions on how to get in touch with the ransomware operator to have your files decrypted.

03:14

In the following we will simulate the attack with the SRX involved to show how the SRX firewall will be able to detect this attack.

03:22

The following diagram shows you the components used in this demonstration. An SRX client is involved; attached to it are several Windows hosts. An Ubuntu machine is also attached to it which will act as the malware server. A Security Director Junos Space is also included which will be used to manage our SRX and policies. We will use the Windows client PC1 to launch the attack.

03:49

From our jump station we log into the Security Director which we'll use to manage our SRX and our policies.

03:58

We will go to Configure, Threat Prevention and then the Policies. As you can see it's configured to block infected hosts at Threat Level 8 to 10.

04:29

For HTTP downloads it is configured to block at a threat score level 7 to 10.

04:39

Using RDP we're connecting to one of the Windows clients that we're going to infect. Before we begin we want to make sure that this client has internet connectivity.

04:55

Next, using the command line we execute the attack. In the background you can see Wireshark and the files being downloaded from the HTTP server.

05:21

If we go back to Security Director we can see that it has detected the ransomware lb3.exe and lb3_pass.exe. We can click on the file to see more details about the specific download.

05:40

Under the behavioral analysis we can see the behaviors that have been seen. It is important to note that this malware was detected proactively using the machine learning model engine.

06:00

If we look at the host it was scored at Threat Level 9 and it shows that this was because of a downloaded malicious file. Since our SRX is configured to block hosts at Threat Level 8 through 10 it will disconnect this host from the network.

06:24

Since this host is disconnected from the network we're not able to ping this machine or connect to it via RDP.

07:09

Once the machine is cleaned and is no longer infected we can go back to Security Director to get this machine back on the network. In order to do this we change the investigation status back to Resolved and Fixed, which will put the machine back on the network.

07:38

As you can see we can once again ping the machine and connect to it.

07:56

The Windows client is now connected back to the network and has internet connectivity once again.


Related Tags
Juniper SRX, Ransomware, Lockbit 3.0, Cybersecurity, Encryption, Firewall, Threat Detection, Network Isolation, Machine Learning, Security Protocols