Dissecting the LockBit v3 Ransomware

  • Recommendation from the previous article: analyze ransomware binaries as part of an effective ransomware response strategy. Analyzing binaries is hard, especially obfuscated ones, but it is worth it: a successful analysis can help with data recovery and with understanding the encryption and decryption process.
  • Analysis of LockBit v3: Calif discovered two issues in this version: a crypto bug that may allow decryption without the private key, and a design flaw that may cause data corruption. They published the analysis for several reasons, including sharing it with other affected organizations.
  • Encryption and Decryption Details: the sample combines symmetric (Salsa20) and asymmetric (RSA with no padding) cryptography. Files are split into chunks that are encrypted and decrypted with these algorithms, and each encrypted file ends with a footer containing information about the file.
  • Keystream Reuse Vulnerability: the sample reuses the Salsa20 key for 1,000 files, which creates a keystream-reuse vulnerability. Given a file with a long compressed filename, enough keystream can be recovered to decrypt other files.
  • Design Flaw and Data Corruption: The ransomware has a mutex checking mechanism that can be disabled, allowing multiple instances to run and potentially cause data corruption. It also attempts to terminate other processes that prevent exclusive access to the file.
  • Anti-Debugging Mechanisms: the sample contains multiple anti-debugging checks, such as inspecting the heap structure and calling certain functions; these can be bypassed by modifying the heap structures. It also resolves Windows APIs manually to hinder tracing.
  • Building a Decryption Tool for Linux: Calif re-implemented the decryption logic in C for Linux. They extracted the relevant functions from the ransomware and fixed up the address references. The tool is open source and can be downloaded from GitHub.
  • Indicators of Compromise (IOCs): Specific details about the IOCs for this variant of LockBit v3 such as unique IDs, file hashes, and registry values.
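The keystream-reuse bug from the "Keystream Reuse Vulnerability" item, as an added illustration that is not Calif's tool or LockBit's code: a from-scratch Salsa20/20 in Python and two constructed sample files show that a known plaintext region in one file yields the keystream bytes that decrypt the same offsets of every other file encrypted under the reused key and nonce. The file contents, the known-header layout and the key/nonce values are all constructed here; this is not LockBit's real file format.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = (b"expa", b"nd 3", b"2-by", b"te k")  # Salsa20 "expand 32-byte k" constants
# Quarterround targets: four column-round index sets followed by four row-round sets.
ROUNDS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
          (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarterround(a, b, c, d):
    b ^= _rotl((a + d) & MASK, 7)
    c ^= _rotl((b + a) & MASK, 9)
    d ^= _rotl((c + b) & MASK, 13)
    a ^= _rotl((d + c) & MASK, 18)
    return a, b, c, d

def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce, 64-bit counter)."""
    layout = SIGMA[0] + key[:16] + SIGMA[1] + nonce + struct.pack("<Q", counter) + SIGMA[2] + key[16:] + SIGMA[3]
    state = list(struct.unpack("<16I", layout))
    x = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in ROUNDS:
            x[idx[0]], x[idx[1]], x[idx[2]], x[idx[3]] = _quarterround(*(x[i] for i in idx))
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, state)))

def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt by XOR with the keystream, which always starts at counter 0."""
    stream = b"".join(salsa20_block(key, nonce, i) for i in range((len(data) + 63) // 64))
    return xor_bytes(data, stream)

def xor_bytes(a, b):
    """XOR two byte strings up to the shorter length: plaintext ^ ciphertext = keystream."""
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample data: two victim files encrypted under the same key and nonce,
# modelling the keystream reuse described above (not LockBit's actual file layout).
KEY = bytes(range(32))
NONCE = b"\x00" * 8
FILE_A = b"[known header] " + b"very_long_known_filename_" * 3 + b".docx"
FILE_B = b"Board minutes: acquisition price agreed at 12.4M, announce Friday"

def recover_file_b():
    ct_a = salsa20_xor(KEY, NONCE, FILE_A)
    ct_b = salsa20_xor(KEY, NONCE, FILE_B)
    keystream = xor_bytes(FILE_A, ct_a)   # victim knows FILE_A's plaintext at these offsets
    return xor_bytes(ct_b, keystream)     # decrypts the first len(FILE_A) bytes of FILE_B
```

Recovery only reaches the offsets covered by known plaintext, which is why the analysis needs a file with a long known region (the compressed filename) to obtain enough keystream.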