This post was authored by Aufa and Fareed.
This blog post is intended to give a better overall picture of a ransomware attack operated by the BlackBit ransomware gang, as observed by our team on our observatory farm during the actual attack launched by the gang.
This blog post may be useful for security engineers, researchers, and security analysts who want to keep up with current cybersecurity issues, specifically malware threats and ransomware hunting. By the end of this blog post, readers will understand the techniques used by this ransomware operator to compromise users via public-facing RDP. Furthermore, security analysts can collect the Indicators of Compromise (IOCs) extracted from the malware to assess whether their own environment has been compromised.
This BlackBit ransomware investigation was handled by the Netbytesec internship team:
- Aufa
- Abu
- Iqbal
- Amin
- Syahmi
- Badrul
Case Summary
The threat actor initiates the breach by employing a brute force attack, successfully compromising the user "Administrator". Upon gaining the initial access, the attacker establishes persistence on the machine utilizing a well-known technique known as the "Sticky Keys backdoor".
Subsequently, the attacker creates a new local user account named 'Microsoft' and logs in through this account. Leveraging the copy-and-paste feature of Windows RDP, the attacker transfers a malicious file named 'svchost.exe' to the targeted machine and initiates the ransomware infection.
Figure 1: One of the Netbytesec PC Malware Lab machines infected with BlackBit Ransomware
After successfully compromising the user, the threat actor surprisingly does not perform any other post-exploitation activity such as data exfiltration, privilege escalation, or lateral movement, and focuses solely on dropping and executing the ransomware.
Figure 2: Graph flow of the threat actor's activity
Timeline
Figure 3: Timeline of the execution
Technical Analysis
Brute-Force RDP for Initial Access
During the initial access phase, the attacker, using the IP address 87.251.75.145, started brute-forcing the RDP service of the machine and successfully logged in as the local user named Administrator. Some of the account names the attacker tried during the brute force are shown in the figure below.
Figure 4: The attacker with IP 87.251.75.145 carries out a brute-force attack
The IP address appears to be hosted by the hosting provider XHOST. According to VirusTotal, the IP address 87.251.75.145 has been detected by 5 vendors. Additionally, it has been tagged with "brute force", "RDP", and "SSH" on AlienVault, further raising concerns about its potential for malicious attacks. Furthermore, a security researcher named "SecGuy" has created a VirusTotal graph that maps the IP address against his RDP connection intelligence.
Figure 5: VirusTotal community tab
Hence, we are confident that the IP address is malicious and will continuously attempt brute-force attacks against exposed RDP services, posing a significant threat to the organization's security that requires immediate protective measures.
Sticky Keys backdoor for persistent access
Upon logging into the account, the attacker establishes a persistence mechanism by replacing the sethc.exe executable with the cmd.exe executable, a technique known as the "Sticky Keys backdoor". With this method, the Sticky Keys shortcut executes cmd.exe instead of the original sethc.exe, which gives the attacker a Command Prompt with elevated privileges on the Windows logon screen. Thus, the attacker is able to perform malicious actions in high-privileged mode afterward.
Figure 6: The exploitation of sethc.exe to execute cmd with the highest privilege
Create new user
Furthermore, after establishing the Sticky Key backdoor and gaining further control over the compromised system, the attacker takes an additional step by creating a new local user account, assigning it the name 'Microsoft', and setting the password as 'Task213'.
Figure 7: Creation of the new user Microsoft
Following the creation of the 'Microsoft' user account with the password 'Task213', the attacker switches to a different IP address, 162.55.243.124, and logs into the newly created account from that IP to carry out their main objective: dropping and executing the ransomware. The figure below shows the IP address successfully logging into the system.
Figure 8: Attacker logs in as the Microsoft user
According to VirusTotal and a few other network scanning platforms, the IP 162.55.243.124 has not been flagged or identified as malicious so far. However, it is important to note that the absence of flags does not guarantee its innocence, as the attacker used this IP address to log in to our RDP service and operate their ransomware activity.
After successfully gaining access to the Microsoft user's account, the attacker waits for a few minutes before proceeding with their next move.
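The brute force, the successful logon and the account creation described in this and the two preceding sections can all be pulled out of the Windows Security log automatically. The following is an added example for this write-up, not code from the original post or from Netbytesec: it runs over constructed Security-log records (event IDs 4625, 4624 and 4720; the timestamps, the internal host 10.0.0.5 and the guessed usernames are invented, only the two attacker IPs and the account names come from this write-up), flags source IPs with a burst of failed RDP logons, records whether the same IP then logged on successfully, and ties any account created by the brute-forced user to the first RDP logon made to that new account.

```python
"""Triage of Windows Security log events for the RDP intrusion chain described above.

Added example for this write-up, not code from the original post or from Netbytesec.
The records are constructed: timestamps, the internal host and the guessed usernames
are invented; only the two attacker IPs and the account names come from the write-up.
Field names follow the Windows Security log: 4625 = failed logon, 4624 = successful
logon, 4720 = user account created, LogonType 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_IP = "87.251.75.145"    # brute-force source named in the write-up
SECOND_IP = "162.55.243.124"  # IP that logged on to the new account

SAMPLE_EVENTS = [
    # constructed: several usernames guessed from one IP within a minute, then a success
    {"EventID": 4625, "TimeCreated": "2023-06-01T10:00:00", "IpAddress": BRUTE_IP, "TargetUserName": "admin", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2023-06-01T10:00:08", "IpAddress": BRUTE_IP, "TargetUserName": "user", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2023-06-01T10:00:17", "IpAddress": BRUTE_IP, "TargetUserName": "test", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2023-06-01T10:00:25", "IpAddress": BRUTE_IP, "TargetUserName": "scanner", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2023-06-01T10:00:34", "IpAddress": BRUTE_IP, "TargetUserName": "Administrator", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2023-06-01T10:00:42", "IpAddress": BRUTE_IP, "TargetUserName": "Administrator", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2023-06-01T10:01:00", "IpAddress": BRUTE_IP, "TargetUserName": "Administrator", "LogonType": 10},
    # constructed: one mistyped password from an internal host (benign noise)
    {"EventID": 4625, "TimeCreated": "2023-06-01T10:02:00", "IpAddress": "10.0.0.5", "TargetUserName": "alice", "LogonType": 10},
    # constructed: the compromised account creates a new local user
    {"EventID": 4720, "TimeCreated": "2023-06-01T10:05:00", "SubjectUserName": "Administrator", "TargetUserName": "Microsoft"},
    # constructed: first RDP logon to the new account, from the second IP
    {"EventID": 4624, "TimeCreated": "2023-06-01T10:20:00", "IpAddress": SECOND_IP, "TargetUserName": "Microsoft", "LogonType": 10},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _rdp(event, event_id):
    return event["EventID"] == event_id and event.get("LogonType") == 10


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for every source IP with at least `threshold` failed RDP
    logons inside some sliding `window`, plus the accounts that later logged on
    successfully over RDP from that same IP."""
    events = sorted(events, key=_ts)
    failures = defaultdict(list)
    for e in events:
        if _rdp(e, 4625):
            failures[e["IpAddress"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        times = [_ts(f) for f in fails]
        start, burst = 0, False
        for end in range(len(times)):           # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        findings[ip] = {
            "failed_attempts": len(fails),
            "usernames_tried": sorted({f["TargetUserName"] for f in fails}),
            "succeeded_as": sorted({e["TargetUserName"] for e in events
                                    if _rdp(e, 4624) and e["IpAddress"] == ip
                                    and _ts(e) >= times[0]}),
        }
    return findings


def find_accounts_created_by(events, compromised_users, window=timedelta(hours=1)):
    """Flag 4720 events whose creator is a compromised account and record where the
    first RDP logon to the new account came from (in the write-up, a second IP)."""
    events = sorted(events, key=_ts)
    results = []
    for e in events:
        if e["EventID"] != 4720 or e.get("SubjectUserName") not in compromised_users:
            continue
        first_logon = next((l for l in events
                            if _rdp(l, 4624) and l["TargetUserName"] == e["TargetUserName"]
                            and timedelta(0) <= _ts(l) - _ts(e) <= window), None)
        results.append({"account": e["TargetUserName"],
                        "created_by": e["SubjectUserName"],
                        "first_rdp_logon_from": first_logon["IpAddress"] if first_logon else None})
    return results


def triage(events=SAMPLE_EVENTS):
    """Run both checks and chain them: brute-forced accounts feed the account check."""
    brute = find_bruteforce_sources(events)
    compromised = {user for f in brute.values() for user in f["succeeded_as"]}
    return {"bruteforce": brute, "new_accounts": find_accounts_created_by(events, compromised)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The sliding window matters: a single mistyped password per hour from an internal host never reaches the threshold, while the same count compressed into a minute does. The chained check is what turns two unremarkable events (an administrator creating an account, a new account logging on) into the pattern seen in this incident.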
Drop the ransomware executable
At this point, the attacker utilizes the copy-and-paste feature available in the Windows RDP software to place a malicious file named "svchost.exe" directly into the Desktop folder of the Microsoft user. This activity can be seen in the figure below, where the Sysmon log records the creation of the file in question within the Desktop directory of the Microsoft user.
Figure 9: Ransomware executable named svchost.exe created
From here, the attacker executes the malware, which leads to the ransomware infection.
Configure custom exclusions and execute the ransomware
The attacker first adds exclusion folders in Windows Defender for "Program Files" and the user folder, allowing the malware to execute in those locations without being blocked by Defender.
Afterward, the attacker initiates the ransomware, triggering a sequence of events that is elaborated in the upcoming section.
Figure 10: Defender exclusions and execution of ransomware.exe
Ransomware technical analysis and reverse engineering
Initial Assessment
Based on the VirusTotal analysis, the sample shows a high detection rate among various antivirus signatures, identifying it as the LokiLocker variant of malware.
Figure 11: VirusTotal detection
Upon examining the malware file type and compiler information, we found that the malware executable is protected by the .NET Reactor protector. Thus, it is important to unpack it first before proceeding with the reverse engineering of the malware.
Figure 12: The executable has been protected by .NET Reactor
Once the sample was successfully unpacked, the NBS team proceeded with reverse engineering it.
After examining the classes of the sample, it becomes evident that they carry the name "Loki", confirming that the BlackBit ransomware is identical to the LokiLocker ransomware, as shown in the figure below.
Figure 13: Sample classes contain Loki names
The NBS team proceeded to debug the malware sample, as the malware implements heavy obfuscation in its code to slow down analysis.
Checking mutex
Upon execution, the malware first checks for the presence of an existing mutex on the compromised host. If such a mutex is found, the malware skips its ransomware activities. If the compromised host does not have the mutex, the malware proceeds to create one.
Figure 14: Malware opens the mutex if it has already been created
This typical mutex checking and creation approach is commonly observed in various malware samples found in the wild. Its purpose is to identify whether the current compromised host is already infected or not.
Figure 15: Mutex-checking function
By employing this technique, the malware can ensure that it does not reinfect or conflict with actions on a system that has already been infected with the malware.
Create a persistent mechanism via the Startup folder
The ransomware employs a persistence mechanism to ensure continuous execution on the infected machine. To achieve this, it duplicates itself into multiple folder locations under the name "winlogon.exe", including the following directories:
- "C:\Users\microsoft\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup"
- "C:\Users\Microsoft\Windows\Start Menu\Programs\Startup"
Figure 16: Ransomware copies itself to other locations including the Startup folder
By leveraging this persistence technique, the ransomware guarantees automatic execution during system startup or when a user logs in. As shown in the below figure, the malware makes a copy of its executable in the Startup folder with the filename "winlogon.exe".
Figure 17: The executable copied into the Startup folder
Furthermore, the malware deploys additional copies of its executable in other locations, such as the "C:\Users\microsoft\AppData\Roaming", "C:\ProgramData" and "C:\Windows" folders.
Figure 18: The executable copied to AppData Roaming
Then the malware sets the copied file as hidden to conceal it from the victim, as shown in the code in the figure below.
Figure 19: Winlogon.exe set to hidden
In the figure below, the files have been successfully copied into the targeted folders. Specifically, within the AppData Roaming folder, the executable has been concealed to remain hidden from the user.
Figure 20: The executables have been successfully copied into the targeted locations
Create scheduled tasks for the persistent mechanism
The ransomware creates a scheduled task for the "winlogon.exe" file so that it executes each time a user logs into the system, providing persistence. In the figure below, we can see that the scheduled task is named "BlackBit" and runs the "winlogon.exe" residing in the AppData Roaming folder.
Figure 21: Scheduled task named BlackBit created by the malware
The function code responsible for creating the scheduled task is shown in the figure below.
Figure 22: Code that runs the schtasks command
Upon execution of the code, the user encounters the User Account Control (UAC) prompt associated with the schtasks command.
Figure 23: UAC prompt associated with the schtasks command
Creation of a Task Manager locker (batch file) in the Startup folder
Next, the malware creates a batch file containing a registry modification that disables Task Manager. The malware puts the batch file in the Startup folder so that it executes every time the user logs in.
Figure 24: The creation of the batch file to disable Task Manager
With this technique, users are unable to terminate the ransomware process and its associated application. The figure below shows the content of the batch file.
Figure 25: Batch file used for the Task Manager locker
Content of the bat file:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Figure 26: Task Manager already disabled
Setting up the ransom note application
The ransomware proceeds to build an application that is executed whenever a user attempts to open one of their encrypted files. In our lab, the malware extracts the embedded source code from its resources, compiles it, and saves it as an executable file named "bkhpxa3o.exe". We also noted that the malware drops other files such as info.Blackbit, Restore-My-Files.txt, and a few others.
Figure 27: Code that compiles the ransom note application
The application is placed in the ProgramData folder, and it is then configured as the default application for the ".Blackbit" extension in the system's registry.
In the screenshot below, it is noteworthy that the executable has a different name due to the Netbytesec analyst conducting several analyses, resulting in variations of the artifact. As the malware generates random names for the compiled executable, the screenshot might have different names in different instances of analysis.
Figure 28: The malware sets the application as the handler for the Blackbit extension
Clicking on one of the encrypted files triggers the execution of the ransom note application.
Figure 29: Ransom note application shown when the user double-clicks an encrypted file
Furthermore, once the user clicks the "OK" button, the malware proceeds to run the HTA file named "info.Blackbit" via the mshta.exe application.
Figure 30: Code of the executable
In the figure above, the program's code displays the ransom content using a message box and then executes "info.Blackbit" using mshta.exe.
The content of the HTA application is shown in the figure below:
Figure 31: info.Blackbit HTA application
Create ransom message
The ransomware proceeds to create a ransom message in a text file named "Restore-My-Files.txt" within every folder whose name contains the word "Desktop". Additionally, the malware generates an HTA file on the Microsoft user's Desktop, which displays a pop-up HTA application showing the ransom message.
Figure 32: Ransom text created
The content of the ransom text is shown in the figure below.
Figure 33: Restore-My-Files.txt
Check for admin privileges
Next, the malware checks for administrative privileges, and if they are available, it proceeds with the next malicious activity. If not, the malware attempts to request administrative access through the User Account Control (UAC) prompt.
Figure 34: Check for Administrator privileges
Enumerate and close processes
The ransomware proceeds with the next activity, terminating several processes, which could disrupt the encryption process.
Figure 35: The application tries to terminate any disruptive processes
By terminating these processes, the ransomware aims to gain full control over the system's resources, ensuring smooth and efficient encryption of the victim's files, thereby maximizing the impact and effectiveness of its malicious objectives.
The code snippet below shows the CloseProcesses function.
Figure 36: The ransomware enumerates all running processes
In the local variables depicted in the above figure, an array stores the names of all currently running processes. This array is then compared with a specific disruptive process list located below.
Figure 37: List of all disruptive processes
The list of the processes includes:
wxserver, wxserverview, sqlservr, ragui, supervise, culture, rtvscan, defwatch, winword, qbw32, qbdbmgr, qbupdate, qbcfmonitorservice, axlbridge, qbidpservice, httpd, fdlauncher, msdtsrvr, tomcat6, zhudongfangyu, vmware-usbarbitator64, vmware-converter, dbsrv12, msftesql, sqlagent, sqlbrowser, sqlwriter, oracle, ocssd, dbsnmp, synctime, agntsvc, mydesktopqos, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, agntsvc, encsvc, firefoxconfig, tbirdconfig, ocomm, mysqld, mysqld-nt, mysqld-opt, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thebat64, thunderbird, visio, winword, wordpad
Disable Windows update services
After successfully terminating several targeted processes, the ransomware proceeds to disable disruptive services that could potentially interfere with its operation on the compromised host, thus, maximizing its impact on the host.
Figure 38: The ransomware tries to stop services
Similar to the process enumeration phase, the malware initiates by retrieving a comprehensive list of all services running on the system.
Figure 39: The ransomware gets all running services
After enumerating the running services, the malware compares the list with a collection of targeted services that could disrupt the ransomware's activity.
Figure 40: List of targeted services
The list of the targeted services includes:
defwatch, ccevtmgr, ccsetmgr, savroam, sqlserv, sqlagent, sqladhlp, culserver, rtvscan, sqlbrowser, qbidpservice, quickboooks.fcs, qbcfmonitorservice, sqlwriter, msmdsrv, tomcat6, zhundongfangyu, vmware-usbarbitator64, vmware-converter, dbsrv12, dbeng8, wrapper, mssqlserver, mssql$contoso1, msdtc, sqlserveragent, vds
Once the potentially disruptive services are identified, the malware takes action by stopping the services.
Figure 41: Ransomware found one of the disruptive services
Figure 42: The malware trying to stop the MSDTC service
In the figure below, the ransomware tries to disable services by executing commands, such as "sc stop UsoSvc" and "sc stop bits".
Figure 43: Ransomware stops services
Delete shadow copy, system backup, and disable the firewall
The ransomware then proceeds to disable data backups on the infected machine through a series of commands executed via cmd.exe. These include:
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
In the figures below, we can observe that the malware sets up commands to be executed on the system, aiming to delete system backups and shadow copies and thus disable the Windows restore points.
Figure 44: vssadmin command to delete shadow copies
Figure 45: wbadmin to delete system backup
By using the "wbadmin DELETE SYSTEMSTATEBACKUP" command, the ransomware could potentially delete the system's critical System State backups and shadow copies, effectively removing any chance of the victim restoring their system to a previous state using standard Windows restore options. This action further restricts the victim's ability to recover their files without paying the ransom, putting more pressure on them to comply with the attacker's demands.
Figure 46: The ransomware tries to run the WMIC command to delete shadow copies
In the code snippet below, all the destructive commands are executed within this function. Upon successful execution of these commands, the function will write "Verified successfully. All shadow copies deleted" in the log file.
Figure 47: Function that does the deletion of shadow copies and backup data
The provided commands are used to carry out various actions that help the ransomware evade data recovery and system restoration measures on the infected machine.
Figure 48: A few commands to delete backups
All the commands executed by the ransomware serve the same destructive objective: deleting critical backups or shadow copies on the victim's system, leaving the victim with limited options for data recovery without paying the ransom.
Disable firewall
Additionally, the ransomware attempts to disable the firewall through the following commands:
"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
By executing these commands, the ransomware effectively turns off the Windows Firewall, thereby exposing the infected system to risks of network-based attacks.
Figure 49: Disabling firewall
The first command, netsh advfirewall set currentprofile state off disables the firewall for the current profile. The current profile is the one that is currently in use, which is usually the Domain profile if the victim is connected to a domain network, or the Private profile if the victim is not connected to a domain network.
The second command, netsh firewall set opmode mode=disable, disables the firewall for all profiles. This means that the firewall will be disabled for the Domain, Private, and Public profiles.
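Every command in the scheduled-task, service-stop, backup-deletion and firewall sections above is an ordinary process launch, so the simplest detection is a classifier over Sysmon Event 1 (or Security 4688) command lines. The following is an added example for this write-up, not code from the original post or from Netbytesec: it strips the cmd.exe /C wrapper, matches the command lines quoted in this write-up plus the two sc stop commands named above, extracts the service name from sc stop or net stop and checks it against the targeted-service list from the write-up. The schtasks invocation (built from the task name and binary path given above) and the benign commands at the end of the sample are constructed.

```python
"""Classifier for the command lines the ransomware runs, as described above.

Added example for this write-up, not code from the original post or from Netbytesec.
The command lines quoted in the write-up are reproduced as they appear there; the
schtasks invocation and the benign commands at the end are constructed.
"""
import re

# cmd.exe /C (or /K) wrapper seen in the write-up's command lines
CMD_WRAPPER = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)

RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup_deletion", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("firewall_disabled", re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("firewall_disabled", re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+(?:mode=)?disable\b", re.I)),
    ("scheduled_task_created", re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
]
SERVICE_STOP = re.compile(r'\b(?:sc|net)(?:\.exe)?\s+stop\s+"?([^\s"]+)', re.I)

# Services the ransomware stops, per the write-up (its targeted list plus UsoSvc and bits).
TARGETED_SERVICES = {
    "defwatch", "ccevtmgr", "ccsetmgr", "savroam", "sqlserv", "sqlagent", "sqladhlp",
    "culserver", "rtvscan", "sqlbrowser", "qbidpservice", "quickboooks.fcs",
    "qbcfmonitorservice", "sqlwriter", "msmdsrv", "tomcat6", "zhundongfangyu",
    "vmware-usbarbitator64", "vmware-converter", "dbsrv12", "dbeng8", "wrapper",
    "mssqlserver", "mssql$contoso1", "msdtc", "sqlserveragent", "vds", "usosvc", "bits",
}

SAMPLE_COMMANDS = [
    r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet',
    r'"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP',
    r'"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete',
    r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet',
    r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no',
    r'"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off',
    r'"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable',
    r'"C:\Windows\System32\cmd.exe" /C sc stop UsoSvc',
    r'"C:\Windows\System32\cmd.exe" /C sc stop bits',
    # constructed: task creation using the task name and binary path from the write-up
    r'schtasks /create /tn BlackBit /tr "C:\Users\Microsoft\AppData\Roaming\winlogon.exe" /sc onlogon',
    # constructed benign noise
    r'"C:\Windows\System32\cmd.exe" /C vssadmin list shadows',
    r'net stop spooler',
]


def unwrap(cmdline):
    """Strip a leading cmd.exe /C wrapper so the inner command is what gets classified."""
    return CMD_WRAPPER.sub("", cmdline, count=1).strip()


def classify_command(cmdline):
    """Return a list of findings for one command line (empty if nothing matched)."""
    inner = unwrap(cmdline)
    findings = [{"category": cat, "command": inner} for cat, rx in RULES if rx.search(inner)]
    m = SERVICE_STOP.search(inner)
    if m:
        service = m.group(1).lower()
        findings.append({"category": "service_stop", "command": inner, "service": service,
                         "targeted": service in TARGETED_SERVICES})
    return findings


def scan(commands):
    """Classify every command line and flatten the results in input order."""
    return [f for c in commands for f in classify_command(c)]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDS):
        print(f"{f['category']:24} {f['command']}")
```

A single sc stop or a vssadmin list is noise on its own; what makes this sequence actionable is several categories firing from the same parent process within seconds, so in practice the findings are grouped by ProcessGuid before alerting.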
Delete user Recycle Bin
The ransomware proceeds with its next activity, targeting the victim's Recycle Bin. The ransomware empties the Recycle Bin, permanently erasing any chance of easy file recovery for the victim.
Figure 50: The function that empties the victim's Recycle Bin
Disable Windows Defender
Additionally, the ransomware takes further measures to disable Windows Defender.
Figure 51: Malware tries to disable Windows Defender antivirus
The ransomware disables Windows Defender by modifying specific registry values in the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
Figure 52: Function code to disable Windows Defender
By tampering with these registry settings, the ransomware can avoid detection and hinder any attempts by Windows Defender to block or remove the malware, ensuring its sustained presence and successful execution of malicious activities on the compromised system.
Scan for network shares
The ransomware also has the capability to scan the network for available shares. By doing so, it maximizes its reach and potential impact by encrypting files not only on the local system but also those located on network shares.
Figure 53: The ransomware starts a network share scan from the current IP address
The ransomware is able to scan SMB shares as well. This capability enables the ransomware to target and encrypt files on network shares that use the SMB (Server Message Block) protocol.
Figure 54: Scan SMB shares function
Encryption information
Additionally, the ransomware creates a registry key at HKEY_CURRENT_USER\SOFTWARE\BlackBit, which stores a public key and a timer responsible for triggering data deletion.
Figure 55: The code responsible for adding a registry key holding the ransomware information
Figure 56: Registry key that contains the information
The Timer represents an encoded date-time value that indicates the ransom's expiration date. When the date has expired, the malware will initiate a wipe of the drives. By default, the date is set to 30 days after the execution of the ransomware.
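The Defender exclusions, the DisableTaskMgr batch file, the Windows Defender policy values and the HKCU\SOFTWARE\BlackBit key described above are all registry writes, which Sysmon records as Event 13 (RegistryEvent, value set). The following is an added example for this write-up, not code from the original post or from Netbytesec; it classifies constructed Event 13 records (the key paths come from the write-up, while the per-user SID, the Image fields and the value name under the BlackBit key are invented) and tells a value being set to 1 apart from the same value being reset to 0.

```python
"""Classifier for Sysmon Event 13 (registry value set) records matching the tampering
described above: Task Manager lockout, Defender exclusions, Defender policy disables
and the ransomware's own HKCU\\SOFTWARE\\BlackBit key.

Added example for this write-up, not code from the original post or from Netbytesec.
Records are constructed: key paths come from the write-up; the user SID, the Image
fields and the value name under the BlackBit key are invented.
"""
import re

# Sysmon writes HKLM\... and HKU\<SID>\...; strip the hive so per-user keys compare equal.
HIVE_RE = re.compile(r"^(?:hklm|hkey_local_machine|hkcu|hkey_current_user|hku\\[^\\]+)\\", re.I)
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.I)

POLICIES_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
DEFENDER_POLICY = r"software\policies\microsoft\windows defender"
DEFENDER_RTP = DEFENDER_POLICY + r"\real-time protection"
DEFENDER_EXCL = r"software\microsoft\windows defender\exclusions"
BLACKBIT_KEY = r"software\blackbit"

SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"              # constructed
DROPPER = r"C:\Users\Microsoft\Desktop\svchost.exe"
DEFENDER_SVC = r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"  # constructed path
RTP = r"HKLM\SOF TWARE\Policies\Microsoft\Windows Defender\Real-Time Protection".replace("SOF TWARE", "SOFTWARE")


def ev(image, target, details):
    """Build a minimal Sysmon Event 13 record (constructed)."""
    return {"EventID": 13, "Image": image, "TargetObject": target, "Details": details}


SAMPLE_EVENTS = [
    ev(r"C:\Windows\System32\reg.exe", SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "DWORD (0x00000001)"),
    ev(DEFENDER_SVC, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files", "DWORD (0x00000000)"),
    ev(DEFENDER_SVC, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Microsoft", "DWORD (0x00000000)"),
    ev(DROPPER, RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    ev(DROPPER, RTP + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    ev(DROPPER, RTP + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    ev(DROPPER, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "DWORD (0x00000001)"),
    ev(DROPPER, SID + r"\SOFTWARE\BlackBit\public", "Binary Data"),          # value name constructed
    # constructed benign noise: Task Manager re-enabled, and an ordinary Run value
    ev(r"C:\Windows\System32\reg.exe", SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "DWORD (0x00000000)"),
    ev(r"C:\Windows\explorer.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]


def dword(details):
    """Decode Sysmon's 'DWORD (0x00000001)' rendering; None for non-DWORD data."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return {"rule", "detail", "image"} for a matching Event 13, else None."""
    if event.get("EventID") != 13:
        return None
    target = event["TargetObject"]
    path = HIVE_RE.sub("", target.lower())
    tail = target[len(target) - len(path):]      # same span as `path`, original casing
    data = dword(event.get("Details"))

    # Exclusion value names are themselves paths, so handle them before splitting on '\'.
    if path.startswith(DEFENDER_EXCL + "\\"):
        kind, _, excluded = tail[len(DEFENDER_EXCL) + 1:].partition("\\")
        return {"rule": "defender_exclusion_added", "detail": f"{kind}: {excluded}", "image": event["Image"]}

    key, _, value = path.rpartition("\\")
    rule = None
    if key == POLICIES_SYSTEM and value == "disabletaskmgr" and data == 1:
        rule = "task_manager_disabled"
    elif key == DEFENDER_RTP and value.startswith("disable") and data == 1:
        rule = "defender_realtime_disabled"
    elif key == DEFENDER_POLICY and value == "disableantispyware" and data == 1:
        rule = "defender_disabled"
    elif key == BLACKBIT_KEY or key.startswith(BLACKBIT_KEY + "\\"):
        rule = "blackbit_config_written"
    return {"rule": rule, "detail": value, "image": event["Image"]} if rule else None


def scan_registry_events(events):
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for hit in scan_registry_events(SAMPLE_EVENTS):
        print(f"{hit['rule']:28} {hit['detail']}  (by {hit['image']})")
```

Matching on the value data, not only on the value name, is what keeps the re-enable event out of the results; the Image field is carried through so that a Defender policy value written by something on a user's Desktop stands out from the same value written by group policy.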
Start encryption
Finally, after executing all the necessary steps, the ransomware proceeds with the critical phase by calling the StartEncryption function. This function is responsible for initiating the encryption process, targeting and encrypting the files stored on the compromised host using a predefined encryption algorithm and the previously obtained public key.
Figure 57: Code snippet of the StartEncryption function
Figure 58: All files encrypted
The ransomware encrypts files and renames them following this pattern: "[attacker's email address][Unique System ID]ActualFileName.BlackBit". Each file is transformed into an unreadable format as it is already encrypted.
In this malicious process, the ransomware alters the original file names by appending "BlackBit" at the end, while also prepending the attacker's contact email address and a unique system identifier within square brackets as a means of identification for communication and decryption purposes.
Figure 59: Encrypted files with the BlackBit extension and contact email appended
This naming scheme ensures that the attacker can differentiate between various infected systems and provides a straightforward way for the victims to initiate contact for further instructions on the ransom payment and potential file decryption.
Once the ransomware initiates its encryption process, it employs a multi-threaded approach to simultaneously encrypt files on various local drives and network shares on the compromised system. This multi-thread technique allows the ransomware to encrypt numerous files in parallel, speeding up the encryption process.
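The renaming scheme above is regular enough to parse, which is useful during scoping: the system ID says how many distinct hosts a pile of recovered files came from, and the original extension says what was hit. The following is an added example for this write-up, not code from the original post or from Netbytesec. The file names are constructed; the contact address is the reserved placeholder attacker@example.com rather than the operator's real one, and the system IDs are invented. It also shows the two ransom-note artifacts dropped by the malware being kept apart from encrypted files, since info.Blackbit carries the extension without the bracket prefix.

```python
"""Parser for the BlackBit file-renaming scheme described above:
    [contact email][Unique System ID]OriginalName.BlackBit

Added example for this write-up, not code from the original post or from Netbytesec.
Sample names are constructed; attacker@example.com is a placeholder address.
"""
import re
from collections import defaultdict

ENCRYPTED_NAME = re.compile(
    r"^\[(?P<email>[^\]]+)\]"        # attacker contact address in the first bracket pair
    r"\[(?P<system_id>[^\]]+)\]"     # per-victim identifier in the second
    r"(?P<original>.+)\.blackbit$",  # original name (may itself contain brackets), then the extension
    re.IGNORECASE,
)

SAMPLE_NAMES = [
    "[attacker@example.com][A1B2C3D4]Q3-budget.xlsx.BlackBit",
    "[attacker@example.com][A1B2C3D4]contract[final].docx.BlackBit",  # brackets inside the original name
    "[attacker@example.com][A1B2C3D4]notes.BlackBit",                 # original had no extension
    "[attacker@example.com][E5F6A7B8]photo.jpg.blackbit",             # second host, lower-case extension
    "Restore-My-Files.txt",  # ransom note, not an encrypted file
    "info.Blackbit",         # HTA ransom note: carries the extension but not the bracket prefix
]


def parse_encrypted_name(name):
    """Return the parts of an encrypted file name, or None if the name does not follow the scheme."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    original = m.group("original")
    _stem, dot, ext = original.rpartition(".")
    return {
        "email": m.group("email"),
        "system_id": m.group("system_id"),
        "original": original,
        "original_ext": ext.lower() if dot else "",
    }


def summarize(names):
    """Group encrypted names by system ID; return (per-host summary, names that did not parse)."""
    per_host = defaultdict(lambda: {"count": 0, "extensions": set(), "emails": set()})
    unmatched = []
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed is None:
            unmatched.append(name)
            continue
        host = per_host[parsed["system_id"]]
        host["count"] += 1
        host["extensions"].add(parsed["original_ext"])
        host["emails"].add(parsed["email"])
    summary = {sid: {"count": h["count"], "extensions": sorted(h["extensions"]), "emails": sorted(h["emails"])}
               for sid, h in per_host.items()}
    return summary, unmatched


if __name__ == "__main__":
    summary, unmatched = summarize(SAMPLE_NAMES)
    for sid, info in summary.items():
        print(f"system {sid}: {info['count']} files, extensions {info['extensions']}, contact {info['emails']}")
    print("not encrypted files:", unmatched)
```

Because the original name is recovered intact, the same parser can drive a rename-back step once files have been decrypted or restored from backup; the per-host summary is also a quick check that every system ID seen in a share maps to a host already in the incident scope.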
C2 communication
The malware sends a POST request containing information such as the unique ID, disk size, affiliate username, CPU name, RAM size, and OS name to the URL path /api/index.php on the command-and-control (C2) server hosted at the domain application-api.xyz.
Figure 60: POST request made by the ransomware containing information about the compromised host
Ransom message on the login screen
Furthermore, the ransomware deploys a custom ransom message directly onto the logon screen. This means that as soon as the user attempts to log in to their system, they are immediately confronted with the ransom message.
Figure 61: The ransomware tries to modify the registry to change the user logon notice
Figure 62: Ransom note on the logon screen
Change volume label
In addition to its encryption activities, the ransomware alters the label of the infected drives, replacing it with "Locked by Blackbit".
Figure 63: The label of the drive has been changed
Change wallpaper
In addition to its other malicious activities, the ransomware changes the compromised host's desktop wallpaper, replacing it with its own custom wallpaper. This new wallpaper prominently displays a ransom message stating that the victim's files have been encrypted.
The figure below shows the altered wallpaper. The code function responsible for the wallpaper change is also shown in dnSpy below.
Figure 64: Wallpaper has been changed
Conclusion
In conclusion, the BlackBit ransomware poses a significant threat to organizations and individuals, leveraging brute-force attacks against public-facing RDP to gain initial access. By exploiting weak credentials, the threat actors infiltrate the target system and deploy the ransomware. Once executed, the ransomware runs its malicious payload, including establishing persistence, disabling Task Manager, terminating processes and services, deleting shadow copies and backups, disabling the firewall, and encrypting all files on the system to make them inaccessible and unreadable. The attackers strategically place ransom notes within the compromised system, pressuring the victim to comply with their demands in order to recover their encrypted data.
Preventive actions, such as implementing strong access controls, keeping regular offline data backups, and not exposing RDP or vulnerable services to the public, are crucial in mitigating the impact of ransomware and protecting critical data from falling into the hands of cybercriminals.
First responders should take the following actions when dealing with a ransomware incident:
- Isolate the infected system from the network to prevent spreading to other connected devices and shares.
- Preserve evidence that may be important for investigations.
- Alert and notify the IT security team or IR team.
- Evaluate the availability and integrity of backup files. If possible, restore encrypted files from backups to minimize data loss and avoid paying the ransom.
- Perform a post-incident analysis to understand how the ransomware gained access, what weaknesses were exploited, and how the response could be improved in the future.
IOCs
- MD5:
- 2931fae146c3944c277538970a4fdeca - svchost.exe and winlogon.exe
- Domain:
- application-api.xyz - C2 Communication
- IP Address:
- 87.251.75.145 - Bruteforce RDP
- 162.55.243.124 - Successful login RDP
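The IOC list above only pays off once it is swept across telemetry, and the three indicator types need different matching rules: hashes are case-insensitive, a domain should match itself and any subdomain but not an unrelated name that merely ends in the same letters, and the C2 URL path from the C2 communication section is only meaningful together with the domain. The following is an added example for this write-up, not code from the original post or from Netbytesec; the indicators are the ones listed above, and the log records it runs over are constructed.

```python
"""Sweep of mixed log records against the IOCs listed above.

Added example for this write-up, not code from the original post or from Netbytesec.
The indicators are the ones in the IOC section; the records below are constructed.
"""

IOCS = {
    "md5": {"2931fae146c3944c277538970a4fdeca": "svchost.exe / winlogon.exe dropper"},
    "domain": {"application-api.xyz": "C2 communication"},
    "ip": {"87.251.75.145": "brute-force RDP source", "162.55.243.124": "successful RDP logon"},
}
C2_PATH = "/api/index.php"  # POST target on the C2 domain, per the write-up

SAMPLE_RECORDS = [
    {"type": "auth", "src_ip": "87.251.75.145", "user": "Administrator", "result": "success"},
    {"type": "dns", "client": "10.0.0.23", "query": "APPLICATION-API.xyz."},              # trailing dot, upper case
    {"type": "dns", "client": "10.0.0.23", "query": "cdn.application-api.xyz."},          # subdomain of the IOC
    {"type": "dns", "client": "10.0.0.42", "query": "application-api.xyz.example.com."},  # lookalike, unrelated
    {"type": "http", "client": "10.0.0.23", "method": "POST", "host": "application-api.xyz", "uri": "/api/index.php"},
    {"type": "http", "client": "10.0.0.42", "method": "POST", "host": "intranet.example.com", "uri": "/api/index.php"},
    {"type": "file", "host": "WS-23", "path": r"C:\Users\Microsoft\Desktop\svchost.exe", "md5": "2931FAE146C3944C277538970A4FDECA"},
    {"type": "file", "host": "WS-42", "path": r"C:\Windows\System32\svchost.exe", "md5": "00000000000000000000000000000000"},
]


def normalize_domain(name):
    return name.strip().lower().rstrip(".")


def domain_matches(candidate, ioc):
    """True if candidate is the IOC domain or a subdomain of it; suffix lookalikes do not match."""
    candidate, ioc = normalize_domain(candidate), normalize_domain(ioc)
    return candidate == ioc or candidate.endswith("." + ioc)


def sweep(records, iocs=IOCS):
    """Return one hit per matching record with the indicator, its meaning and a note."""
    hits = []
    for i, r in enumerate(records):
        if r["type"] == "auth" and r.get("src_ip") in iocs["ip"]:
            hits.append({"record": i, "indicator": r["src_ip"], "meaning": iocs["ip"][r["src_ip"]], "note": "source IP"})
        elif r["type"] == "dns":
            for dom, meaning in iocs["domain"].items():
                if domain_matches(r["query"], dom):
                    hits.append({"record": i, "indicator": dom, "meaning": meaning, "note": "DNS lookup"})
        elif r["type"] == "http":
            for dom, meaning in iocs["domain"].items():
                if domain_matches(r["host"], dom):
                    beacon = r.get("method") == "POST" and r.get("uri") == C2_PATH
                    hits.append({"record": i, "indicator": dom, "meaning": meaning,
                                 "note": "C2 check-in POST" if beacon else "HTTP to C2 domain"})
        elif r["type"] == "file" and r.get("md5", "").lower() in iocs["md5"]:
            digest = r["md5"].lower()
            hits.append({"record": i, "indicator": digest, "meaning": iocs["md5"][digest], "note": r["path"]})
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_RECORDS):
        print(f"record {hit['record']}: {hit['indicator']} ({hit['meaning']}) - {hit['note']}")
```

The lookalike DNS record and the POST to /api/index.php on an unrelated intranet host are deliberately left in the sample: a naive substring match on the domain, or a match on the URL path alone, would report both as C2 activity.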
TTPs
- T1110 - Brute Force
- T1015 - Sticky Keys
- T1136 - Create Account
- T1059.001 - Command-Line Interface
- T1059.005 - Scheduled Task/Job
- T1547.001 - Boot or Logon Autostart Execution
- T1548.002 - Bypass User Account Control (UAC)
- T1562.001 - Disable or Modify Tools
- T1489 - Service Stop
- T1490 - Inhibit System Recovery
- T1562.002 - Disable or Modify System Firewall
- T1071.001 - Web Protocols
- T1486 - Data Encrypted for Impact