Lockbit 3.0 Ransomware Attack Demo


This video demonstrates how the Juniper SRX Series Firewall can identify Lockbit 3.0 Ransomware and isolate an infected host in a ransomware attack.


You’ll learn

  • How the Juniper SRX firewall can identify Lockbit 3.0

  • How to isolate an infected host

Who is this for?

  • Security Professionals

  • Network Professionals

Transcript

0:02 This demonstration shows how the Juniper SRX firewall can identify LockBit 3.0 ransomware and isolate an infected host in the context of a ransomware attack.

0:13 In 2022 the LockBit ransomware gang was among the most prevalent ransomware to strike businesses. They were responsible for high-profile cyber attacks, including on government organizations.

0:25 On September 21st, 2022, someone on Twitter claimed that they were able to hack LockBit servers and get hold of the builder.

0:33 A public spokesperson of the LockBit gang, though, disputed the hack; instead, a disgruntled developer leaked the private ransomware builder.

0:43 The LockBit 3.0 operation began in June 2022 and is still infecting businesses to date.

0:54 We'll demonstrate how this attack operates and encrypts files. We will create the ransomware using the builder and host it on the HTTP server. PowerShell will then be used to launch the attack on a Windows client.

1:07 The compromised builder consists of builder.exe and the configuration file, which may be edited to define various parameters such as the encryption mode, the processes and services to stop, and the files and directories not to encrypt.

1:26 When you click on build.bat, the ransomware files lb3.exe and lb3_pass.exe will be created in the build folder. There's also the decryptor. A password is necessary for lb3_pass.exe to infect the system; they use this as one method of evading sandboxes.

2:08 In the next section we'll infect the Windows computer. Some documents can be seen on the desktop to show that LockBit encrypts these files.

2:16 Wireshark is launched in order to monitor the HTTP downloads.

2:21 Using PowerShell and the command prompt, we launch the attack. As you can see, it downloads lb3.exe and lbb.txt, the PowerShell script.

2:32 The files on the desktop are now encrypted after a little delay. The encrypted file icons were also modified by the ransomware. You can see that the files are rather heavily encrypted if you open them in a text editor.

2:58 They also included a ransom note, readme.txt, that contains instructions on how to get in touch with the ransomware operator to have your files decrypted.

3:14 In the following we will simulate the attack with the SRX involved, to show how the SRX firewall will be able to detect this attack.

3:22 The following diagram shows you the components used in this demonstration. An SRX client is involved; attached to it are several Windows hosts. An Ubuntu machine is also attached to it, which will act as the malware server.

3:37 A Security Director Junos Space is also included, which will be used to manage our SRX and policies. We will use the Windows client PC1 to launch the attack.

3:49 From our jump station we log into Security Director, which we'll use to manage our SRX and our policies.

3:58 We will go to Configure, Threat Prevention and then Policies.

4:06 As you can see, it's configured to block infected hosts at threat level 8 to 10.

4:29 For HTTP downloads it is configured to block at a threat score level of 7 to 10.

4:39 Using RDP we're connecting to one of the Windows clients that we're going to infect. Before we begin we want to make sure that this client has internet connectivity.

4:55 Next, using the command line, we execute the attack. In the background you can see Wireshark and the files being downloaded from the HTTP server.

5:21 If we go back to Security Director we can see that it has detected the ransomware, lb3.exe and lb3_pass.exe.

5:32 We can click on the file to see more details about the specific download.

5:40 Under the behavioral analysis we can see the behaviors that have been seen.

5:46 It is important to note that this malware was detected proactively using the machine learning model engine.

6:00 If we look at the host, it was scored at threat level 9, and it shows that this was because of a downloaded malicious file.

6:08 Since our SRX is configured to block hosts at threat level 8 through 10, it will disconnect this host from the network.

6:24 Since this host is disconnected from the network, we're not able to ping this machine or connect to it via RDP.

7:09 Once the machine is cleaned and is no longer infected, we can go back to Security Director to get this machine back on the network. In order to do this we change the investigation status back to "resolved and fixed", which will put the machine back on the network.

7:38 As you can see, we can once again ping the machine and connect to it.

7:56 The Windows client is now connected back to the network and has internet connectivity once again.
