Case of Infection With Lockis Ransomware in a Company, Caused by Not Using Anti-Malware’s Lock Policy

Around November, one of AhnLab’s clients suffered an infection from the Lockis ransomware to several of their servers. As the targeted company suffered a malware infection despite the fact it was using the anti-malware program V3, AhnLab A-FIRST conducted a forensic analysis to find out the cause of infection. 

As stated in “ASEC Blog: Hacking Tool Used Together With Lockis Ransomware,” the Lockis ransomware is a variant of the GlobeImposter ransomware that first appeared on September 16th.

AhnLab has been detecting and blocking GlobeImposter-type of ransomware using the alias ‘Trojan/Win32.FileCoder’ since May 2018 and was capable of detecting and blocking the Lockis ransomware that made appearance on September 16th. 

The attack flow of the attacker discovered in the infected system is as follows: 

  • 1. RDP access (local Administrator account)
  • 2. Uninstall anti-malware program
    • V3 Uninstall 
  • 3. Copy hacking tool and ransomware
    • ProcessHacker.exee
    • Netscan.Chs.exe
    • dControl.exe
    • lockisdog.exe
  • 4. Run hacking tool and ransomware
    • Run dControl.exe
    • Run Netscan.Chs.exe
    • Run ProcessHacker.exe
    • Run lockisdog.exe (ransomware)

In order to bypass the security features of OS and avoid being detected and blocked by security software, the attacker uninstalled the anti-malware program V3 and disabled Windows Defender before running the ransomware and used ProcessHacker to terminate the impeditive processes. 

In other words, ransomware was run after thorough preparation so that the ransomware could run successfully.

The primary reason why this method of attack was possible is that the attacker was able to GUI control the system via admin privilege after RDP accessing with the administrator account. The secondary reason would be the fact that security software can be deleted arbitrarily. As the user with admin privilege is an administrator who can perform nearly everything in the system, the attacker can easily uninstall anti- malware program.

It is thus advised that in a corporate environment, users should not have privilege to uninstall security software and change such software so that the security features installed or set in the IT infrastructure cannot be disabled.

AhnLab APC provides the ‘Lock Settings’ feature to restrict configuration and deletion of V3 software, but unfortunately, the targeted company was not using the lock policy. 

Figure. Lock settings applied in AhnLab APC

Conclusion

  • The reason why the company was not protected by the anti-malware program even though that it was in use is that the ‘lock settings’ of the anti-malware were not applied.
  • Corporate security managers should enable the provided lock feature to prevent the deletion and changes to the settings of the security program applied to the company. 

[File Detection]

  • Trojan/Win32.FileCoder
  • HackTool/Win.NetScan
  • HackTool/Win.Disabler
  • Trojan/BAT.Delete

[IOC Info]

  • 58c8c8c3038a5fbca2202248a1101da0
  • 48755f2d10f7ff1050fbd081f630aaa3
  • 230c143d283842061b14967d4df972d0
  • 0a50081a6cd37aea0945c91de91c5d97
  • 116e1e7a0c8d3ff9175b87927d188835

Related Blog Posts

Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password
Lockis 랜섬웨어와 함께 사용된 해킹 툴

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Case of Infection With Lockis Ransomware in a Company, Caused by Not Using Anti-Malware’s Lock Policy appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/30427/