Lockbit 3.0 Ransomware Attack Demo
This video demonstrates how the Juniper SRX Series Firewall can identify Lockbit 3.0 Ransomware and isolate an infected host in a ransomware attack.
You’ll learn
How the Juniper SRX firewall can identify Lockbit 3.0
How to isolate an infected host
Transcript
0:02 this demonstration shows how the Juniper
0:05 SRX firewall can identify LockBit 3.0
0:08 ransomware and isolate an infected host
0:10 in the context of a ransomware attack in
0:13 2022 the LockBit ransomware gang was among
0:16 the most prevalent ransomware to strike
0:18 businesses they were responsible for
0:20 high-profile cyber attacks including
0:23 government organizations
0:25 on September 21st 2022 someone on
0:28 Twitter claimed that they were able to
0:30 hack LockBit servers and get a hold of
0:32 the Builder
0:33 a public spokesperson of the LockBit gang
0:36 though disputed the hack
0:38 instead a disgruntled developer leaked
0:41 the private ransomware Builder
0:43 the LockBit 3.0 operation began in June
0:46 2022 and is still infecting businesses
0:48 to date
0:54 we'll demonstrate how this attack
0:56 operates and encrypts files we will
0:59 create the ransomware using the Builder
1:01 and host it on the HTTP server
1:03 PowerShell will then be used to launch
1:05 the attack on a Windows client
1:07 the compromised Builder consists of
1:09 builder.exe and the configuration file
1:12 that may be edited to define various
1:14 parameters such as encryption mode the
1:17 processes the services to stop and the
1:19 files and directories not to encrypt
1:26 when you click on build.bat the
1:29 ransomware files lb3.exe and
1:32 lb3_pass.exe will be created in the build
1:35 folder there's also the decryptor a
1:38 password is necessary for the
1:40 lb3_pass.exe to infect the system
1:43 they use this as one method of evading
1:46 sandboxes
2:08 in the next section we'll infect the
2:10 Windows computer some documents can be
2:12 seen on the desktop to show that LockBit
2:14 encrypts these files
2:16 Wireshark is launched in order to
2:18 monitor the HTTP downloads
2:21 using PowerShell and the command prompt
2:23 we launched the attack
2:25 as you can see it downloads lb3.exe and
2:29 lbb.txt the PowerShell script
2:32 the files on the desktop are now
2:34 encrypted after a little delay
2:37 the encrypted file icons were also
2:40 Modified by the ransomware
2:41 you can see that the files are rather
2:44 heavily encrypted if you open them in a
2:46 text editor
2:58 they also included a ransom note
3:00 readme.txt that contains instructions on
3:03 how to get in touch with the ransomware
3:05 operator to have your files decrypted
3:14 in the following we will simulate the
3:16 attack with the SRX involved to show how
3:19 the SRX firewall will be able to detect
3:21 this attack
3:22 the following diagram shows you the
3:24 components used in this demonstration an
3:27 SRX client is involved attached to it
3:30 are several Windows hosts an Ubuntu
3:32 machine is also attached to it which
3:35 will act as the malware server
3:37 a Security Director Junos Space is also
3:40 included which will be used to manage
3:42 our SRX and policies we will use the
3:45 Windows client PC1 to launch the attack
3:49 from our jump station we log into the
3:51 Security Director which we'll use to
3:53 manage our SRX and our policies
3:58 we will go to Configure, Threat
4:01 Prevention and then Policies
4:06 as you can see it's configured to block
4:09 infected hosts at threat level 8 to 10.
4:29 for HTTP downloads it is configured to
4:32 block at a threat score level 7 to 10.
4:39 using RDP we're connecting to one of the
4:42 Windows clients that we're going to
4:43 infect before we begin we want to make
4:46 sure that this client has internet
4:48 connectivity
4:55 next using the command line we execute
4:58 the attack in the background you can see
5:00 Wireshark and the files being downloaded
5:03 from the HTTP server
5:21 if we go back to Security Director we
5:24 can see that it has detected the
5:26 ransomware
5:27 lb3.exe and lb3_pass.exe
5:32 we can click on the file to see more
5:34 details about the specific download
5:40 under the behavioral analysis we can see
5:43 the behaviors that have been seen
5:46 it is important to note that this
5:48 malware was detected proactively using
5:50 the machine learning model engine
6:00 if we look at the host it was scored at
6:02 threat level 9 and it shows that this
6:05 was because of a downloaded malicious
6:07 file
6:08 since our SRX is configured to block
6:10 hosts at threat level 8 through 10 it
6:13 will disconnect this host from the
6:15 network
6:24 since this host is disconnected from the
6:26 network we're not able to ping this
6:29 machine or connect to it via RDP
7:09 once the machine is cleaned and is no
7:12 longer infected we can go back to
7:14 Security Director to get this machine
7:16 back on the network in order to do this
7:19 we change the investigation status back
7:22 to Resolved and Fixed which will put the
7:25 machine back on the network
7:38 as you can see we can once again ping
7:41 the machine and connect to it
7:56 the Windows client is now connected back
7:59 to the network and has internet
8:00 connectivity once again