AhnLab A-FIRST conducted a forensic analysis of the damaged system infected with Lockis ransomware around November.
Lockis ransomware is a variant of GlobeImposter ransomware that the Russian attack group TA505 uses, and it first appeared on September 16th. The number of variants of the GlobeImposter ransomware has constantly been increasing since its first appearance in February 2017, and a total of 192 variants have been discovered so far. The attacker is known to use attack techniques such as sending malicious spam emails, exploits, and RDP access for ransomware infection.
Lockis is ransomware that encrypts files and changes the extension to ‘.lockis’, and it is currently being distributed under the filename of ‘lockisdog.exe’.
The attacker in this case used the admin account to RDP access the victim’s system and ran lockisdog.exe, the Lockis ransomware, which was confirmed to have used several utilities for hacking.
- ProcessHacker.exe 48755f2d10f7ff1050fbd081f630aaa3
- Netscan.Chs.exe 230c143d283842061b14967d4df972d0
- dControl.exe 0a50081a6cd37aea0945c91de91c5d97
ProcessHacker.exe is a process control program that provides various features such as process monitoring, process termination, and process execution with system privilege. The attacker can use this tool for the purpose of bypassing security software. The Russian version of ProcessHacker.exe was found in the system infected with Lockis ransomware.
Netscan is a commercial network scanner program from SoftPerfect. As the scanning of various protocols is possible using designated account credentials, the attacker can figure out the components of the network, which can be used to search for attack targets. The Chinese version of Netscan was discovered in the system infected with Lockis ransomware.
dControl.exe is a Windows Defender control utility from Sordum, which provides the feature to conveniently turn on or off Windows Defender.
Such tools are utilities for managing systems and networks, but they can also be used in attacks such as for bypassing security products and lateral movements after the attacker successfully hacks the internal systems. AhnLab detects and blocks such types of tools as HackTool. When there is a detection history of such HackTool, users should be suspicious of a breach and find out what exactly this tool is if it is not a tool that the internal employees use for work.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.