YARA rules for LockBit Operators

61 rules · scoped to actor
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.

YARA rules

direct Trojan
MAL_Trojan_DLL_Nov23
Detects a trojan DLL that installs other components - was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966
author: X__Junior · license: see source repo
rule MAL_Trojan_DLL_Nov23 {
   meta:
      author = "X__Junior"
      description = "Detects a trojan DLL that installs other components - was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966"
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      date = "2023-11-23"
      hash1 = "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068"
      score = 80
      id = "1dd87d0a-2b8b-5386-8fdd-40d184c731a4"
   strings:
      $op1 = { C7 84 24 ?? ?? ?? ?? 52 70 63 53 C7 84 24 ?? ?? ?? ?? 74 72 69 6E C7 84 24 ?? ?? ?? ?? 67 42 69 6E C7 84 24 ?? ?? ?? ?? 64 69 6E 67 C7 84 24 ?? ?? ?? ?? 43 6F 6D 70 C7 84 24 ?? ?? ?? ?? 6F 73 65 41 C7 84 24 ?? ?? ?? ?? 00 40 01 01 }
      $op2 = { C7 84 24 ?? ?? ?? ?? 6C 73 61 73 C7 84 24 ?? ?? ?? ?? 73 70 69 72 66 C7 84 24 ?? ?? 00 00 70 63 }
      $op3 = { C7 84 24 ?? ?? ?? ?? 4E 64 72 43 C7 84 24 ?? ?? ?? ?? 6C 69 65 6E C7 84 24 ?? ?? ?? ?? 74 43 61 6C C7 84 24 ?? ?? ?? ?? 6C 33 00 8D }
   condition:
      uint16(0) == 0x5a4d and all of them
}
direct DLL
MAL_DLL_Stealer_Nov23
Detects a DLL that steals authentication credentials - was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966
author: X__Junior · license: see source repo
rule MAL_DLL_Stealer_Nov23 {
   meta:
      author = "X__Junior"
      description = "Detects a DLL that steals authentication credentials - was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966"
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      date = "2023-11-23"
      hash1 = "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994"
      score = 80
      id = "9cfed8ec-1d04-53d7-88ef-2576075cfc33"
   strings:
      $op1 = { C7 45 ?? 4D 69 6E 69 C7 45 ?? 44 75 6D 70 C7 45 ?? 57 72 69 74 C7 45 ?? 65 44 75 6D C7 45 ?? 70 00 27 00 C7 45 ?? 44 00 62 00 C7 45 ?? 67 00 68 00 C7 45 ?? 65 00 6C 00 C7 45 ?? 70 00 2E 00 C7 45 ?? 64 00 6C 00 C7 45 ?? 6C 00 00 00 }
   condition:
      uint16(0) == 0x5a4d and all of them
}
direct Python
MAL_Python_Backdoor_Script_Nov23
Detects a trojan (written in Python) that communicates with c2 - was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966
author: X__Junior · license: see source repo
rule MAL_Python_Backdoor_Script_Nov23 {
   meta:
      author = "X__Junior"
      description = "Detects a trojan (written in Python) that communicates with c2 - was seen being used by LockBit 3.0 affiliates exploiting CVE-2023-4966"
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      date = "2023-11-23"
      hash1 = "906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6"
      score = 80
      id = "861f9ce3-3c54-5c56-b50b-2b7536783f6e"
   strings:
      $s1 = "port = 443 if \"https\"" ascii
      $s2 = "winrm.Session basic error" ascii
      $s3 = "Windwoscmd.run_cmd(str(cmd))" ascii
   condition:
      filesize < 50KB and all of them
}
direct Lockbit
APT_RANSOM_Lockbit_ForensicArtifacts_Nov23
Detects patterns found in Lockbit TA attacks exploiting Citrixbleed vulnerability CVE 2023-4966
author: Florian Roth · license: see source repo
rule APT_RANSOM_Lockbit_ForensicArtifacts_Nov23 {
   meta:
      description = "Detects patterns found in Lockbit TA attacks exploiting Citrixbleed vulnerability CVE 2023-4966"
      author = "Florian Roth"
      date = "2023-11-22"
      score = 75
      reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      id = "04bde599-2a5b-5a33-a6f1-67d57a564946"
   strings:
      $x1 = "taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe"
      $x2 = " 1> \\\\127.0.0.1\\admin$\\__"
   condition:
      1 of ($x*)
}
direct mal
mal_lockbit4_hashing_alg_win_feb24
This rule detects the custom hashing algorithm of Lockbit4.0 unpacked
author: 0x0d4y · license: see source repo
rule mal_lockbit4_hashing_alg_win_feb24
{
    meta:
        author = "0x0d4y"
        description = "This rule detects the custom hashing algorithm of Lockbit4.0 unpacked"
        date = "2024-02-16"
        score = 100
        reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
        hash = "062311F136D83F64497FD81297360CD4"

        uuid = "e91aedba-6f70-4ca2-9217-2991cbbc6e8d"
        license = "CC BY 4.0"
        rule_matching_tlp = "TLP:WHITE"
        rule_sharing_tlp = "TLP:WHITE"
        malpedia_family = "win.lockbit"
    strings:
        $hashing_alg = { 41 89 d0 46 0f be 04 00 45 09 c0 74 ?? 45 8d 48 ?? 45 8d 50 ?? 41 80 f9 ?? 45 0f 43 d0 44 31 d1 44 8d 04 3a 45 0f af c2 41 01 c8 89 d1 31 f9 09 d2 0f 44 ca 41 0f af c8 44 01 d1 ff c2 eb ?? 49 ff c6 }
        
    condition:
        uint16(0) == 0x5a4d and
        $hashing_alg
}
direct mal
mal_lockbit4_rc4_win_feb24
Detect the implementation of RC4 Algorithm by Lockbit4.0
author: 0x0d4y · license: see source repo
rule mal_lockbit4_rc4_win_feb24
{
    meta:
        author = "0x0d4y"
        description = "Detect the implementation of RC4 Algorithm by Lockbit4.0"
        date = "2024-02-13"
        score = 100
        reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
        hash = "062311F136D83F64497FD81297360CD4"
        uuid = "4de48ced-b9fa-4286-aac4-c263ad20d67d"
        license = "CC BY 4.0"
        rule_matching_tlp = "TLP:WHITE"
        rule_sharing_tlp = "TLP:WHITE"
        malpedia_family = "win.lockbit"
    strings:
        $rc4_alg = { 48 3d 00 01 00 00 74 0c 88 84 04 ?? ?? ?? ?? 48 ff c0 eb ec 29 c9 41 b8 ?? ?? ?? ?? 4c 8d 0d 15 7b 00 00 45 31 d2 48 81 f9 00 01 00 00 74 34 44 8a 9c 0c ?? ?? ?? ?? 45 00 da 89 c8 99 41 f7 f8 46 02 14 0a 41 0f b6 c2 8a 94 04 ?? ?? ?? ?? 88 94 0c ?? ?? ?? ?? 44 88 9c 04 ?? ?? ?? ?? 48 ff c1 eb c3 29 c0 48 8b 0d 14 9e 00 00 31 d2 45 29 c0 48 3d ?? ?? ?? ?? 74 4b 41 ff c0 45 0f b6 c0 46 8a 8c 04 ?? ?? ?? ?? 44 00 ca 44 0f b6 d2 46 8a 9c 14 ?? ?? ?? ?? 46 88 9c 04 ?? ?? ?? ?? 46 88 8c 14 ?? ?? ?? ?? 46 02 8c 04 ?? ?? ?? ?? 45 0f b6 c9 46 8a 8c 0c ?? ?? ?? ?? 44 30 0c 01 48 ff c0 eb ad }
        
    condition:
        uint16(0) == 0x5a4d and
        $rc4_alg
}
direct LNX
MAL_RANSOM_LNX_macOS_LockBit_Apr23_1
Detects LockBit ransomware samples for Linux and macOS
author: Florian Roth · license: see source repo
rule MAL_RANSOM_LNX_macOS_LockBit_Apr23_1 {
   meta:
      description = "Detects LockBit ransomware samples for Linux and macOS"
      author = "Florian Roth"
      reference = "https://twitter.com/malwrhunterteam/status/1647384505550876675?s=20"
      date = "2023-04-15"
      hash1 = "0a2bffa0a30ec609d80591eef1d0994d8b37ab1f6a6bad7260d9d435067fb48e"
      hash2 = "9ebcbaf3c9e2bbce6b2331238ab584f95f7ced326ca4aba2ddcc8aa8ee964f66"
      hash3 = "a405d034c01a357a89c9988ffe8a46a165915df18fd297469b2bcaaf97578442"
      hash4 = "c9cac06c9093e9026c169adc3650b018d29c8b209e3ec511bbe34cbe1638a0d8"
      hash5 = "dc3d08480f5e18062a0643f9c4319e5c3f55a2e7e93cd8eddd5e0c02634df7cf"
      hash6 = "e77124c2e9b691dbe41d83672d3636411aaebc0aff9a300111a90017420ff096"
      hash7 = "0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde"
      hash8 = "3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79"
      score = 85
      id = "c01cb907-7d30-5487-b908-51f69ddb914c"
   strings:
      $x1 = "restore-my-files.txt" ascii fullword

      $s1 = "ntuser.dat.log" ascii fullword
      $s2 = "bootsect.bak" ascii fullword
      $s3 = "autorun.inf" ascii fullword
      $s4 = "lockbit" ascii fullword

      $xc1 = { 33 38 36 00 63 6D 64 00 61 6E 69 00 61 64 76 00 6D 73 69 00 6D 73 70 00 63 6F 6D 00 6E 6C 73 } /* extensions that get encrypted */
      $xc2 = { 6E 74 6C 64 72 00 6E 74 75 73 65 72 2E 64 61 74 2E 6C 6F 67 00 62 6F 6F 74 73 65 63 74 2E 62 61 6B } /* file name list */
      $xc3 = { 76 6D 2E 73 74 61 74 73 2E 76 6D 2E 76 5F 66 72 65 65 5F 63 6F 75 6E 74 00 61 2B 00 2F 2A } /* vm.stats + short strings */

      $op1 = { 84 e5 f0 00 f0 e7 10 40 2d e9 2e 10 a0 e3 00 40 a0 e1 ?? fe ff }
      $op2 = { 00 90 a0 e3 40 20 58 e2 3f 80 08 e2 3f 30 c2 e3 09 20 98 e1 08 20 9d }
      $op3 = { 2d e9 01 70 43 e2 07 00 13 e1 01 60 a0 e1 08 d0 4d e2 02 40 }
   condition:
      ( uint32be(0) == 0x7f454c46 or uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca )
      and ( 
         1 of ($x*)
         or 3 of them
      ) 
      or 2 of ($x*)
      or 5 of them
}
direct LockBit
MAL_RANSOM_LockBit_Apr23_1
Detects indicators found in LockBit ransomware
author: Florian Roth · license: see source repo
rule MAL_RANSOM_LockBit_Apr23_1 {
   meta:
      description = "Detects indicators found in LockBit ransomware"
      author = "Florian Roth"
      reference = "https://objective-see.org/blog/blog_0x75.html"
      date = "2023-04-17"
      score = 75
      id = "75dc8b95-16f0-5170-a7d6-fc10bb778348"
   strings:
      $xe1 = "-i '/path/to/crypt'" xor
      $xe2 = "http://lockbit" xor
      
      $s1 = "idelayinmin" ascii
      $s2 = "bVMDKmode" ascii
      $s3 = "bSelfRemove" ascii
      $s4 = "iSpotMaximum" ascii

      $fp1 = "<html"
   condition:
      (
         1 of ($x*)
         or 4 of them
      )
      and not 1 of ($fp*)
}
direct LockBit
MAL_RANSOM_LockBit_Locker_LOG_Apr23_1
Detects indicators found in LockBit ransomware log files
author: Florian Roth · license: see source repo
rule MAL_RANSOM_LockBit_Locker_LOG_Apr23_1 {
   meta:
      description = "Detects indicators found in LockBit ransomware log files"
      author = "Florian Roth"
      reference = "https://objective-see.org/blog/blog_0x75.html"
      date = "2023-04-17"
      score = 75
      id = "aa0a2393-e5a2-5151-8afb-91a9bb922179"
   strings:
      $s1 = " is encrypted. Checksum after encryption "
      $s2 = "~~~~~Hardware~~~~"
      $s3 = "[+] Add directory to encrypt:"
      $s4 = "][+] Launch parameters: "
   condition:
      2 of them
}
direct LockBit
MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1
Detects forensic artifacts found in LockBit intrusions
author: Florian Roth · license: see source repo
rule MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1 {
   meta:
      description = "Detects forensic artifacts found in LockBit intrusions"
      author = "Florian Roth"
      reference = "https://objective-see.org/blog/blog_0x75.html"
      date = "2023-04-17"
      score = 75
      id = "e716030c-ee78-51dc-919c-cf59e93da976"
   strings:
      $x1 = "/tmp/locker.log" ascii fullword
      $x2 = "Executable=LockBit/locker_" ascii
      /* Tor Browser Links:\x0d\x0ahttp://lockbit */
      $xc1 = { 54 6F 72 20 42 72 6F 77 73 65 72 20 4C 69 6E 6B 73 3A 0D 0A 68 74 74 70 3A 2F 2F 6C 6F 63 6B 62 69 74 }
   condition:
      1 of ($x*)
}
direct mal
mal_lockbit4_packed_feb24
Detect the packer used by Lockbit4.0
author: 0x0d4y · license: see source repo
rule mal_lockbit4_packed_feb24
{
    meta:
        author = "0x0d4y"
        description = "Detect the packer used by Lockbit4.0"
        date = "2024-02-16"
        score = 100
        reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
        hash = "15796971D60F9D71AD162060F0F76A02"
        uuid = "3c2b2806-9dce-4dce-a7ca-89ebc9005695"
        license = "CC BY 4.0"
        rule_matching_tlp = "TLP:WHITE"
        rule_sharing_tlp = "TLP:WHITE"
        malpedia_family = "win.lockbit"
    strings:
        $unpacking_loop_64b = { 8b 1e 48 83 ee fc 11 db 8a 16 72 e5 8d 41 01 41 ff d3 11 c0 01 db 75 0a }
        $jump_to_unpacked_code_64b = { 48 8b 2d 16 0f ?? ?? 48 8d be 00 f0 ?? ?? bb 00 ?? ?? ?? 50 49 89 e1 41 b8 04 ?? ?? ?? 53 5a 90 57 59 90 48 83 ec ?? ff d5 48 8d 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 4c 8d 4c 24 ?? 4d 8b 01 53 90 5a 90 57 59 ff d5 48 83 c4 ?? 5d 5f 5e 5b 48 8d 44 24 ?? 6a ?? 48 39 c4 75 f9 48 83 ec ?? e9 }
        $unpacking_loop_32b = { 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 EE ?? 11 DB 72 ?? 9C 29 C0 40 9D 01 DB 75 ?? 8B 1E 83 EE ?? 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE ?? 11 DB 73 }
        $jump_to_unpacked_code_32b = { 8b ae ?? ?? ?? ?? 8d be 00 f0 ?? ?? bb 00 ?? ?? ?? 50 54 6a 04 53 57 ff d5 8d 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 ff d5 58 8d 9e 00 f0 ?? ?? 8d bb ?? ?? ?? ?? 57 31 c0 aa 59 49 50 6a 01 53 ff d1 61 8d 44 24 ?? 6a ?? 39 c4 75 fa 83 ec ?? e9 }

    condition:
        uint16(0) == 0x5a4d and
        1 of ($jump_to_unpacked_code_*) and
        1 of ($unpacking_loop_*)
}
Showing rules 51-61 of 61.
threatengine.sh · Open-source threat intelligence platform