Attack Flow Steps:
- Blue Locker ransomware is commonly spread through targeted emails that impersonate a legitimate business or service and include a malicious attachment or link.
- The malware relies on social engineering to convince the target to trigger its execution by opening the malicious attachment or link.
- The payload is malicious software designed to encrypt files on infected systems and demand a ransom payment in exchange for the decryption key.
- A PowerShell-based loader is used to disable security defenses, escalate privileges, and load the ransomware payload.
- The ransomware inserts itself into HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run to achieve persistence and execute after a system reboot.
- Modifies system services for persistence and privilege escalation.
- Bypasses UAC via registry manipulation, elevating privileges without user consent.
- Implements obfuscation and deobfuscation to evade detection by security tools and analysts.
- Timestomping is used to alter file timestamps, making the malware's activity harder to spot during forensic analysis.
- Disables UAC to avoid detection and remain persistent without being interrupted by security controls.
- Deletes backup snapshots that could otherwise be used to restore files.
- Performs registry queries to gather system configuration and installed-software information.
- Enumerates running processes to identify which processes to target for exploitation or injection.
- Discovers user accounts for credential harvesting or lateral movement across systems.
- Detects virtualized or sandboxed environments to avoid detection during dynamic analysis.
- Explores file and directory structures to find valuable files for encryption or exfiltration.
- Stages collected data in temporary or known directories before exfiltration or further exploitation.
- Uses raw input capture to steal user credentials or session data during active sessions.
- Inhibits system recovery by disabling or deleting backup systems, ensuring that victims cannot restore their encrypted files.
- Stops system services to ensure the encryption process is not interrupted and to maximize the damage.
- Blue Locker ransomware uses a combination of AES and RSA encryption algorithms to lock files and appends the .Blue extension to encrypted files.
- Major enterprise in Pakistan's oil and gas sector that was severely impacted by the Blue Locker ransomware attack.
- 39 key ministries and institutions, including the Cabinet Division, the ministries of Interior, Foreign Affairs, and Finance, and other critical government bodies.
- Ransom note dropped by Blue Locker ransomware on the victim's desktop and in every directory where files were encrypted.
- Protonmail email address used by the attackers for anonymous, secure communication with victims.
- Jabber IM account used by the attackers for anonymous, secure communication with victims.
MITRE ATT&CK Techniques:
- T1566
- T1204
- T1547.001
- T1543
- T1548.002
- T1140
- T1070.006
- T1562.001
- T1012
- T1057
- T1087
- T1497
- T1083
- T1074
- T1056
- T1490
- T1489
- T1486