Attack Flow Steps:

: Blue Locker ransomware is commonly spread through targeted emails that appear legitimate, pretending to be a legitimate business or service, and includes an attachment or a malicious link. : Malware uses social engineering techniques to convince the target to trigger the malware's execution after opening malicious attachments or links. : Malicious software designed to encrypt files on infected systems and demand ransom payments in exchange for the decryption key. : PowerShell-based loader used to disable security defenses, escalate privileges, and load ransomware payload. : The ransomware inserts itself into KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run to achieve persistence and execute after system reboot. : Modifies system services for persistence and privilege escalation. : Bypasses UAC via registry manipulation, elevating privileges without user consent. : Implements obfuscation and deobfuscation to evade detection by security tools and analysts. : Timestomping technique is used to alter file timestamps, making it difficult to detect during forensic analysis. : Disables UAC to avoid detection and remain persistent without being interrupted by security controls. : Used to delete backup snapshots that could help restore files. : Performs registry queries to gather system configuration and installed software information. : Enumerates running processes to identify which processes to target for exploitation or injection. : Discovers user accounts for credential harvesting or lateral movement across systems. : Detects virtualized or sandboxed environments to avoid detection during dynamic analysis. : Explores file and directory structures to find valuable files for encryption or exfiltration. : Prepares collected data in temporary or known directories before exfiltration or further exploitation. : Uses raw input capture to steal user credentials or session data during active sessions. : Inhibits system recovery by disabling or deleting backup systems, ensuring that victims cannot restore their encrypted files. : Stops system services to ensure the encryption process is not interrupted and maximizes the damage. : Blue Locker ransomware uses a combination of AES and RSA encryption algorithms to lock files and appends .Blue extension to encrypted files. : Major enterprise in Pakistan's oil and gas sector that was severely impacted by the Blue Locker ransomware attack. : 39 key ministries and institutions including Cabinet Division, ministries of Interior, Foreign Affairs, Finance, and other critical government bodies. : Ransom note dropped by Blue Locker ransomware on victim's desktop and in directories where files were encrypted. : Protonmail email address used by attackers for anonymous secure communications with victims. : Jabber IM account used by attackers for anonymous secure communications with victims

MITRE ATT&CK Techniques:

T1566

T1204

T1547.001

T1543

T1548.002

T1140

T1070.006

T1562.001

T1012

T1057

T1087

T1497

T1083

T1074

T1056

T1490

T1489

T1486

Back to Gallery

Blue Locker Ransomware

Anonymous

3 months ago

182 views

26 nodes

This flow details the Blue Locker ransomware campaign targeting Pakistan's oil and gas sector through phishing emails with malicious attachments. The attack employs a PowerShell-based loader to establish persistence via registry modification, escalate privileges by bypassing UAC, and evade detection through obfuscation and timestomping techniques. The ransomware ultimately encrypts victim files with a '.Blue' extension after deleting system backups using WMIC commands.

React Flow