Sean Gallagher, a senior threat researcher at security firm Sophos, said in a detailed blog post that the attackers behind LockBit were calling scripts from a remote Google document using renamed copies of the PowerShell executable to evade detection in a bid to create a persistent backdoor.
The scripts also tried to bypass the built-in anti-malware interface on Windows 10 by patching it directly in memory, a technique that has been given the name PSRename.
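A defender-side illustration of the renamed-PowerShell evasion described above, added here as an example and not taken from the Sophos report: it scans constructed process-creation records (Sysmon-style Image, OriginalFileName and CommandLine fields, with the field names and the PowerShell.EXE original-name value assumed) and flags a PowerShell binary that has been renamed or runs from an unexpected directory, plus command lines that reference a Google Docs document.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events, tab-separated so that pipes inside command lines
# survive. Field names follow Sysmon Event ID 1 (assumption: not real telemetry).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tOriginalFileName=PowerShell.EXE"
    "\tCommandLine=powershell.exe -File C:\\scripts\\nightly-backup.ps1",
    "Image=C:\\Users\\Public\\svchost.exe"
    "\tOriginalFileName=PowerShell.EXE"
    "\tCommandLine=svchost.exe -nop -w hidden -File C:\\Users\\Public\\stage.ps1",
    "Image=C:\\Windows\\System32\\svchost.exe"
    "\tOriginalFileName=svchost.exe"
    "\tCommandLine=svchost.exe -k netsvcs",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tOriginalFileName=PowerShell.EXE"
    "\tCommandLine=powershell.exe -c \"$u='https://docs.google.com/document/d/EXAMPLE-ID/export'\"",
]

# Directories where Windows PowerShell is expected to live (assumption).
EXPECTED_DIRS = {
    "c:\\windows\\system32\\windowspowershell\\v1.0",
    "c:\\windows\\syswow64\\windowspowershell\\v1.0",
}

def parse_event(line):
    """Split a tab-separated Key=Value record into a dict (split on first '=')."""
    return dict(field.split("=", 1) for field in line.split("\t"))

def suspicious_reasons(event):
    """Return the list of reasons an event looks like the PSRename pattern."""
    reasons = []
    image = PureWindowsPath(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    if original == "powershell.exe":  # PE header says it is PowerShell...
        if image.name.lower() != "powershell.exe":  # ...but it was renamed on disk
            reasons.append(f"renamed PowerShell binary: {image.name}")
        if str(image.parent).lower() not in EXPECTED_DIRS:
            reasons.append(f"PowerShell run from unexpected directory: {image.parent}")
    if re.search(r"docs\.google\.com/document/", cmd, re.IGNORECASE):
        reasons.append("command line references a Google Docs document")
    return reasons

def scan(lines):
    """Return (Image, reasons) for every event that triggers at least one reason."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = suspicious_reasons(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```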
"Based on some artifacts, we believe some components of the attack were based on PowerShell Empire, the PowerShell-based penetration testing post-exploitation tool," Gallagher wrote in the report to which Vikas Singh, Felix Weyne, Richard Cohen and Anand Ajjan also contributed.
"The series of attack scripts only deploys ransomware if the fingerprint of the target matches attractive targets."
This kind of sophistication means that little was left behind after an attack for forensic analysis. The attacks were also carried out swiftly: Gallagher noted that in one case LockBit was executed across a targeted network within five minutes, using the administrative tools built into Windows.
"LockBit's interest in specific business applications and keywords indicates the attackers were clearly looking to identify systems that are valuable to smaller companies — the systems that store financial information and handle daily business — in order to pressure victims to pay, and pay faster," said Gallagher.
"We've seen ransomware shut down business applications upon execution, but this is the first time we've seen attackers looking for certain types of applications in an automated approach to score potential targets.
"The LockBit gang appears to be following other ransomware groups, including Ryuk — which Sophos recently found using Cobalt Strike — that are adapting tools developed for penetration testing to automate and accelerate their attacks," said Gallagher.
"In this case, the PowerShell scripts help the attackers identify systems that have applications with particularly valuable data, so that they don't waste their time encrypting or 'supporting' victims who are less likely to pay.
"They're using these tools in an automated fashion to cast as wide a net as possible, while limiting their actual hands-on-keyboard activity, to track down the most promising victims."