www.sentinelone.com
Open in
urlscan Pro
172.67.74.101
Public Scan
Submitted URL: https://sentinelone.com/blog/lolkek-unmasked-an-in-depth-analysis-of-new-samples-and-evolving-tactics/
Effective URL: https://www.sentinelone.com/blog/lolkek-unmasked-an-in-depth-analysis-of-new-samples-and-evolving-tactics/
Submission: On August 10 via api from DE — Scanned from DE
Effective URL: https://www.sentinelone.com/blog/lolkek-unmasked-an-in-depth-analysis-of-new-samples-and-evolving-tactics/
Submission: On August 10 via api from DE — Scanned from DE
Form analysis 6 forms found in the DOM
GET https://www.sentinelone.com
<form autocomplete="off" method="get" action="https://www.sentinelone.com">
<fieldset>
<input type="search" name="s" placeholder="Search ..." value="">
<button class="search" type="submit">
<span class="light">
<img class="icon-search" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon-white.svg">
<img class="icon-down" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close.svg">
</span>
<span class="dark">
<img class="icon-search" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon.svg">
<img class="icon-down" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close-dark.svg">
</span>
</button>
</fieldset>
</form>GET https://www.sentinelone.com/
<form role="search" method="get" class="search-form" action="https://www.sentinelone.com/">
<label>
<span class="screen-reader-text">Search ...</span>
<input type="search" class="search-field" placeholder="Search ..." value="" name="s">
</label>
<input type="submit" class="search-submit" value="Search">
</form><form id="mktoForm_1985" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft bf_form_init" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" bf_offer_id="828702871">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
<div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="https://www.sentinelone.com/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.</div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="1985"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form><form id="mktoForm_2816" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft bf_form_init" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" bf_offer_id="828731485">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 164px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
<div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
third parties.</div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="2816"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form><form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form><form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>Text Content
Don’t miss OneCon23! SentinelOne’s annual Customer Conference. Early bird
available now. Register Now
Don’t miss OneCon23! SentinelOne’s annual Customer Conference. Early bird
available now.
Experiencing a Breach?
* 1-855-868-3733
* Contact
* Cybersecurity Blog
en
* English
* 日本語
* Deutsch
* Español
* Français
* Italiano
* Dutch
* 한국어
blog
* Platform
* Platform Overview
* Singularity Platform Welcome to Integrated
Enterprise Security
* Singularity XDR Native & Open Protection,
Detection, and Response
* XDR Ingestion One Home for All
Security Data
* How It Works The Singularity XDR Difference
* Singularity Marketplace One-Click Integrations to Unlock the Power of
XDR
* Surfaces
* Endpoint Autonomous Prevention, Detection, and Response
* Cloud Autonomous Runtime Protection for Workloads
* Identity Autonomous Identity & Credential Protection
* Platform Packages
* Singularity Complete The Standard for Enterprise Cybersecurity
* Singularity Control Organization-Wide
Protection and Control
* Singularity Core Cloud-Native NGAV
* Package Comparison Our Platform at a Glance
* Platform Products
* Singularity Cloud Container, VM, and Server Workload Security
* Singularity Mobile Mobile Threat Defense
* Singularity Cloud Data Security AI-Powered Threat Detection
* Singularity RemoteOps Orchestrate Forensics at Scale
* Singularity Identity Identity Threat Detection
and Response
* Singularity CloudFunnel Cloud-to-Cloud Telemetry Streaming
* Singularity Ranger AD Active Directory Attack Surface Reduction
* Singularity BinaryVault Automatic File Sample Collection
* Singularity Ranger Rogue Asset Discovery
* Singularity Hologram Deception Protection
* Why SentinelOne?
* Why SentinelOne?
* Why SentinelOne? Cybersecurity Built
for What’s Next
* Our Customers Trusted by the World’s Leading Enterprises
* Industry Recognition Tested and Proven
by the Experts
* About Us The Industry Leader in Autonomous Cybersecurity
* Compare SentinelOne
* CrowdStrike Cyber Dependent
on a Crowd
* McAfee Pale Performance,
More Maintenance
* Microsoft Platform Coverage
That Compromises
* Trend Micro The Risk of DevOps Disruption
* Palo Alto Networks Hard to Deploy,
Harder to Manage
* Carbon Black Adapt Only as Quickly
as Your Block Lists
* Symantec Security Limited
to Signatures
* Verticals
* Energy
* Federal Government
* Finance
* Healthcare
* Higher Education
* K-12 Education
* Manufacturing
* Retail
* Services
* Threat Services
* Vigilance Respond Pro
MDR + DFIR 24x7 MDR with Full-Scale Investigation & Response
* WatchTower Pro
Threat Hunting Dedicated Hunting & Compromise Assessment
* Vigilance Respond
MDR Dedicated SOC
Expertise & Analysis
* WatchTower
Threat Hunting Hunting for Emerging Threat Campaigns
Services Overview
* Support, Deployment, & Health
* Technical Account Management Customer Success with Personalized Service
* SentinelOne GO Guided Onboarding & Deployment Advisory
* SentinelOne University Live and On-Demand Training
* Support Services Tiered Support Options for Every Organization
* SentinelOne Community Community Login
* Partners
* Our Network
* Singularity Marketplace Extend the Power
of S1 Technology
* Cyber Risk
Partners Enlist Pro Response
and Advisory Teams
* Technology Alliances Integrated, Enterprise-Scale Solutions
* SentinelOne for AWS Hosted in AWS Regions Around the World
* Channel Partners Deliver the Right
Solutions, Together
Program Overview
* Resources
* Resource Center
* Case Studies
* Data Sheets
* eBooks
* Reports
* Videos
* Webinars
* White Papers
View All Resources
* Blog
* Cyber Response
* Feature Spotlight
* For CISO/CIO
* From the Front Lines
* Identity
* Cloud
* macOS
* SentinelOne Blog
Blog
* Tech Resources
* SentinelLABS
* Ransomware Anthology
* Cybersecurity 101
* About
* About SentinelOne
* About SentinelOne The Industry Leader in Cybersecurity
* Investor Relations Financial Information & Events
* SentinelLABS Threat Research for
the Modern Threat Hunter
* Careers The Latest Job Opportunities
* Press & News Company Announcements
* Cybersecurity Blog The Latest Cybersecurity Threats, News, & More
* F1 Racing SentinelOne &
Aston Martin F1 Team
* FAQ Get Answers to Our Most Frequently Asked Questions
* DataSet The Live Data Platform
* S Foundation Securing a Safer Future for All
* S Ventures Investing in the Next Generation
of Security and Data
* Brand SentinelOne Brand Guidelines
en
* English
* 日本語
* Deutsch
* Español
* Français
* Italiano
* Dutch
* 한국어
Get a Demo
blog
Back
* Platform
* Platform Overview
* Singularity Platform Welcome to Integrated
Enterprise Security
* Singularity XDR Native & Open Protection,
Detection, and Response
* XDR Ingestion One Home for All
Security Data
* How It Works The Singularity XDR Difference
* Singularity Marketplace One-Click Integrations to Unlock the Power of
XDR
* Surfaces
* Endpoint Autonomous Prevention, Detection, and Response
* Cloud Autonomous Runtime Protection for Workloads
* Identity Autonomous Identity & Credential Protection
* Platform Packages
* Singularity Complete The Standard for Enterprise Cybersecurity
* Singularity Control Organization-Wide
Protection and Control
* Singularity Core Cloud-Native NGAV
* Package Comparison Our Platform at a Glance
* Platform Products
* Singularity Cloud Container, VM, and Server Workload Security
* Singularity Mobile Mobile Threat Defense
* Singularity Cloud Data Security AI-Powered Threat Detection
* Singularity RemoteOps Orchestrate Forensics at Scale
* Singularity Identity Identity Threat Detection
and Response
* Singularity CloudFunnel Cloud-to-Cloud Telemetry Streaming
* Singularity Ranger AD Active Directory Attack Surface Reduction
* Singularity BinaryVault Automatic File Sample Collection
* Singularity Ranger Rogue Asset Discovery
* Singularity Hologram Deception Protection
* Why SentinelOne?
* Why SentinelOne?
* Why SentinelOne? Cybersecurity Built
for What’s Next
* Our Customers Trusted by the World’s Leading Enterprises
* Industry Recognition Tested and Proven
by the Experts
* About Us The Industry Leader in Autonomous Cybersecurity
* Compare SentinelOne
* CrowdStrike Cyber Dependent
on a Crowd
* McAfee Pale Performance,
More Maintenance
* Microsoft Platform Coverage
That Compromises
* Trend Micro The Risk of DevOps Disruption
* Palo Alto Networks Hard to Deploy,
Harder to Manage
* Carbon Black Adapt Only as Quickly
as Your Block Lists
* Symantec Security Limited
to Signatures
* Verticals
* Energy
* Federal Government
* Finance
* Healthcare
* Higher Education
* K-12 Education
* Manufacturing
* Retail
* Services
* Threat Services
* Vigilance Respond Pro
MDR + DFIR 24x7 MDR with Full-Scale Investigation & Response
* WatchTower Pro
Threat Hunting Dedicated Hunting & Compromise Assessment
* Vigilance Respond
MDR Dedicated SOC
Expertise & Analysis
* WatchTower
Threat Hunting Hunting for Emerging Threat Campaigns
Services Overview
* Support, Deployment, & Health
* Technical Account Management Customer Success with Personalized Service
* SentinelOne GO Guided Onboarding & Deployment Advisory
* SentinelOne University Live and On-Demand Training
* Support Services Tiered Support Options for Every Organization
* SentinelOne Community Community Login
* Partners
* Our Network
* Singularity Marketplace Extend the Power
of S1 Technology
* Cyber Risk
Partners Enlist Pro Response
and Advisory Teams
* Technology Alliances Integrated, Enterprise-Scale Solutions
* SentinelOne for AWS Hosted in AWS Regions Around the World
* Channel Partners Deliver the Right
Solutions, Together
Program Overview
* Resources
* Resource Center
* Case Studies
* Data Sheets
* eBooks
* Reports
* Videos
* Webinars
* White Papers
View All Resources
* Blog
* Cyber Response
* Feature Spotlight
* For CISO/CIO
* From the Front Lines
* Identity
* Cloud
* macOS
* SentinelOne Blog
Blog
* Tech Resources
* SentinelLABS
* Ransomware Anthology
* Cybersecurity 101
* About
* About SentinelOne
* About SentinelOne The Industry Leader in Cybersecurity
* Investor Relations Financial Information & Events
* SentinelLABS Threat Research for
the Modern Threat Hunter
* Careers The Latest Job Opportunities
* Press & News Company Announcements
* Cybersecurity Blog The Latest Cybersecurity Threats, News, & More
* F1 Racing SentinelOne &
Aston Martin F1 Team
* FAQ Get Answers to Our Most Frequently Asked Questions
* DataSet The Live Data Platform
* S Foundation Securing a Safer Future for All
* S Ventures Investing in the Next Generation
of Security and Data
* Brand SentinelOne Brand Guidelines
Get a Demo
* 1-855-868-3733
* Contact
* Cybersecurity Blog
Experiencing a Breach?
* 1-855-868-3733
* Contact
* Cybersecurity Blog
LOLKEK UNMASKED | AN IN-DEPTH ANALYSIS OF NEW SAMPLES AND EVOLVING TACTICS
August 9, 2023
by Jim Walter
PDF
Awareness of the newest shifts and patterns is vital in the fast-changing world
of cyber threats. This rings particularly true with ransomware, known for its
quick changes and intricate tactics. This past August, our MDR team at
SentinelOne stumbled upon something unusual in the wild: new instances of
LOLKEK, or GlobeImposter as it’s also known, signaling fresh changes within this
longstanding ransomware family.
This article takes you on an exploratory journey through the recent LOLKEK
payloads, spotlighting key features, alterations in strategies, and shrewd
observations in Indicators of Compromise (IoCs). We’ll also highlight a
persistent OPSEC mistake that keeps giving away the ransomware operators’ game.
The knowledge and real-world examples provided here paint a complete picture of
LOLKEK’s evolution and present-day situation. From its modest approach to ransom
demands to its occasional connection with more elaborate financial assaults,
comprehending LOLKEK provides insight into the wider landscape of ransomware.
LOLKEK | A BRIEF HISTORY
LOLKEK, also referred to as GlobeImposter, made its first appearance in 2016. In
the fast-paced world of ransomware, where things change in the blink of an eye,
this is like looking back to ancient history. This timeline even predates the
‘name-and-shame’ blogs that surfaced years later. To give you a perspective,
Maze ransomware didn’t see the light of day until 2019. The GlobeImposter tag
was a clever way to describe how this new ransomware imitated the methods of the
then-known Globe ransomware.
LOLKEK can be considered a sort of ‘off-the-shelf’ ransomware. It’s something
that’s frequently changed, tinkered with, and used, even by those with limited
skills or resources. It’s often associated with what we might call a
‘small-time’ approach, especially regarding its targets and the ransom demands.
In recent escapades, for example, the ransoms asked were often less than $2000
USD. Compare this to the eye-watering sums requested by heavyweights like Cl0p,
LockBit, and Royal, and you see a sharp contrast.
LOLKEK’s primary targets tend to be small to medium-sized businesses (SMBs) and
individual users. Despite this focus, there have been times when this ransomware
played a part in more complex and calculated financial attacks. 2017 for
example, the infamous TA505 (also known as G0092, GOLD TAHOE) group began
employing GlobeImposter, moving away from Jaff, GandCrab, and Snatch. This
allowed them to widen their net and boost the power of their operations,
showcasing LOLKEK’s adaptability and role in the broader ransomware landscape.
TECHNICAL DETAILS
We recently observed the following new LOLKEK samples in the wild:
08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed
58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f
These samples identify themselves as “W3CRYPTO LOCKER” while also directing
victims to a new TOR-based victim portal
mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion
Both newly observed samples were compiled in May of 2023. It is worth noting
that only the 58AC26D62653A648D69D1BCAED1B43D209E037E6D79F62A65EB5D059E8D0FC3F
sample is fully functional. The
08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed sample does not
fully execute and appears to have some structural corruption.
08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed
(possibly corrupt)
Compile time: Thu May 11 06:15:13 2023
58AC26D62653A648D69D1BCAED1B43D209E037E6D79F62A65EB5D059E8D0FC3F
Compile time: Thu May 11 06:15:13 2023
When launched, the new LOLKEK payloads will discover and subsequently encrypt
any locally available drive including mounted network shares in sequence.
LOLKEK drive enumeration and discovery
The payloads also contain exclusions carried over from previous variants of the
ransomware. These include the Windows, System Volume Information, and
ProgramData folders.
These payloads appear to contain the functionality to discover and remove Volume
Shadow Copies (VSS). However, this behavior was not observed when dynamically
analyzing the sample
58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f. WMIC-formatted
calls to remove VSS are found in the samples’ code.
VSS Removal
Encrypted files, once fully processed, will have the “.MMM” extension appended
to them.
When looking deeper into the encrypted files themselves, we see another
identifying marker linking them to previous generations of LOLKEK/GlobeImposter.
Encrypted files contain the same “CRYPTO LOCKER” string seen in said prior
generations.
CRYPTO LOCKER string in
58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f
LOLKEK VICTIM PORTAL AND NOTES
The LOLKEK ransom notes are written as ReadMe.txt to all locations containing
encrypted files and data. The format and construction of the ransom notes is
identical to what we have seen previously with this ransomware family.
The supplied .ONION URIs all contain a string at the end, unique to each
execution of the ransomware.
Examples (defanged):
http[:]//mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion/[?]M01YOOOOOOO
http[:]//mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion/[?]m01TGRFBRRRR
http[:]//mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion/[?]M01VXOQRTKM
LOLKEK ransom note construction LOLKEK ransom note (May 2023) Legacy
GlobeImposter (TZW) ransom note
Current LOLKEK victims are instructed to navigate to the TOR-based victim portal
where they must register an account to engage in a ‘private’ chat session with
the attackers. Again, we note that the newly staged portal is functionally
identical to previous victim portals staged by this operation. The look, feel,
and process has not changed.
LOLKEK victim portal – TZW variation (February 2023) LOLKEK victim portal (May
2023)
At this point, victims are able to chat with their attacker. Small files can be
decrypted for free as ‘proof’ of functional decryption. Should the victim choose
to comply, they will receive details on how and where to pay via a
ticketing-like interface.
Upon ticket creation, the ransom details are automatically provided in the
victim chat. As we see in this example, the ransom demanded is $1350 USD.
Payments must be made via Bitcoin (BTC).
LOLKEK support
A LOLKEK OPSEC MISSTEP
The operators behind this campaign appear to have followed the same steps,
process, and template as their pre-existing counterparts with regards to
misconfiguration of Apache. The status page of the server is visible on the
TOR-based victim page.
Apache service status
From here, we can see that the server went live on May 23, 2023; just a short
time after the related samples’ compilation date on May 11, 2023. When analyzing
these threats, it is always worthwhile to examine these surface-level
misconfigurations. A great deal can be learned about a campaign and threat actor
just through this step alone. In this case, this detail pointed to the same
configuration misstep that helps us solidify the link of relation between
previous TZW and GlobeImposter campaigns.
CONCLUSION
The journey of LOLKEK, or GlobeImposter, through the ever-shifting landscape of
commodity ransomware is fascinating. While giants like LockBit and Cl0p dominate
the headlines with their sophisticated schemes, it’s essential not to overlook
the small-scale but persistent operations like LOLKEK. These lesser-known
threats continue to evolve, find new ways to attack, and pose very real risks.
What we’re observing with LOLKEK is not a stagnant picture. Its operators are
relentlessly exploring new strategies, pivoting to fresh infrastructure, and
experimenting with innovative payloads. The examples we’ve highlighted may very
well be the first stirrings of a new chapter for this adaptable threat. Although
smaller in scale, it has shown the potential to align with more targeted,
sophisticated campaigns. It’s not unthinkable that we could see LOLKEK targeting
larger organizations and demanding higher ransoms in the future.
Protection against ever-adaptive threats like LOLKEK demands a robust defense.
The SentinelOne Singularity XDR Platform is designed to recognize, counter, and
eliminate all malicious behaviors and elements associated with
LOLKEK/GlobeImposter-based attacks. If you wish to arm yourself with the
technology that stays one step ahead of threats like these, contact us today or
book a demo. We’re here to help ensure that the next chapter in the ransomware
story doesn’t include you.
INDICATORS OF COMPROMISE
SHA1
ed247b58c0680b7c92632209181733e92f1b0721
768b8d81a6b0f779394e4af48755ca3ad77ed951
SHA256
08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed
58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f
Ransom Notes SHA256
2c66e5f96470526219f40c6adfd6990cc28d520975da1fdb6bb5497d55a54117
0b179973dc267d9c300e9b7d3c27c67a18d7c79b2cc34927cbe5a465f83c6190
Ransom Notes SHA1
88baff4e1751bd364cdb1a4bb5fda4a37ee127c4
456b0bda3f6d9ec9a874daac050b75fc28174510
IPs/URLs/Domains
Mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion
https[:]//yip[.]su/2QstD5
filessupport@onionmail[.]org
MITRE ATT&CK
T1005 – Data from Local System
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1070.004 – Indicator Removal: File Deletion
T1112 – Modify Registry
T1012 – Query Registry
T1083 – File and Directory Discovery
T1027.002 – Obfuscated Files or Information: Software Packing
T1082 – System Information Discovery
T1490 – Inhibit System Recovery
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup
Folder
--------------------------------------------------------------------------------
Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see
the content we post.
READ MORE ABOUT CYBER SECURITY
* Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search
Results
* Gotta Catch ‘Em All | Understanding the NetSupport RAT Campaigns Hiding
Behind Pokemon Lures
* Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in
Crypto
* BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put
Threat on the Radar
* Ransoms Without Ransomware, Data Corruption and Other New Tactics in Cyber
Extortion
* From the Front Lines | Slam! Anatomy of a Publicly-Available Ransomware
Builder
READ MORE
Get a demo
Defeat every attack, at every stage of the threat lifecycle with SentinelOne
Book a demo and see the world’s most advanced cybersecurity platform in action.
Get Demo
SentinelLabs
SentinelLabs: Threat Intel & Malware Analysis
We are hunters, reversers, exploit developers, & tinkerers shedding light on the
vast world of malware, exploits, APTs, & cybercrime across all platforms.
VISIT SITE
Wizard Spider and Sandworm
MITRE Engenuity ATT&CK Evaluation Results
SentinelOne leads in the latest Evaluation with 100% prevention. Leading
analytic coverage. Leading visibility. Zero detection delays.
SEE RESULTS
LISTEN TO THIS POST
Table of Contents
LOLKEK | A Brief History
* LOLKEK | A Brief History
* Technical Details
* LOLKEK Victim Portal and Notes
* A LOLKEK OPSEC Misstep
* Conclusion
* Indicators of Compromise
SEARCH
Search ...
SIGN UP
Keep up to date with our weekly digest of articles.
*
Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.
Thanks! Keep an eye out for new content!
RECENT POSTS
* Day 1 of Black Hat USA 2023 | Generative AI, Automation & The Security
Landscape of Tomorrow
August 10, 2023
* Enterprise Security Essentials | Top 12 Most Routinely Exploited
Vulnerabilities
August 8, 2023
* The Good, the Bad and the Ugly in Cybersecurity – Week 31
August 4, 2023
BLOG CATEGORIES
* Cloud
* Company
* Cyber Response
* Data Platform
* Feature Spotlight
* For CISO/CIO
* From the Front Lines
* Identity
* Integrations & Partners
* macOS
* The Good, the Bad and the Ugly
Company
* Our Customers
* Why SentinelOne
* Platform
* About
* Partners
* Support
* Careers
* Legal & Compliance
* Security & Compliance
* Contact Us
* Investor Relations
Resources
* Blog
* Labs
* Hack Chat
* Press
* News
* FAQ
* Resources
* Ransomware Anthology
Global Headquarters
444 Castro Street
Suite 400
Mountain View, CA 94041
+1-855-868-3733
sales@sentinelone.com
Sign Up For Our Newsletter
*
Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.
Thank you! You will now receive our weekly newsletter with all recent blog
posts. See you soon!
English
* English
* 日本語
* Deutsch
* Español
* Français
* Italiano
* Dutch
* 한국어
©2023 SentinelOne, All Rights Reserved.
Privacy Policy Master Subscription Agreement
PRIVACY PREFERENCE CENTER
When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information
Allow All
MANAGE CONSENT PREFERENCES
FUNCTIONAL COOKIES
Functional Cookies
These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.
STRICTLY NECESSARY COOKIES
Always Active
These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.
PERFORMANCE COOKIES
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.
TARGETING COOKIES
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.
Back Button Back
Vendor Search Search Icon
Filter Icon
Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label
Confirm My Choices
By clicking “Accept All Cookies”, you agree to the storing of cookies on your
device to enhance site navigation, analyze site usage, and assist in our
marketing efforts.
Cookies Settings Accept All Cookies
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
We'd like to show you notifications for the latest news and updates.
AllowCancel