The latest version of the LockBit ransomware strain contains new capabilities and utilizes features of another prominent ransomware, BlackMatter, according to Sophos research published Wednesday.
Sophos said it analyzed multiple incidents utilizing the latest version of LockBit, referred to as LockBit 3.0 or “LockBit Black.” The original LockBit ransomware was first observed in mid-2019, with an upgraded 2.0 version discovered last year. Version 3.0 was initially tracked earlier this year. Most recently, source code for the new variant was leaked in September.
Perhaps most notably, LockBit 3.0 appears to have multiple features originally present in BlackMatter, another ransomware-as-a-service strain that was first tracked last year. SophosLabs principal researcher Andrew Brandt, who authored Sophos’ research blog, wrote that the security vendor “found a number of similarities which strongly suggest that LockBit 3.0 reuses code from BlackMatter.”
Among them are the ability to send ransom notes to a network printer, the ability to delete Volume Shadow Copy files, a method for determining which operating system version a victim runs, and multiple anti-debugging features.
Brandt noted that other researchers have speculated about a BlackMatter coder being recruited by LockBit, but that whatever the case, “it’s not uncommon for ransomware groups to interact, either inadvertently or deliberately.”
“These findings are further evidence that the ransomware ecosystem is complex, and fluid,” Brandt wrote. “Groups reuse, borrow, or steal each other’s ideas, code, and tactics as it suits them. And, as the LockBit 3.0 leak site (containing, among other things, a bug bounty and a reward for ‘brilliant ideas’) suggests, that gang in particular is not averse to paying for innovation.”
Other LockBit 3.0 features include experimentation with wormable capabilities, allowing it to self-spread and move laterally across victim computers without any actions from affiliate hackers. The blog post highlighted leaked data from the LockBit operation that showed how the latest version used Windows Group Policy Objects or the PSExec utility to potentially move through an environment without manual operations. Sophos also discovered additional features designed to make it difficult for researchers to analyze the code.
“In some cases, it now requires the affiliate to use a 32-character ‘password’ in the command line of the ransomware binary when launched, or else it won’t run, though not all the samples we looked at required the password,” Brandt wrote.
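The behaviors described above (shadow copy deletion and PsExec-driven lateral movement) are the kind of host telemetry a defender can hunt for. The following detection sketch is an added example, not code from Sophos or from the article; the process-creation records are constructed, and it assumes PsExec's service binary appears on the target as PSEXESVC.exe.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws04", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign enumeration, must not fire
]

# (rule name, event field to inspect, pattern). Case-insensitive because Windows
# paths and command lines are not case-sensitive.
RULES = [
    ("vss_shadow_delete", "cmdline",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", "cmdline",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("psexec_service_binary", "image",
     re.compile(r"\\PSEXESVC\.exe$", re.I)),
]

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str

def scan(events):
    """Return one Finding per (event, rule) match, in input order."""
    findings = []
    for ev in events:
        for name, field, pattern in RULES:
            value = ev.get(field, "")
            if pattern.search(value):
                findings.append(Finding(ev["host"], name, value))
    return findings

def hosts_with_backup_tampering(findings):
    """Hosts where shadow copies were deleted: prioritise these for containment."""
    return sorted({f.host for f in findings if f.rule.endswith("_delete")})

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host}: {f.rule} <- {f.evidence}")
    print("backup tampering on:", hosts_with_backup_tampering(results))
```

Shadow copy deletion is noisy in isolation only on backup servers with a known schedule; pairing it with a PsExec service install on another host in the same window is the correlation worth alerting on.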
It’s unclear how the BlackMatter code ended up in LockBit 3.0. Brandt told TechTarget Editorial in an email that there’s no way to know for sure.
“We can’t know whether the code was stolen or sold or if a programmer who worked for one team picked up their library of tricks and moved to another team,” he wrote. “What’s pretty clear is that not only are the functions really close to one another in behavior, but that they look almost identical (with some minor improvements, in some cases) in the source code themselves. That isn’t an accident. But there’s no way for us to know how it ended up in the hands of the newer ransomware.”
Regarding LockBit 3.0 deployment, the blog post also noted that threat actors are “becoming very difficult to distinguish from the work of a legitimate penetration tester” thanks to the use of Cobalt Strike and other tools, like the security monitoring-sabotaging tool Backstab.
Google recently introduced new YARA rules intended to combat malicious Cobalt Strike use. Brandt said that while they are helpful to combat penetration testing-like behavior, YARA rules are not enough on their own.
“Long term, YARA rules are just one tool in the defender’s toolbox but the rules are just rules, and you’d need to have software that can interpret those rules and use them to find malicious activity,” he told TechTarget Editorial. “They also are very good but aren’t perfect, and threat actors have the advantage of being able to download them as well, and look for ways to get around those rules. Defenders, unfortunately, are going to always play a bit of ‘catch-up’ with these folks.”
LockBit has grown to be one of the most prominent strains in recent years in part thanks to it being a popular ransomware-as-a-service choice for affiliates. According to research published this month by Intel 471, LockBit was the most prominent strain tracked this quarter, with 3.0 becoming the dominant variant.
Brandt told TechTarget Editorial that LockBit 3.0 is the only version of the ransomware currently being used and that “we’re not seeing any other older versions in use right now.”
Alexander Culafi is a writer, journalist and podcaster based in Boston.