www.trendmicro.com
23.211.8.153
Public Scan
URL: https://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version.html
Submission: On February 22 via api from TR — Scanned from DE
Ransomware

LOCKBIT ATTEMPTS TO STAY AFLOAT WITH A NEW VERSION

This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations.

By: Trend Micro Research
February 22, 2024
Read time: 12 min (3194 words)

--------------------------------------------------------------------------------

This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who recently took action against LockBit as part of an international effort resulting in the disruption of the group's infrastructure and the undermining of its operations. More details can be found on their website here.

Introduction

LockBit is a Ransomware-as-a-Service (RaaS) operation that has been involved in numerous security incidents at organizations worldwide over the years. By offering LockBit as a RaaS, its developers can provide it to other criminals for their own operations. In a typical RaaS setup, earnings are split between the developers and their affiliates after the ransom has been negotiated and paid. LockBit normally charges a 20% share of the ransom per paying victim, with the remaining 80% going to the affiliate. However, if LockBit itself carries out the negotiations, this fee goes up to 30 to 50%. In November 2023, the group introduced new recommendations for ransom values based on the revenue of the victim, forbidding discounts above 50%.
From a purely technical standpoint, what set LockBit apart from competing ransomware packages was its self-spreading capability. Once a host in the network became infected, LockBit could search for other nearby targets and attempt to infect them as well, a technique that was not common in this kind of malware.

From a criminal group perspective, LockBit was known to be innovative and willing to try new things (though less so in recent times, as we will see in this entry). For instance, they ran a public contest — a “bug bounty” — to solicit ideas from the cybercriminal community for improving their ransomware. The group also developed and maintained a simple point-and-click interface that let a cybercriminal choose various options before compiling the final binary for the attack, lowering the technical barrier to entry for their criminal affiliates. The group also promoted itself through stunts in the cybercriminal community, such as paying people to get LockBit tattoos and even offering a US$1 million bounty to anyone who could uncover the real-world identity of LockBit’s gang leader (an individual or group known by the online nickname “LockBitSupp”).

As part of this innovative streak, LockBit has published several versions of its ransomware, from the initial v1 (January 2020) to LockBit 2.0 (nicknamed “Red”, from June 2021), then LockBit 3.0 (nicknamed “Black”, from March 2022). In October 2021, the threat actor introduced LockBit Linux to accommodate attacks on Linux and VMware ESXi systems. Finally, an intermediate version, nicknamed “Green,” that incorporated code apparently inherited from the defunct Conti ransomware emerged in January 2023. However, this version was not identified as a new 4.0 version.

In recent times, the group has experienced issues, both internally and externally, that have threatened its position and reputation as one of the top RaaS providers.
This blog entry touches on these issues and provides a look into our data, which shows the group’s apparent decline over the past couple of years. Furthermore, we examine an in-development version of the ransomware that we track as LockBit-NG-Dev (NG for Next Generation), which could be an upcoming version the group might consider a true 4.0 once complete. We will examine its capabilities in relation to other LockBit versions, such as the “Green” version from 2023. A detailed technical analysis of LockBit-NG-Dev can be accessed in the appendix.

RECENT LOCKBIT ISSUES AND DIFFICULTIES

The LockBit group has had internal security incidents, owing to the distributed, semi-anonymous structure of the group itself and the interactions between affiliate program members and the LockBit operators. Information leaks by disgruntled developers or group members have occurred in the past. In September 2022, the builder for the ransomware was leaked by a developer associated with the group. This leaked build had a significant impact on the cybercriminal scene by lowering the threshold for criminals to start their own RaaS enterprise via clones of the LockBit operation.

When builds are leaked, it can also muddy the waters with regard to attribution. For example, in August 2023, we observed a group calling itself the Flamingo group using a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon, impersonating LockBit. The group used email addresses and URLs that gave victims the impression that they were dealing with LockBit.

Figure 1. A fake LockBit leak notice coming from a rival group, not from LockBit themselves

This LockBit knock-off group even used a leak site similar to LockBit’s (Figure 2). This further demonstrates how the leaked build has diluted the skill needed to operate a RaaS.
Events like these might even cause legitimate LockBit victims to doubt whether they are dealing with LockBit or an impostor.

Figure 2. A false LockBit leak site made by another threat actor

The leaked build was a serious blow to the LockBit operation for several reasons:

1. The fact that it was leaked in the first place by a disgruntled developer shows that it’s not all smooth sailing for the LockBit operation. Anything that signals internal discontent will undoubtedly be concerning for current or prospective affiliates.
2. A leak like this should be called out for what it is — a security failure. If their core build can be leaked, then affiliates might wonder whether there are other security concerns. An incident like this in a software company would be seen as a complete failure of internal processes and controls, or worse, the absence of them.
3. Any technical advantage that LockBit may have had in the past is severely diluted by the leaked build. Other groups that want to start their own RaaS now have a level playing field without having to go through months of development and the costs associated with building up an operation from scratch.
4. The LockBit “brand” has likely suffered a blow, even though the operators would like to let on that everything is running smoothly.

It would have been expected that, following the leak, LockBit would try to change their build and add something innovative to strengthen their position as a leading RaaS provider. However, the development of LockBit seems to have stagnated. This possibly leads back to the source of the leak: was the disgruntled employee one of the core developers, whom they have struggled to replace? The ransomware affiliate model is essentially a partnership, and just like in any business relationship, any partner should be questioning the long-term viability of an organization with such questionable internal security.
Over the past few months, we’ve seen a downshift in confidence towards LockBit. Several factors have been causing concern for affiliates. In April 2023, the group began adding several posts to the leak site that contained fake victims with made-up leaked data. It’s possible that this was part of internal testing. However, it’s highly likely that this was an attempt to artificially inflate the number of victims to give the impression that the threat actor was maintaining their success.

One of the most notable concerns is the apparent instability of the threat actor’s infrastructure. During a ransomware operation, the negotiation phase is highly dependent on the threat of data being released. If the leaked data is not available, it becomes more difficult for affiliates to apply the pressure required for a successful negotiation. Back in August 2023, we observed unusual behavior on LockBit’s leak site, with victims being added and removed within minutes, resulting in an error message.

Figure 3. LockBit leak site error message

Throughout the first half of 2023, there were also numerous claims by the group that they had released data following an organization’s failure to pay a ransom demand. What’s interesting is that there was no way to download the data that was “published” — there was simply a post saying the files were published. This topic is thoroughly covered in the Ransomware Diaries Volume 3 series by Jon DiMaggio.

In September 2023, LockBitSupp issued a proposal via a Tox message to implement new rules for affiliates in an effort to improve negotiations. The decline in successful negotiations and increased frustration with negotiators could signal that the quality of affiliates the operation attracts has been affected by the lack of innovation and continued technical issues. The proposal included a minimum payment along with a fixed discount of 50%.
It also proposed that payment should not be less than the amount covered by the victim’s insurance policy. Shortly after, the actor Bassterlord (an affiliate of LockBit and the leader of a group called the National Hazard Agency) published a tweet suggesting that these rules were being applied.

Figure 4. Translated version of the proposed rules from LockBitSupp

Figure 5. Tweet by Bassterlord endorsing LockBit’s new rules

In early November, we also observed some unusual behavior in the leak site mirrors. For several days, there were inconsistencies when trying to access them, and many of the site mirrors would redirect to the victim chat page. This is yet another example of the litany of technical issues the group seems to be suffering from while trying to maintain a stable operational infrastructure.

Figure 6. What users see when they are redirected from the leak site to the victim chat site

It’s clear that LockBit has been having issues throughout 2023, and it stands to reason that this is having a negative impact on their ability to attract or retain affiliates. There are several factors at play that may dissuade a potential affiliate from joining the group:

1. Affiliates seem to be losing faith in the program. Compounding LockBit’s technical issues, there also seems to be a shortage of staff for the operators. They’re not as responsive as they used to be, sometimes taking days or even weeks to reply to inquiries.
2. The new affiliate rules, which standardize ransom demands and constrain the amount an affiliate can earn, may not go down well and could result in further migration of affiliates.
3. The delay in an updated release of LockBit, combined with the attempts to obtain rival builds, suggests there’s a brain drain in the operation and that their core developer(s) may have privately moved on (as opposed to the very public departure of the person who leaked the LockBit build).
4. The recent public call to ALPHV (BlackCat) and NoEscape affiliates to join the LockBit group has an air of desperation about it. In the past, threat actors were clamoring to join the group. More recently, however, it looks like the LockBit operators are desperate for fresh affiliates and actively looking for opportunities to capitalize on the misfortunes of rival groups.

At the end of January 2024, a malicious actor using the moniker “michon” on the XSS forum opened a thread for arbitration against LockBitSupp. The malicious actor claimed that LockBitSupp refused to pay for access they provided that led to a ransomware payout. At the beginning of the thread, it appears that this malicious actor was somewhat inexperienced and had not outlined conditions for the sale at the time. However, as the thread progressed and private chat logs were provided, there was a clear shift in sentiment from observers. A negative reaction emerged to LockBitSupp’s attitude towards the malicious actor and the nature of the transaction, with a number of observers giving LockBitSupp’s responses a thumbs down. As the thread ended, LockBitSupp was directed to pay 10% of the ransom payment to the claimant within 24 hours.

There are a couple of key observations to be made after examining the contents of the forum thread:

1. LockBitSupp displayed a degree of arrogance when responding to both the claimant and other supporters who weighed in on the topic. The actor came across as someone who was “too big to fail” and even showed disdain for the arbitrator who would decide the outcome of the claim.
2. This discourse demonstrated that LockBitSupp is likely using their reputation to carry more weight when negotiating payment for access or the share of ransom payouts with affiliates. This is probably not the first time that someone has tried to begin a working relationship with LockBitSupp and been dealt unfavorable terms. The fact that this played out in public may also dissuade others from dealing with LockBitSupp in the future.
3. The type of behavior exhibited by LockBitSupp is similar to that observed with other operators of RaaS groups that have overstepped the line and inevitably ended up disbanding.

There are no positives for LockBitSupp with regard to this arbitration. The malicious actor has quite likely alienated their peers, potential access suppliers, and affiliates. On January 30, 2024, LockBitSupp was banned from the XSS forum and assigned the status ripper/scammer. The actor was subsequently banned from the Exploit forum as well.

Figure 7. LockBitSupp banned from the XSS and Exploit forums

LOCKBIT’S DECLINE

According to our confirmed breach data, there are indications that, although LockBit has maintained its position as the intrusion set with the largest number of attacks, its overall share of ransomware impact has seen a steady decline over the last two years. There is a clear decline in numbers when we look at the figures for LockBit 2.0 and the shift to LockBit 3.0, although there was a slight rise during the fourth quarter of 2023, which may be attributed to the increased law enforcement activity against rival groups. LockBit offered affiliates the chance to migrate to their operation during this period.

Figure 8. Breach data from Q1 2022 to Q4 2023 shows that LockBit’s market share (among the major groups we track) as the RaaS with the highest number of attacks suffered a decline in late 2022 and throughout most of 2023 (click the image to enlarge)

THREAT ACTORS ASSOCIATED WITH LOCKBIT

This section examines the people behind the LockBit group. There are several nicknames and online personas that are frequently associated with LockBit, including LockBit (forum user) and LockBitSupp (forum user).
The group’s official online presence was through “LockBitSupp,” the username used by the user/s offering LockBit support, and “LockBit,” a more generic account that, through multiple conversations, has shown direct involvement with the LockBit affiliate program. Notably, the LockBit user ran a publicity stunt on the XSS forum, offering to pay US$1,000 to anyone getting a LockBit tattoo. Public information shows that LockBit spent US$20,000 paying people who got tattoos done. However, some forum members complained about being scammed by LockBit after they got the tattoo but were not paid for it.

Another prominent member of the criminal underground, Bassterlord, is believed to be associated with the LockBit group. Bassterlord is a criminal who claims to be from Ukraine (LDNR, according to their response in a public interview) and has previously worked with the REvil RaaS group. Bassterlord is famous within the cybercrime community for selling the second edition of their manual for attacking corporate networks. Bassterlord’s handle on the XSS forum was renamed to “National Hazard Agency,” which is believed to be a sub-group within the LockBit operation. This group has claimed responsibility for high-profile attacks such as the one launched against the Taiwan Semiconductor Manufacturing Company (TSMC) in June 2023. A known handle used by Bassterlord on Twitter (“AL3xL7”) has openly mentioned their affiliation with the LockBit group.

Yet another prominent member of the cybercrime underground with previous ties to LockBit is the malicious actor “wazawaka” (identified by the FBI as Mikhail Matveev), who was known to be an affiliate throughout 2020 and 2021. Matveev was indicted by the US Department of Justice in May 2023. It should be noted that this malicious actor communicates regularly with Bassterlord and has made references to rejoining the LockBit affiliate program.
An unknown actor, “Ali_qushji,” claimed to have compromised the LockBit server infrastructure. However, LockBitSupp contradicted this, stating that the leak actually originated from a disgruntled developer. This person uses the handle “protonleaks” and is thought to be a former employee of the group and the individual who leaked the build.

Figure 9. A user claiming to have leaked the LockBit build

THE NEW LOCKBIT-NG-DEV VERSION

Recently, we came into possession of a sample that we believe represents a new evolution of LockBit: an in-development version of a platform-agnostic malware-in-testing that differs from previous versions. The sample appends a “locked_for_LockBit” suffix to encrypted files which, being part of the configuration and therefore still subject to change, leads us to conclude that this is an undeployed upcoming version from the group. Based on its current developmental state, we are tracking this variant as LockBit-NG-Dev, which we further believe could form the basis of a LockBit 4.0 that the group is almost certainly working on.

A detailed analysis follows in the technical appendix, but some key changes include:

* LockBit-NG-Dev is now written in .NET and compiled using CoreRT. When deployed alongside the .NET environment, this allows the code to be more platform-agnostic.
* The code base is completely new as a result of the move to this new language, which means that new security patterns will likely need to be created to detect it.
* While it has fewer capabilities compared to v2 (Red) and v3 (Black), these additional features are likely to be added as development continues. As it is, it is still a functional and powerful ransomware.
* It removed the self-propagating capabilities and the ability to print ransom notes via the user’s printers.
* Execution now has a validity period, enforced by checking the current date, likely to help the operators assert control over affiliate use and to make it harder for security companies’ automated analysis systems.
* Similar to v3 (Black), this version still has a configuration that contains flags for routines, a list of processes and service names to terminate, and files and directories to avoid.
* It also still has the ability to rename encrypted files to random filenames.

As mentioned in the introduction, those looking for a detailed analysis of LockBit-NG-Dev can refer to the technical appendix.

CONCLUSION

The criminal group behind the LockBit ransomware has proven successful in the past, having consistently been among the most impactful ransomware groups throughout their operation. In the last couple of years, however, they seem to have had a number of logistical, technical, and reputational problems. This has forced LockBit to take action by working on a new, much-awaited version of their malware. However, with the seeming delay in getting a robust version of LockBit to market, compounded by continued technical issues, it remains to be seen how long this group will retain its ability to attract top affiliates and hold its position. In the meantime, it is our hope that LockBit is the next major group to disprove the notion of an organization being too big to fail.

More information on LockBit can be found in this link.
Tags: Malware | Endpoints | Cyber Crime | Ransomware | Research | Articles, News, Reports

Authors: Trend Micro Research
