Researchers came up with a warning about a new wave of LockBit ransomware variants in the wild following a leak of the source code used by the prolific ransomware gang last year.
The LockBit ransomware gang came into emergence since 2020 and operates on a ransomware-as-a-service model where affiliates use already-developed ransomware to execute attacks.
The latest version of the group’s ransomware, LockBit 3.0 — also known as LockBit Black — was launched in June 2022 with a promise to make ransomware great again. But, the source code for the release was stolen and shared online last September.
The stolen code is now being used by other ransomware gangs to create their own customized versions of the ransomware.
In one of the incident analyzed by the researchers “Immediately after the builder leak, during an incident response by our GERT team, we managed to find an intrusion that leveraged the encryption of critical systems with a variant of Lockbit 3 ransomware. Our protection system confirmed and detected the threat as “Trojan.Win32.Inject.aokvy.”
The variant was confirmed as LockBit, but the ransom demand procedure differed from the ones known to be used by LockBit itself. The group behind the variant identified itself as a previously unknown group going by the name of “National Hazard Agency” and included a specific ransom and contact details, also not typical of LockBit attacks.
The researchers analyzed 396 samples of recent attacks attributed to LockBit and found that 77 of the 396 samples did not include any reference to LockBit in the ransom note, something the gang typically has in their attacks. The modified ransom note without reference to Lockbit or with a different contact address (mail/URL) reveals probable misuse of the builder by actors other than the ‘original’ Lockbit.
- Many of the detected parameters correspond to the default configuration of the builder, only some contain minor changes. This indicates the samples were likely developed for urgent needs or possibly by lazy actors.
- The most recurrent encryption targets are local disks and network shares, avoiding hidden folders.
- The samples generally run a single instance and enable the following parameters:
- kill service
- kill process
- kill defender
- delete logs
- Most of the samples identified do not enable the system shutdown option.
- Network deployment by PSEXEC is configured in 90% of the samples, while deployment by GPO is configured in 72%.
- Very few samples enable communication to C2
Most of the LockBit variants did not have the C2 communication function enabled, suggesting that the code was being used for only encryption attacks versus more modern ransomware attacks that not only encrypt data but steal it for extra leverage over victims.