Experts find similarities between new LockBit 3.0 and BlackMatter Ransomware

Cybersecurity researchers have highlighted the similarities between the latest iteration of LockBit ransomware and BlackMatter, a rebranded variant of the DarkSide ransomware strain that shut down in November 2021.

The new version of LockBit, called LockBit 3.0 aka LockBit Black, was released in June 2022 with an all-new leak site and what is billed as the first-ever ransomware bug bounty program, alongside Zcash as a cryptocurrency payment option.

Its encryption routine appends the extension "HLJkNskOq" or "19MqZqZ0s" to each encrypted file and replaces the icons of the locked files with the .ico file dropped by the LockBit sample at the start of the infection.

“The ransomware then drops its ransom note, which references ‘Ilon Musk’ and the European Union’s General Data Protection Regulation (GDPR),” Trend Micro researchers said in a report released on Monday. “Finally, it changes the desktop wallpaper of the victim’s machine to inform them about the ransomware attack.”


The many similarities between LockBit and BlackMatter stem from overlaps in the privilege escalation routine and in the harvesting routine used to resolve the APIs needed to terminate processes and perform other functions, as well as the shared use of anti-debugging techniques and threading tricks designed to hinder analysis.

Also worth noting is its use of a "-pass" argument to decrypt its main routine, a behavior previously seen in another defunct ransomware family named Egregor, which effectively makes the binary harder to reverse engineer when the parameter is unavailable.
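As an added example (not LockBit's or Egregor's own code) of why a "-pass" gated routine resists analysis: the body of the main routine is stored only in encrypted form, the decryption key is derived from the command-line value, and a hash tag rejects wrong values so nothing decrypts into runnable code without the right argument. The SHA-256 counter-mode keystream, the 16-byte plaintext tag, the `-pass` parsing and the stand-in routine `mark()` are all assumptions made for this illustration; the page does not describe the real sample's cipher or key derivation.

```python
"""Added example: a payload whose main routine only exists in memory when the
correct '-pass' value is given.  Cipher, tag layout and stand-in routine are
assumptions for illustration, not LockBit's implementation."""
import hashlib
import hmac
import sys

# Stand-in for the gated "main routine": benign, just appends the marker
# extension the article mentions.  In a real sample this would be the
# encryption logic, present on disk only as ciphertext.
ROUTINE_SRC = '''
def mark(path):
    return path + ".HLJkNskOq"
'''


def keystream(password: str, nbytes: int) -> bytes:
    """SHA-256 in counter mode, keyed by the password (assumed construction)."""
    key = hashlib.sha256(password.encode()).digest()
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def build_gated_blob(password: str, src: str = ROUTINE_SRC) -> bytes:
    """What the author embeds in the binary: tag || routine, XORed with the keystream."""
    plaintext = src.encode()
    tag = hashlib.sha256(plaintext).digest()[:16]   # lets unlock() detect a wrong key
    body = tag + plaintext
    return bytes(a ^ b for a, b in zip(body, keystream(password, len(body))))


def unlock(blob: bytes, password: str):
    """Decrypt the routine with the '-pass' value; raise if the tag does not verify."""
    body = bytes(a ^ b for a, b in zip(blob, keystream(password, len(blob))))
    tag, plaintext = body[:16], body[16:]
    if not hmac.compare_digest(tag, hashlib.sha256(plaintext).digest()[:16]):
        raise ValueError("wrong -pass value: main routine stays encrypted")
    namespace = {}
    exec(plaintext.decode(), namespace)   # routine materialises only here, in memory
    return namespace["mark"]


if __name__ == "__main__":
    # Usage: python gated.py -pass correct-horse
    blob = build_gated_blob("correct-horse")   # would be a constant inside the binary
    args = sys.argv[1:]
    given = args[args.index("-pass") + 1] if "-pass" in args and args.index("-pass") + 1 < len(args) else ""
    try:
        print(unlock(blob, given)("report.docx"))
    except ValueError as err:
        print(err)
```

Without the argument an analyst or sandbox holds only ciphertext plus a tag, so static analysis of the routine and automated detonation both stall until the value is recovered from the affiliate's deployment tooling or command-line logging; that is also why capturing full process command lines in EDR telemetry matters for this family.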


Additionally, LockBit 3.0 is designed to check the display language of the victim machine so as to avoid compromising systems associated with the Commonwealth of Independent States (CIS).

"A notable behavior for this third version of LockBit is its file deletion technique: instead of using cmd.exe to execute a batch file or a command that will perform the deletion, it drops and executes a decrypted .tmp file from the binary," the researchers said.

This .tmp file overwrites the contents of the ransomware binary and then renames the binary multiple times, with the new filenames based on the length of the original filename including its extension, in an effort to prevent recovery by forensic tools and cover its tracks.
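The deletion chain above is unusual enough to detect on its own: a process drops a .tmp, runs it as a child, and that child then overwrites and repeatedly renames the parent's image before deleting it. The following added example (not Trend Micro's or LockBit's code) runs such a detection over constructed EDR-style telemetry. The event schema (`type`, `pid`, `ppid`, `image`, `path`, `new_path`), the sample events and the reading of "based on the length" as "same length as the original name" are all assumptions made for this illustration.

```python
"""Added example: detect the drop-.tmp / overwrite / rename chain over
constructed file and process events.  Schema and sample data are assumed."""
import ntpath
from collections import defaultdict

# Constructed sample telemetry, not a real capture.  pid 100 is the ransomware
# binary and pid 200 the .tmp helper it drops and launches.  pids 300/400 are a
# benign installer that also drops and runs a .tmp but never touches its parent.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Users\v\lb.exe"},
    {"type": "file_create", "pid": 100, "path": r"C:\Users\v\AppData\Local\Temp\xy.tmp"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\v\AppData\Local\Temp\xy.tmp"},
    {"type": "file_write", "pid": 200, "path": r"C:\Users\v\lb.exe"},
    {"type": "file_rename", "pid": 200, "path": r"C:\Users\v\lb.exe", "new_path": r"C:\Users\v\AAAAAA"},
    {"type": "file_rename", "pid": 200, "path": r"C:\Users\v\AAAAAA", "new_path": r"C:\Users\v\BBBBBB"},
    {"type": "file_rename", "pid": 200, "path": r"C:\Users\v\BBBBBB", "new_path": r"C:\Users\v\CCCCCC"},
    {"type": "file_delete", "pid": 200, "path": r"C:\Users\v\CCCCCC"},
    {"type": "process", "pid": 300, "ppid": 1, "image": r"C:\Users\v\setup.exe"},
    {"type": "file_create", "pid": 300, "path": r"C:\Users\v\AppData\Local\Temp\is.tmp"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Users\v\AppData\Local\Temp\is.tmp"},
    {"type": "file_write", "pid": 400, "path": r"C:\Users\v\AppData\Local\Temp\is.log"},
]


def detect_self_deletion(events, min_renames=2):
    """Flag a child that (1) runs from a .tmp its parent created, (2) overwrites
    the parent's image on disk and (3) renames that file at least min_renames
    times to names of the same length as the original.  Returns alert dicts."""
    image_of = {}                 # pid -> image path
    dropped = defaultdict(set)    # pid -> lowercase .tmp paths it created
    chains = {}                   # child pid -> tracking state

    for ev in events:
        kind = ev["type"]
        if kind == "process":
            image_of[ev["pid"]] = ev["image"]
            parent_image = image_of.get(ev["ppid"])
            if parent_image and ev["image"].lower() in dropped[ev["ppid"]]:
                chains[ev["pid"]] = {
                    "parent_pid": ev["ppid"],
                    "parent_image": parent_image,
                    "tmp": ev["image"],
                    "overwritten": False,
                    "renames": 0,
                    "current": parent_image.lower(),  # where the parent's binary is now
                }
        elif kind == "file_create" and ev["path"].lower().endswith(".tmp"):
            dropped[ev["pid"]].add(ev["path"].lower())
        elif kind == "file_write":
            st = chains.get(ev["pid"])
            if st and ev["path"].lower() == st["current"]:
                st["overwritten"] = True
        elif kind == "file_rename":
            st = chains.get(ev["pid"])
            if st and ev["path"].lower() == st["current"]:
                orig_len = len(ntpath.basename(st["parent_image"]))
                if len(ntpath.basename(ev["new_path"])) == orig_len:
                    st["renames"] += 1
                st["current"] = ev["new_path"].lower()   # keep following the file

    alerts = []
    for child_pid, st in chains.items():
        if st["overwritten"] and st["renames"] >= min_renames:
            alerts.append({
                "child_pid": child_pid,
                "parent_pid": st["parent_pid"],
                "parent_image": st["parent_image"],
                "tmp": st["tmp"],
                "renames": st["renames"],
                "reason": "dropped .tmp overwrote and repeatedly renamed its parent's binary",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_self_deletion(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the relationship between the three steps rather than on any filename, so it survives a change of .tmp name or rename alphabet; the installer in the sample data drops and runs a .tmp too, but is not flagged because it never writes to or renames its parent's image. The forensic takeaway is the same as the article's: once the chain completes, the original binary is gone from disk, so the sample has to be recovered from memory or from the dropper stage.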

The findings come as LockBit has become one of the most active ransomware-as-a-service (RaaS) groups of 2022, its newest alleged victim being the Italian tax agency (L'Agenzia delle Entrate).


According to the Palo Alto Networks 2022 Unit 42 Incident Response Report released today, based on 600 cases handled between May 2021 and April 2022, the ransomware family accounted for 14% of ransomware intrusions, second only to Conti at 22%.


The development also highlights the continued success of the RaaS business model, which lowers the barrier to entry for extortionists and expands the reach of ransomware.

Check Point's analysis of cyber attack trends for the second quarter of 2022 shows that on average one in 40 organizations was hit by ransomware each week, a 59% year-over-year increase from one in 64 organizations in the second quarter of 2021.

"Latin America saw the largest increase in attacks, with one in 23 organizations impacted each week, a 43% year-on-year increase from one in 33 in Q2 2021, followed by the Asia region, which saw a 33% year-on-year increase, reaching one in 17 organizations affected each week," the Israeli cybersecurity company said.
