The most recent version of the LockBit ransomware shares characteristics with BlackMatter, a renamed form of the DarkSide ransomware strain that went out of business in November 2021, according to cybersecurity analysts.
In addition to the first ransomware bug bounty programme and a brand-new leak site, LockBit 3.0, also known as LockBit Black, was released in June 2022. Zcash was also made available as a cryptocurrency payment method.
Every file must have the extensions “HLJkNskOq” or “19MqZqZ0s” added as part of the encryption process, and the icons of the locked files must be changed to those of the.ico file that is dropped by the LockBit sample to start the infection.
The malware then releases its ransom note, which makes references to “Ilon Musk” and the General Data Protection Regulation (GDPR) of the European Union, according to a report released on Monday by Trend Micro researchers. Finally, it modifies the victim’s computer’s wallpaper to alert them to the ransomware attack.
LockBit and BlackMatter share a great deal in common, including the use of anti-debugging and threading techniques to frustrate analysis as well as privilege escalation and harvesting algorithms used to find APIs needed to terminate processes and other functions.
Its usage of the “-pass” argument to decrypt its main routine is also noteworthy; this feature was shared by the Egregor ransomware family, which is now defunct. This makes the binary more difficult to reverse if the parameter is not present.
In addition, LockBit 3.0 is designed to check the victim machine’s display language to avoid compromising systems associated with the Commonwealth of Independent States (CIS) states.
“One notable behavior for this third LockBit version is its file deletion technique: Instead of using cmd.exe to execute a batch file or command that will perform the deletion, it drops and executes a .tmp file decrypted from the binary,” the researchers said.
This .tmp file then overwrites the contents of the ransomware binary and then renames the binary several times, with the new file names based on the length of the original file name, including the extension, in an attempt to prevent recovery by forensic tools and cover its tracks.
The findings coincide with LockBit attacks becoming the most active ransomware-as-a-service (RaaS) gangs in 2022, with the Italian Internal Revenue Service (L’Agenzia delle Entrate) being the most recent target.
The development also demonstrates the RaaS business model’s ongoing success, which lowers the entry hurdle for extortionists and broadens the reach of ransomware.