This new version of the malware uses advanced anti-analysis and obfuscation techniques
Researchers from SentinelLabs, SentinelOne’s research division, recently published the results of their analysis of the LockBit 3.0 malware. LockBit 3.0 ransomware (also known as LockBit Black) is an evolution of the wider Ransomware-as-a-Service (RaaS) family, which has its roots in BlackMatter and related malware. After a critical bug was discovered in LockBit 2.0 in March 2022, the malware authors began updating their encryption routines and adding a number of new features to deceive security researchers.
A few weeks ago, the ransomware group responsible for the malware also caused an uproar in the IT media landscape when the threat actors announced a so-called “bug bounty” program under the slogan “Make ransomware great again!” It is an initiative inviting contributors to find bugs in the program in exchange for cash rewards. Arguably, the goal is to improve the quality of the malware by outsourcing debugging to ethically flexible members of the cyber community.
Here are the main innovations and technical aspects of the new version of LockBit:
Leak and mirror servers
The threat actors behind the LockBit ransomware began migrating to LockBit 3.0 in June 2022. The change quickly caught the attention of the cybercriminal community, and several victims were identified on the new “Version 3.0” leak site. In addition, the threat actors set up multiple mirror servers for the exfiltrated data and published the site URLs to make their operations more robust.
Payload and Encryption
The initial delivery of the LockBit ransomware payload is usually handled by third-party frameworks such as Cobalt Strike. As with LockBit 2.0, there are indications that infection also occurs via other malware components, for example a SocGholish infection that leads to Cobalt Strike. The payload itself is a standard Windows PE file and bears a strong resemblance to previous generations of the LockBit and BlackMatter ransomware families. It is designed to be run with administrative privileges, and persistence is achieved by installing system services.
Anti-analysis and evasion
LockBit 3.0 ransomware uses various anti-analysis techniques to hinder static and dynamic analysis and shares similarities with the BlackMatter ransomware in this regard. These techniques include code packing, obfuscation, dynamic resolution of function addresses, trampoline functions, and anti-debugging techniques.
The group behind LockBit has quickly become one of the most prolific RaaS providers and has established itself as the successor to the Conti ransomware group. The threat actors have proven that they respond quickly to problems with their product and have the technical know-how to keep evolving. The recent announcement of a bounty for finding software bugs also demonstrates a keen understanding of the target audience and of the media landscape, which is currently filled with news about cybercriminals and institutional compromises.
Unless law enforcement takes action, this RaaS will continue to flourish for the foreseeable future, as will undoubtedly be the case with many other iterations of a very successful attack genre. With ransomware, proactive defense is more effective than reacting after a compromise. Security teams must therefore ensure that they have comprehensive protection against ransomware in place.
For more details, see the full LockBit 3.0 SentinelLabs report: https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/