Experts Find Similarities Between New LockBit 3.0 and BlackMatter Ransomware


Cybersecurity researchers have reiterated similarities between the latest version of the LockBit ransomware and BlackMatter, a rebranded variant of the DarkSide ransomware strain that closed shop in November 2021.

The new version of LockBit, called LockBit 3.0 aka LockBit Black, was released in June 2022 and launched a brand new leak site and what is the first-ever ransomware bug bounty program, alongside Zcash as a cryptocurrency payment option.

The encryption process involves adding the extension “HLJkNskOq” or “19MqZqZ0s” to each file and changing the icons of the locked files to that of the .ico file dropped by the LockBit sample to initiate the infection.

“The ransomware then drops its ransom note, which references ‘Ilon Musk’ and the European Union’s General Data Protection Regulation (GDPR),” Trend Micro researchers said in a Monday report. “Finally, it changes the background of the victim’s computer to inform them about the ransomware attack.”

LockBit’s extensive similarities to BlackMatter come from overlaps in the privilege escalation and harvesting routines used to identify APIs needed to terminate processes and other functions, as well as the use of anti-debugging and threading techniques designed to thwart analysis.

Also notable is the use of a “-pass” argument to decrypt the main routine, a behavior seen in another defunct ransomware family called Egregor, which basically makes the binary harder to reverse if the parameter is not available.

Additionally, LockBit 3.0 is designed to check the victim machine’s display language to avoid compromising systems associated with the Commonwealth of Independent States (CIS).

“One notable behavior for this third LockBit version is the file deletion technique: instead of using cmd.exe to run a batch file or command that will perform the deletion, a .tmp file that was decrypted from the binary file is dropped and executed,” the researchers said.

This .tmp file then overwrites the contents of the ransomware binary and renames the binary several times, with the new file names based on the length of the original file name, including the extension, in an attempt to prevent recovery by forensic tools and cover its traces.
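The overwrite-then-rename behavior described above can be hunted for in file telemetry. The following is an added detection sketch, not code from the article or from Trend Micro; the event schema, the sample events, the `min_renames` threshold, and the requirement that the chain ends in a delete are all assumptions.

```python
import ntpath  # applies Windows path rules on any host OS

T = "C:\\Temp\\"
# Constructed events: (time, pid, op, path, new_path). The schema is an
# assumption; map your own EDR or Sysmon-style file telemetry onto it.
EVENTS = [
    (1, 5012, "write",  T + "sample.exe", None),          # contents overwritten
    (2, 5012, "rename", T + "sample.exe", T + "A" * 10),  # same length as "sample.exe"
    (3, 5012, "rename", T + "A" * 10, T + "B" * 10),
    (4, 5012, "rename", T + "B" * 10, T + "C" * 10),
    (5, 5012, "delete", T + "C" * 10, None),
    (6, 731, "write",  "C:\\Docs\\notes.tmp", None),      # benign save-via-temp
    (7, 731, "rename", "C:\\Docs\\notes.tmp", "C:\\Docs\\notes.docx"),
    (8, 731, "write",  "C:\\Logs\\a.log", None),          # benign single rotation
    (9, 731, "rename", "C:\\Logs\\a.log", "C:\\Logs\\b.log"),
    (10, 731, "delete", "C:\\Logs\\b.log", None),
]

def find_wipe_rename_chains(events, min_renames=3):
    """Flag files that are overwritten, renamed at least min_renames times to
    names exactly as long as the original basename, and then deleted."""
    chains = {}    # current path (lowercased) -> state of the chain it belongs to
    findings = []
    for _, pid, op, path, new_path in sorted(events, key=lambda e: e[0]):
        key = path.lower()
        if op == "write":
            chain = chains.setdefault(
                key, {"origin": path, "renames": 0, "overwritten": False})
            chain["overwritten"] = True
        elif op == "rename":
            chain = chains.pop(
                key, {"origin": path, "renames": 0, "overwritten": False})
            origin_len = len(ntpath.basename(chain["origin"]))
            if len(ntpath.basename(new_path)) == origin_len:
                chain["renames"] += 1
                chains[new_path.lower()] = chain  # keep following the file
            # a length change breaks the pattern, so the chain is dropped
        elif op == "delete":
            chain = chains.pop(key, None)
            if chain and chain["overwritten"] and chain["renames"] >= min_renames:
                findings.append({"origin": chain["origin"],
                                 "renames": chain["renames"], "pid": pid})
    return findings

if __name__ == "__main__":
    for hit in find_wipe_rename_chains(EVENTS):
        print(hit)
```

Lowering `min_renames` to 1 also flags the benign log rotation in the sample data, so the threshold should be tuned against normal rename activity in the environment.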

The findings come as LockBit infections have emerged as the most active among ransomware-as-a-service (RaaS) groups in 2022, with the most recently reported victim being the Italian tax authorities (L’Agenzia delle Entrate).

According to Palo Alto Networks’ 2022 Unit 42 Incident Response Report, published today and based on 600 cases settled between May 2021 and April 2022, the ransomware family was responsible for 14% of the intrusions, second only to Conti at 22%.

The development also highlights the continued success of the RaaS business model, lowering the barrier to entry for extortionists and increasing the reach of ransomware.

Check Point’s analysis of cyber attack trends for the second quarter of 2022 shows that the weekly average of organizations affected by ransomware reached one in 40, up 59% from one in 64 organizations in the second quarter of 2021.

“Latin America has seen the largest increase in attacks, with one in 23 organizations being hit on a weekly basis, up 43% year-over-year, compared to one in 33 in the second quarter of 2021, followed by the Asia region, which has seen a 33% year-over-year increase to one in 17 organizations affected weekly,” the Israeli cybersecurity firm said.