Authorities dismantled LockBit before it could unleash revamped variant
New features aimed to stamp out problems of the past
Law enforcement's disruption of the LockBit ransomware crew comes as the criminal group was working on bringing a brand-new variant to market, research reveals.
As part of the daily LockBit leaks this week, Trend Micro's report on the group, published today, analyzed a cross-platform version researchers believe was being designed to succeed the most recent LockBit 3.0 iteration.
Unlike rivals ALPHV/BlackCat and others in the space, LockBit didn't opt for one of the trendier memory-safe languages like Rust for its latest locker. Instead, it chose .NET for the code and CoreRT for the compiler – a choice Trend Micro says would have allowed it to target more platforms with a single program.
It was also packed using MPRESS – a choice the developers "possibly" made to evade static file detection.
Before being taken down this week, LockBit had multiple different variants written in C/C++, including specific ones for Linux and VMware ESXi systems, so the switch to .NET was probably made to streamline operations.
Long-term infosec watchers among The Reg readership will remember the numerous times over the years when ransomware groups have dealt with disgruntled members leaking their code.
LockBit is no exception to this. In September 2022 its builder was leaked, believed to have been the work of a developer within the group's ranks. The incident led to a number of copycat gangs that got their hands on LockBit's code launching attacks while pretending to be them.
The in-development variant showed signs of LockBit trying to counter this with a new expiry date. Each version shipped to affiliates would have a hardcoded date range within which the program would work, presumably to limit the effectiveness of the variant if it was leaked or stolen.
"This can also be considered an anti-analysis and anti-sandbox technique – however, it is relatively simple for an analyst to bypass this during reverse engineering," said the researchers in a technical breakdown [PDF].
"On the other hand, it would be more difficult for an affiliate to patch the binary before using it against a victim."
The variant is being tracked by researchers as "LockBit-NG-Dev" and features a completely rewritten codebase that would require defenders to develop new patterns to detect its activity.
Given that LockBit-NG-Dev is still a work in progress, it isn't as fully featured as the official versions that came before it. Although some of the capabilities of previous LockBit variants are missing from LockBit-NG-Dev, such as its self-spreading mechanism and the ability to print ransom notes from victims' printers, Trend Micro said it's still a "functional and powerful" ransomware program.
It also retains many features from the previous version, such as an embedded configuration to decide the executed routines and an ability to terminate processes and services that could prevent the payload from running or files from encrypting.
LockBit-NG-Dev supports multiple encryption modes, just like its predecessors. Most affiliates opt for the "fast" mode, which encrypts only the first 0x1000 bytes of a file, but an "intermittent" mode was introduced in LockBit 2.0 in 2021 as a way to evade detection.
Sophos said at the time that a partially encrypted document statistically looks very similar to a non-encrypted one, meaning some ransomware security solutions may not be alerted to ongoing encryption of files.
In LockBit-NG-Dev there is also a slower "full" encryption mode, which predictably encrypts the entire targeted file.
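To make the Sophos observation concrete, here is an added example (not code from the article, Trend Micro or Sophos) that models the "fast" mode (only the first 0x1000 bytes touched) and "full" mode described above and compares two defender-side heuristics: a whole-file entropy check, which the partially encrypted file slips past, and a per-block check, which catches the encrypted window. Ciphertext is simulated with seeded random bytes, the sample document is constructed, and the 7.0 bits/byte threshold is an assumed illustrative value.

```python
import math
import random

FAST_MODE_BYTES = 0x1000   # "fast" mode: only the first 0x1000 bytes are encrypted
BLOCK_SIZE = 0x1000        # analysis window for the per-block check
ENTROPY_THRESHOLD = 7.0    # assumed: plain text sits around 4-5 bits/byte, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def simulate_encryption(plaintext: bytes, mode: str, seed: int = 1) -> bytes:
    """Constructed stand-in for a locker's output: ciphertext is modelled as
    seeded random bytes, which is all an entropy heuristic can observe anyway."""
    rng = random.Random(seed)
    if mode == "fast":
        n = min(FAST_MODE_BYTES, len(plaintext))
        return rng.randbytes(n) + plaintext[n:]   # rest of the file untouched
    if mode == "full":
        return rng.randbytes(len(plaintext))
    raise ValueError(f"unsupported mode {mode!r}")


def whole_file_looks_encrypted(data: bytes) -> bool:
    """Naive heuristic: a single entropy figure for the entire file."""
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def any_block_looks_encrypted(data: bytes) -> bool:
    """Per-block heuristic: flag if any BLOCK_SIZE window is ciphertext-like."""
    blocks = (data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE))
    return any(shannon_entropy(b) > ENTROPY_THRESHOLD for b in blocks)


# Constructed sample "document": 64 KiB of repetitive, low-entropy text.
SAMPLE_DOC = (b"Quarterly report: revenue up, costs flat, headcount steady.\n" * 1200)[:0x10000]

if __name__ == "__main__":
    for mode in ("fast", "full"):
        enc = simulate_encryption(SAMPLE_DOC, mode)
        print(mode, whole_file_looks_encrypted(enc), any_block_looks_encrypted(enc))
```

Run as a script it prints `fast False True` and `full True True`: the whole-file check misses the fast-mode file because 4 KiB of ciphertext barely moves the average over 64 KiB of text, while the per-block check flags it.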
The latest variant is by no means considered the finished article, and although authorities did a comprehensive job dismantling LockBit, its leaders will likely continue to operate.
Three major arrests have been made this week and that shows great progress, but it doesn't make much of a dent in the near-200 affiliates LockBit had on its books.
Without arresting key leaders of the organized crime group, they may well return under a new brand name just as others have in recent years, protected from US indictments by a Russian state that turns a blind eye to ransomware gangs, provided they don't turn on their own.
The .NET variant could well hint at the future of LockBit's leadership and the tools used by the next big ransomware gang on the scene. Trend Micro's researchers believe this new variant could have formed the basis of what would have been LockBit 4.0, so it's not a stretch to assume it may be used by another gang in years or even months to come. ®