Authorities dismantled LockBit before it could unleash revamped variant

New features aimed to stamp out problems of the past


Law enforcement's disruption of the LockBit ransomware crew comes as the criminal group was working on bringing a brand-new variant to market, research reveals.

As part of the daily LockBit leaks this week, Trend Micro's report on the group, published today, analyzed a cross-platform version researchers believe was being designed to succeed the most recent LockBit 3.0 iteration.

Unlike rivals ALPHV/BlackCat and others in the space, LockBit didn't opt for one of the trendier memory-safe languages like Rust for its latest locker. Instead, it chose .NET for the code and CoreRT for the compiler – a choice Trend Micro says would have allowed it to target more platforms with a single program.

It was also packed using MPRESS – a choice the developers "possibly" made to evade static file detection.

Before being taken down this week, LockBit had multiple different variants written in C/C++, including specific ones for Linux and VMware ESXi systems, so the switch to .NET was probably made to streamline operations.

Long-term infosec watchers among The Reg readership will remember the numerous times over the years when ransomware groups have dealt with disgruntled members leaking their code.

LockBit is no exception to this. In September 2022 its builder was leaked, believed to be caused by a developer within the group's ranks. The incident led to a number of copycat gangs that got their hands on LockBit's code to launch attacks pretending to be them.

The in-development variant showed signs of LockBit trying to counter this with a new expiry date. Each version shipped to affiliates would have a hardcoded date range within which the program would work, presumably to limit the effectiveness of the variant if it was leaked or stolen.

"This can also be considered an anti-analysis and anti-sandbox technique – however, it is relatively simple for an analyst to bypass this during reverse engineering," said the researchers in a technical breakdown [PDF].

"On the other hand, it would be more difficult for an affiliate to patch the binary before using it against a victim."

The variant is being tracked by researchers as "LockBit-NG-Dev" and features a completely rewritten codebase that would require defenders to develop new patterns to detect its activity.

Given that LockBit-NG-Dev is still a work in progress, it isn't as fully featured as the official versions that came before it. Although some of the capabilities of previous LockBit variants are missing from LockBit-NG-Dev, such as its self-spreading mechanism and its ability to print ransom notes from victims' printers, Trend Micro said it's still a "functional and powerful" ransomware program.

It also retains many features from the previous version, such as an embedded configuration to decide the executed routines and an ability to terminate processes and services that could prevent the payload from running or files from encrypting.

LockBit-NG-Dev supports multiple encryption modes, just like its predecessors. Most affiliates opt for the "fast" mode, which encrypts only the first 0x1000 bytes of a file, but an "intermittent" mode was introduced in LockBit 2.0 in 2021 as a way to evade detection.

Sophos said at the time that a partially encrypted document statistically looks very similar to a non-encrypted one, meaning some ransomware security solutions may not be alerted to ongoing encryption of files.

In LockBit-NG-Dev there is also a slower "full" encryption mode, which predictably encrypts the entire targeted file.
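The detection gap described above is easy to see in numbers. The following is an added example, not code from Trend Micro's report or from the variant itself: it builds a constructed low-entropy "document", overwrites only its first 0x1000 bytes with seeded random data to stand in for a "fast"-mode output, and shows that whole-file entropy barely moves while a per-chunk check still flags the file. The chunk size, the 7.5 bits-per-byte threshold and the sample text are assumptions for the demo.

```python
import math
import random
from collections import Counter

# Constructed sample: a 64 KiB low-entropy English-like document.
SAMPLE_DOC = (b"Quarterly report: revenue grew while costs stayed flat. " * 1200)[:65536]

FAST_MODE_PREFIX = 0x1000  # bytes the article says "fast" mode encrypts
CHUNK = 0x1000             # assumed analysis window
RANDOM_THRESHOLD = 7.5     # assumed bits/byte above which a chunk looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the ceiling for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def simulate_fast_mode(doc: bytes, seed: int = 1) -> bytes:
    """Stand-in for a partially encrypted file: only the first 0x1000 bytes are
    replaced with seeded pseudo-random bytes. Constructed for the detector demo;
    this is not LockBit's cipher or routine."""
    rng = random.Random(seed)
    prefix = bytes(rng.getrandbits(8) for _ in range(FAST_MODE_PREFIX))
    return prefix + doc[FAST_MODE_PREFIX:]


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size window, so a small encrypted region stands out."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_partially_encrypted(data: bytes, chunk: int = CHUNK,
                              threshold: float = RANDOM_THRESHOLD) -> bool:
    """Flag a file whose overall entropy is low (so a whole-file check would pass)
    but which contains at least one near-random window."""
    return (max(chunk_entropies(data, chunk)) >= threshold
            and shannon_entropy(data) < threshold)


if __name__ == "__main__":
    clean, hit = SAMPLE_DOC, simulate_fast_mode(SAMPLE_DOC)
    print(f"whole-file entropy: clean={shannon_entropy(clean):.2f} "
          f"fast-mode={shannon_entropy(hit):.2f}")
    print(f"max chunk entropy:  clean={max(chunk_entropies(clean)):.2f} "
          f"fast-mode={max(chunk_entropies(hit)):.2f}")
    print("flagged:", looks_partially_encrypted(hit))
```

A whole-file entropy threshold never fires here because fewer than 7 percent of the bytes changed; the per-window check does, which is the kind of pattern defenders need once a locker only touches the head of each file.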

The latest variant is by no means the finished article, and although authorities did a comprehensive job dismantling LockBit, its leaders may well continue to operate.

Three major arrests have been made this week, and that shows great progress, but it doesn't make much of a dent in the nearly 200 affiliates LockBit had on its books.

Without arresting key leaders of the organized crime group, the gang may well return under a new brand name just as others have in recent years, protected from US indictments by a Russian state that turns a blind eye to ransomware gangs, provided they don't turn on their own.

The .NET variant could well hint at the future of LockBit's leadership and the tools used by the next big ransomware gang on the scene. Trend Micro's researchers believe this new variant could have formed the basis of what would have been LockBit 4.0, so it's not a stretch to assume it may be used by another gang in years or even months to come. ®
