
Cybercriminals have become increasingly sophisticated, complete with Ransomware-as-a-Service models and coveted proprietary software. Now, one of the problems that legitimate organizations face has also surfaced for criminal enterprises: IP theft. The source code of the prominent LockBit 3.0 leaked last September, after which other groups developed their own variants.

A research team at Kaspersky took a close look at 396 recent cyberattacks attributed to LockBit. It was discovered that 77 (nearly 20 percent) of these investigated incidents had no reference to LockBit in the ransom note, indicating that another criminal organization was behind the attack.

LockBit 3.0: distinctive aspects

We have previously highlighted how the criminal gang behind LockBit operates: like other ransomware vendors, they rely on a weak spot within an organization. This can be an exploitable software weakness or negligence, such as failing to update applications. It could also simply be an employee trusting an email a little too much and accidentally downloading the ransomware.


Researchers at Kaspersky highlight three distinctive aspects of the software. First, it supports encrypted executables protected with randomly generated passwords. This allows attackers to choose when the ransomware is triggered via a command-line prompt. In addition, the payload has strong protections against reverse engineering, which hinders research and should prevent criminal competitors from simply making off with LockBit 3.0. It also uses many kernel-level Windows features not used by the operating system. These aspects would normally define what LockBit entails, but this definition now covers ransomware variants beyond the LockBit software made by the original criminal organization.

Back to basics

In September 2022, a so-called builder tool for LockBit was leaked, allowing anyone to create their own variant of the ransomware. Two versions appeared to have been released, after which an unusual LockBit incident was immediately discovered by the Kaspersky Global Emergency Response Team (GERT). Although it resembled LockBit 3.0 in many ways, the ransom note addressed to the victim was different from before.

The builder had no comparable defense mechanisms against reverse engineering, allowing other criminals to get their hands on the source code. Other gangs also seem to handle LockBit’s capabilities differently. The original group uses “double extortion,” that is, encrypting data and also siphoning it off, then threatening to leak that information to put further pressure on the victim to pay. Other groups keep it simple: they mostly just encrypt the data and demand a ransom to release it again. In theory, this is a lot less of a concern if a deployable backup exists within the affected organization.

While other cybercriminals can now make their move with LockBit, there are also benefits for investigative agencies worldwide now that the code is out in the open. With the source code leaked, it is easier to see how the hackers operate, which in time will allow security firms to develop better protections against infiltration. LockBit thus has competition that builds on its self-created software, while being increasingly in the crosshairs of authorities.
