Law enforcement's disruption of the LockBit ransomware crew comes as the criminal group was working on bringing a brand-new variant to market, research reveals.
As part of the daily LockBit leaks this week, Trend Micro's report on the group, published today, analyzed a cross-platform version researchers believe was being designed to succeed the most recent LockBit 3.0 iteration.
Unlike rivals ALPHV/BlackCat and others in the space, LockBit didn't opt for one of the trendier memory-safe languages like Rust for its latest locker.
Before being taken down this week, LockBit had multiple different variants written in C/C++, including specific ones for Linux and VMware ESXi systems. The new locker instead uses .NET for the code and CoreRT for the compiler, a choice Trend Micro says would have allowed it to target more platforms with a single program.
Long-term infosec watchers among The Reg readership will remember the numerous times over the years when ransomware groups have dealt with disgruntled members leaking their code.
In September 2022 LockBit's builder was leaked, a leak believed to have been the work of a developer within the group's ranks.
The incident led to a number of copycat gangs, which had got their hands on LockBit's code, launching attacks while pretending to be the group.
The in-development variant showed signs of LockBit trying to counter this with a new expiry date.
Each version shipped to affiliates would have a hardcoded date range within which the program would work, presumably to limit the effectiveness of the variant if it was leaked or stolen.
Given that LockBit-NG-Dev is still a work in progress, it isn't as fully featured as the official versions that came before it.
It also retains many features from the previous version, such as an embedded configuration to decide the executed routines and an ability to terminate processes and services that could prevent the payload from running or files from encrypting.
LockBit-NG-Dev supports multiple encryption modes, just like its predecessors.
Sophos said at the time that a partially encrypted document statistically looks very similar to a non-encrypted one, meaning some ransomware security solutions may not be alerted to ongoing encryption of files.
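The detection gap described above can be made concrete. The following is an added example, not code from the article, Trend Micro or Sophos: it assumes a "ransomware security solution" that flags a file by its whole-file Shannon entropy, simulates both full and intermittent encryption with a toy SHA-256 counter-mode keystream (standing in for a real cipher only so the ciphertext is pseudo-random), and shows that a per-chunk entropy check still catches the partially encrypted file the whole-file average misses. The sample document, key and chunk sizes are constructed for the demo.

```python
import hashlib
import math
from collections import Counter

# Constructed sample document: repetitive English text, low entropy like the body
# of a typical office file. Not a real file from the article.
SAMPLE_DOC = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged. " * 200
KEY = b"constructed-demo-key"  # hypothetical key for the toy keystream below


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). It only stands in for whatever cipher
    a locker uses so that the simulated ciphertext is pseudo-random; it is not a
    real encryption scheme."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """Simulate full-file encryption: every byte is XORed with keystream."""
    ks = keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_intermittent(data: bytes, key: bytes, block: int = 4096, head: int = 1024) -> bytes:
    """Simulate intermittent encryption: only the first `head` bytes of every
    `block`-byte region are touched, leaving most of the file as plaintext."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), block):
        for i in range(start, min(start + head, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is the maximum (uniformly random), English text is about 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def whole_file_alert(data: bytes, threshold: float = 7.5) -> bool:
    """Naive heuristic: flag a file as encrypted if its overall entropy is near 8 bits/byte.
    A partially encrypted file averages its random regions against the plaintext ones,
    so it stays well below the threshold and is missed."""
    return shannon_entropy(data) >= threshold


def chunk_alerts(data: bytes, chunk: int = 1024, threshold: float = 7.5) -> list:
    """Windowed heuristic: return offsets of chunks whose entropy is near 8 bits/byte.
    The random regions left by intermittent encryption show up individually here."""
    return [off for off in range(0, len(data), chunk)
            if shannon_entropy(data[off:off + chunk]) >= threshold]


if __name__ == "__main__":
    full = encrypt_full(SAMPLE_DOC, KEY)
    partial = encrypt_intermittent(SAMPLE_DOC, KEY)
    for name, blob in (("plaintext", SAMPLE_DOC), ("fully encrypted", full), ("intermittent", partial)):
        print(f"{name:16s} entropy={shannon_entropy(blob):.2f} "
              f"whole-file alert={whole_file_alert(blob)} "
              f"chunk alerts={len(chunk_alerts(blob))}")
```

The whole-file check only fires for the fully encrypted copy; the intermittently encrypted copy sits in the mid-single-digit range because roughly 70 percent of it is untouched text. The windowed check flags exactly the encrypted heads of each region, which is the kind of locality an anti-ransomware sensor needs if it keys on entropy at all.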
The latest variant is by no means considered the finished article, and although authorities did a comprehensive job dismantling LockBit, its leaders may well continue to operate.
Three major arrests have been made this week and that shows great progress, but it doesn't make much of a dent in the nearly 200 affiliates LockBit had on its books.
Without arresting key leaders of the organized crime group, they may well return under a new brand name just as others have in recent years, protected from US indictments by a Russian state that turns a blind eye to ransomware gangs, provided they don't turn on their own.
The .NET variant could well hint at the future of LockBit's leadership and the tools used by the next big ransomware gang on the scene.
Trend Micro's researchers believe this new variant could have formed the basis of what would have been LockBit 4.0, so it's not a stretch to assume it may be used by another gang in years or even months to come.
This Cyber News was published on go.theregister.com. Publication date: Thu, 22 Feb 2024 20:13:06 +0000