Attackers favor LockBit 3.0 ransomware for its strong encryption, which reliably locks victims’ files for ransom, and for its stealth, which helps them retain unauthorized access to systems long enough to deploy it.
Kaspersky Labs’ cybersecurity researchers uncovered active hacker exploitation of customized LockBit 3.0 ransomware targeting global organizations.
LockBit 3.0 Ransomware
In a recent incident response engagement, the threat actors had obtained administrator credentials in plaintext. Those credentials were then used to build the latest, customized variant of LockBit 3.0 ransomware.
The customized malware executed lateral movement by leveraging stolen passwords, disabling Windows Defender, erasing event logs, and ultimately encrypting data network-wide.
A simplified LockBit 3.0 builder streamlines options for threat actors, including impersonation, network share encryption, process termination, and network propagation via PsExec.
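As an added defensive example (not code from Kaspersky’s report or this article), the following Python correlates the three host-side behaviours described above, Windows Defender real-time protection being disabled, event logs being cleared, and the PsExec service being installed, over a constructed set of normalized Windows event records. The channels and event IDs are the standard Windows ones; the hostnames, timestamps and message text are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): Windows event log records as a
# SIEM might forward them. Hostnames, times and messages are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:10:05", "host": "FS01", "channel": "Microsoft-Windows-Windows Defender/Operational",
     "id": 5001, "msg": "Real-time protection is disabled."},
    {"ts": "2024-03-01T02:11:40", "host": "FS01", "channel": "Security",
     "id": 1102, "msg": "The audit log was cleared."},
    {"ts": "2024-03-01T02:12:02", "host": "FS02", "channel": "System",
     "id": 7045, "msg": "A service was installed in the system. Service Name: PSEXESVC"},
    {"ts": "2024-03-01T02:12:30", "host": "FS01", "channel": "System",
     "id": 7045, "msg": "A service was installed in the system. Service Name: PSEXESVC"},
    {"ts": "2024-03-01T09:00:00", "host": "WS07", "channel": "System",
     "id": 7045, "msg": "A service was installed in the system. Service Name: PSEXESVC"},
]

# (channel, event id) -> technique tag. 5001: Defender real-time protection off;
# 1102: Security log cleared; 104: System log cleared.
RULES = {
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "defender_realtime_disabled",
    ("Security", 1102): "event_log_cleared",
    ("System", 104): "event_log_cleared",
}

def tag_event(ev):
    """Map one event to a technique tag, or None if it is not of interest."""
    tag = RULES.get((ev["channel"], ev["id"]))
    # 7045 is any service install; only the PsExec service name (PSEXESVC) is tagged.
    if tag is None and ev["channel"] == "System" and ev["id"] == 7045 \
            and "PSEXESVC" in ev["msg"].upper():
        tag = "psexec_service_installed"
    return tag

def correlate(events, window_minutes=30):
    """Return {host: sorted tags} for hosts on which at least two distinct
    technique tags occur within window_minutes of each other. A lone PsExec
    install (legitimate admin use) is not enough to raise an alert."""
    per_host = defaultdict(list)
    for ev in events:
        tag = tag_event(ev)
        if tag:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for host, tagged in per_host.items():
        tagged.sort()
        for i, (t0, _) in enumerate(tagged):
            tags = {t for ts, t in tagged[i:] if ts - t0 <= window}
            if len(tags) >= 2:
                hits[host] = sorted(tags)
                break
    return hits
```

On the constructed data only FS01 is flagged, with all three tags; FS02 and WS07 each show a single PsExec install and stay below the threshold.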
This incident underscores the risks of identity theft and the ease with which threat actors weaponize tools like LockBit 3.0 into highly personalized and evasive ransomware threats.
The builder enables attackers to tailor ransomware by choosing which files, directories, and systems to encrypt or exclude, based on the target’s network architecture.
The builder produces a custom-built malware package that includes LB3.exe for delivery, a matching decryptor, password-protected variants, and injection techniques.
Running this customized build demonstrates its full ransomware functionality, but paying the ransom is ill-advised and unlikely to restore files.
In a secure lab, the researchers successfully decrypted the files using the decryptor generated for that ransomware sample. However, after Operation Cronos in February 2024, law enforcement confiscated LockBit infrastructure and decryption keys, temporarily halting the group’s activity.
Despite this, LockBit resumed operations shortly afterwards. The check_decryption_id utility lets users confirm whether they possess the correct keys for known victims.
The check_decrypt tool evaluates whether files can be decrypted based on several conditions, generating a CSV file that lists the decryptable files and an email address for further restoration instructions.
This toolset piqued the researchers’ interest because of their prior investigations into LockBit cases. They tested victim IDs and encrypted files, and check_decrypt often confirmed that decryption was impossible with the known keys.
The leaked builder was also used by LockBit’s competitors to target companies in the Commonwealth of Independent States, breaching LockBit’s policy against compromising CIS nationals. This sparked a dark web discussion in which LockBit operators distanced themselves from the incident.
Recommendations
Below are all the recommendations:
- Use robust antimalware.
- Implement Managed Detection and Response (MDR).
- Disable unused services and ports.
- Keep all systems and software updated.
- Conduct regular penetration tests and vulnerability scans.
- Provide cybersecurity training for staff awareness.
- Perform frequent backups and test them.
Indicators Of Compromise
Host-based:
- 8138f1af1dc51cde924aa2360f12d650
- decd6b94792a22119e1b5a1ed99e8961
Network-based:
- update.centos-yum[.]com (199.231.211[.]19)