LockBit 3.0 Variant Generates Custom, Self-Propagating Malware

Published: 23/11/2024   Category: security


Kaspersky researchers discovered the new variant after responding to a critical incident targeting an organization in West Africa.



The LockBit ransomware-as-a-service (RaaS) group has struck another victim, this time using stolen credentials to launch a sophisticated attack against an unidentified organization in West Africa. The attackers used a new variant of the LockBit 3.0 builder, which was leaked in 2022.
Kaspersky researchers discovered the latest variant at the end of March 2024 after responding to the incident in West Africa, detecting it at the time under the names Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen, and Trojan-Ransom.Win32.Generic. What makes this variant particularly concerning is that the builder can generate custom, self-propagating ransomware that is difficult to defend against.
During the attack, threat actors impersonating an administrator infected multiple hosts with malware, aiming to spread it deep into the victim's network. According to Kaspersky, the customized ransomware performed various malicious actions, including disabling Windows Defender, encrypting network shares, and deleting Windows Event Logs to avoid discovery of its actions.
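The two defence-evasion behaviours named above, switching off Windows Defender and clearing event logs, both leave documented Windows events behind, and seeing them together on one host within a short window is a strong signal. The following detection logic is an added example written for this article, not code from Kaspersky or from the LockBit builder. The event IDs are the standard Microsoft ones (Security 1102 and System 104 for log clearing, Windows Defender Operational 5001 and 5010 for protection being disabled, Sysmon 13 for a registry write to the DisableAntiSpyware policy value); the 30-minute correlation window and the sample event records are assumptions constructed for the example, not telemetry from the incident.

```python
"""Correlate Windows event-log clearing with Defender-disabling events per host.

Added example for this article: the event IDs are documented Microsoft ones,
the correlation window is an assumption, and the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Policy value that disables Defender when set to 1 (written via registry/GPO).
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"

# (channel, event id) -> indicator name
LOG_CLEARED = {
    ("Security", 1102): "security_log_cleared",   # "The audit log was cleared"
    ("System", 104): "system_log_cleared",        # "The ... log file was cleared"
}
DEFENDER_DISABLED = {
    (DEFENDER_CHANNEL, 5001): "realtime_protection_disabled",
    (DEFENDER_CHANNEL, 5010): "malware_scanning_disabled",
}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def classify(event):
    """Return ("clear"|"defender", indicator) for an event of interest, else None."""
    key = (event["channel"], event["id"])
    if key in LOG_CLEARED:
        return "clear", LOG_CLEARED[key]
    if key in DEFENDER_DISABLED:
        return "defender", DEFENDER_DISABLED[key]
    # Sysmon 13 = registry value set; flag DisableAntiSpyware being set to 1.
    if (key == (SYSMON_CHANNEL, 13)
            and event.get("target", "").lower() == DEFENDER_POLICY_KEY.lower()
            and event.get("details", "").endswith("(0x00000001)")):
        return "defender", "defender_policy_disabled_via_registry"
    return None


def correlate(events, window=WINDOW):
    """One alert per host where a Defender-disable indicator and a log-clearing
    indicator occur within `window` of each other; returns a list of dicts."""
    by_host = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append(
                (datetime.fromisoformat(ev["ts"]), tag[0], tag[1], ev["user"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for ts, kind, _name, _user in hits:
            if kind != "clear":
                continue
            nearby = [h for h in hits if abs(h[0] - ts) <= window]
            if any(h[1] == "defender" for h in nearby):
                alerts.append({
                    "host": host,
                    "users": sorted({h[3] for h in nearby}),
                    "indicators": sorted({h[2] for h in nearby}),
                    "first": min(h[0] for h in nearby).isoformat(),
                    "last": max(h[0] for h in nearby).isoformat(),
                })
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample events (not real telemetry). FS01 shows the full sequence;
# WS07 has only a routine log clear and a Defender event almost a day earlier.
SAMPLE_EVENTS = [
    {"ts": "2024-03-28T02:10:05", "host": "FS01", "channel": SYSMON_CHANNEL, "id": 13,
     "user": "CORP\\admin", "target": DEFENDER_POLICY_KEY, "details": "DWORD (0x00000001)"},
    {"ts": "2024-03-28T02:10:07", "host": "FS01", "channel": DEFENDER_CHANNEL, "id": 5001,
     "user": "NT AUTHORITY\\SYSTEM"},
    {"ts": "2024-03-28T02:11:30", "host": "FS01", "channel": "Security", "id": 1102,
     "user": "CORP\\admin"},
    {"ts": "2024-03-28T02:11:31", "host": "FS01", "channel": "System", "id": 104,
     "user": "CORP\\admin"},
    {"ts": "2024-03-27T12:00:00", "host": "WS07", "channel": DEFENDER_CHANNEL, "id": 5001,
     "user": "NT AUTHORITY\\SYSTEM"},
    {"ts": "2024-03-28T09:00:00", "host": "WS07", "channel": "Security", "id": 1102,
     "user": "CORP\\admin"},
    {"ts": "2024-03-28T09:00:01", "host": "WS07", "channel": "Security", "id": 4624,
     "user": "CORP\\admin"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Note that event 1102 is written by the event log service after the Security log is cleared and is the first entry in the emptied log, so the rule still fires on the host itself; it only helps, though, if the events are forwarded off the box (Windows Event Forwarding or a SIEM agent) before an attacker holding administrator credentials, as in this incident, tampers with the collector or the service.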
The researchers discovered that the variant can also direct attacks at select systems and infect only specific file types, such as .docx or .xlsx files. "The nature of this finding is rather critical since the use of leaked privileged credentials allows the attackers to have full control of the victim's infrastructure, as well as covering their tracks," says Cristian Souza, an incident response specialist at Kaspersky.
The organization in West Africa hit by the new LockBit variant is the only victim Kaspersky's Global Emergency Response Team (GERT) has encountered in that area to date, according to Souza. "However, we detected other incidents that used the leaked builder in other regions," he says.
Since it was leaked in 2022, attackers have continued to actively use the LockBit 3.0 builder to create customized versions and variants. This opens up numerous possibilities for malicious actors to make their attacks more effective, since the builder lets them configure network-spread options and defense-killing functionality, according to a research brief on the attack and a detailed description of the variant posted by Kaspersky. It becomes even more dangerous if the attacker holds valid privileged credentials in the target infrastructure.
According to a recent Trend Micro report, the LockBit group was responsible for at least 25% of all ransomware attacks in 2023 and has hit thousands of victims since 2020. The LockBit 3.0 builder is a popular tool among threat actors because it doesn't require advanced programming skills.
In February 2024, an international law-enforcement action known as Operation Cronos claimed to have taken down the group's infrastructure, but less than a week later LockBit responded that it had recovered and was back in business.
As the debate continues over whether LockBit will remain the pervasive force in waging ransomware attacks, Kaspersky advises that organizations take the same steps they would undertake to prevent an attack from any group. Those steps include using properly configured antimalware and endpoint detection software, implementing a managed detection and response solution, conducting vulnerability assessments and penetration tests, and performing and testing backups of critical data.
Further, Souza recommends that network administrators employ network segmentation, enforce multifactor authentication (MFA), allowlist permitted applications, and have a well-defined incident response plan.
