Security News > 2022 > July > Experts Find Similarities Between New LockBit 3.0 and BlackMatter Ransomware

Cybersecurity researchers have reiterated similarities between the latest iteration of the LockBit ransomware and BlackMatter, a rebranded variant of the DarkSide ransomware strain that closed shop in November 2021.

The new version of LockBit, called LockBit 3.0 aka LockBit Black, was released in June 2022, launching a brand new leak site and what's the very first ransomware bug bounty program, alongside Zcash as a cryptocurrency payment option.

LockBit's extensive similarities to BlackMatter come from overlaps in the privilege escalation and harvesting routines used to identify APIs required to terminate processes and other functions as well as the use of anti-debugging and threading techniques designed to thwart analysis.

"One notable behavior for this third LockBit version is its file deletion technique: Instead of using cmd.exe to execute a batch file or command that will perform the deletion, it drops and executes a.tmp file decrypted from the binary," the researchers said.

This.tmp file then overwrites the contents of the ransomware binary and then renames the binary several times, with the new file names based on the length of the original file name, including the extension, in an attempt to prevent recovery by forensic tools and cover its tracks.

According to Palo Alto Networks 2022 Unit 42 Incident Response Report published today based on 600 cases handled between May 2021 and April 2022, the ransomware family accounted for 14% of the intrusions, second only to Conti at 22%. The development also highlights the continued success of the RaaS business model, lowering the barrier to entry for extortionists and expanding the reach of ransomware.

News URL

https://thehackernews.com/2022/07/experts-find-similarities-between.html