New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware (Security News, February 2023)
Threat actors are promoting a new 'Exfiltrator-22' post-exploitation framework designed to spread ransomware in corporate networks while evading detection.
Threat analysts at CYFIRMA claim that this new framework was created by former LockBit 3.0 affiliates who are experts in anti-analysis and defense evasion, offering a robust solution in exchange for a subscription fee.
Buyers of the framework are given an admin panel hosted on a bulletproof VPS, from which they can control the framework's malware and issue commands to compromised systems.
By the end of the year, the threat actors announced new features that helped conceal traffic on compromised devices, indicating that the framework was under active development.
Through the service's web panel, cybercriminals can also set scheduled tasks, update agents to a new version, change a campaign's configuration, or create new campaigns.
The CYFIRMA team has found evidence that LockBit 3.0 affiliates or members of the ransomware operation's development team are behind EX-22.
- LockBit ransomware goes 'Green,' uses new Conti-based encryptor (source)
- LockBit brags it pumped ION full of ransomware (source)
- LockBit ransomware gang claims Royal Mail cyberattack (source)
- The Prolificacy of LockBit Ransomware (source)
- LockBit ransomware claims Essendant attack, company says “network outage” (source)
- LockBit 3.0 Ransomware: Inside the Cyberthreat That's Costing Millions (source)