Cybercriminals Exploit LockBit’s Notoriety to Intimidate Victims

Cybercriminals have started to use the fame of the LockBit ransomware brand to add intimidation to their attacks, even disguising their malware as the well-known LockBit to pressure victims into quick payment.

Researchers have observed ransomware operators abusing Amazon’s S3 Transfer Acceleration feature, allowing them to upload stolen data to Amazon S3 buckets under their control. This scheme is facilitated by embedded AWS credentials, enabling the malware to exfiltrate sensitive information with ease.

In this campaign, threat actors have embedded AWS Access Key IDs and Secret Access Keys directly within the ransomware code, which is capable of targeting both Windows and macOS systems.

Researchers have identified more than 30 samples containing these credentials, indicating ongoing development. After researchers disclosed the vulnerability to Amazon’s security team, the access keys and accounts were suspended.

Dubbed “NotLockBit” by analysts, this ransomware operates similarly to LockBit, adding pressure on victims by associating itself with the infamous variant. The malware collects the target device’s unique identifier (UUID), which it uses to generate encryption keys, then searches root directories to encrypt files with specified extensions.

Before encryption, it exfiltrates the files via Amazon S3 Transfer Acceleration for fast data transfer. After encryption, the files are renamed with a unique identifier, for example, changing “text.txt” to “text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd.”

As a final intimidation tactic, the ransomware changes the infected device’s wallpaper to a message referencing LockBit 2.0, creating a more compelling scenario for victims to comply with ransom demands. By leveraging LockBit’s reputation, attackers amplify the fear factor and encourage faster payouts.

In recent months, there has been a surge in ransomware variety and sophistication. One notable development is a decryptor released for an older Mallox ransomware variant, made possible by exploiting a cryptographic flaw. However, this vulnerability was patched in March 2024, meaning more recent versions remain unaffected.

Additionally, ransomware affiliate operations, such as those behind the Mallox strain, have begun adopting complex toolsets and cross-platform variants.

For example, some affiliates now utilize a variant of Kryptina malware specifically targeting Linux systems, underscoring the evolving nature of ransomware codebases and the shift toward specialized attacks.

Ransomware incidents remain high, though a recent report shows a slight decline in ransomware attacks, from 1,325 in the second quarter of 2024 to 1,255 in the third. Yet, the human-operated attacks have surged by nearly threefold, highlighting a sustained threat level in the cybersecurity landscape.

While LockBit’s influence has waned following a major crackdown on its infrastructure earlier this year, emerging groups like RansomHub, Qilin (Agenda), and Akira are taking advantage.

To defend against such sophisticated ransomware tactics, organizations should focus on enhanced endpoint security and frequent backup practices. Minimizing exposure to compromised cloud service credentials and implementing multi-factor authentication can help prevent unauthorized access to sensitive data.