LockBit Ransomware Developers Crafting Next-Gen Encryptor Before Takedown

LockBit ransomware operators were in the middle of developing a new version of their file-encrypting malware, tentatively named LockBit-NG-Dev and possibly intended to become LockBit 4.0, when law enforcement dismantled their infrastructure in Operation Cronos.

Working with the UK's National Crime Agency, cybersecurity firm Trend Micro analyzed a sample of this latest development and found it was being built to run on multiple operating systems.

Unlike previous iterations written in C/C++, the new sample is a work in progress written in .NET, compiled with CoreRT (ahead-of-time native compilation) and packed with MPRESS. It embeds a JSON configuration that sets execution parameters such as date ranges, ransom note details, unique IDs, RSA public keys, and operational flags.

Although the new encryptor lacks some features found in earlier versions, such as self-propagation across a breached network and printing ransom notes on victims' printers, it appears to be nearing completion and already offers most of the expected functionality.

The encryptor supports three encryption modes, all using AES for file contents with RSA protecting the keys: "fast," "intermittent," and "full." It can exclude specified files or directories from encryption and can randomize the names of encrypted files to hinder recovery. It also has a self-delete option that overwrites the encryptor's own executable with null bytes rather than simply deleting it.
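Two of the features above leave distinctive on-disk artifacts an incident responder can look for: files whose contents are indistinguishable from random (encrypted), and a file that has been overwritten entirely with null bytes (the self-delete remnant). The following triage script is an added example, not code from the original article, from Trend Micro, or from the malware itself. It assumes that encrypted data has near-maximal Shannon entropy, that "intermittent" mode leaves plaintext runs between encrypted runs (the real block sizes are not known, so the chunk size and entropy threshold here are illustrative assumptions), and it constructs its own sample files rather than touching real evidence.

```python
"""Triage encrypted and null-filled files left behind by a ransomware run.

Added example (not the article's, Trend Micro's or LockBit's code).
Assumptions, labelled: CHUNK and HIGH_ENTROPY are illustrative thresholds;
the constructed samples stand in for real victim files.
"""
import math
import os
import random
import tempfile
from collections import Counter

CHUNK = 4096          # assumption: scan granularity in bytes
HIGH_ENTROPY = 7.5    # assumption: bits/byte; random data approaches 8.0
MAX_READ = 1 << 20    # assumption: only the first 1 MiB is inspected


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant buffer, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Per-chunk entropy. A short tail can never reach HIGH_ENTROPY on its own
    (its maximum is log2(len)), so it is folded into the previous chunk."""
    pieces = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if len(pieces) > 1 and len(pieces[-1]) < chunk // 2:
        pieces[-2:] = [pieces[-2] + pieces[-1]]
    return [shannon_entropy(p) for p in pieces]


def classify(data: bytes) -> str:
    """One of: empty, zero_filled, full_encryption, intermittent, plaintext.

    Whole-file entropy alone would miss intermittent mode, because plaintext
    runs pull the average down; checking per chunk exposes the alternation."""
    if not data:
        return "empty"
    if data.count(0) == len(data):
        return "zero_filled"          # null-byte self-delete remnant
    ents = chunk_entropies(data)
    high = sum(e >= HIGH_ENTROPY for e in ents)
    if high == len(ents):
        return "full_encryption"
    if high > 0:
        return "intermittent"
    return "plaintext"


def triage_directory(root: str) -> dict[str, str]:
    """Walk a directory and classify every regular file (first MAX_READ bytes)."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[os.path.relpath(path, root)] = classify(fh.read(MAX_READ))
    return results


def build_samples() -> dict[str, bytes]:
    """Constructed sample contents (deterministic; not real victim data)."""
    rng = random.Random(1)
    text = (b"Quarterly report: revenue, costs and forecast for the region. " * 100)[:CHUNK]
    enc = lambda: rng.randbytes(CHUNK)          # stands in for AES ciphertext
    return {
        "plain.txt": text * 3,
        "full.bin": enc() + enc() + enc(),
        "intermittent.bin": enc() + text + enc() + text,
        "wiped.exe": b"\x00" * 10240,           # self-delete artifact
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in build_samples().items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        for path, verdict in sorted(triage_directory(tmp).items()):
            print(f"{verdict:16} {path}")
```

Run it as-is to see the four constructed samples classified; point `triage_directory` at a mounted evidence image to sweep real files. The per-chunk check is the part worth keeping: a single whole-file entropy figure looks unremarkable for intermittently encrypted files, while alternating high and low chunks are hard to explain any other way.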

Trend Micro has released a detailed technical analysis of the malware, revealing comprehensive configuration parameters for LockBit-NG-Dev.

The discovery of this unfinished encryptor is another setback for LockBit following Operation Cronos. Even if the gang still controls backup servers, rebuilding its operation will be harder now that security researchers have dissected the next encryptor before it was ever deployed.

To defend against LockBit and other ransomware, apply a layered strategy: keep regular backups of important data, including offline copies an intruder cannot reach from the network; enforce strong password policies; apply software updates promptly to close known vulnerabilities; use reputable antivirus and email filtering to detect and block malicious activity; and segment the network so that a single infection cannot spread across the whole environment.