[MART] - Daily Diary #315 - LockBit Ransomware Advertises New Version.

CTAS-MAT ctas-mat at appgate.com
Thu Jul 29 22:13:22 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

07/29/2021 - Diary entry #315

First discovered in 2019, LockBit is a ransomware that operates in the Ransomware-as-a-Service business model, exfiltrating data before encrypting it and threatening to publish online if they do not pay the ransom. For the encryption process, LokiBit uses AES + ECC. Elliptic Curve Cryptography (ECC) is found on a few ransomware samples as a more efficient alternative to RSA. The malware is developed in C and ASM without the usage of external libraries. This shows how much effort the cyber crime gang put into developing this threat. That's why it's considered one of the most dangerous active ransomware families nowadays.

In the past days a new version of LockBit, LockBit 2.0, was found being advertised in the group wall-of-shame website. In our Daily Diary #313 we covered the struggle on Babuk ransomware to advertise their ransomware in hacking forums. A few posts from this new version were spotted on a few forums frequented by cyber crime gans, but they were quickly removed.

Our team got access to LokiBit's deep-web site, where the advertisement is published along with the data from victims that refused to pay the ransom. Among the advertised capabilities is a new dangerous feature to encrypt entire windows domains through group policies. After infecting a domain controller, the malware creates new group policies and pushes them to every device connected on the network. Those policies disable antivirus protections and execute the ransomware. Also, LockBit seems to have copied a feature from Egregor ransomware, that after a successful infection it sends to all connected printers a command to repeatedly print the ransom note.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210729/3f439b80/attachment.htm>

More information about the MART mailing list