LockBit is back, but on three legs


Hit but not sunk. This, in essence, is the message from the LockBit cybercriminals, whose infrastructure was seized last week by an international police task force in which French gendarmes took part. This weekend, the ransomware gang put a new data leak site back online and published a long message giving their version of the facts.

The group, through its mysterious spokesperson LockBitSupp, admitted negligence: a critical PHP update had been forgotten. He also linked the police operation to an ongoing cyber attack on a US county, which allegedly resulted in the leak of court documents relating to Donald Trump. A curious allegation, given that the police response to LockBit must certainly have been prepared for months, if not years.

In an interview with the AEF press agency, the head of the cyber gendarmes of the C3N (Center for the Fight against Digital Crime) also points out that the decision to carry out this shutdown of LockBit was taken collectively “two months ago”, after the various police partners had made sufficient progress in identifying the criminal group’s infrastructure.

New ransomware leak

This LockBit bluster may be intended to mask one of the gang’s big current problems. In documents posted online in the wake of the police operation, the cybersecurity company Trend Micro has in fact revealed what the new version of the malicious program, still under development, looks like.

This LockBit 4.0 should probably have succeeded the first version of the ransomware, which appeared in January 2020, the second, nicknamed “Red”, and the third, “Black”. There is also a fourth version, “Green”, which took over portions of the code from the Conti ransomware.

According to Trend Micro, which studied the malicious program together with the National Crime Agency, the British police agency, the new version of LockBit in preparation was to be based on .NET and compiled with CoreRT. In detail, the ransomware in development has three encryption modes: fast, intermittent and complete.

Creation of new models

The new malware appears to have fewer capabilities than previous versions, lacking for example self-propagation or the printing of ransom notes on victims’ printers. But new features will probably be added later.

“As it stands, this is still a functional and powerful ransomware,” Trend Micro warns. It also points out that with this change of programming language, “the code base is completely new, which means new security models will likely need to be created to detect it.”

However, with the publication of the first indicators of compromise by the company, this work has already begun. Good news for IT security professionals, who will be able to update their defenses.