In collaboration with the UK's National Crime Agency (NCA), Trend Micro analyzed the in-development and unreleased version of the LockBit encryptor, rendering the entire product line unusable to cybercriminals in the future.
As a criminal group, LockBit was known for innovating and trying new things. In the course of this development, LockBit released several versions of its ransomware: version v1 (January 2020), LockBit 2.0 (nicknamed “Red”, from June 2021) and LockBit 3.0 (“Black”, from March 2022). In October 2021, the threat actor introduced a Linux version. Finally, an interim version, “Green”, appeared in January 2023; it contained code apparently taken from the defunct Conti ransomware, but it was not a new version 4.0.
Recent challenges and decline
Recently, the group has been struggling with internal and external issues that threaten its position and reputation as one of the leading RaaS providers. These include fake victim posts and unstable infrastructure for its ransomware operations. Missing download files in alleged publications and new rules for partners have further strained the group's relationships. Attempts to recruit partners from competing groups and the long overdue release of a new LockBit version also indicate the group's loss of attractiveness.
LockBit 4.0 intercepted
We were recently able to analyze a sample of what we believe to be an in-development version of platform-independent LockBit malware that differs from previous versions. The sample appends the suffix “locked_for_LockBit” to encrypted files; this suffix is part of the configuration and can therefore still be changed. Given its current state of development, we named this variant LockBit-NG-Dev; we believe it could form the basis of LockBit 4.0, which the group is certainly working on.
The fundamental changes include the following:
- LockBit-NG-Dev is written in .NET and compiled with CoreRT. When the code is used together with the .NET environment, it is platform independent.
- Because of the switch to this language, the code base is completely new, which means that new detection patterns will likely need to be created for it.
- Although it has fewer features than v2 (Red) and v3 (Black), the missing features are likely to be added as development continues. As it stands, it is still a functional and powerful ransomware.
- The ability to self-propagate and to print ransom notes on the victim's printers has been removed.
- Execution now has a validity period, enforced by checking the current date. This likely helps operators keep control over affiliate usage and hampers the automated analysis systems of security companies.
- As in v3 (Black), this version still has a configuration that includes flags for its routines, a list of process and service names to terminate, and files and directories to exclude from encryption.
- In addition, encrypted files can still be renamed to random filenames.
Trend Micro also provides a detailed technical analysis of LockBit-NG-Dev online in its English blog article.
About Trend Micro
As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.