Early last year marked the emergence of the LockBit3.0 RaaS (Ransomware-as-a-Service) malware, ever since the source-code was leaked, rivals and competitors have taken advantage of the opportunity to use the malware for their own purpose.
The research and analysis conducted by Kaspersky made a discovery, indicating that numerous threat groups seized the opportunity of the malware source-code leakage, to customized their own version of the ransomware in their extorting campaigns.
A team of Kaspersky’s Global Emergency Response Team (GERT) by the names Eduardo Ovalle and Francesco Figurelli published a post in August 2023, on how new variation of the malware were discovered in the wild, shortly after the source-code of the malware was leaked, in September, 2022.
In a note issued by GERT of the ransomware; the malicious hackers called themselves National Hazard Agency, a formerly known threat group. The note also contains information on the ransom demands of a figure amounting up to ($3-million USD).
If the demands are met, decryption keys are sent to the victims, in an email and chat contact provided by the affected individual; to decrypt their files.
The malware has also been found to be used by a list of other threat groups: GetLucky, Blacktail’s Buhti ransomware operation, and Bloody ransomware gang.
Modifications made to the leaked malware:
In an analysis of over 396-distinct samples, by Kaspersky we can have an overview of the modification done to the leaked malware.
This shows and gave an in-depth understanding, how the parameters of the malware are linked to various threat actors, and the configuration samples found.
In a discovery made, over 77 out of the 396 samples analysed did not make reference to the “LockBit” in ransom notes. In a statement by the researchers, it is noted that:
“Such an omission of the name would be quite unexpected in terms of the gang’s usual TTP (Techniques, Tactics, and Procedures).”
The malware variant, in its ransom note had no reference to the LockBit or with a different contact Email address/link, revealing probably misuse of the build file by threat actors, other than the original malware author.
Other detected parameters, still correspond to the default configuration of the original author, and a few minor changes. This gave an insight that the malware modification was either done by a Lazy threat actor or those who intend to use it for urgent needs.
Further disclosed information by Eduardo Ovalle and Francesco Figurelli:
“No suspicious or malicious domains were identified in the analysed samples, showing there’s no interest for establishing C2 communications using the leaked payloads.”
Other results obtained from the analysis, shows that there were no suspicious or malicious domain indicated in establishing a C2 communications using the payloads.
Please do let us know in the comment section what are your thoughts about this.