
LockBit Ransomware is Back From the Dead: Is Your SOC/DFIR Team Prepared?

Aug 31, 2025 · 4 min read
Law enforcement disrupted LockBit ransomware operations in February, seizing infrastructure and their website.

Regrettably, the victory appears to have been temporary. The gang's leading members were not detained, and the setback dealt by Operation Cronos was short-lived: the group bounced back in a matter of days.

A surge in LockBit activity days after the takedown indicated renewed attacks, with the gang using updated encryption tools and directing victims to new servers.

[Image: All over cybersecurity news sites]

About LockBit

LockBit operates as Ransomware-as-a-Service (RaaS): its developers sell their tools and infrastructure to affiliates, who then launch the attacks. This allows the developers to remain anonymous while profiting from a broader range of attackers.

The group has claimed responsibility for numerous high-profile incidents, extorting over $120 million from victims.

Incorporate ANY.RUN into your company for fast and simple malware analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection

  • Interactive Malware Analysis

  • Easy to Learn by New Security Team members

  • Get detailed reports with maximum data

  • Set Up Virtual Machine in Linux & all Windows OS Versions

  • Interact with Malware Safely

LockBit's rapid return highlights the importance of using temporary disruptions to study seized infrastructure and prepare for potential evolutions of the threat.

Back from the Dead

The LockBit ransomware gang has resumed its attacks. Now, they’re employing updated encryptors and ransom notes that lead to new servers.

Analyzing LockBit in ANY.RUN

LockBit is a prevalent ransomware strain that is still under active development. Despite the recent takedown by law enforcement, its creators are likely to modify the code to evade detection. Organizations should be prepared, as LockBit infection remains a significant threat.

Studying LockBit’s attack patterns (TTPs) and Indicators of Compromise (IOCs) is crucial for Security Information and Event Management (SIEM) and Threat Intelligence Platform (TIP) systems to identify and isolate intrusions before file encryption occurs.

The latest variant, LockBit 4.0, exhibits changes: it no longer modifies the desktop wallpaper, and the decryption process is significantly slower. Also, unlike its predecessor, version 4.0 does not self-delete after encryption.

LockBit ransomware, which is known for primarily targeting Windows but is also capable of compromising Linux and macOS systems, has re-emerged with updated tools and infrastructure after the recent takedown.

This notorious ransomware group is responsible for extorting over $120 million from 2,000 victims. Understanding LockBit's tactics, techniques, and procedures (TTPs) and collecting Indicators of Compromise (IOCs) is crucial to configuring security systems effectively for defense.

What is ANY.RUN?

The intuitive interface is well-suited for onboarding new security personnel, allowing even junior analysts to swiftly grasp malware analysis and extract Indicators of Compromise (IOCs).

Source: CybersecurityNews.com
