Meet LockBit 5.0: Faster ESXi drive encryption, better at evading detection


The LockBit gang has released a new version of its ransomware with improved ESXi drive encryption speed. However, a security researcher who has talked to senior gang members in the past says LockBit 5.0 is more “fine tuning some basic features … and a lot of propaganda” than a major leap in capabilities.

In 2023, Jon DiMaggio, chief security strategist at US-based Analyst1, revealed in a series of reports how he spent months developing several online personas to gain access to the gang’s operation, and then got leaders to give up details of how it worked. And while the February 2024 takedown of much of the gang’s IT infrastructure in Operation Cronos didn’t put the ransomware-as-a-service operation out of business, it did much to damage the gang’s credibility among crooks, he said in an interview.

So launching a new version, as well as broadening the gang’s profit sharing with affiliates, is a way of getting some of that reputation back.

LockBit 5.0 “is not a massive undertaking,” he said. “It does encrypt faster, which will make attacks a little bit smoother” for subscribing crooks. “It is better at evading detection — but so is every new ransomware variant,” he added. “But what is an accomplishment is that LockBit has always been good at self-branding, and that’s why there’s some noise” about this new version.

DiMaggio was commenting on this week’s report from Trend Micro on LockBit 5.0, which has Windows, Linux and VMware ESXi variants.

What’s new in LockBit 5.0

In its analysis, Trend Micro discovered that:

the Windows binary uses heavy obfuscation and packing: it loads its payload through DLL reflection while implementing anti-analysis techniques like Event Tracing for Windows (ETW) patching and terminating security services;

the Linux variant maintains similar functionality with command-line options for targeting specific directories and file types;

the ESXi variant specifically targets VMware virtualization environments, and is designed to encrypt entire virtual machine infrastructures in a single attack.

Damage done to an ESXi drive can be significant for an organization. Trend Micro notes that a single ESXi host often runs dozens of critical servers. Encrypting at the hypervisor level can take many business services down at once.

These new LockBit versions share key behaviors, including randomized 16-character file extensions, Russian language system avoidance through geolocation checks, and event log clearing post-encryption, Trend Micro says. The 5.0 version also shares code characteristics with LockBit 4.0, including identical hashing algorithms and API resolution methods, confirming this is an evolution of the original codebase rather than an imitation.

“Ransomware actors and their affiliates are regularly changing their TTPs [tactics, techniques, and procedures] nowadays to stay ahead of defenses as well as law enforcement,” said Jon Clay, Trend Micro’s vice-president of threat intelligence. “Organizations need to consider adopting newer cybersecurity models that get ahead of an attack by implementing a proactive approach versus the traditional detection and response reactive approach. Implementing a risk-based approach that can discover their entire attack surface, identify and prioritize the risks associated with these attack surfaces, and enabling mitigating controls that can minimize their risk will go a long way in improving their security posture.”

After the February 2024 takedown of the LockBit infrastructure, a Russian national alleged to have been the administrator was indicted in the US, but is still at large.

Five days later, the crew brought back new servers, and restored admin panels for subscribers. “But what happened behind the scenes is everybody bailed on them. The top affiliates don’t trust them, won’t work with them. It was really hard to work for LockBit. It got so bad he (the leader) was giving away access,” DiMaggio said, noting that a subscription that used to cost $10,000 plunged to $700. “He started lying and putting out fake victims [on the gang’s dark web site]” to show the gang’s reach hadn’t diminished.

It didn’t help that, earlier this year, someone leaked a file from LockBit’s affiliate panel database with details including over 4,400 victim negotiation messages.

Even the few victims that now get hit by LockBit aren’t paying out the way they used to. DiMaggio cited a case this year where a victim paid a mere $800 to get access back.

“It is not business as usual” for the gang, DiMaggio said. “Those $100 million years are long gone. But he’s trying to rebuild. That’s what this effort is. He’s trying to restore trust and lure people to come back and work for him, which is why he’s trying to make the profit-sharing with affiliates better and making the malware work a little bit faster.”

What should CSOs do now?

Asked what mistakes CSOs are making in the fight against ransomware, DiMaggio said many still believe that attacks start with phishing and social engineering. However, today gangs are focusing more on compromising IT infrastructure through poorly patched, publicly available servers and applications, as well as by getting into applications through brute-forced or stolen credentials.

Trend Micro says to better protect ESXi drives, CSOs should treat virtualization as critical and follow these guidelines:

remove ESXi hosts from direct internet exposure. Management consoles should be behind a VPN, backed up by strong role-based access control.

keep ESXi patched and only use supported versions.

require anyone who has access to the vCenter management console to log in with multi-factor authentication.

disable unused services like SSH and follow the vSphere Security Configuration Guide and VMware ransomware defense guidance.

have teams hunt for hypervisor and lateral movement attack precursors such as unusual admin logins, mass process termination, or snapshot manipulation.
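One way to turn the last guideline into a hunting check, written here as an added example rather than anything from Trend Micro or the article: it scans constructed, simplified key=value event lines (standing in for hostd/vpxd logs; the event names and the management network range are assumptions) for the three precursors named above, plus SSH being switched on.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events in a simplified format; real ESXi/vCenter logs differ.
SAMPLE_LOG = """\
2025-09-29T02:11:03Z host=esxi01 user=root src=203.0.113.10 event=login
2025-09-29T02:11:40Z host=esxi01 user=root src=203.0.113.10 event=ssh_enabled
2025-09-29T02:12:01Z host=esxi01 user=root src=203.0.113.10 event=snapshot_removed vm=web01
2025-09-29T02:12:02Z host=esxi01 user=root src=203.0.113.10 event=snapshot_removed vm=web02
2025-09-29T02:12:03Z host=esxi01 user=root src=203.0.113.10 event=snapshot_removed vm=db01
2025-09-29T02:12:10Z host=esxi01 user=root src=203.0.113.10 event=vm_powered_off vm=web01
2025-09-29T02:12:11Z host=esxi01 user=root src=203.0.113.10 event=vm_powered_off vm=web02
2025-09-29T02:12:12Z host=esxi01 user=root src=203.0.113.10 event=vm_powered_off vm=db01
2025-09-29T09:05:00Z host=esxi01 user=admin@vsphere.local src=10.0.50.12 event=login
"""
MGMT_NETS = [ip_network("10.0.50.0/24")]  # assumed management VPN range
BURST = 3                                  # this many events of one kind ...
WINDOW = timedelta(seconds=60)             # ... inside this window is a burst

def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def hunt(log_text):
    """Return (finding, host, user, src) tuples for precursor activity."""
    findings = []
    bursts = defaultdict(list)  # (host, event) -> recent timestamps
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["event"] == "login":
            src = ip_address(ev["src"])
            off_hours = not 7 <= ev["ts"].hour < 19
            if off_hours or not any(src in net for net in MGMT_NETS):
                findings.append(("unusual_admin_login", ev["host"], ev["user"], ev["src"]))
        elif ev["event"] == "ssh_enabled":  # an "unused service" being turned on
            findings.append(("ssh_enabled", ev["host"], ev["user"], ev["src"]))
        elif ev["event"] in ("snapshot_removed", "vm_powered_off"):
            key = (ev["host"], ev["event"])
            bursts[key] = [t for t in bursts[key] if ev["ts"] - t <= WINDOW] + [ev["ts"]]
            if len(bursts[key]) == BURST:  # fire once when the threshold is reached
                findings.append(("mass_" + ev["event"], ev["host"], ev["user"], ev["src"]))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

The business-hours window and burst thresholds are placeholders to tune against your own baseline; the point is that snapshot deletion and VM power-off arriving in bursts from a single session, rather than any one event, is the signal.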
