Monday, December 5, 2022
HomeCyber SecurityConsultants Discover Similarities Between New LockBit 3.0 and BlackMatter Ransomware

Consultants Discover Similarities Between New LockBit 3.0 and BlackMatter Ransomware

Cybersecurity researchers have reiterated similarities between the most recent iteration of the LockBit ransomware and BlackMatter, a rebranded variant of the DarkSide ransomware pressure that closed store in November 2021.

The brand new model of LockBit, known as LockBit 3.0 aka LockBit Black, was launched in June 2022, launching a model new leak website and what is the very first ransomware bug bounty program, alongside Zcash as a cryptocurrency fee choice.

Its encryption course of entails appending the extension “HLJkNskOq” or “19MqZqZ0s” to every file and altering the icons of the locked recordsdata to that of the .ico file that is dropped by the LockBit pattern to kick-start the an infection.

“The ransomware then drops its ransom be aware, which references ‘Ilon Musk’ and the European Union’s Basic Information Safety Regulation (GDPR),” Development Micro researchers stated in a Monday report. “Lastly, it adjustments the wallpaper of the sufferer’s machine to tell them of the ransomware assault.”


LockBit’s intensive similarities to BlackMatter come from overlaps within the privilege escalation and harvesting routines used to establish APIs required to terminate processes and different features in addition to the usage of anti-debugging and threading strategies designed to thwart evaluation.

Additionally of be aware is its use of a “-pass” argument to decrypt its foremost routine, a habits seen in one other defunct ransomware household named Egregor, successfully making the binary tougher to reverse if the parameter will not be accessible.

LockBit 3.0 Variant and BlackMatter Ransomware

As well as, LockBit 3.0 is designed to verify the sufferer machine’s show language to keep away from compromising methods related to the Commonwealth of Impartial States (CIS) states.

“One notable habits for this third LockBit model is its file deletion method: As an alternative of utilizing cmd.exe to execute a batch file or command that may carry out the deletion, it drops and executes a .tmp file decrypted from the binary,” the researchers stated.

This .tmp file then overwrites the contents of the ransomware binary after which renames the binary a number of instances, with the brand new file names primarily based on the size of the unique file title, together with the extension, in an try to forestall restoration by forensic instruments and canopy its tracks.

The findings come as LockBit infections have emerged because the most lively ransomware-as-a-service (RaaS) teams in 2022, the newest allegedly being the Italian Inside Income Service (L’Agenzia delle Entrate).


In keeping with Palo Alto Networks 2022 Unit 42 Incident Response Report printed at this time primarily based on 600 circumstances dealt with between Might 2021 and April 2022, the ransomware household accounted for 14% of the intrusions, second solely to Conti at 22%.

Ransomware Stats

The event additionally highlights the continued success of the RaaS enterprise mannequin, reducing the barrier to entry for extortionists and increasing the attain of ransomware.

Examine Level’s evaluation of cyberattack developments for Q2 2022 exhibits that the weekly common of impacted organizations by ransomware reached one out of 40, a 59% enhance YoY from one out of 64 organizations in Q2 2021.

“Latin America has seen the most important enhance in assaults, recognizing one out of 23 organizations impacted weekly, a 43% enhance YoY, in comparison with one out of 33 in Q2 2021, adopted by Asia area that has seen a 33% enhance YoY, reaching one out of 17 organizations impacted weekly,” the Israeli cybersecurity agency stated.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments