Attackers Customize LockBit 3.0 Ransomware To Attack Organizations Globally

Threat actors favor LockBit 3.0 because of its fast, robust encryption: it lets them render victims' data unusable and then demand payment for the decryption keys.

Its evasion features also raise the odds that the payload runs without being detected once the attackers have established a foothold in the network.

Kaspersky researchers report that attackers are actively targeting organizations worldwide with customized builds of LockBit 3.0 ransomware.

Modified LockBit 3.0 Malware

During a recent incident response engagement, Kaspersky found that the attackers had obtained administrator credentials in plaintext.

Those stolen credentials were then used in a custom build of the LockBit 3.0 ransomware.

The modified malware used the stolen credentials to move laterally, disabled Windows Defender, deleted Windows event logs, and encrypted data on network shares.

The LockBit 3.0 builder, which leaked in 2022, makes it easy to pick exactly these capabilities: impersonation of a specified account, encryption of network shares, termination of selected processes and services, and self-propagation across the network via PsExec.
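The behaviours in the two paragraphs above leave a recognizable footprint in Windows event logs. As an added example (not Kaspersky's code and not output of the LockBit builder), the Python script below classifies a handful of constructed event records against that footprint: the helper service PsExec installs on every host it is used against (System event 7045, service name PSEXESVC), Defender real-time protection being turned off (Defender operational log event 5001), and the Security and System logs being cleared (events 1102 and 104). The JSON-lines shape and the field names host, channel, event_id and message are assumptions for the example; the event IDs are standard Windows ones.

```python
"""Triage Windows event records for the behaviours described above.

Added example; not Kaspersky's code and not output of the LockBit builder.
Records are constructed, in an assumed JSON-lines shape with the fields
host, channel, event_id and message. Real exports (wevtutil, Sysmon, a SIEM)
need their own field mapping, but the event IDs below are standard Windows ones.
"""
import json
from collections import defaultdict

# Constructed sample records, not from a real incident.
SAMPLE_EVENTS = """\
{"host": "FS01", "channel": "System", "event_id": 7045, "message": "A service was installed in the system. Service Name: PSEXESVC"}
{"host": "FS01", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "message": "Real-time Protection scanning for malware and other potentially unwanted software has been disabled."}
{"host": "FS01", "channel": "Security", "event_id": 1102, "message": "The audit log was cleared."}
{"host": "FS01", "channel": "System", "event_id": 104, "message": "The System log file was cleared."}
{"host": "WS07", "channel": "System", "event_id": 7045, "message": "A service was installed in the system. Service Name: PSEXESVC"}
{"host": "WS07", "channel": "Security", "event_id": 4624, "message": "An account was successfully logged on. Logon Type: 3"}
{"host": "DC01", "channel": "System", "event_id": 7045, "message": "A service was installed in the system. Service Name: VendorUpdater"}
"""

# (channel, event ID, substring the message must contain or None, label)
RULES = [
    # PsExec installs its helper service on each host it is run against,
    # so a wave of these across hosts is the footprint of self-propagation.
    ("System", 7045, "PSEXESVC", "psexec_service_install"),
    # Defender operational log: real-time protection turned off.
    ("Microsoft-Windows-Windows Defender/Operational", 5001, None, "defender_realtime_disabled"),
    # Written after the Security log is cleared, so it survives the wipe.
    ("Security", 1102, None, "security_log_cleared"),
    # Same for the System log.
    ("System", 104, None, "system_log_cleared"),
]

# The full pattern from the incident: remote execution, defence evasion,
# and anti-forensics on the same host.
FULL_CHAIN = ("psexec_service_install", "defender_realtime_disabled", "security_log_cleared")


def classify(event):
    """Return the matching rule label for one record, or None."""
    for channel, event_id, needle, label in RULES:
        if event["channel"] != channel or event["event_id"] != event_id:
            continue
        if needle is None or needle.upper() in event["message"].upper():
            return label
    return None


def triage(jsonl_text):
    """Map each host to the sorted list of behaviours observed on it."""
    hits = defaultdict(set)
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label is not None:
            hits[event["host"]].add(label)
    return {host: sorted(labels) for host, labels in hits.items()}


def hosts_with_chain(triaged, required=FULL_CHAIN):
    """Hosts on which every behaviour in `required` was observed."""
    return sorted(host for host, labels in triaged.items() if set(required) <= set(labels))


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, labels in sorted(result.items()):
        print(f"{host}: {', '.join(labels)}")
    print("full chain on:", hosts_with_chain(result))
```

Two practical points follow from the sample. A single 7045 for PSEXESVC is routine admin activity; the signal is the same service appearing on many hosts in a short window together with Defender being disabled. And because the build deletes event logs, only the 1102 and 104 records written after the wipe, plus whatever was already forwarded to a collector, remain on the host, so this kind of detection only works if logs are shipped off the endpoint continuously.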

The incident illustrates two things: the damage that stolen credentials make possible, and how easily a leaked toolkit like the LockBit 3.0 builder can be weaponized to produce highly tailored, evasive ransomware.

The builder lets attackers tailor the payload by specifying which files, folders, and hosts are encrypted and which are excluded, so the build can be matched to the target's network layout.

The output is a set of tailored binaries: the main executable (LB3.exe), a matching decryptor, a password-protected variant, and variants intended to be loaded into other processes by injection.

Running the custom build confirms that it encrypts as intended. Paying the ransom is still not advisable, because file recovery after payment is uncertain.

In a controlled lab environment the researchers were able to decrypt the encrypted files, but only because the builder generates a decryptor alongside each ransomware build; researchers use that decryptor to study the strain.

In February 2024, Operation Cronos, a law-enforcement action involving several government agencies, seized LockBit's infrastructure and obtained decryption keys, after which the original LockBit group temporarily ceased operations.

LockBit has since announced that it would resume operations. Meanwhile, the check_decryption_id tool released after the takedown lets victims check whether their victim ID matches one of the recovered keys.

A companion tool, check_decrypt, assesses whether the encrypted files can actually be decrypted. The outcome depends on several conditions, and the utility simply verifies which of them are satisfied on the examined system.

It produces a CSV file listing the decryptable files and includes an email address for further recovery instructions.

Kaspersky's researchers tested this toolkit after investigating several LockBit incidents.

They ran the victim IDs and encrypted files from those cases through the tools. Worryingly, most produced the same check_decrypt result: the files could not be decrypted with the known keys.

This variant was used by groups other than the original LockBit operators to attack organizations in the Commonwealth of Independent States (CIS), something LockBit's own rules forbid. The attacks sparked a dark-web forum discussion in which LockBit's operators denied any involvement.

Recommendations

The recommendations are:

  • Deploy robust anti-malware protection.
  • Use Managed Detection and Response (MDR).
  • Disable unneeded services and close unused ports.
  • Keep all systems and software up to date.
  • Perform regular penetration testing and vulnerability scanning.
  • Provide cybersecurity training to raise staff awareness.
  • Make regular backups and test restoring from them.