A new version of the LockBit ransomware seems to be on the horizon. The developers of the file-encrypting malware were secretly working on a project dubbed LockBit-NG-Dev, believed to be the 4.0 version of the tool.
This information surfaced when law enforcement took down the cybercriminals’ infrastructure earlier this week.
The New LockBit Tool
While the previous installments of the malware were built in C/C++, the latest sample is a work in progress written in .NET that appears to be compiled with CoreRT and packed with MPRESS.
A security company analysed a sample of the malware and found that it includes a configuration file in JSON format that outlines parameters such as the execution date range, ransom note details, RSA public key, unique IDs and other operational flags.
Although the security company says the new encryptor is missing some features from earlier versions (such as the capacity to self-propagate on compromised networks and print ransom notes on victims’ printers), it looks to be nearing completion and already provides the majority of the anticipated functionality.
LockBit 4.0 supports three encryption modes using AES+RSA: fast, intermittent, and full. It can also randomize file names to make restoration efforts harder, and it supports custom file or directory exclusions. Additional features include a self-delete mechanism.