Developers for the now crippled LockBit ransomware group were reportedly developing a secret new encryptor that would have bolstered its future capabilities.
LockBit ransomware was taken down this week when a campaign by a global alliance of law enforcement agencies dubbed Operation Cronos, led by the UK’s National Crime Agency and the FBI, took control of the group’s dark web leak site, following which arrests were made, servers and crypto accounts were seized and more.
What would have been the new encryptor was known as LockBit-NG-Dev and would later likely have been renamed LockBit 4.0, marking the group’s evolution from its current LockBit 3.0 and former LockBit 2.0 and so forth.
The new encryptor is written in .NET, compiled with CoreRT and packed with MPRESS, unlike 3.0, which was built in C/C++.
According to a Trend Micro report, seen by BleepingComputer, the new encryptor still lacked some features of earlier versions, such as printing ransom notes on victims' printers and self-propagating across affected networks, but it was in its final stages of development and already offered most of its functionality.
“Like past versions, it still has an embedded configuration that dictates the routines it can perform,” wrote Trend Micro in its technical report.
“The configuration, which is in JSON format, is decrypted at runtime and includes information like date range for execution, the ransom note filename and content, unique IDs for the ransomware, the RSA public key, and some other flags and lists for its other routines.”
The report added that the malware supports three types of encryption:
With the discovery of the new encryptor, LockBit’s chances at recovery take another blow. Many industry experts believe the group will be forced into a rebrand.