LockBit Ransomware is Back After Law Enforcement Takedown.

Following the rough takedown of all the Darknet sites that belong to LockBit ransomware, the gang representatives were mostly silent until February 24, 2024. At around 21:00 GMT, the chief of the cybercrime gang released a long PGP signed message with the explanation from the hackers’ point of view. In it, they describe the supposed way they were hacked and the future of LockBit. Spoiler – not a lot will change, except for LockBitSupp promises to be less lazy.

For the way the law enforcement agencies managed to access the servers, the PHP vulnerability is named. CVE-2023-3824 vulnerability, discovered back in August 2023, allows for remote code execution and received CVSS rating of 9.8/10. Well-deserved, considering how popular PHP is; LockBitSupp even supposes that other threat actors who were hacked recently suffered from this exact vulnerability.

Also, the hacker supposes that the FBI could have access to the network for quite some time. The reason why law enforcement decided to pull the trigger is the publication of data leaked from Fulton County court, specifically documents regarding Donald Trump’s court cases.

LockBit Takedown Aftermath

So, what do we see almost a week past the takedown of LockBit? Law enforcement agencies dealt quite a damage to both the group image and hardware. The amount of leaked information, including decryption keys and data stolen from companies’ networks seriously cuts the profits of the ransomware gang. And considering the detainments in Poland and Ukraine, the leaks were not only about operational information – personal data of malware operators was also exposed to some extent.

However, this was barely enough to force the LockBit gang to stop. Sure, they are now starting from scratch, with only a few listings present on the reborn of their leak page. But they will carry on, taking the past mistakes into account. The individuals captured in Eastern Europe are unlikely to be affiliates – more probably just server administrators or money mules. LockBit’s story keeps rolling, and I’m pretty sure they have a couple of aces up their sleeves.

The post LockBit is Back With New Claims and Victims appeared first on Gridinsoft Blog.

LockBit Taken Down by NCA

On February 19, 2024, analysts noticed that the LockBit leak site on the Darknet went offline. Some time after, a banner stating about the takedown appeared. On that banner, the UK National Crime Agency claims about this being the result of a successful multinational law enforcement cooperation, called Operation Cronos. The text also contains the offer to visit the page the next day – on February 20 – to get more information.

That is not the first network asset takeover from law enforcement that high-end ransomware group suffers. A couple of months ago, a similar story happened to ALPHV/BlackCat, another infamous ransomware group. In their case, however, not all Onion websites were down, and they managed to get the access back. That in fact turned into a comic story, where the access to the site was more like a reversed hot potatoes game.

Nonetheless, the current takedown appears to be as serious as it can be. All the mirrors of their main Darknet site are now having the said banner. Well, it is possible for any miraculous thing to happen, but in my humble opinion, their onion infrastructure is done. Either this, or NCA will be quite ashamed for announcing details disclosure on 11:30 GMT, and failing to fulfill the promise.

International Law Enforcement Blocks LockBit Infrastructure

Shortly after the original news release, the info from LockBit affiliates arrived. VX-Undeground team shares a unique info and a screenshot taken by one of the gang members upon the attempt to log into the system.

The text states the following:

Another piece of info comes from the gang’s Tox chat. In a short message, they say about the PHP servers being taken over, while the non-PHP reserve servers being OK. Considering the use of obscene language, non-typical for LockBit representatives, the situation is rather tense, to say the least.

LockBit Decryptor Coming Soon?

What is more exciting than the info that will be published tomorrow is the thing that will follow. The takedown supposes leaking the decryption keys along with their proprietary decryptor tool. Maybe not all of them are available that easily, but accessing such a large chunk of internal info is definitely a key for exposing it all.

The fact of the leak and the decryptor being available is just miraculous for the victims. Sure enough, this will not delete the data the frauds have stolen from the network. But getting all the files back at no cost is much more important. And since it will work even for victims that failed the payment deadline, the question arises once again – why would you pay the ransom? It may be a much more reasonable option to just wait, and it looks like more and more ransomware victims stick to that opinion.

UPD 20.02 – LockBit Darknet Site Filled With Leaks and Announcements

On the designated time of 11:30 GMT on February 20, all of the LockBit’s sites that were taken over started redirecting to what used to be their leak page. Now, it is filled with the information gathered by law enforcement agencies. In particular, the information about the backend structure of the cybercrime network was revealed, demonstrating the screenshots of seized servers.

Aside from that, law enforcement added a tempting one – the info about the admin of the group, known as LockBitSupp. “The $10m question” will be answered on February 23, 2024. Some of the lower-ranked staff have already been arrested in Poland and Ukraine. Well, LockBitSupp did not lie by saying their group is multi-national.

What is even better news is the confirmation of decryption keys release, as I’ve predicted in the original text. The keys, along with recovery tools, will be available to any victim upon contacting NCA for UK residents, IC3 for US and NoMoreRansom project for others.

What is LockBit Ransomware?

LockBit is one of the most successful ransomware groups that are currently active on the ransomware market. Its efficient software and meticulous attack planning rendered them dominant over the last few years. Their ransom sums are large, attacks are rapid and methods are as unprincipled as you can ever imagine. To be brief – nothing short of leaders in the cybercrime industry.

It is obvious that LockBit will eventually become a target for law enforcement, sooner or later. They were attacked before, but in a more mild form, that led to the temporal downtime or the urgent shift to a different software. Still, they were recognizing their mistakes and opening the entire bug bounty programs (!!) for people who can find issues in their software. This, along with continuous modernization of their software and updates to the online infrastructure is what made LockBit the image of unbreakable. And that is why the fact of the takedown set the community abuzz.

The post LockBit Ransomware Taken Down by NCA appeared first on Gridinsoft Blog.

LockBit Ransomware in action

The LockBit ransomware, known for its damaging impacts, has been observed to be distributed through Word files disguised as resumes. Also, this method was first noted in 2022 and has become a prevalent tactic for distributing this ransomware.

The primary tactic involves embedding harmful macros within Word documents. These documents, once opened, trigger the download of additional code from external URLs, which subsequently executes the LockBit ransomware. The filenames of these malicious Word files often resemble typical names or phrases associated with job applications.

Below is a list of the names of Word files that were found spreading malware:

• [[[231227_Yang**]]].docx
• 231227_Lee**.docx
• 231227Yu**,docx
• Kim**.docx
• SeonWoo**.docx
• Working meticulously! A leader in communication!.docx
• Candidate with a kind attitude and a big smile.docx
• I will work with an enthusiastic attitude.docx

When a user opens one of these Word files, the document connects to an external URL to download another document containing a malicious macro. Once this macro is executed, it triggers the deployment of the LockBit ransomware through PowerShell commands.

The downloaded document files contain obfuscated macro code which is similar to the cases of VBA macro identified in 2022. Ultimately, PowerShell is executed to download and run LockBit ransomware.

After finishing the encryption, ransomware alters the desktop so the user sees a notification. In addition, the ransomware creates a ransom note in each folder that states that all data in the system has been encrypted and stolen. The user is then threatened that the data will be leaked on the Internet if they refuse to pay the ransom.

Recommendations

Security professionals are advised to blacklist IP addresses associated with LockBit 3.0 ransomware.

• hxxps://viviendas8[.]com/bb/qhrx1h.dotm
• hxxps://learndash.825testsites[.]com/b/fgi5k8.dotm
• hxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm

Despite blocking these addresses, we recommend following these tips:

• Be wary of opening Word documents from unknown or unsolicited sources, especially those purporting to be resumes. Also, avoid allowing execution of macros or other exploitable Microsoft Office elements.
• Also, organizations should prioritize cybersecurity awareness training for their employees, emphasizing the risks associated with opening unsolicited email attachments.
• Regularly backup critical files to minimize the damage in case of a ransomware attack. Ideally, there should be an offline backup, inaccessible to the attackers.
• Utilize network monitoring tools to proactively detect suspicious activities and potential indicators of compromise. NDR solutions are capable of providing a comprehensive view of the event within the perimeter and protecting from pretty much any threat.

The post LockBit Ransomware Uses Resume Word Files to Spread appeared first on Gridinsoft Blog.

Who is the LockBit Ransomware Gang?

LockBit, operating as a ransomware-as-a-service (RaaS) entity, has been a persistent threat for over four years. With a track record of targeting diverse sectors, including Continental, the UK Royal Mail, the Italian Internal Revenue Service, and the previously known Boeing leak from October 27th., LockBit has extorted approximately $91 million since 2020 in nearly 1,700 attacks against US organizations.

LockBit Leaks Boeing Data on the Darknet

Before the data leak unfolded, LockBit hackers issued stern warnings, accusing Boeing of neglect and threatening to expose a sample of 4GB of the most recent files. Boeing, a cornerstone in aviation and defense, stood steadfast against the ransom demands.

On November 10, LockBit carried out its threat, publishing over 43 GB of files from Boeing on the Darknet. The leaked data includes backups for various systems, with the most recent backups timestamped on October 22. Notably, the files encompass configuration backups for IT management software, logs for monitoring and auditing tools, and backups from Citrix appliances, raising concerns about the exploitation of the Citrix Bleed vulnerability.

While Boeing confirmed the cyberattack, it has yet to divulge details on the breach’s specifics. The leaked data, however, does not compromise flight safety, according to Boeing statements. However the decision not to pay the ransom suggests that the stolen data may not hold critical relevance to Boeing’s information security or its clients.

The exposed data allegedly includes names, locations, and contact details of Boeing’s suppliers and distributors across Europe and North America. Details about the supported functions within Boeing’s structure. It including airframe manufacturing, structural mechanics, computer and electronics, are also part of the compromised information.

Navigating the Aftermath

Boeing’s breach serves as a stark reminder for organizations to reassess their cybersecurity posture continually. The imperative to implement proactive measures, including employee cybersecurity training, network fortification, and timely security patches, is underscored by the evolving tactics of ransomware groups like LockBit.

As Boeing grapples with the fallout of this unprecedented cyberattack, the incident serves as a clarion call for heightened vigilance across industries. Also the exposed vulnerabilities highlight the critical need for organizations to invest in robust cybersecurity frameworks to mitigate the ever-growing threat landscape. In the wake of LockBit’s audacious move against Boeing, the imperative for international collaboration to combat cyber threats becomes more evident than ever.

The post LockBit Ransomware Exposes Boeing’s 50GB of Data Leaked appeared first on Gridinsoft Blog.

Boeing Hacked by LockBit

On October 27, 2023, LockBit cybercrime group added a record of the Boeing company on their Darknet website. Hackers use this page to claim the successful attacks; they keep the listings until the victim pays the ransom. Further, if the bill is not paid off, hackers publish the leaked data or negotiate its re-selling to a third party.

This model though has a couple of features to talk about. There were enough cases when LockBit was listing the company they have never actually hacked into, and instead hacked one of the subsidiaries or contractors. Once researchers noticed the Boeing company listed on the Darknet leak site, they were hoping that this is exactly what happened. But, as it turned out, things are less optimistic.

A couple of days later, Boeing’s listing disappeared from the negotiation website. Soon after, VX-Underground researchers got confirmation from LockBit representatives that they began negotiations with the company. And in several days on, Boeing themselves claimed about the “cyber incident”. This is a doubtless confirmation that the company itself was the target.

Boeing Confirms Ransomware Attack

On Wednesday, November 1, 2023, the Boeing company officially claimed the investigation of a cyberattack that touched several of its divisions. The company particularly names distribution and parts businesses being main points of impact. From the other side, LockBit claims to possess a huge amount of sensitive data stolen from the hacked network.

Well, there is a silver lining – Boeing says there’s no threat to flight security. Other things are less promising, especially considering Boeing’s massive contracts with the US military. Uncle Sam will not be happy to see blueprints and documents to the military equipment and weapons leaked. This becomes especially sour once we remember about possible relations of the LockBit gang to Russia.

Either way, the leak of such information would be a disaster, so it is clear why the company agreed upon paying the ransom. Actually, they did not claim it, but the deadline for the payment was on November 2, and the listing on the LockBit Darknet site did not reappear. And for sure, these hackers are not those who would kick the can and delay the publication of such a leak.

What then?

Over the last few months, Boeing hack has become one of a few hacked companies. A lot of ransomware groups switched to attacks on educational orgs, and keep going in this streamline so far. The Boeing hack should become a cold shower for companies who may have thought that they are not in the reticle anymore, and there’s no need to enhance their cybersecurity.

Passive protection measures like network monitors and security solutions are helpful, that is out of the doubt. But keep in mind that preventing the most common attack vectors is what can provide the best security. Cybersecurity training for personnel, network architecture that excludes most common entry points, latest security patches implementation – all this will save money, image and time.

The post Boeing Hack Confirmed, LockBit Group Resposible appeared first on Gridinsoft Blog.

3AM Ransomware – The Fallback Variant of LockBit

According to a recent report, cybersecurity experts have discovered a new type of ransomware known as 3AM. Since this ransomware has not been used before and its use is still limited, experts agree that this is a relatively new malware. The attackers used 3AM as a backup to LockBit, as the attempt to infect a LockBit victim was blocked. By the way, although the attacker installed the ransomware on three machines on the organization’s network, it was blocked on two.

What is LockBit Ransomware?

In a nutshell, LockBit is a type of ransomware that was first seen in September 2021. It is a modular ransomware, meaning attackers can customize it with different components. It makes it a versatile and powerful tool to target many victims. LockBit encrypts files on the victim’s computer and then demands a ransom payment to get the files back. The ransom amount is typically $1 million or more, based on the victim.

In addition to requiring payment, LockBit threatens to sell the victim’s data on the Dark web if the ransom is unpaid. LockBit has been used to attack various organizations, including healthcare providers, government agencies, and businesses, causing significant disruptions in some cases. In fact, is it one of predominant ransomware gangs active in 2023. After the Conti shutdown, it quickly gained the vacated market share, and became #1 threat for companies.

3AM Ransomware Overview

3AM is written in Rust, and once infected, it tries to stop several services on the infected computer before it starts encrypting. The attackers also use Cobalt Strike to try to escalate privileges and then number other servers for further horizontal movement. The attackers also created a new user to save and transfer the victim’s files to their FTP server.

The program then scans the entire disk, encrypts files matching the pre-defined criteria, and deletes the original files. Ultimately, the encrypted files have the extension *.threeamtime. In addition, the malware attempts to delete shadow copies of volumes. In each folder with encrypted files, the program leaves a text file called “RECOVER-FILES.txt,” a ransom note.

Although the emergence of new families of ransomware programs is frequent, most of them never gain significant popularity, and some disappear just as quickly. However, since 3AM was used by a LockBit affiliate as an alternative, experts suggest that it may be of interest to attackers and could be seen again in the future.

How to protect against ransomware?

Ransomware is a severe threat to companies of all sizes. Unfortunately, there is no ultimate protection against it. However, there are preventative measures organizations can take to mitigate the risk:

• Keep your software up to date. Software updates include essential security patches that protect against ransomware attacks. Most software programs have an option for automatic updates. This will ensure your software is always updated with the latest security patches.
• Back up your data regularly. The best way to protect data` is an offline backup of data stored on hard disks. An offline backup is a backup located on a device not connected to your computer or network. This means the ransomware cannot encrypt the backup files, so you can restore them without paying the ransom.
• Cloud-based backup solutions will be superior to classic ones. This method can also protect data from encryption as an alternative to the traditional way of storing data backups. It also makes it easier to restore your data if it is encrypted by ransomware.
• Educate your employees. It’s no secret that the weakest link in the line of defense is the human factor. Educating employees on the basics of cyber hygiene and conducting hands-on training to identify red flags is critical. For example, you can show them examples of phishing emails and ask them to determine what is wrong with them.
• Use a managed security service provider. An MSSP can help you to implement and maintain security measures to protect your company from ransomware attacks. In addition, you can free up your internal IT staff to focus on their tasks and be confident that experts are handling your security.

In addition to the above, there are some universal recommendations to help prevent a ransomware infection. These include using strong passwords, multi-factor authentication, and a firewall.

The post 3AM Ransomware Backs Up LockBit In Cyberattacks appeared first on Gridinsoft Blog.

Fullerton, LockBit – who are they?

Fullerton India Credit Company, or shortly Fullerton India, is a major lending company that operates in almost all the country. It offers a wide range of lending programs, targeted at both individuals and businesses. The company has almost 700 branches all over India, which allows it to outreach even small towns and villages. Latest reports issued by the company say about ~2.3 million of customers, net assets of over 2.5 billion, and around 13,000 employees. Such companies – pretty large and related to the financial sector – always were in scope of cybercriminals.

LockBit gang is an infamous hacker group, active since 2019. They passed 3 major “epochs” since then, expanding their operations and offering new solutions for their “product”. Gang uses ransomware-as-a-service operation form and offers a wide range of supplementary services to their “main” product – ransomware. Specific approaches used in malware design, together with the mentioned services, allow this malware to be the fastest among the massively used ones. All that made LockBit gang the most successful ransomware on the market: its share in total attacks is over 40%. Seems that at some point, they decided to have a break from ransoming American companies and try out something new.

LockBit Publishes Data Leaked From Fullerton India

Files encryption is not the only problem created by threat actors. Before launching the ciphering process, crooks often steal all the data they can reach. LockBit applies a specific tool that allows them to extract more data for shorter periods of time. Then, hackers ask for the additional ransom – otherwise, the data will be published or sold to the third party. Such a practice is known as double extortion. LockBit, however, is known for applying another way to press on their victims. Aside from threatening to publish data, they launch a DDoS attack upon the victim’s network, and keep it going until the ransom is paid. It is not clear if hackers used that trick as well.

Bearing on the data available in the surface and dark Web, I can assume that the exact breach happened around late March – early April. First deadline was set on April 29, which means Fullerton was listed ~2 weeks before. Now, however, the final date is set to May 3 – four days past the previous date. Hackers also specified that the company can delay the deadline for $1,000/day. Simple maths suppose that the company already spent $4,000, and it is not clear whether they paid a ransom for data decryption. The cybercriminals’ demand for avoiding data publishing – $3 million – is definitely not paid. Fullerton themselves reported about the cyberattack only on April 24.

In the note present among other information about the attacked company, LockBit specifies the amount of leaked data – 600 gigabytes. They also shared some details regarding data categories available in the leak:

How Dangerous is Fullerton Leak?

Most data LockBit gang got their hands on is related to company operations. Thus, the key danger and damage there goes towards the company’s image. Fullerton is not a publicly-traded company, thus info about the hacks cannot harm someone because of share price shed. Nonetheless, ransom amounts typically asked by the LockBit group are tangible – much more tangible in fact than the cost of cybersecurity improvements that could prevent the attacks in future.

The risk of any cyberattack is the fact that hackers can have a peek into a company’s internal architecture. Considering tight relationships between ransomware gangs, especially ones from Russia, it is logical to suppose that another group of hackers may be interested in attacking companies like Fullerton. And instead of doing a long research in order to find the entry point, they can simply ask their “colleagues” – and get all the information immediately. Security measures should be taken as quickly as possible – and that is true for any cybersecurity incident.

How to protect against LockBit ransomware?

Despite having advanced payload and auxiliary software, LockBit shares spreading ways with other ransomware. Email spam is the king of the hill, used in over 60% of all cyber attacks around the world. Though more target-specific approaches may be used – like RDP exploitation or using other network vulnerabilities. Protecting against them requires a multi-directional approach that is quite hard to implement in one step.

First of all, guide your personnel regarding spam emails. Detecting the fake email may be obvious for a knowing person, though not all people know how to do that. The easiest way to uncover the fraud is to check the email address – it will differ from the genuine one. Still, there were cases where hackers have been using compromised business emails to perform further attacks. For that reason, I’d recommend having a peek into a dedicated article about email phishing and ways to recognize it.

Counteracting network breaches requires the use of specific software. Passive approach is possible – yet far less effective than the use of proactive software solutions. The latter, actually, are represented as Network Detection and Response systems. They combine properties of network monitors, firewalls and (partially) anti-malware programs, giving out a secure shield over the entire network.

Adhere to the latest news regarding vulnerabilities. Top-rated security is possible only in an environment which is hard to exploit. When cybersecurity researchers uncover vulnerabilities, or hackers use a new one in the wild, it is recommended to find and fix these breaches. Consider having several cybersecurity blogs on a quick dial – and the numbers of your software vendors as well. Nothing saves you more than a fast reaction.

The post Fullerton India Hacked, LockBit Leaks 600GB of Data appeared first on Gridinsoft Blog.

AuKill malware uses malicious device drivers to infiltrate systems. Recently, researchers from Sophos discovered an attacker using AuKill before deploying Medusa Locker ransomware and another attacker using it on an already compromised system before installing the LockBit ransomware. The trend is a response to the growing effectiveness of EDR tools, which provide security vendors with a significant advantage in spotting attacks. Threat actors are targeting the tools, causing them the most trouble.

AuKill drops a driver named PROCEXP.SYS from release version 16.32 of Process Explorer into the exact location as the legitimate version of the Process Explorer driver (PROCEXP152.sys). Once on a system, the tool abuses the legitimate driver to execute instructions to shut down EDR and other security controls on the compromised computer. Sophos has analyzed six different versions of AuKill and noticed some substantial changes with each new version. Newer versions now target more EDR processes and services for termination.

These attacks are similar to a series of incidents reported by Sophos, Microsoft, Mandiant, and SentinelOne in December. In those attacks, threat actors used custom-built drivers to disable security products on already compromised systems, leaving them open to other exploits. Like other drivers, the vulnerable Process Explorer driver that AuKill leverages has privileged access to installed systems and can interact with and terminate running processes.

The post Ransomware Attacks Increasingly Using AuKill Malware to Disable EDR appeared first on Gridinsoft Blog.

Microsoft has linked recent attacks on PaperCut servers to ransomware operations by Clop and LockBit, which used vulnerabilities to steal corporate data.

In March 2023, print management solutions provider PaperCut fixed vulnerabilities CVE-2023-27350 (9.8 out of 10 on the CVSS scale, equalling the recently-discovered MSMQ vulnerability) and CVE-2023-27351 (8.2 out of 10). on the CVSS scale).

They allowed to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges, as well as extract usernames, full names, email addresses, and other sensitive data. It was emphasized that such attacks do not require user interaction.

In mid-April, it became known that hackers were already exploiting vulnerabilities, and a PoC exploit for the most dangerous of them appeared in the public domain.

Clop and LockBit ransomware is behind these attacks on PaperCut servers, Microsoft analysts now report, using bugs to steal corporate data from vulnerable servers.

According to the researchers, hackers have been using vulnerabilities in PaperCut since April 13, 2023, and with their help they gain access to corporate networks. After gaining access to the server, the attackers deploy the TrueBot malware in the system, which is associated with Clop extortionate operations, as well as the Cobalt Strike “beacon”, which is used to traverse the victim’s network sideways and steal data using the MegaSync file-sharing application.

Microsoft says some of the incidents ended with LockBit ransomware attacks, but it’s not clear if these attacks started before or after the exploits were published.

By the way, the media wrote that Canadian Polices Arrests Russian Man Involved in LockBit Ransomware Attacks.

Experts urge all administrators to install the available patches as soon as possible, since other attackers are likely to soon take on fresh bugs as well. For example, PaperCut MF and NG are strongly recommended to upgrade to versions 20.1.7, 21.2.11 and 22.0.9.

The post Clop and LockBit Ransomware Exploit Fresh Vulnerabilities in PaperCut appeared first on Gridinsoft Blog.

What is the LockBit gang?

LockBit group is a currently leading gang of threat actors that have spread eponymous ransomware since 2019. Through their entire lifetime, they are constantly updating their malware, making it more resistant to any countermeasures. The group is also significant for their media personality – they are never shy of giving interviews and discussing something on forums. After the Conti group dissolution in 2022, LockBit became a leader on the market, scoring a share of over 40% of all attacks at some point. This number fluctuates, but the nomination of the most successful cybercrime gang remains.

The key thing that gives LockBit its success is its ransomware and auxiliary software used in cyberattacks. In complex, these programs provide a safe, fast and reliable way to encrypt and exfiltrate the files. At the very beginning, their ransomware and data exfiltration software already were the fastest. But with time and updates, hackers made it even more rapid. In fact, no massively-used ransomware examples are even nearly compatible, and only one known sample – Rorschach ransomware – can boast of faster encryption. Updates bring not only faster encryption & exfiltration, but also updates to network infrastructure and bug bounty programs.

LockBit’s First-in-Kind macOS Ransomware

For a long time, macOS was considered a space safe from malware. Surely, there were minor things like adware or browser hijackers, that resided in browsers – but they do not rely on the operating system. “Serious” malware, like spyware, backdoors and ransomware were non-existent. Theoretically, some malware samples aimed at *NIX systems could run on macOS (as it is compatible), but they were not specifically designed to attack it. But on April 16, 2023, the news stating about macOS-targeted variant of LockBit appeared.

"locker_Apple_M1_64": 3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79
As much as I can tell, this is the first Apple's Mac devices targeting build of LockBit ransomware sample seen…
Also is this a first for the "big name" gangs?
@patrickwardle
cc @cyb3rops pic.twitter.com/SMuN3Rmodl

— MalwareHunterTeam (@malwrhunterteam) April 15, 2023

The fact that the previously invincible system descended from the pantheon and is now along with the mortals initiated a hurricane of discussions. On weekends when it happened people went mad in their expectancies, creating more and more versions of what it is capable of and how that works. LockBit themselves, however, only confirmed having a newly developed macOS variant of their ransomware.

What actually happens?

Behind the huge media backlash, a lot of interesting details slipped away. They generally get available during the analysis of the sample. The latter appears to be completely undetected by vendors listed on VirusTotal, and aims at ARM systems. In just a day they’ve corrected this fault – at least some of them, though. However, further analysis of the sample shows that LockBit managed to compile it for multiple other platforms – like PowerPC, ARMv5/v6/v7, Linux, FreeBSD and even SPARC. Actually, the entire lineup of Apple products is at risk now – from computers to tablets and cell phones. Even the legacy, PowerPC-based systems, are not safe.

The exact sample refuses to be run in a normal way, as it lacks a valid signature of Apple Developer ID. To make it run, hackers most probably use a specific console command, that allows them to circumnavigate the restrictions. Sample is XOR-encrypted and features a couple of anti-analysis tricks. In particular, it forces the debug environment to stop if malware detects one. Still, after a deep analysis analysts noticed a lot of flaws present in this LockBit version. Malware is prone to buffer overflow errors, and most of its anti-analysis measures may easily be blocked.

Is LockBit ransomware for macOS dangerous?

For sure, it is. Despite being less than ideal at its current iteration, it will become so in future – I have no doubts about that. LockBit gang never overestimates their malware capabilities and will do their best to fix all the things analysts have found by now. Moreover, other gangs may have this case as an example and release their own ports. It is a pretty small threat for macOS at the moment, but may end up in a completely new paradigm.

Having macOS-based malware is threatening not only because of the novelty of such threats, but also because of absence of any countermeasures. Actually, they’re not totally absent – there are several anti-malware software solutions for macOS. Yet they have low coverage that makes no obstacle for malware. Additionally, these solutions have low capability against advanced threats, like LockBit ransomware, making protection even less effective. The only advice now is to implement proactive measures of counteraction – ones that will not allow malware to get to the system at all.

How to protect yourself?

Fortunately, counteractions against LockBit ransomware are cross-platform. LockBit hackers commonly utilise network vulnerabilities to make their way to the network and infect it. You can practise with firewalls or other restrictive measures, but crooks found the way to circumvent them. Advanced solutions, like Network Detection and Response, will fit best for that case. They do not always require having the client part installed on each system, bearing on overall network traffic monitoring. Detection systems and extensive logging make it much easier to stop the threat and prepare for possible intrusions in future.

The post LockBit Releases World’s First macOS Ransomware appeared first on Gridinsoft Blog.