
LockBit 3.0 attacks and leaks reveal wormable capabilities and tooling

LockBit 3.0 attacks and leaks reveal a number of similarities between the latest generation of the ransomware and the BlackMatter ransomware family, and shed light on how the malware has been developed.

The threat actors behind this ransomware also use a package from GitHub called Backstab. As the name implies, its primary function is to sabotage the tooling that security operations center analysts rely on to monitor suspicious activity in real time. Backstab brings along Microsoft's own Process Explorer driver, which is signed by Microsoft and therefore loads without complaint, and abuses the driver's kernel-mode ability to close the handles of other processes in order to terminate protected anti-malware processes and disable EDR agents. Because the driver is legitimate and validly signed, a signature check alone will not stop it; detection has to key on the driver being loaded outside a normal Process Explorer session and on which processes die shortly afterwards.
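The following detection logic is an added example written for this page; it is not code from the original post, from the AlienVault pulse, or from the Backstab project. It works the way the paragraph above suggests: rather than trusting the driver's (valid) Microsoft signature, it looks for the Process Explorer driver being loaded when no Process Explorer binary was started recently, and then for a security-product process terminating within a short window of that load. The event lines are constructed Sysmon-style JSON records; the driver file name (PROCEXP152.SYS), the Process Explorer binary names, the list of protected security processes and the 120-second window are all assumptions for illustration and should be tuned to the environment.

```python
"""Toy correlation rule for Backstab-style EDR killing via the Process Explorer driver.

Added example, not from the original page or the AlienVault pulse.
Assumptions (illustrative only): events arrive as Sysmon-like JSON lines with
EventID 1 (process create), 6 (driver load) and 5 (process terminate); the
legitimate Process Explorer driver is named PROCEXP1xx.SYS and its host binary
procexp.exe / procexp64.exe; PROTECTED_IMAGES lists security-product processes.
"""
import json
import re
from datetime import datetime, timedelta

# Assumed names of the legitimate Process Explorer driver and host binary.
PROCEXP_DRIVER_RE = re.compile(r"^procexp1\d\d\.sys$", re.IGNORECASE)
PROCEXP_HOST_RE = re.compile(r"^procexp(64)?\.exe$", re.IGNORECASE)
# Constructed, illustrative set of anti-malware / EDR processes (normally PPL).
PROTECTED_IMAGES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe"}
# A driver load is "explained" only if Process Explorer itself started within this window,
# and a kill is suspicious only if it follows an unexplained load within this window.
WINDOW = timedelta(seconds=120)


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse JSON lines into dicts, attach a datetime, and sort chronologically."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def detect_backstab(lines):
    """Return a list of alert dicts for the given Sysmon-style JSON event lines."""
    alerts = []
    last_procexp_start = None   # time procexp.exe/procexp64.exe was last launched
    unexplained_loads = []      # timestamps of driver loads with no Process Explorer session
    for ev in parse_events(lines):
        eid, ts = ev["EventID"], ev["_ts"]
        if eid == 1 and PROCEXP_HOST_RE.search(basename(ev["Image"])):
            last_procexp_start = ts
        elif eid == 6 and PROCEXP_DRIVER_RE.search(basename(ev["ImageLoaded"])):
            explained = last_procexp_start is not None and ts - last_procexp_start <= WINDOW
            if not explained:
                unexplained_loads.append(ts)
                alerts.append({
                    "rule": "procexp_driver_load_without_procexp",
                    "time": ev["UtcTime"],
                    "driver": ev["ImageLoaded"],
                    # The signature is expected to be valid: that is the whole point of BYOVD.
                    "signed": ev.get("Signed"),
                    "signer": ev.get("Signature"),
                })
        elif eid == 5 and basename(ev["Image"]) in PROTECTED_IMAGES:
            if any(timedelta(0) <= ts - t <= WINDOW for t in unexplained_loads):
                alerts.append({
                    "rule": "protected_process_terminated_after_driver_load",
                    "time": ev["UtcTime"],
                    "image": basename(ev["Image"]),
                    "pid": ev.get("ProcessId"),
                })
    return alerts


# Constructed sample log: an admin running Process Explorer (benign), then a
# Backstab-style tool dropping the same driver from a user-writable path and
# killing Defender's engine process two seconds later.
SAMPLE_LOG = [
    '{"EventID": 1, "UtcTime": "2023-01-10 10:00:00", "Image": "C:\\\\Tools\\\\procexp64.exe", "ProcessId": 4120}',
    '{"EventID": 6, "UtcTime": "2023-01-10 10:00:05", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\Drivers\\\\PROCEXP152.SYS", "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher"}',
    '{"EventID": 1, "UtcTime": "2023-01-10 11:30:00", "Image": "C:\\\\Users\\\\Public\\\\bs.exe", "ProcessId": 7788}',
    '{"EventID": 6, "UtcTime": "2023-01-10 11:30:02", "ImageLoaded": "C:\\\\Users\\\\Public\\\\PROCEXP152.SYS", "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher"}',
    '{"EventID": 5, "UtcTime": "2023-01-10 11:30:04", "Image": "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\4.18\\\\MsMpEng.exe", "ProcessId": 3012}',
    '{"EventID": 5, "UtcTime": "2023-01-10 11:30:05", "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe", "ProcessId": 9001}',
]

if __name__ == "__main__":
    for alert in detect_backstab(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the sample, the benign 10:00 session produces nothing, the 11:30 driver load is flagged because no Process Explorer binary started within the window, and the MsMpEng.exe termination two seconds later raises the second, higher-confidence alert; the notepad.exe exit is ignored. In a real deployment the same logic maps onto Sysmon events 1, 6 and 5 (or a Sigma rule with a near-time correlation), and the driver-name list should include whatever other signed-but-abusable drivers the environment cares about.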

The Backstab package has been publicly available on GitHub for several years, and more recently has been delivered via large spam email campaigns that use the subject line "Your Data has been Exposed". In some cases the email carries a Word document that embeds an HTML page with malicious JavaScript and a link to the rogue download. The email is intended to trick the recipient into opening the attachment and launching the malicious payload. Not surprisingly, this is linked to a wide campaign with similar subject lines and payloads that mostly hits small and medium-sized businesses in the US.

This new variant of the LockBit ransomware uses the same filename as a previous version, and its code reuses a framework previously leaked from the BlackMatter ransomware family. That reuse, together with the other similarities between these attacks and the BlackMatter operation, strongly suggests that the same developers are behind both variants.

In the majority of affected organizations, email was the initial delivery vector for the malware. Interestingly, these attacks occurred primarily in the US rather than in Europe or Asia, where infection rates are typically much higher.

Source: LockBit 3.0 attacks and leaks reveal wormable capabilities and tooling - AlienVault - Open Threat Exchange
