Analysis of LockBit 3.0 attacks and leaked samples reveals a number of similarities between the latest generation of the ransomware and the BlackMatter ransomware family, and sheds light on how the malware has been developed.
The threat actors behind this ransomware also use a package from GitHub called Backstab. As the name implies, Backstab's primary function is to sabotage the tooling that security operations center analysts use to monitor suspicious activity in real time. The utility loads Microsoft's own Process Explorer driver (a Sysinternals component legitimately signed by Microsoft) and uses it to terminate protected anti-malware processes and disable EDR utilities. Because the driver is genuine and correctly signed, signature-based allow-listing does not stop this technique; the defensive question is whether that driver has any business loading on the host at that moment.
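Since the Backstab technique described above relies on a legitimate, Microsoft-signed driver, the practical detection is contextual: the Process Explorer driver loading, or being installed as a kernel service, on a host where Process Explorer itself was never started. The Python below is an added example, not code from the original article or from the Backstab project. The sample events are constructed and loosely modelled on Sysmon Event ID 1 (ProcessCreate), Event ID 6 (DriverLoad) and Windows System Event ID 7045 (service installed); the driver file name PROCEXP152.sys is the name Sysinternals uses for the Process Explorer driver, while the field names, host names, the 120 second grace window and the "outside System32\drivers" heuristic are assumptions made for this example.

```python
"""Toy detector for abuse of the signed Process Explorer driver (Backstab-style EDR killing).

Added example with constructed events; not taken from the article or the Backstab project.
"""
import re
from dataclasses import dataclass

# Process Explorer executables that legitimately load the driver (assumed list).
PROCEXP_IMAGES = {"procexp.exe", "procexp64.exe", "procexp64a.exe"}
# Sysinternals ships the driver as PROCEXP152.sys; match any version suffix.
PROCEXP_DRIVER = re.compile(r"procexp\d*\.sys$", re.IGNORECASE)
# Assumed grace period: Process Explorer loads its driver within seconds of starting.
WINDOW_SECONDS = 120
# Process Explorer drops its driver under System32\drivers; anywhere else is odd (assumption).
EXPECTED_DRIVER_DIR = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)


@dataclass
class Event:
    ts: int      # seconds since epoch (constructed)
    host: str
    kind: str    # "ProcessCreate" | "DriverLoad" | "ServiceInstall"
    data: dict   # event-specific fields, named after Sysmon / System log fields


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    # Legitimate: an analyst starts Process Explorer, which loads its own driver moments later.
    Event(1000, "ws01", "ProcessCreate",
          {"Image": r"C:\Tools\procexp64.exe", "User": r"CORP\analyst"}),
    Event(1003, "ws01", "DriverLoad",
          {"ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP152.SYS",
           "Signature": "Microsoft Windows Hardware Compatibility Publisher"}),
    # Suspicious: the driver is registered as a kernel service from a user-writable path
    # and loaded on a server where no Process Explorer process was ever created.
    Event(2000, "srv07", "ServiceInstall",
          {"ServiceName": "PROCEXP152", "ImagePath": r"C:\Users\Public\PROCEXP152.sys",
           "ServiceType": "kernel mode driver"}),
    Event(2001, "srv07", "DriverLoad",
          {"ImageLoaded": r"C:\Users\Public\PROCEXP152.sys",
           "Signature": "Microsoft Windows Hardware Compatibility Publisher"}),
    # Unrelated signed driver load; must not alert.
    Event(2100, "srv07", "DriverLoad",
          {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
           "Signature": "Microsoft Windows"}),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, window: int = WINDOW_SECONDS):
    """Return alerts as dicts {host, ts, reason} for Process Explorer driver activity
    that is not explained by a recent Process Explorer launch on the same host."""
    last_procexp_start = {}  # host -> ts of the most recent procexp*.exe ProcessCreate
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ProcessCreate":
            if _basename(ev.data["Image"]) in PROCEXP_IMAGES:
                last_procexp_start[ev.host] = ev.ts
            continue

        path = ev.data.get("ImageLoaded") or ev.data.get("ImagePath") or ""
        if not PROCEXP_DRIVER.search(path):
            continue  # not the Process Explorer driver

        reasons = []
        started = last_procexp_start.get(ev.host)
        if started is None or ev.ts - started > window:
            reasons.append("no Process Explorer process started on this host "
                           f"within {window}s before the {ev.kind}")
        if not EXPECTED_DRIVER_DIR.search(path):
            reasons.append(f"driver path {path} is outside System32\\drivers")
        if ev.kind == "ServiceInstall" and "kernel" not in ev.data.get("ServiceType", "").lower():
            reasons.append("driver registered with a non-kernel service type")

        if reasons:
            alerts.append({"host": ev.host, "ts": ev.ts, "kind": ev.kind,
                           "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The check is deliberately about context rather than the binary itself, because blocking a Microsoft-signed driver outright would also break legitimate Process Explorer use. An attacker can of course rename a loader to procexp64.exe to satisfy the first rule, so in production the ProcessCreate match should be tied to the file hash or signer of the Process Explorer binary rather than its name, and the driver path heuristic should be tuned to where your deployment actually places the driver.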
This new variant of LockBit reuses a filename seen in an earlier version, and its code overlaps with a previously leaked BlackMatter framework. Taken together with the other similarities between this campaign and the BlackMatter ransomware operation, this strongly suggests a shared developer lineage behind both families, although code reuse alone cannot prove that a single actor operates both.
In the majority of observed cases the attackers used email as the delivery vector for the malware, and, interestingly, these attacks occurred primarily in the US rather than in Europe or Asia, where infection rates are typically much higher.
Source: LockBit 3.0 attacks and leaks reveal wormable capabilities and tooling - AlienVault - Open Threat Exchange