LockBit 3.0 Variant Generates Custom, Self-Propagating Malware

The LockBit ransomware-as-a-service (RaaS) group has struck another victim, this time using stolen credentials to launch a sophisticated attack against an unidentified organization in West Africa. The attackers used a new variant of the LockBit 3.0 builder, which was leaked in 2022.

Kaspersky researchers discovered the latest variant at the end of March 2024 after responding to the incident in West Africa, describing it at the time as Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen, and Trojan-Ransom.Win32.Generic. Particularly concerning about this variant is that it can generate custom, self-propagating ransomware that is difficult to defend against.

During the attack, threat actors impersonating an administrator infected multiple hosts with malware, aiming to spread it deeply into the victim's network. According to Kaspersky, the customized ransomware performed various malicious actions, including disabling Windows Defender, encrypting network shares, and deleting Windows Event Logs to avoid discovery of its actions. 

The researchers discovered that the variant can also direct attacks on select systems and infect specific .docx or .xlsx files. "The nature of this finding is rather critical since the use of leaked privileged credentials allows the attackers to have full control of the victim's infrastructure, as well as covering their tracks," says Cristian Souza, an incident response specialist at Kaspersky. 

The organization in West Africa hit by the new LockBit variant is the only victim Kaspersky's Global Emergency Response Team (GERT) has encountered in that area to date, according to Souza. "However, we detected other incidents that used the leaked builder in other regions," he says. 

The Appeal of LockBit 3.0 to Attackers

Since it was leaked in 2022, attackers have continued actively using LockBit 3.0 builder to create customized versions and variants. "This opens up numerous possibilities for malicious actors to make their attacks more effective since it is possible to configure network spread options and defense-killing functionality," according to a research brief on the attack and a detailed description of the variant posted by Kaspersky. "It becomes even more dangerous if the attacker has valid privileged credentials in the target infrastructure."

According to a recent Trend Micro report, the LockBit group was responsible for at least 25% of all ransomware attacks in 2023 and has hit thousands of victims since 2020. The LockBit 3.0 builder is a popular tool among threat actors because it doesn't require advanced programming skills.

In February 2024, the Cronos Group, an international law-enforcement group, claimed that it had taken down the group's infrastructure, but less than a week later, LockBit responded that it had recovered and was back in business.

Protecting Against LockBit Attacks

As the debate continues over whether LockBit will remain the pervasive force in waging ransomware attacks, Kaspersky advises that organizations take the same steps they would undertake to prevent an attack from any group. Those steps include using properly configured antimalware and endpoint detection software, implementing a managed detection and response solution, conducting vulnerability assessments and penetration tests, and performing and testing backups of critical data.

Further, Sousa recommends network administrators employ network segmentation, enforce multifactor authentication (MFA), whitelist permitted applications, "and have a well-defined incident response plan."