February 22, 2024 at 02:56PM
Law enforcement’s disruption of the LockBit ransomware crew revealed that the group was developing a new variant. Unlike its competitors, LockBit chose .NET and CoreRT rather than Rust for its latest locker. The in-development variant was meant to counter code leaks by adding an expiry date, but it lacked some capabilities of previous versions. The variant may also form the basis of lockers used by other ransomware groups in future.
Key takeaways from the meeting notes:
1. Law enforcement disrupted the LockBit ransomware crew while it was working on a new variant for the market, one that uses .NET and CoreRT for the code and compiler, and MPRESS for packing to evade static file detection.
2. LockBit had previously dealt with code leaks: its builder was leaked in September 2022, leading to copycat attacks and to the development of a new variant, LockBit-NG-Dev, with anti-analysis and anti-sandbox features.
3. LockBit-NG-Dev is still a work in progress and lacks some capabilities of the official versions, but it is considered a functional and powerful ransomware program, supporting multiple encryption modes.
4. Although three major arrests mark real progress, the dismantling of LockBit does not significantly affect its nearly 200 affiliates, and without the arrest of key leaders the group may continue operating under a new brand name.
5. The use of .NET in the new variant hints at the tooling ransomware groups will use in future, and the variant may form the basis of future lockers used by other groups.