"LockBit Ransomware Secretly Building Next-Gen Encryptor Before Takedown"

According to security researchers at Trend Micro, LockBit ransomware developers were secretly building a new version of their file-encrypting malware, dubbed LockBit-NG-Dev and likely to become LockBit 4.0, when law enforcement took down the cybercriminals' infrastructure earlier this week. Trend Micro analyzed a sample of the latest LockBit development, which can work on multiple operating systems. The researchers noted that while previous LockBit malware is built in C/C++, the latest sample is a work in progress written in .NET that appears to be compiled with CoreRT and packed with MPRESS. The malware includes a configuration file in JSON format that outlines execution parameters such as the execution date range, ransom note details, unique IDs, the RSA public key, and other operational flags. Although the researchers said the new encryptor lacks some features present in previous iterations, it appears to be in its final development stages and already offers most of the expected functionality. It supports three encryption modes (using AES+RSA), namely "fast," "intermittent," and "full," has custom file or directory exclusion, and can randomize file naming to complicate restoration efforts. Additional options include a self-delete mechanism that overwrites LockBit's own file contents with null bytes.

 

BleepingComputer reports: "LockBit Ransomware Secretly Building Next-Gen Encryptor Before Takedown"

Submitted by Adam Ekwall on