{"id":7226,"date":"2024-03-07T10:04:27","date_gmt":"2024-03-07T10:04:27","guid":{"rendered":"\/cybersecurity-blog\/?p=7226"},"modified":"2025-01-31T06:53:19","modified_gmt":"2025-01-31T06:53:19","slug":"lockbit-resurges","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/lockbit-resurges\/","title":{"rendered":"LockBit is Back from the Dead. Here\u2019s How to Prepare For its Return"},"content":{"rendered":"\n

In February, The FBI and international law enforcement allies claimed<\/a> a big victory. They\u2019ve seized the operations of LockBit, got hold of the gang\u2019s source code, and took over their website:<\/p>\n\n\n

\n
\"\"
This screenshot has been all over cybersecurity news sites <\/figcaption><\/figure><\/div>\n\n\n

Unfortunately, it seems the win was only temporary. The core members of the gang weren\u2019t arrested, and the takedown by Operation Cronos was short-lived, as the gang recovered within days. <\/p>\n\n\n\n

At ANY.RUN, we noted a period of inactivity followed by a spike, as LockBit<\/a> detections in our sandbox reached 0 and then began to grow, starting a few days after the takedown. <\/p>\n\n\n\n

The LockBit ransomware gang has resumed its attacks, then. Now they\u2019re employing<\/a> updated encryptors and ransom notes that lead to new servers. <\/p>\n\n\n\n

Rather than rebranding, LockBit gang promised to return with enhanced infrastructure and updated security measures to prevent the law enforcement from accessing their descriptors again. <\/p>\n\n\n\n

We’ve seen this pattern before. Shortly after GandCrab was taken down in June 2019, REvil<\/a> \u2014 also known as Sodinokibi \u2014 ransomware emerged, and it was based on GandCrab\u2019s source code at least partially. Security researchers who took the opportunity to study GandCrab\u2019s code during the quiet period were better prepared to deal with REvil when it appeared. <\/p>\n\n\n\n

History repeats iself. <\/a>Read about the rise and fall of REvil<\/a> <\/p>\n\n\n\n

What is LockBit? <\/h2>\n\n\n\n

LockBit is both a ransomware and an APT group with the same name. The group has claimed responsibility for many high-profile attacks. LockBit has extorted over $120 million from 2,000 victims. <\/p>\n\n\n\n

LockBit ransomware primarily targets Windows systems, but it’s also capable of encrypting files on Linux and MacOS. The group operates using a Ransomware-as-a-Service (RaaS) model, wherein the core members develop the ransomware and then sell it to affiliates who carry out the actual attacks. <\/p>\n\n\n\n

Analyzing LockBit in ANY.RUN <\/h2>\n\n\n\n

Similar to the story of GandCrab’s demise and resurrection as REvil, it’s likely that LockBit creators will modify the code of this threat. Even if they don\u2019t, ransomware activity as a whole has been climbing<\/a> since 2023, and LockBit is one of the most widely deployed strains you’re likely to encounter. <\/p>\n\n\n\n

That’s why it’s important to study its behavioral patterns, TTPs, and collect Lockbit IOCs to set up your TIP and SIEM systems. With ANY.RUN, you can run extensive LockBit ransomware analysis in seconds and just with a couple of clicks. This way, you can detect and isolate an intrusion before LockBit encrypts your files and causes damage to your infrastructure.\u00a0<\/p>\n\n\n

\n
\"\"
LockBit\u2019s ransom note in ANY.RUN <\/figcaption><\/figure><\/div>\n\n\n

The primary function of this ransomware is still the same: it encrypts files and deposits a ransom note with contact information and instructions \u2014 like we see in this task<\/a>. <\/p>\n\n\n\n

The latest version is LockBit 4.0, and it’s a bit different from the previous 3.0 version. In 4.0, it doesn’t change the wallpaper anymore, and it takes a lot longer to decrypt all the files on the infected system. Unlike 3.0 which deleted itself after encrypting, version 4.0 doesn’t do that. <\/p>\n\n\n\n

Wrapping up <\/h2>\n\n\n\n