LockBit Gang Money Flow Uncovered : New Strain Under Development

Over the past few years, LockBit, a ransomware-as-a-service (RaaS) operation, has been linked to multiple security incidents affecting organizations worldwide.

Yet, they appear to have experienced a lot of logistical, technological, and reputational issues recently. Due to this, LockBit had to decide to act and begin developing a much-needed version of their malware.

The new version of the ransomware that is still under development and is identified as LockBit-NG-Dev (NG for Next Generation) might ultimately be considered a true 4.0 version by the group.

Particularly, the NCA and FBI declared on Tuesday that the law enforcement operation, known as Operation Cronos, had taken over LockBit’s administration system and infrastructure, took its dark-web leak site, accessed its source code, seized approximately 11,000 domains and servers, and gathered member information.

Analyse Shopisticated Malware with ANY.RUN

Try ANY.RUN Yourself with a 14-day Free Trial

More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..

The New LockBit-NG-Dev Version

Researchers at TrendMicro have obtained a sample that they believe to be the latest version of LockBit. This malware variant is distinct from other iterations and is still in development.

Since the sample appends a “locked_for_LockBit” suffix to encrypted files, it is believed that this is a forthcoming, undeployed version from the group because it is still subject to change as part of the configuration.

LockBit-NG-Dev, based on its current developmental condition, may serve as the foundation for a LockBit 4.0. 

At present, LockBit-NG-Dev is compiled using CoreRT and written in. NET. This enables additional platform independence for the code when it is deployed in conjunction with the.NET environment.

“While it has fewer capabilities compared to v2 (Red) and v3 (Black), these additional features are likely to be added as development continues. As it is, it is still a functional and powerful ransomware”, TrendMicro reports.

This version retains the same settings as v3 (Black), which includes flags for routines, a list of processes and service names to terminate, and files and folders to avoid.

Additionally, it can still change the filenames of encrypted files to random ones.

LockBit Versions

The ransomware developed by LockBit has been released in multiple versions: LockBit v1 (January 2020), LockBit 2.0 (June 2021), nicknamed “Red,” and LockBit 3.0, nicknamed “Black” (March 2022).

The threat actor released LockBit Linux in October 2021 to defend against attacks on Linux and VMware ESXi systems. Eventually, in January 2023, an intermediate version known as “Green” surfaced, which included code seemingly taken from the now-defunct Conti ransomware.

This version was not recognized as a new 4.0 version, though.

A complete technical study of the LockBit-NG-Dev by Trend Micro has been published, and it includes all of the LockBit-NG-Dev setup parameters.

Today, the FBI, NCA UK, and EUROPOL, in collaboration with blockchain analytics firm Chainalysis, disclosed detailed insights into the financial operations of the ransomware group Lockbit.

The information shared pertains to the flow of funds within the group’s network, including the sources of revenue, destinations of payments, and the methods used to launder illicit proceeds.

Final Words

It is unclear how long the group will be able to draw in top affiliates and maintain its position, given the apparent delay in releasing a stable version of LockBit and ongoing technical difficulties.

In the meantime, it is hoped that LockBit will be the next significant group to challenge the concept that an organization is too large to fail.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.