LockBit Ransomware is Back From the Dead : Is Your SOC/DFIR Team Prepared?

Law enforcement disrupted LockBit ransomware operations in February, seizing infrastructure and their website.

Regretfully, the victory appears to have been temporary. The gang’s leading members were not detained, and Operation Cronos’s defeat was only temporary since the group bounced back in a matter of days.

A surge in LockBit activity days after the takedown indicated renewed attacks while the gang utilized updated encryption tools and directed victims to new servers. 

Researchers from ANY.RUN observed via the Interactive Malware Sandbox Tool that the incident mirrors past events in which dismantled ransomware groups re-emerged with improved tools. REvil emerged shortly after GandCrab’s takedown, likely utilizing the latter’s source code. 

All over cybersecurity news sites

About LockBit

LockBit is a cybercriminal organization offering ransomware and advanced persistent threat (APT) capabilities. Their ransomware encrypts victim systems, primarily targeting Windows, and can also hit Linux and MacOS.  

Operating as a Ransomware-as-a-Service (RaaS), LockBit developers sell their tools and infrastructure to affiliates, who then launch the attacks, which allows them to remain anonymous while profiting from a broader range of attackers.  

The group has claimed responsibility for numerous high-profile incidents, extorting over $120 million from victims. 


Incorporate ANY.RUN into your company for fast and simple malware analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

Get a personalized demo of ANY.RUN for your security team:

It highlights the importance of utilizing temporary disruptions to study seized infrastructure and prepare for potential evolutions of the threat. 

Back from Dead

According to ANY.RUN study that was shared with Cyber Security News noted a period of inactivity followed by a spike, as LockBit detections in our sandbox reached 0 and then began to grow, starting a few days after the takedown. 

The LockBit ransomware gang has resumed its attacks. Now, they’re employing updated encryptors and ransom notes that lead to new servers. 

Based on the ANY.RUN Sandbox Analysis, Rather than rebranding, the LockBit gang promised to return with enhanced infrastructure and updated security measures to prevent law enforcement from reaccessing their descriptors. 

Analyzing LockBit in ANY.RUN 

A prevalent strain, LockBit ransomware, is actively being developed. Despite a recent takedown by law enforcement, its creators are likely to modify the code to evade detection. Organizations should be prepared, as the LockBit infection remains a significant threat. 

Studying LockBit’s attack patterns (TTPs) and Indicators of Compromise (IOCs) is crucial for Security Information and Event Management (SIEM) and Threat Intelligence Platform (TIP) systems to identify and isolate intrusions before file encryption occurs. 

The latest variant, LockBit 4.0, exhibits changes: it no longer modifies the desktop wallpaper, and the decryption process is significantly slower. Also, unlike its predecessor, version 4.0 does not self-delete after encryption. 

LockBit’s ransom note in ANY.RUN 

LockBit ransomware, which is known for targeting Windows primarily but is also capable of compromising Linux and MacOS systems, has re-emerged with updated tools and infrastructure after a recent takedown. 

This notorious ransomware group is responsible for extorting over $120 million from 2,000 victims, and understanding LockBit’s attack patterns, tactics, techniques, and procedures (TTPs) along with collecting Indicators of Compromise (IOCs) is crucial to effectively configuring security systems for defense. 

What is ANY.RUN? 

ANY.RUN is a cloud-based malware sandbox designed to expedite threat analysis for security teams, using YARA rules and Suricata for prompt malware detection (around 40 seconds) and automatic family identification. 

Unlike solely automated solutions, ANY.RUN offers real-time interaction with the virtual machine through a browser interface, which is crucial for countering zero-day exploits and advanced malware that can bypass signature-based detection.  

ANY.RUN’s cloud-based nature also eliminates setup and maintenance burdens for DevOps teams, making it cost-effective for businesses. 

The intuitive interface is well-suited for onboarding new security personnel, allowing even junior analysts to swiftly grasp malware analysis and extract Indicators of Compromise (IOCs).

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.