BlackMatter ransomware capabilities found in LockBit 3.0

The Hacker News reports that the latest LockBit ransomware version, LockBit 3.0, also known as LockBit Black, has been found by Trend Micro researchers to share features with the BlackMatter ransomware strain. Besides reusing BlackMatter's privilege escalation and API-harvesting techniques to resolve the APIs it needs for process termination, LockBit 3.0 uses the same anti-analysis tactics, a Trend Micro report showed. LockBit 3.0 also uses a "-pass" argument to decrypt its main routine, similar to the now-defunct Egregor ransomware, and avoids attacking systems based in the Commonwealth of Independent States. "One notable behavior for this third LockBit version is its file deletion technique: Instead of using cmd.exe to execute a batch file or command that will perform the deletion, it drops and executes a .tmp file decrypted from the binary," said researchers, who added that the .tmp file overwrites the ransomware binary's contents in an effort to thwart recovery and detection.
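The self-deletion behaviour quoted above leaves a recognisable trail in endpoint telemetry: a process whose image has a .tmp extension, spawned by the ransomware, that then writes over its parent's executable. The following is an added detection heuristic (not code from the report, Trend Micro or the ransomware itself) that correlates constructed, Sysmon-style process-creation and file-write events; the event field names and sample paths are assumptions for illustration.

```python
"""Heuristic for the LockBit 3.0 file-deletion pattern: a dropped .tmp
executable overwriting the binary that launched it, plus the "-pass"
argument used to unlock the main routine. Added example, not real telemetry."""

# Constructed sample events (not real logs). "pc" = process creation,
# "fw" = file write by an existing process.
SAMPLE_EVENTS = [
    {"type": "pc", "pid": 100, "ppid": 1, "image": r"C:\Users\u\enc.exe",
     "cmdline": r"enc.exe -pass 1a2b3c"},
    {"type": "pc", "pid": 101, "ppid": 100, "image": r"C:\Users\u\x1.tmp",
     "cmdline": r"x1.tmp"},
    {"type": "fw", "pid": 101, "target": r"C:\Users\u\enc.exe"},
    {"type": "pc", "pid": 200, "ppid": 1, "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe"},
    {"type": "fw", "pid": 200, "target": r"C:\Users\u\notes.txt"},
]


def find_suspicious(events):
    """Return alert strings for the three indicators described in the report:
    a "-pass" argument, execution of a .tmp image, and a child process
    overwriting its parent's on-disk executable."""
    procs = {}   # pid -> (image path, parent pid), built from pc events
    alerts = []
    for e in events:
        if e["type"] == "pc":
            procs[e["pid"]] = (e["image"], e["ppid"])
            if "-pass" in e["cmdline"].lower().split():
                alerts.append(f"pid {e['pid']}: '-pass' argument in {e['cmdline']!r}")
            if e["image"].lower().endswith(".tmp"):
                alerts.append(f"pid {e['pid']}: executable with .tmp extension {e['image']}")
        elif e["type"] == "fw":
            image, ppid = procs.get(e["pid"], (None, None))
            parent_image = procs.get(ppid, (None, None))[0]
            # The overwrite is the strongest signal: the dropped .tmp file
            # destroys the ransomware binary to hinder recovery and detection.
            if parent_image and e["target"].lower() == parent_image.lower():
                alerts.append(f"pid {e['pid']} ({image}) overwrote parent binary {parent_image}")
    return alerts


if __name__ == "__main__":
    for line in find_suspicious(SAMPLE_EVENTS):
        print(line)
```

The benign notepad.exe events produce no alert, which is the point of correlating the write target with the parent's image rather than flagging every .tmp write.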
