LockBit copycat DarkVault spurs rebranding rumor

DarkVault, a new ransomware group with a website resembling LockBit’s, may be the latest in a string of copycats mimicking the notorious ransomware-as-a-service (RaaS) gang.  

Security researcher Dominic Alvieri called attention to a redesign of DarkVault’s website on Wednesday. Alvieri’s post on X included a screenshot of a new homepage sporting LockBit’s distinctive style, including a red and white color scheme and similar page headings.

LockBit’s logo was also found on the DarkVault blog. The group’s older website features an image of a black cat lying on a vault, potentially a reference to another ransomware gang, ALPHV/BlackCat.

Cybernews reported that DarkVault may be an attempt by LockBit to rebrand, but Alvieri later clarified that the intention of his post was to make fun of the “copycats.”

DarkVault had posted nine alleged victims on its LockBit imitation site as of Thursday, according to Dark Web Informer, which had discovered the older DarkVault website, with no victims listed, on March 29.

LockBit imposters leverage leaked 2022 RaaS builder

DarkVault would not be the first cybercrime group to imitate LockBit, with several using LockBit’s name, branding and leaked ransomware builder in their own attacks.

Trellix noted this trend in a blog published Thursday, which also described the partial revival of the original LockBit since its infrastructure was disrupted by law enforcement in February.  

The builder for the LockBit 3.0 ransomware, also known as LockBit Black, was leaked by one of the gang’s own developers in 2022 – since then, many threat actors have used the builder in their own attacks.

Some use the code as-is with minimal changes, such as the addition of their own version of the ransom note, while others have used the builder as a foundation for new ransomware strains, the researchers from Trellix’s Advanced Research Center wrote.

Dragonforce and Werewolves are two ransomware groups that emerged in 2023 using LockBit Black in their attacks. Dragonforce was found to be using the LockBit code as-is last September, with the exception of the ransom note, while Werewolves may have LockBit affiliates on its team, given the overlap between victims claimed by both Werewolves and LockBit, according to Trellix.

Some impersonators not only use LockBit’s leaked code, but also copy the RaaS group’s website in a similar fashion to DarkVault. In November 2023, a group called Spacecolon set up a fake LockBit leak site on the surface web and used the LockBit name in its contact details when attempting to extort victims, according to Trend Micro.

LockBit’s name was also used in an attack on Russian security company AN-Security in January, which was later disputed by LockBit admin “LockBitSupp,” who pointed out that the group doesn’t target Russian companies.

LockBitSupp ultimately blamed the attack on Cl0p RaaS owner “Signature,” claiming the rival threat actor was attempting to besmirch LockBit’s name in retaliation for a recent feud.  

“The emergence of imposters of LockBit and opportunistic ransomware groups utilizing the leaked LockBit builder highlighted the complexities of threat actor attribution and ongoing challenges posed by the widespread availability of ransomware,” the Trellix researchers stated.

LockBit gang returns with limited capabilities

Since its February takedown, LockBit has reemerged with a limited restoration of its infrastructure, and was most recently observed by the Trellix Advanced Research Center attempting to exploit ScreenConnect vulnerabilities.

The group has disabled RaaS panel access for some of its less profitable affiliates and requires a fee of 1 or 2 BTC (about $70,000 to $140,000 USD) from those who want to rejoin, a measure intended to keep law enforcement, journalists and competing threat actors out of the panel, according to Trellix.

LockBit has also split its affiliate panel across multiple servers to minimize the impact of further law enforcement interference after the source code for the panel was seized as part of the international takedown operation.

Signs that the gang has yet to fully recover from the takedown include adding several unconfirmed victims to its leak site and later removing them, which may be done to artificially inflate the group’s activity, as well as the apparent removal of anti-DDoS protection from its site, “suggesting a potential lapse in LockBit’s defensive capabilities,” Trellix said.
