New LockBit Variant Exploits Self-Spreading Features

Written by

A recent incident in West Africa has once again brought attention to the persistent threat posed by the LockBit ransomware. 

Cybercriminals, armed with stolen administrator credentials, have deployed a customized variant of the encryption malware equipped with self-propagation capabilities. 

Exploiting privileged access, they breached corporate infrastructure, demonstrating the ongoing risk posed by the leaked LockBit 3.0 builder, despite its previous exposure. 

“The LockBit 3.0 builder was leaked in 2022, but attackers still actively use it to create customized versions – and it doesn’t even require advanced programming skills,” commented Cristian Souza, an incident response specialist at Kaspersky.

“This flexibility gives adversaries many opportunities to enhance the effectiveness of their attacks, as the recent case shows. It makes these kinds of attacks even more dangerous, considering the escalating frequency of corporate credential leaks.”

According to a new report by Kaspersky, the incident also highlights a concerning trend where attackers craft sophisticated ransomware capable of spreading autonomously within networks.

The malware variant, identified by the security firm, exhibits unprecedented features, including impersonation of system administrators and adaptive self-spreading across networks. 

Leveraging highly privileged domain credentials, the ransomware can also turn off security measures, encrypt network shares and erase event logs to conceal its actions. Each infected host becomes a vector for further infection, amplifying the impact within the victim’s network.

Custom configuration files allow the malware to adapt to specific network environments, enhancing its efficacy and evasiveness. This flexibility, coupled with the ease of use of the leaked builder, presents significant challenges for cybersecurity professionals. 

Kaspersky’s research also uncovered the use of the SessionGopher script by attackers to extract saved passwords from affected systems. While incidents lacking some advanced capabilities have been observed in various industries and regions, the geographical scope of attacks may be expanding.

According to the cybersecurity firm, international law enforcement’s recent takedown of the LockBit ransomware group underscores the collaborative efforts required to combat such threats. 

Read more on the operation: LockBit Takedown: What You Need to Know about Operation Cronos

To mitigate ransomware attacks, Kaspersky recommends implementing frequent backups, deploying robust security solutions and providing regular cybersecurity training to employees.

What’s hot on Infosecurity Magazine?