1. LockBit 3.0

LockBit 3.0, the latest version of the ransomware, enhanced with BlackMatter capabilities https://www.trendmicro.com/ja_jp/research/22/h/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html

https://twitter.com/mbsdnews/status/1572657832981569538?s=20&t=tzVkKIgrvs9Dr37FfhJbMw

Someone has appeared claiming to have hacked the attack group "LockBit 3.0". Regarding the leaked set of tools they published, said to be the "builder", we confirmed that it can generate samples and perform encryption, and that its behaviour closely resembles LockBit 3.0; we are sharing the results of a brief investigation.

The LockBit 3.0 sample was found to be a Win32 .exe file with multiple sections packed by an unknown packer.

LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html

Victims: https://www.bleepingcomputer.com/news/security/french-hospital-hit-by-10m-ransomware-attack-sends-patients-elsewhere/#.YwVda20FmXU.twitter

1.1. Commentary

What is LockBit ransomware? https://www.kaspersky.co.jp/resource-center/threats/lockbit-ransomware

What kind of malware is LockBit 3.0? https://www.pcrisk.com/removal-guides/24242-lockbit-3-0-ransomware

Analysis of the relationship between LockBit 3.0 and BlackMatter https://iototsecnews.jp/2022/07/27/experts-find-similarities-between-new-lockbit-3-0-and-blackmatter-ransomware/

English version https://thehackernews.com/2022/07/experts-find-similarities-between.html

"A notable behaviour of this LockBit 3.0 is its file-deletion technique. Instead of executing a batch file or commands via cmd.exe to delete itself, it drops and executes a .tmp file decrypted from the binary. To prevent recovery by forensic tools and to erase its traces, this .tmp file overwrites the contents of the ransomware binary and then renames the binary repeatedly, using new file names based on the length of the original file name (including the extension)."
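The quoted passage describes a self-wiping sequence that leaves a recognisable pattern in file-activity telemetry: a process drops a .tmp file, the .tmp process overwrites the original binary, and the same file is then renamed several times with names of the original length. The following is an added detection-side example, not code from any of the linked reports or from the LockBit builder. It runs over a constructed, simplified JSON-lines file-activity log; the event schema (ts, pid, image, op, path, target), the paths and the process IDs are all assumptions and do not correspond to any real EDR or Sysmon format.

```python
"""Heuristic detector for the drop-.tmp / overwrite / repeated-rename self-wipe pattern.

Added example (not the page's or any vendor's code). The log format below is a
CONSTRUCTED simplification: one JSON object per line with the keys
ts, pid, image, op ("create" | "write" | "rename" | "delete"), path, and
target (for renames). Map your real telemetry onto these fields before use.
"""
import json
import ntpath  # handles Windows paths even when the script runs on Linux

# Constructed sample log: one self-wipe chain (pid 4242 -> 4300) and one
# benign installer that also drops a .tmp but never touches its own image.
SAMPLE_LOG = r"""
{"ts": 100.0, "pid": 4242, "image": "C:\\Users\\u\\payload.exe", "op": "create", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\a1.tmp"}
{"ts": 100.2, "pid": 4300, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\a1.tmp", "op": "write", "path": "C:\\Users\\u\\payload.exe"}
{"ts": 100.3, "pid": 4300, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\a1.tmp", "op": "rename", "path": "C:\\Users\\u\\payload.exe", "target": "C:\\Users\\u\\AAAAAAAAAAA"}
{"ts": 100.4, "pid": 4300, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\a1.tmp", "op": "rename", "path": "C:\\Users\\u\\AAAAAAAAAAA", "target": "C:\\Users\\u\\BBBBBBBBBBB"}
{"ts": 100.5, "pid": 4300, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\a1.tmp", "op": "rename", "path": "C:\\Users\\u\\BBBBBBBBBBB", "target": "C:\\Users\\u\\CCCCCCCCCCC"}
{"ts": 100.6, "pid": 4300, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\a1.tmp", "op": "delete", "path": "C:\\Users\\u\\CCCCCCCCCCC"}
{"ts": 200.0, "pid": 5000, "image": "C:\\Program Files\\Setup\\setup.exe", "op": "create", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\inst.tmp"}
{"ts": 200.5, "pid": 5100, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\inst.tmp", "op": "write", "path": "C:\\Program Files\\App\\app.dll"}
"""


def parse_events(text):
    """Parse the constructed JSON-lines log into a list of dicts ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_self_wipe(events, min_renames=3, window=60.0):
    """Return one finding per .tmp process that overwrote the binary which dropped it
    and then renamed that file at least `min_renames` times within `window` seconds.
    """
    dropped_by = {}  # tmp path -> (image of the process that created it, ts)
    state = {}       # tmp path -> tracking record for the chain it operates on

    for e in events:
        op, image, path = e["op"], e["image"], e["path"]

        # Step 1: remember which binary dropped each .tmp file.
        if op == "create" and path.lower().endswith(".tmp"):
            dropped_by[path] = (image, e["ts"])
            continue

        # Only events performed BY a previously dropped .tmp are interesting.
        origin = dropped_by.get(image)
        if origin is None:
            continue
        orig_binary, t0 = origin
        st = state.setdefault(image, {
            "pid": e["pid"], "original": orig_binary, "current": orig_binary,
            "overwritten": False, "renames": 0, "length_preserved": True, "first_ts": t0,
        })
        if e["ts"] - st["first_ts"] > window:
            continue
        # Follow the file through its renames: only ops on its current name count.
        if path != st["current"]:
            continue

        if op == "write":            # Step 2: contents of the dropper binary overwritten
            st["overwritten"] = True
        elif op == "rename":         # Step 3: repeated renames of the same file
            st["renames"] += 1
            target = e["target"]
            if len(ntpath.basename(target)) != len(ntpath.basename(st["original"])):
                st["length_preserved"] = False
            st["current"] = target

    findings = []
    for tmp, st in state.items():
        if st["overwritten"] and st["renames"] >= min_renames:
            findings.append({
                "tmp": tmp, "pid": st["pid"], "original": st["original"],
                "renames": st["renames"],
                "name_length_preserved": st["length_preserved"],  # matches the described naming scheme
            })
    return findings


if __name__ == "__main__":
    for f in detect_self_wipe(parse_events(SAMPLE_LOG)):
        print("self-wipe chain:", f)
```

The rename chain is followed by file identity (the current name), not by process, so the benign installer that drops a .tmp and writes an unrelated DLL produces no finding. `name_length_preserved` is reported rather than required, because the naming detail in the quoted passage may change between builds while the overwrite-then-rename sequence is the more stable signal.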

What Is the LockBit 3.0 Ransomware and What Can You Do About It? https://www.makeuseof.com/what-is-lockbit-ransomware-what-can-you-do-about-it/

https://www.darkreading.com/attacks-breaches/lockbit-3.0-improved-malware-gang-top

LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top

Robert Lemos Contributing Writer, Dark Reading July 27, 2022

Reverse-engineering the latest ransomware executables from the group behind LockBit shows that the developers have added capabilities from other popular attack tools and are actively working to improve LockBit's anti-analysis capabilities, according to researchers.

Major Improvements for LockBit 3.0

The changes to the latest version of the LockBit ransomware include functions that collect system APIs as a way to use legitimate functions as part of its attack and extensive — albeit fairly simple — encryption of configuration data and code, according to Trend Micro's advisory.

Perhaps most notably, a major addition to LockBit 3.0 is a set of features to slow down or prevent reverse engineering. The program includes, for example, a password required to decrypt the main body of executable code and a feature that attempts to crash debuggers.

"They pride themselves on their ability to regularly update their ransomware and ransomware-as-a-service offerings," says Trend Micro's Clay. "There are a lot more obfuscation capabilities in 3.0, and they put in a lot of features that try to minimize how much analysts and researchers can discover about their code."

Meanwhile, the adoption of BlackMatter tactics is unsurprising, given that both LockBit and BlackMatter are Russia-linked groups and cybercriminals are increasingly moving between groups.

LockBit ransomware upgraded from version 2.0 to 3.0

https://cybersecurity-info.com/column/2-0%E3%81%8B%E3%82%893-0%E3%81%B8%E3%83%90%E3%83%BC%E3%82%B8%E3%83%A7%E3%83%B3%E3%82%A2%E3%83%83%E3%83%97%E3%81%97%E3%81%9Flockbit%E3%83%A9%E3%83%B3%E3%82%B5%E3%83%A0%E3%82%A6%E3%82%A7%E3%82%A2/



Moin2Qmail: Security/ransomware/Lockbit3.0 (last edited 2022-09-28 07:59:40 by ToshinoriMaeno)