Lockbit 3.0 has BlackMatter ransomware code, wormable traits

LockBit 3.0 or 'LockBit Black' includes anti-debugging capabilities, the ability to delete Volume Shadow Copy files and the potential ability to self-spread via legitimate tools.

The latest version of the LockBit ransomware strain contains new capabilities and utilizes features of another prominent ransomware, BlackMatter, according to Sophos research published Wednesday.

Sophos said it analyzed multiple incidents utilizing the latest version of LockBit, referred to as LockBit 3.0 or "LockBit Black." The original LockBit ransomware was first observed in mid-2019, with an upgraded 2.0 version discovered last year. Version 3.0 was initially tracked earlier this year. Most recently, source code for the new variant was leaked in September.

Perhaps most notably, LockBit 3.0 appears to have multiple features originally present in BlackMatter, another ransomware-as-a-service strain that was first tracked last year. SophosLabs principal researcher Andrew Brandt, who authored Sophos' research blog, wrote that the security vendor "found a number of similarities which strongly suggest that LockBit 3.0 reuses code from BlackMatter."

Among them include the ability to send ransom notes to a network printer, the ability to delete Volume Shadow Copy files, a method for determining which version a victim operating system uses and multiple anti-debugging features.

Brandt noted that other researchers have speculated about a BlackMatter coder being recruited by LockBit, but that whatever the case, "it's not uncommon for ransomware groups to interact, either inadvertently or deliberately."

"These findings are further evidence that the ransomware ecosystem is complex, and fluid," Brandt wrote. "Groups reuse, borrow, or steal each other's ideas, code, and tactics as it suits them. And, as the LockBit 3.0 leak site (containing, among other things, a bug bounty and a reward for 'brilliant ideas') suggests, that gang in particular is not averse to paying for innovation."

Other LockBit 3.0 features include experimentation with wormable capabilities. allowing it to self-spread and move laterally across victim computers without any actions from affiliate hackers. The blog post highlighted leaked data from the LockBit operation that showed how the latest version used Windows Group Policy Objects or the PSExec utility tool to potentially move through an environment without manual operations. Sophos discovered additional features designed to make it difficult for researchers to analyze the code.

"In some cases, it now requires the affiliate to use a 32-character 'password' in the command line of the ransomware binary when launched, or else it won't run, though not all the samples we looked at required the password," Brandt wrote.

It's unclear how the BlackMatter code ended up in LockBit 3.0. Brandt told TechTarget Editorial in an email that there's no way to know for sure.

"We can't know whether the code was stolen or sold or if a programmer who worked for one team picked up their library of tricks and moved to another team," he wrote. "What's pretty clear is that not only are the functions really close to one another in behavior, but that they look almost identical (with some minor improvements, in some cases) in the source code themselves. That isn't an accident. But there's no way for us to know how it ended up in the hands of the newer ransomware."

Regarding LockBit 3.0 deployment, the blog post also noted that threat actors are "becoming very difficult to distinguish from the work of a legitimate penetration tester" thanks to the use of Cobalt Strike and other tools, like the security monitoring-sabotaging tool Backstab.

Google recently introduced new YARA rules intended to combat malicious Cobalt Strike use. Brandt said that while they are helpful to combat penetration testing-like behavior, YARA rules are not enough on their own.

"Long term, YARA rules are just one tool in the defender's toolbox but the rules are just rules, and you'd need to have software that can interpret those rules and use them to find malicious activity," he told TechTarget Editorial. "They also are very good but aren't perfect, and threat actors have the advantage of being able to download them as well, and look for ways to get around those rules. Defenders, unfortunately, are going to always play a bit of 'catch-up' with these folks."

LockBit has grown to be one of the most prominent strains in recent years in part thanks to it being a popular ransomware-as-a-service choice for affiliates. According to research published this month by Intel 471, LockBit was the most prominent strain tracked this quarter, with 3.0 becoming the dominant variant.

Brandt told TechTarget Editorial that LockBit 3.0 is the only version of the ransomware currently being used and that "we're not seeing any other older versions in use right now.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Threat detection and response