Connecting the Dots Between LockBit 3.0 and BlackMatter?

There were implication previous about some putting similarities between LockBit 3.0 and BlackMatter ransomware, indicating a collaboration between the duo. Pattern Micro has studied extra round it and shared some main points.

Similarities between the 2 teams

Just lately, the LockBit 3.0 ransomware was once launched at the side of necessary novelties. Researchers from Pattern Micro noticed that a couple of parts of LockBit 3.0’s code are borrowed from the BlackMatter ransomware.

LockBit 3.0 plays API harvesting the use of hashing of API names of a DLL after which compares it to the listing of the APIs that the ransomware wishes. This regimen is the same to BlackMatter.
The privilege escalation and harvesting routines utilized by BlackMatter ransomware to spot APIs to hold out other actions also are very similar to that of LockBit 3.0.
Additional, the method of deletion of shadow copies utilized by each LockBit 3.0 and BlackMatter contains WMI by the use of COM gadgets. By contrast, the LockBit 2.0 model had used vssadmin[.]exe for deletion.

As well as, a researcher noticed any other LockBit 3.0 pattern on VirusTotal able to injecting a DLL inside of reminiscence with reflective loading the use of code, which is the same to BlackMatter’s PowerShell code.

Identical regimen jobs

BlackMatter and LockBit 3.0 carry out a number of regimen jobs in a similar way.

They each use the similar encryption set of rules and pointed information when encrypting .lnk information, amongst different issues.
Each BlackMatter and LockBit 3.0 use threading whilst the use of an API as a substitute of without delay calling an API.
Additional, each ransomware use a Base64-encoded hash string as an encrypted document title extension. Additionally, the ransom observe title, wallpaper, and icon names also are Base64-encoded hashes.

Key variations

But even so the entire aforementioned similarities, researchers additionally laid out some key variations between the 2 malware:

LockBit 3.0 makes use of an RSA public key added in its configuration and hashes it with MD5, whilst BlackMatter makes use of a MachineGUID hashed the use of the similar set of rules for APIs.
There’s a main distinction between their configuration flags; whilst BlackMatter comes with simplest 9 flags, LockBit 3.0 has 24.

Conclusion

The new document sheds gentle on a couple of similarities and a few variations between LockBit and BlackMatter teams. Nonetheless, there are top possibilities of participants of the the each gangs running and supporting every different. Organizations are urged to erect a multilayered method to harden their access issues reminiscent of an e-mail, endpoint, community, and internet.

Connecting the Dots Between LockBit 3.0 and BlackMatter? | Cyware Signals

Recommended For You

Palo Alto Networks Firewalls Focused for Mirrored, Amplified DDoS Assaults

Learn how to scale back your publicity & safe your information within the cloud in 5 fast tactics

The Hacking of Starlink Terminals Has Begun

Pictures: Black Hat USA 2022, phase 2

BlueSky Ransomware: Speedy Encryption by the use of Multithreading

Interpreting 0 Agree with Id and embracing its advantages

Leave a Reply Cancel reply

Related News

Apple releases iOS 16 beta 4. Here is what’s new

Russia-Ukraine Warfare Holds Cyberwar Classes

Has GOLD SOUTHFIELD resumed operations?

Browse by Category

66 W Flagler Street, suite 900 Miami, FL 33130

Are you sure want to unlock this post?

Are you sure want to cancel subscription?