- the Windows binary uses heavy obfuscation and packing: it loads its payload through DLL reflection while implementing anti-analysis techniques like Event Tracing for Windows (ETW) patching and terminating security services;
- the Linux variant maintains similar functionality with command-line options for targeting specific directories and file types;
- the ESXi variant specifically targets VMware virtualization environments, and is designed to encrypt entire virtual machine infrastructures in a single attack.
Damage done to an ESXi drive can be significant for an organization. Trend Micro notes that a single ESXi host often runs dozens of critical servers. Encrypting at the hypervisor level can take many business services down at once.
These new LockBit versions share key behaviors, including randomized 16-character file extensions, Russian language system avoidance through geolocation checks, and event log clearing post-encryption, Trend Micro says. The 5.0 version also shares code characteristics with LockBit 4.0, including identical hashing algorithms and API resolution methods, confirming this is an evolution of the original codebase rather than an imitation.
“Ransomware actors and their affiliates are regularly changing their TTPs [tactics, techniques, and procedures] nowadays to stay ahead of defenses as well as law enforcement,” said Jon Clay, Trend Micro’s vice-president of threat intelligence. “Organizations need to consider adopting newer cybersecurity models that get ahead of an attack by implementing a proactive approach versus the traditional detection and response reactive approach. Implementing a risk-based approach that can discover their entire attack surface, identify and prioritize the risks associated with these attack surfaces, and enabling mitigating controls that can minimize their risk will go a long way in improving their security posture.”
