05 April 2024

Lockbit: after the FBI, it’s time for imposters!


For several weeks now, a wave of attacks attributed to Lockbit has continued to appear in our daily watch.

These attacks, coming on the heels of Operation Cronos, which jeopardized the group’s business, suggest that Lockbit is back on track.

The Lockbit group has already given an interview following Operation Cronos indicating its return. An “Open Letter” (https://samples.vx-underground.org/tmp/Lockbit_Statement_2024-02-24.txt) has even been published explaining how law enforcement was able to gain access to servers and data.

New strains have been shared publicly, and we were able to analyze one of them.

SHA-256 hash:
9b5f1ec1ca04344582d1eca400b4a21dfff89bc650aba4715edd7efb089d8141

Our GLIMPS Malware tool correctly detected the ransomware, assigning it a high score and associating it with the Lockbit / BlackMatter families, i.e. Lockbit Black.

A ransom note is extracted.

This ransom note is different from the one used by the Lockbit group.

Indeed, certain elements, such as the email address jimyjoy139@proton.me or the bitcoin wallet 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2, are not listed as belonging to the group.

What’s more, the ransom note contains no links to the URLs known to be claimed by the Lockbit group, unlike what can be seen in one of the group’s own ransom notes.
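The comparison above (contact channel, wallet and links in the extracted note checked against what is known of the group) can be scripted for triage. The following is an added example, not GLIMPS tooling: it pulls email addresses, Bitcoin wallets and URLs out of a ransom note and compares them with a known-group profile. The sample notes and the profile are constructed; the only real values are the email and wallet from this article’s IOC list, and the .onion domain in the profile is a placeholder, not a real Lockbit address.

```python
import re
from dataclasses import dataclass

# Constructed sample note that reuses the Lockbit brand. Only the email and
# wallet values come from the article's IOC list; the rest is made up.
SAMPLE_IMPOSTER_NOTE = """\
Your files are encrypted by LockBit Black.
To contact us write to: jimyjoy139@proton.me
Pay to wallet: 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2
"""

# Constructed note in the style of a genuine group note (links to the group's
# claimed site, no ad-hoc mailbox). The domain is a placeholder, not a real one.
SAMPLE_GENUINE_STYLE_NOTE = """\
Your data are stolen and encrypted.
Open http://lockbit-leaksite-placeholder.onion/?id=ABC123 with Tor Browser.
"""

# Placeholder profile; a real one is populated from the group's verified leak-site
# addresses and contact channels. These values are constructed, not real IOCs.
KNOWN_LOCKBIT_PROFILE = {
    "emails": set(),
    "wallets": set(),
    "url_domains": {"lockbit-leaksite-placeholder.onion"},
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy (1...), P2SH (3...) and bech32 (bc1...) address shapes; Base58 excludes 0, O, I, l.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
# Explicit http(s) URLs or bare .onion hostnames.
URL_RE = re.compile(r"https?://\S+|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.onion\b", re.I)


@dataclass
class NoteIndicators:
    emails: set[str]
    wallets: set[str]
    urls: set[str]


def extract_indicators(note: str) -> NoteIndicators:
    """Extract contact emails, Bitcoin wallets and URLs from ransom note text."""
    emails = set(EMAIL_RE.findall(note))
    # Scrub emails first so their local part / domain are not re-matched as wallets or URLs.
    scrubbed = EMAIL_RE.sub(" ", note)
    wallets = set(BTC_RE.findall(scrubbed))
    urls = {u.rstrip(".,)").lower() for u in URL_RE.findall(scrubbed)}
    return NoteIndicators(emails, wallets, urls)


def assess_attribution(ind: NoteIndicators, profile: dict) -> dict:
    """Compare extracted indicators with the known-group profile and return a verdict."""
    matched = {
        "emails": ind.emails & profile["emails"],
        "wallets": ind.wallets & profile["wallets"],
        "urls": {u for u in ind.urls if any(d in u for d in profile["url_domains"])},
    }
    unknown = {
        "emails": ind.emails - profile["emails"],
        "wallets": ind.wallets - profile["wallets"],
    }
    matches = sum(len(v) for v in matched.values())
    if matches == 0 and (unknown["emails"] or unknown["wallets"]):
        verdict = "likely imposter: brand reused, but no channel, wallet or URL matches the group profile"
    elif matches and not any(unknown.values()):
        verdict = "consistent with the group's known profile"
    else:
        verdict = "mixed: partial overlap, review manually"
    return {"verdict": verdict, "matched": matched, "unknown": unknown}


if __name__ == "__main__":
    for label, note in (("imposter", SAMPLE_IMPOSTER_NOTE), ("genuine-style", SAMPLE_GENUINE_STYLE_NOTE)):
        result = assess_attribution(extract_indicators(note), KNOWN_LOCKBIT_PROFILE)
        print(f"{label}: {result['verdict']}")
```

The verdict is only a triage hint: an empty or stale profile produces "likely imposter" for every note, so the profile has to be maintained from verified sources before the output is trusted, and a "mixed" result always goes to an analyst.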

In 2022, the ransomware builder was leaked on GitHub, so it is quite likely that some actors are choosing to use it today.

Conclusion

If we look a little more closely, knowing the group’s history, we can deduce that this is one or more actors attempting to usurp the group’s name for malicious purposes.

So be wary of attribution.

IOCs:

Email: jimyjoy139@proton.me
Bitcoin wallet: 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2
SHA-256:
9b5f1ec1ca04344582d1eca400b4a21dfff89bc650aba4715edd7efb089d8141


Contact us to find out more: contact@glimps.re