LockBit, one of the world’s most prolific ransomware groups, has recently upgraded its operations with enhanced multiplatform functionality, according to cybersecurity experts at Kaspersky. LockBit gained notoriety for its relentless targeting of businesses globally, leaving a trail of financial and operational devastation in its wake. This recent report by Kaspersky showcases LockBit's determination to expand its reach and maximise the impact of its malicious activities.

In its early stages, LockBit operated without leak portals, double extortion tactics, or data exfiltration before encrypting victim data. However, the group has continuously developed its infrastructure and security measures to protect its assets against various threats, including attacks on its administration panels and disruptive distributed denial-of-service (DDoS) attacks.

The cybersecurity community has observed that LockBit is adopting code from other infamous ransomware groups, such as BlackMatter and DarkSide. This strategic move not only streamlines operations for potential affiliates but also broadens the range of attack vectors employed by LockBit. Recent findings from Kaspersky's Threat Attribution Engine (KTAE) show that LockBit incorporated approximately 25% of the code previously used by the now-defunct Conti ransomware gang, resulting in a new variant known as LockBit Green.

In a significant breakthrough, Kaspersky researchers uncovered a ZIP file containing LockBit samples specifically tailored to multiple architectures, including Apple M1, ARM v6, ARM v7, FreeBSD, and more. Through analysis and investigation using the KTAE, they confirmed that these samples originated from the LockBit Linux/ESXi version previously observed.

While some samples, like the macOS variant, require additional configuration and are not signed properly, it is evident that LockBit is actively testing its ransomware on various platforms, indicating an imminent expansion of its attacks. This development underscores the urgent need for robust cybersecurity measures across all platforms and for increased awareness within the business community.

“LockBit is a highly active and notorious ransomware group known for its devastating cyberattacks on businesses worldwide. With its continual infrastructure enhancements and incorporation of code from other ransomware gangs, LockBit poses a significant and evolving threat to organisations across various industries. It is imperative for businesses to reinforce their defenses, regularly update security systems, educate employees on cybersecurity best practices, and establish incident response protocols to effectively mitigate the risks posed by LockBit and similar ransomware groups,” comments Marc Rivero, senior security researcher at Kaspersky’s Global Research and Analysis Team.

Learn more about LockBit’s updated toolset on Securelist.

To protect yourself and your business from ransomware attacks, consider following the rules proposed by Kaspersky:

  • Always keep the software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
  • Focus your defense strategy on detecting lateral movements and data leaks to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
  • Activate ransomware protection on all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.
  • Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.
  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access to Kaspersky’s TI, providing cyberattack data and insights collected by our team over the last 20 years. To help businesses deliver effective defenses in these turbulent times, Kaspersky has announced it is providing access to independent, continuously updated and globally sourced information on current cyberattacks and threats free of charge.