LockBit ransomware (how to handle the LockBit ransomware)

LockBit ransomware 3.0, how to handle the LockBit ransomware

Cybersecurity researchers have reiterated similarities between the latest iteration of the LockBit ransomware and BlackMatter, a rebranded variant of the DarkSide ransomware strain that closed shop in November 2021.


The new version of LockBit, called LockBit 3.0 (aka LockBit Black), was released in June 2022, launching a brand new leak site and what is the very first ransomware bug bounty program, alongside Zcash as a cryptocurrency payment option.


Its encryption process involves appending the extension "HLJkNskOq" or "19MqZqZ0s" to each and every file and changing the icons of the locked files to that of the .ico file that's dropped by the LockBit sample to kick-start the infection.

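An added incident-response triage helper, not code from the Trend Micro report or The Hacker News article, that uses the two appended extensions named above to recover original file names from a file listing and flag directories with a high share of encrypted files. The sample listing is constructed, and the 50% flagging threshold is an assumption.

```python
import os
from collections import defaultdict

# Extensions the report says LockBit 3.0 appends to every encrypted file.
LOCKBIT3_EXTENSIONS = ("HLJkNskOq", "19MqZqZ0s")


def split_lockbit_marker(path):
    """Return (original_path, marker) if the path carries a LockBit 3.0 extension,
    else (path, None). The marker is appended after the original extension, so
    'q1.xlsx.HLJkNskOq' -> ('q1.xlsx', 'HLJkNskOq')."""
    base, dot, ext = path.rpartition(".")
    if dot and ext in LOCKBIT3_EXTENSIONS:
        return base, ext
    return path, None


def triage_listing(paths, threshold=0.5):
    """Group a file listing by directory and flag directories where at least
    `threshold` (assumed 50%) of the files carry a LockBit 3.0 marker.
    Returns directory -> {"total", "encrypted", "originals", "flagged"}."""
    stats = defaultdict(lambda: {"total": 0, "encrypted": 0, "originals": []})
    for p in paths:
        directory = os.path.dirname(p) or "."
        original, marker = split_lockbit_marker(p)
        entry = stats[directory]
        entry["total"] += 1
        if marker:
            entry["encrypted"] += 1
            entry["originals"].append(os.path.basename(original))
    for entry in stats.values():
        entry["flagged"] = entry["total"] > 0 and entry["encrypted"] / entry["total"] >= threshold
    return dict(stats)


# Constructed sample listing (not real victim data) mixing both markers with untouched files.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/q1.xlsx.HLJkNskOq",
    "C:/Users/alice/Documents/notes.txt.HLJkNskOq",
    "C:/Users/alice/Documents/desktop.ini",
    "C:/Shares/finance/ledger.db.19MqZqZ0s",
    "C:/Shares/finance/readme.md",
    "C:/Windows/System32/kernel32.dll",
]

if __name__ == "__main__":
    for directory, entry in triage_listing(SAMPLE_LISTING).items():
        state = "FLAGGED" if entry["flagged"] else "ok"
        print(f"{state:7} {directory}: {entry['encrypted']}/{entry['total']} encrypted")
```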

"The ransomware then drops its ransom note, which references 'Ilon Musk' and the European Union's General Data Protection Regulation (GDPR)," Trend Micro researchers said in a Monday report. "Lastly, it changes the wallpaper of the victim's machine to inform them of the ransomware attack."


LockBit's extensive similarities to BlackMatter come from overlaps in the privilege escalation and harvesting routines used to identify APIs required to terminate processes and other functions as well as the use of anti-debugging and threading techniques designed to thwart analysis.


Also of note is its use of a "-pass" argument to decrypt its main routine, a behavior seen in another defunct ransomware family named Egregor, effectively making the binary harder to reverse if the parameter is not available.



In addition, LockBit 3.0 is designed to check the victim machine's display language to avoid compromising systems associated with the Commonwealth of Independent States (CIS) states.


"One notable behavior for this third LockBit version is its file deletion technique: Instead of using cmd.exe to execute a batch file or command that will perform the deletion, it drops and executes a .tmp file decrypted from the binary," the researchers said.


This .tmp file then overwrites the contents of the ransomware binary and then renames the binary several times, with the new file names based on the length of the original file name, including the extension, in an attempt to prevent recovery by forensic tools and cover its tracks.


The findings come as LockBit has emerged as the most active ransomware-as-a-service (RaaS) group in 2022, with the most recent alleged victim being the Italian Internal Revenue Service (L'Agenzia delle Entrate).


According to Palo Alto Networks' 2022 Unit 42 Incident Response Report, published today and based on 600 cases handled between May 2021 and April 2022, the ransomware family accounted for 14% of the intrusions, second only to Conti at 22%.



The development also highlights the continued success of the RaaS business model, lowering the barrier to entry for extortionists and expanding the reach of ransomware.


Check Point's analysis of cyberattack trends for Q2 2022 shows that the weekly average of organizations impacted by ransomware reached one in 40, a 59% increase year over year from one in 64 organizations in Q2 2021.


"Latin America has seen the largest increase in attacks, spotting one out of 23 organizations impacted weekly, a 43% increase YoY, compared to one out of 33 in Q2 2021, followed by Asia region that has seen a 33% increase YoY, reaching one out of 17 organizations impacted weekly," the Israeli cybersecurity firm said.


When the people no longer fear authority, a greater terror will come upon them.

(Tao Te Ching, Chapter 74)

This article is translated from:

https://thehackernews.com/2022/07/experts-find-similarities-between.html

If you repost this, please credit the original URL.

The translation is of limited quality :(

Where the wording is ambiguous, the original text takes precedence :)