Meet LockBit 5.0: Faster ESXi drive encryption, better at evading detection


- the Windows binary uses heavy obfuscation and packing: it loads its payload through DLL reflection while implementing anti-analysis techniques like Event Tracing for Windows (ETW) patching and terminating security services;
- the Linux variant maintains similar functionality, with command-line options for targeting specific directories and file types;
- the ESXi variant specifically targets VMware virtualization environments and is designed to encrypt entire virtual machine infrastructures in a single attack.

Damage done to an ESXi drive can be significant for an organization. Trend Micro notes that a single ESXi host often runs dozens of critical servers, so encrypting at the hypervisor level can take many business services down at once.

These new LockBit versions share key behaviors, including randomized 16-character file extensions, avoidance of Russian-language systems through geolocation checks, and event log clearing after encryption, Trend Micro says. The 5.0 version also shares code characteristics with LockBit 4.0, including identical hashing algorithms and API resolution methods, confirming this is an evolution of the original codebase rather than an imitation.

“Ransomware actors and their affiliates are regularly changing their TTPs [tactics, techniques, and procedures] nowadays to stay ahead of defenses as well as law enforcement,” said Jon Clay, Trend Micro’s vice-president of threat intelligence. “Organizations need to consider adopting newer cybersecurity models that get ahead of an attack by implementing a proactive approach versus the traditional detection and response reactive approach. Implementing a risk-based approach that can discover their entire attack surface, identify and prioritize the risks associated with these attack surfaces, and enable mitigating controls that can minimize their risk will go a long way in improving their security posture.”

After the February 2024 takedown of the LockBit infrastructure, a Russian national alleged to have been the administrator was indicted in the US, but is still at large. Five days later, the crew brought back new servers and restored admin panels for subscribers.

“But what happened behind the scenes is everybody bailed on them. The top affiliates don’t trust them, won’t work with them. It was really hard to work for LockBit. It got so bad he (the leader) was giving away access,” DiMaggio said, noting that a subscription that used to cost $10,000 plunged to $700. “He started lying and putting out fake victims [on the gang’s dark web site]” to show the gang’s reach hadn’t diminished.

It didn’t help that, earlier this year, someone leaked a file from LockBit’s affiliate panel database with details including over 4,400 victim negotiation messages.

Even the few victims that now get hit by LockBit aren’t paying out the way they used to. DiMaggio cited a case this year where a victim paid a mere $800 to get access back.

“It is not business as usual” for the gang, DiMaggio said. “Those $100 million years are long gone. But he’s trying to rebuild. That’s what this effort is. He’s trying to restore trust and lure people to come back and work for him, which is why he’s trying to make the profit-sharing with affiliates better and making the malware work a little bit faster.”

What should CSOs do now?

Asked what mistakes CSOs are making in the fight against ransomware, DiMaggio said many still believe that attacks start with phishing and social engineering. However, today gangs are focusing more on compromising IT infrastructure through poorly patched, publicly available servers and applications, as well as by getting into applications through brute-forced or stolen credentials.

Trend Micro says that to better protect ESXi drives, CSOs should treat virtualization as critical infrastructure and follow these guidelines:

- remove ESXi hosts from direct internet exposure; management consoles should sit behind a VPN, backed by strong role-based access control;
- keep ESXi patched and only use supported versions;
- require anyone with access to the vCenter management console to log in with multi-factor authentication;
- disable unused services such as SSH, and follow the vSphere Security Configuration Guide and VMware ransomware defense guidance;
- have teams hunt for hypervisor and lateral-movement attack precursors such as unusual admin logins, mass process termination, or snapshot manipulation.
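The last guideline, hunting for mass process termination and snapshot manipulation, can be turned into a simple burst detector. The following is an added example written for this page, not code from Trend Micro or CSO Online; the audit-line format (`<timestamp> user=<name> action=<verb> ...`) and the sample lines are constructed for illustration and do not reflect real ESXi log syntax.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical simplified format
# (not real ESXi/vCenter log syntax). One administrator removes many
# snapshots and kills many VMs within a few seconds, which is the
# kind of precursor burst the guidance above says to hunt for.
SAMPLE_LOG = """\
2025-09-25T02:10:01Z user=backup-svc action=snapshot.create target=vm-12
2025-09-25T02:10:09Z user=root action=login src=10.0.9.77
2025-09-25T02:10:15Z user=root action=snapshot.remove target=vm-01
2025-09-25T02:10:16Z user=root action=snapshot.remove target=vm-02
2025-09-25T02:10:17Z user=root action=snapshot.remove target=vm-03
2025-09-25T02:10:18Z user=root action=vm.kill target=vm-01
2025-09-25T02:10:19Z user=root action=vm.kill target=vm-02
2025-09-25T02:10:20Z user=root action=vm.kill target=vm-03
2025-09-25T02:10:21Z user=root action=vm.kill target=vm-04
2025-09-25T02:10:22Z user=root action=vm.kill target=vm-05
2025-09-25T03:00:00Z user=admin action=snapshot.remove target=vm-20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)")
# Actions treated as encryption precursors: snapshot deletion and VM termination.
PRECURSOR_ACTIONS = {"snapshot.remove", "vm.kill"}


def parse(lines):
    """Yield (timestamp, user, action) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["action"]


def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {user: peak_count} for users whose precursor actions within
    any sliding `window` reach `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)  # per-user timestamps inside the window
    alerts = {}
    for ts, user, action in parse(log_text.splitlines()):
        if action not in PRECURSOR_ACTIONS:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = max(alerts.get(user, 0), len(q))
    return alerts
```

Running `find_bursts(SAMPLE_LOG)` flags `root` with eight precursor actions inside one minute, while the single snapshot removal by `admin` and the routine `snapshot.create` by the backup account stay below the threshold.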

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4064250/meet-lockbit-5-0-faster-esxi-drive-encryption-better-at-evading-detection.html
