Earlier reports had implied some striking similarities between the LockBit 3.0 and BlackMatter ransomware families, suggesting a collaboration between the two groups. Trend Micro has studied the matter further and shared some details.

Similarities between the two groups

Recently, the LockBit 3.0 ransomware was released with notable new features. Researchers from Trend Micro observed that multiple portions of LockBit 3.0's code are borrowed from the BlackMatter ransomware.
  • LockBit 3.0 performs API harvesting by hashing the API names of a DLL and comparing the hashes against the list of APIs the ransomware needs. This routine is identical to BlackMatter's.
  • The privilege escalation and harvesting routines that BlackMatter uses to identify the APIs needed for its various activities are likewise similar to those of LockBit 3.0.
  • Further, both LockBit 3.0 and BlackMatter delete shadow copies through WMI via COM objects, whereas LockBit 2.0 had used vssadmin[.]exe for deletion.
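As an added example (not from Trend Micro's report or this article), the Python below runs simple command-line detections over constructed Sysmon-style process-creation events. It catches the vssadmin[.]exe route that LockBit 2.0 used and the usual scripted WMI routes; a deletion performed through in-process COM calls to WMI, as described for LockBit 3.0 and BlackMatter, leaves no such command line and must be caught with WMI-activity or EDR telemetry instead.

```python
import re

# Constructed sample events with Sysmon Event ID 1 field names.
# These are made up for the example, not telemetry from any real sample.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\Temp\x.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
     "ParentImage": r"C:\Windows\Temp\x.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",       # benign: listing, not deleting
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": "agent.exe --snapshot",             # benign backup agent
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Each rule is (name, pattern over the command line). Case-insensitive because
# Windows command lines are, and operators vary their casing.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wmi_shadowcopy_delete_scripted",
     re.compile(r"win32_shadowcopy.*(\.delete\(|remove-wmiobject)", re.I)),
]


def classify(event):
    """Return the name of the first rule matching the event's command line, or None."""
    cmd = event.get("CommandLine", "")
    for name, pattern in RULES:
        if pattern.search(cmd):
            return name
    return None


def detect(events):
    """Return [(rule_name, command_line)] for every event that matches a rule."""
    hits = []
    for ev in events:
        name = classify(ev)
        if name:
            hits.append((name, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"{name}: {cmd}")
```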

In addition, a researcher spotted another LockBit 3.0 sample on VirusTotal that can inject a DLL into memory via reflective loading, using code identical to BlackMatter's PowerShell code.

Same routine jobs

BlackMatter and LockBit 3.0 perform several routine jobs in a similar fashion.
  • They both use the same encryption algorithm and the same handling of pointed files when encrypting .lnk files, among other things.
  • Both BlackMatter and LockBit 3.0 use threading when invoking an API instead of calling the API directly.
  • Further, both ransomware families use a Base64-encoded hash string as the encrypted file name extension. Moreover, the ransom note name, wallpaper, and icon names are also Base64-encoded hashes.

Key differences

Besides the similarities above, the researchers also laid out some key differences between the two malware families:
  • LockBit 3.0 uses an RSA public key added in its configuration and hashes it with MD5, while BlackMatter uses a MachineGUID hashed using the same algorithm for APIs.
  • There is a major difference in their configuration flags: BlackMatter comes with only nine flags, whereas LockBit 3.0 has 24.

Conclusion

The recent report sheds light on multiple similarities and a couple of differences between the LockBit and BlackMatter groups. Still, there is a high chance that members of both gangs are working together and supporting each other. Organizations are advised to adopt a multilayered approach to harden their entry points, such as email, endpoints, the network, and the web.
Cyware Publisher