cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

LockBit developing 4.0 encryptor at time of global takedown

Developers for the now crippled LockBit ransomware group were reportedly developing a secret new encryptor that would have bolstered its future capabilities.

user icon Daniel Croft
Fri, 23 Feb 2024
LockBit developing 4.0 encryptor at time of global takedown
expand image

LockBit ransomware was taken down this week when a campaign by a global alliance of law enforcement agencies dubbed Operation Cronos, led by the UK’s National Crime Agency and the FBI, took control of the group’s dark web leak site, following which arrests were made, servers and crypto accounts were seized and more.

What would have been the new encryptor was known as LockBit-NG-Dev and would later likely have been renamed LockBit 4.0, marking the group’s evolution from its current LockBit 3.0 and former LockBit 2.0 and so forth.

The new encryptor is written in .NET, compiled with CoreRT and packed with MPRESS, unlike 3.0, which was built in C/C++.

According to a report by Trend Micro, observed by BleepingComputer, the new encryptor was still lacking some of the features in the previous malware versions, such as printing ransomware notes on victim printers and being able to self-propagate on affected networks; it was in its final development stages and offered most functions.

“Like past versions, it still has an embedded configuration that dictates the routines it can perform,” wrote Trend Micro in its technical report.

“The configuration, which is in JSON format, is decrypted at runtime and includes information like date range for execution, the ransom note filename and content, unique IDs for the ransomware, the RSA public key, and some other flags and lists for its other routines.”

The report added that the malware supports three types of encryption:

  • Fast encrypts the first 0x1000 bytes of the file (files listed in Fast Set will use Buffersize value to determine the size to encrypt).
  • Intermittent only encrypts a certain percentage of the file based on the value set in the configuration under the Percent field. Also, the field Segmentation determines the distance between encrypted blocks.
  • Full encrypts the whole file.”

With the discovery of the new encryptor, LockBit’s chances at recovery take another blow. Many industry experts believe the group will be forced into a rebrand.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.