
Modularity advances LockBit 5.0 ransomware

The highly prolific LockBit ransomware-as-a-service gang has bolstered its operations with the new LockBit 5.0 variant, which features increased modularity despite being mostly based on the LockBit 4.0 codebase, according to Cyber Security News.

Improved sophistication exhibited by LockBit 5.0 is apparent in its two-stage execution model, which begins with the use of a covert loader for persistence, a report from Flashpoint revealed. After leveraging control flow obfuscation for dynamic execution path calculation, the loader proceeds to use a hashing algorithm to dynamically resolve API calls before reloading core library copies to evade security tools.

Attackers then used the loader to craft a suspended defrag.exe instance, which triggered the second stage involving decrypted payload delivery. Installation of the payload via process hollowing was followed by an instruction pointer update and subsequent in-memory execution, said researchers, who noted that the entire process remained undetected by security systems.
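
One way to hunt for the defrag.exe hollowing step described above in endpoint telemetry, added here as an example and not taken from the Flashpoint report: it correlates Sysmon ProcessCreate (Event ID 1) and ProcessTampering (Event ID 25, type "Image is replaced") records by ProcessGuid. The sample events, the expected-parent list and the function names are constructed assumptions to be tuned per environment.

```python
# Constructed Sysmon-style records (not real telemetry). Field names follow
# Sysmon Event ID 1 (ProcessCreate) and Event ID 25 (ProcessTampering).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A-1}", "Image": r"C:\Windows\System32\defrag.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ProcessGuid": "{A-2}", "Image": r"C:\Windows\System32\defrag.exe",
     "ParentImage": r"C:\Users\Public\updater.exe"},
    {"EventID": 25, "ProcessGuid": "{A-2}", "Image": r"C:\Windows\System32\defrag.exe",
     "Type": "Image is replaced"},
    {"EventID": 1, "ProcessGuid": "{A-3}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumption: parents treated as normal for defrag.exe here; adjust to local baselines.
EXPECTED_PARENTS = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\dfrgui.exe"}
TARGET = "defrag.exe"

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_hollowing_candidates(events):
    """Score defrag.exe processes on two independent signals and return findings."""
    created = {}      # ProcessGuid -> ProcessCreate record for defrag.exe
    tampered = set()  # ProcessGuids whose mapped image was replaced after creation
    for ev in events:
        if basename(ev.get("Image", "")) != TARGET:
            continue
        if ev.get("EventID") == 1:
            created[ev["ProcessGuid"]] = ev
        elif ev.get("EventID") == 25 and ev.get("Type") == "Image is replaced":
            tampered.add(ev["ProcessGuid"])
    findings = []
    for guid in sorted(set(created) | tampered):
        reasons = []
        parent = created.get(guid, {}).get("ParentImage")
        if parent and parent.lower() not in EXPECTED_PARENTS:
            reasons.append("unexpected parent: " + parent)
        if guid in tampered:  # still reported when the create event was missed
            reasons.append("image replaced in memory")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append({"ProcessGuid": guid, "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_hollowing_candidates(SAMPLE_EVENTS):
        print(finding)
```

Either signal alone yields a medium finding; both together on the same ProcessGuid yield a high one.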
