Analysis of LockBit 3.0 attacks and leaks reveals a number of similarities between this latest generation of the ransomware and the BlackMatter ransomware family, and sheds light on how the malware has been developed. The threat actors behind this ransomware also use a package from GitHub called Backstab. As the name implies, Backstab's primary function is to sabotage the tooling that security operations center analysts use to monitor suspicious activity in real time. The utility abuses Microsoft's own signed Process Explorer driver to terminate protected anti-malware processes and disable EDR utilities.
TAGS: lockbit, blackmatter, ransomware
MALWARE FAMILIES: LockBit, REvil, BlackMatter
ATT&CK IDs: T1027 - Obfuscated Files or Information, T1059 - Command and Scripting Interpreter, T1082 - System Information Discovery, T1106 - Native API, T1134 - Access Token Manipulation, T1140 - Deobfuscate/Decode Files or Information, T1490 - Inhibit System Recovery, T1562 - Impair Defenses, T1566 - Phishing, T1471 - Data Encrypted for Impact