Corvus Threat Intel
LockBit 3.0 Experiences a Leak, BlackCat Upgrades, & Domain Shadowing
Insider threats hit LockBit 3.0, BlackCat upgrades, and domain shadowing is on the rise.
LockBit 3.0 Ransomware Software is Leaked
Insider threats aren’t just a problem for legitimate businesses. Threat actors also have to worry about the fallout from a disaffected employee. Just ask the LockBit ransomware gang, whose ransomware builder was leaked by a disgruntled developer. This comes on the heels of LockBit’s recent release of their updated ransomware program, LockBit 3.0. For the past year, LockBit has remained among the most active ransomware groups, while competitors such as Conti, REvil, and DarkSide have closed up shop. Internal fractures were part of the events leading to Conti’s demise, but whether this leak is an early indication that LockBit will suffer the same fate remains to be seen.
Why This Matters
Leaks like this are a double-edged sword. On one hand, this indicates trouble within the LockBit group. That’s something we should all celebrate. The release of the tool also gives security researchers a chance to examine the code and perhaps find flaws. On the other hand, anyone can use this leaked tool for their own operations. Lowering the barrier to entry for cybercriminals is never a good thing. This may spawn a number of lone-wolf ransomware attacks, or entirely new groups using the leaked LockBit tool. Organizations should prepare by regularly patching, implementing strong MFA, and building secure and resilient backups.
- LockBit ransomware builder leaked online by “angry developer” (BleepingComputer)
- Developer Leaks LockBit 3.0 Ransomware-Builder Code (DarkReading)
BlackCat Ransomware Upgrades Data Theft Capabilities
Operators of the BlackCat (ALPHV) ransomware have been hard at work upgrading their data theft capabilities. Researchers at Symantec reported that BlackCat’s data exfiltration tool, Exmatter, has recently undergone changes to include some of the following features:
- Targets specific types of data to steal (.pdf, .doc, .docx, .xls, .xlsx, .png, .jpg, .jpeg, .txt, .bmp, .rdp, .sql, .msg, .pst, .zip, .rtf, .ipt, .dwg)
- Creates an automated report on what data was stolen
- Can corrupt files that were processed
- Incorporates a “Self-destruct” function by quitting and deleting the program if it is executed outside of a Windows domain
In addition to these new features, much of the code was rewritten, likely to evade detection. These upgrades signal BlackCat’s focus on data theft in their ransomware operations. It was only a few weeks ago that we reported another BlackCat data theft innovation, when attackers made a searchable website for at least one victim’s stolen data.
Why This Matters
While most ransomware groups employ “double extortion” (encryption and data theft), they have been clumsy about handling the stolen data. Many groups have prioritized sheer volume but then struggle to know exactly what data they have taken. BlackCat is shifting to a more targeted approach in which they are focusing on specific file types likely to contain sensitive data. In addition, their tool’s report feature will enable them to quickly triage the list of stolen files to find the most impactful information. Organizations can protect themselves by deploying an EDR solution and monitoring network traffic, particularly for large outbound data transfers.
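The "large outbound data transfers" check above is easy to state and easy to get wrong: a flat byte threshold fires on every backup job and never on a quiet workstation that suddenly ships a few gigabytes. The script below is an added example (not part of the original post and not Symantec's or BlackCat's code) that scores each internal host's hourly egress against that host's own prior hours, so a host is flagged only when its outbound volume is both large in absolute terms and far above its normal. The flow-record format, the internal address ranges, the thresholds and the sample records are all constructed for the example; adapt the parser to your NetFlow, firewall or proxy export.

```python
"""Flag hosts whose hourly outbound volume is far above their own baseline.

Added example; the record format, address ranges, thresholds and sample flows
below are constructed assumptions, not data from the post or from any vendor.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Address space considered internal (assumed). Flows to anything else are egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: <timestamp> <src ip> <dst ip> <bytes sent by src>.
# 10.1.2.15 behaves normally for four hours, then pushes 2.4 GB to one host.
# 10.1.2.20 moves 3 GB, but to an internal backup server, plus a little egress.
SAMPLE_FLOWS = """\
2022-09-26T08:03:12Z 10.1.2.15 52.1.1.10 48213
2022-09-26T08:41:05Z 10.1.2.15 52.1.1.10 51990
2022-09-26T09:12:44Z 10.1.2.15 13.2.2.20 118004
2022-09-26T10:30:01Z 10.1.2.15 52.1.1.10 90112
2022-09-26T11:05:59Z 10.1.2.15 52.1.1.10 107777
2022-09-26T12:02:10Z 10.1.2.15 185.220.3.9 1200000000
2022-09-26T12:20:33Z 10.1.2.15 185.220.3.9 1200000000
2022-09-26T12:15:00Z 10.1.2.20 10.1.5.5 3000000000
2022-09-26T12:18:00Z 10.1.2.20 52.1.1.10 40000
"""


def parse_flows(text):
    """Parse the constructed space-separated format into (ts, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      ip_address(src), ip_address(dst), int(nbytes)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def hourly_egress(flows):
    """Sum bytes per internal source host per clock hour, counting only
    flows that leave the internal address space."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            hour = ts.replace(minute=0, second=0, microsecond=0)
            totals[str(src)][hour] += nbytes
    return totals


def flag_exfil(flows, abs_threshold=500_000_000, ratio=10.0):
    """Return one finding per (host, hour) whose egress is at least
    abs_threshold bytes AND at least `ratio` times the median of that host's
    earlier hours. A host with no history is judged on the absolute threshold
    alone, so a brand-new noisy host is still surfaced."""
    findings = []
    for host, buckets in hourly_egress(flows).items():
        for hour, nbytes in sorted(buckets.items()):
            if nbytes < abs_threshold:
                continue
            prior = [b for h, b in buckets.items() if h < hour]
            baseline = median(prior) if prior else None
            if baseline is None or nbytes >= ratio * baseline:
                findings.append({"host": host, "hour": hour.isoformat(),
                                 "bytes": nbytes, "baseline": baseline})
    return findings


if __name__ == "__main__":
    for finding in flag_exfil(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the sample data only 10.1.2.15 at 12:00 is reported: its 2.4 GB hour is roughly 23,000 times its median hour. The 3 GB transfer from 10.1.2.20 never enters the egress totals because the destination is internal, which is the distinction a flat byte threshold on all traffic would miss. In production, build the baseline from days rather than hours and key it on destination as well, since the staged transfer to a single new external host is the part of the Exmatter pattern worth alerting on.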
Domain Shadowing Becoming More Popular
Unit42 released a report detailing how domain shadowing is becoming a favorite technique for cybercriminals, detecting 12,197 instances between April and June 2022. So what is domain shadowing? Many “smart” security tools such as next-generation firewalls have made it harder for attackers to host criminal infrastructure (such as phishing pages or command and control) on their own domains without being blocked. So attackers instead compromise the DNS or registrar accounts of legitimate domains and quietly add malicious subdomains, pointing them at servers they control, where they host their criminal operations. For example, an attacker who gains control of the DNS for example.com might create subdomains such as authenticate.example.com or auth-5738.example.com to host phishing pages.
Domain shadowing leaves the legitimate website and its existing DNS records unchanged, so the domain owner sees nothing broken and may never notice the added records. Because the parent domain has a good reputation, attackers can slip past firewalls, blocklists, and email protection tools that score on the domain. A legitimate domain name is also more convincing to a victim landing on a phishing page, since they have no way of knowing the subdomain was added by an attacker.
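Because the existing records stay intact, the only reliable signal for the domain owner is the appearance of records that were never approved. The script below is an added example (not from the original post and not Unit42's tooling) of that check: it diffs a current zone export against an approved baseline and scores each new record by whether it points outside the organisation's own address space and whether its label is authentication-themed, the two traits of the authenticate.example.com / auth-5738.example.com pattern described above. The three-field zone format, the organisation's address range, the keyword list and both zone listings are constructed assumptions; a real run would feed it a BIND zone export from your DNS provider or a passive-DNS query for the zone.

```python
"""Diff a zone export against an approved baseline to surface shadowed subdomains.

Added example. Zone format, ORG_NETS, the keyword list and the sample zones are
constructed assumptions; adapt parse_zone() to your provider's export format.
"""
import re
from ipaddress import ip_address, ip_network

# Addresses the organisation legitimately serves from (assumed for the example).
ORG_NETS = [ip_network("203.0.113.0/24")]

# Labels attackers favour for credential-phishing hosts (assumed list).
SUSPICIOUS_LABELS = re.compile(r"(auth|login|secure|verify|account|sso|mfa|portal)", re.I)

# Constructed zones: "<name> <type> <value>", one record per line.
BASELINE_ZONE = """\
example.com A 203.0.113.10
www.example.com A 203.0.113.10
mail.example.com MX 10 mx.example.com
mx.example.com A 203.0.113.25
"""

CURRENT_ZONE = """\
example.com A 203.0.113.10
www.example.com A 203.0.113.10
mail.example.com MX 10 mx.example.com
mx.example.com A 203.0.113.25
authenticate.example.com A 198.51.100.77
auth-5738.example.com A 198.51.100.77
cdn-assets.example.com CNAME d111.cloudfront.example
blog.example.com A 203.0.113.30
"""


def parse_zone(text):
    """Return a set of (name, type, value) tuples; names are normalised."""
    records = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        name, rtype, value = line.split(maxsplit=2)
        records.add((name.lower().rstrip("."), rtype.upper(), value))
    return records


def in_org_space(value):
    """True when an address value falls inside ORG_NETS. Non-address values
    (CNAME / MX targets) are not addresses and return False."""
    try:
        return any(ip_address(value) in net for net in ORG_NETS)
    except ValueError:
        return False


def assess(name, rtype, value, known_names):
    """Score one record that is present now but absent from the baseline."""
    reasons = []
    external = (rtype == "A" and not in_org_space(value)) or rtype == "CNAME"
    themed = bool(SUSPICIOUS_LABELS.search(name.split(".")[0]))
    changed = name in known_names  # approved name now resolving somewhere new
    if changed:
        reasons.append("record for an approved name changed")
    else:
        reasons.append("name absent from approved baseline")
    if external:
        reasons.append("points outside the organisation's address space")
    if themed:
        reasons.append("authentication-themed label")
    if changed or (external and themed):
        severity = "high"
    elif external:
        severity = "medium"
    else:
        severity = "low"
    return {"name": name, "type": rtype, "value": value,
            "severity": severity, "reasons": reasons}


def find_shadow_candidates(baseline_text, current_text):
    """Every record in the current zone that the baseline does not approve,
    scored so the analyst looks at the auth-themed external hosts first."""
    baseline = parse_zone(baseline_text)
    current = parse_zone(current_text)
    known_names = {name for name, _, _ in baseline}
    return [assess(name, rtype, value, known_names)
            for name, rtype, value in sorted(current - baseline)]


if __name__ == "__main__":
    for finding in find_shadow_candidates(BASELINE_ZONE, CURRENT_ZONE):
        print(finding["severity"], finding["name"], "->", finding["value"], finding["reasons"])
```

On the sample zones the two auth-themed hosts pointing at 198.51.100.77 come back high, the new CNAME to a third party comes back medium (legitimate CDN onboarding looks the same, so it needs a human), and blog.example.com, which resolves inside the organisation's own range, comes back low. The baseline is the important input: keep it in change control alongside the DNS provider account, and treat any change that did not come through that process as the finding, regardless of where the record points.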
- Domain shadowing becoming more popular among cybercriminals (BleepingComputer)
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.