
LockBit Developing Ransomware for Apple’s M1 Chips and Embedded Systems


The notorious ransomware group known as LockBit appears to be expanding its operations by developing ransomware for new architectures, moving away from targeting Windows systems. This development could potentially present entirely new challenges and problems for the victims of LockBit’s attacks.

In a blog post published on June 22, Kaspersky researchers described a .ZIP file containing a collection of LockBit malware samples. These samples were derived from LockBit's earlier encryptor variants that specifically targeted VMware ESXi hypervisors. The new samples, however, were built for FreeBSD and Linux, in line with the growing trend among ransomware actors to target those operating systems. The samples also targeted various embedded technologies, including firmware for CPUs with different instruction set architectures (ISAs) such as ARM, MIPS, ESA/390 and PowerPC. Even Apple's M1 chip, an ARM-based system-on-chip (SoC) used in Mac and iPad devices, was included as a target.

Upon analysis, Kaspersky noted that these samples were a work in progress. For example, the macOS sample was unsigned, so it could not be executed as is. Furthermore, the string encryption method used was quite simple, employing a basic one-byte XOR technique. Despite these limitations, if these new ransomware variants eventually make it into the wild, they could still prove useful to LockBit as it attempts to remain relevant in the highly competitive ransomware-as-a-service (RaaS) marketplace.
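The one-byte XOR string obfuscation mentioned above is weak precisely because an analyst can try all 256 keys and pick the one that yields readable text. The following is an added illustration of that analysis step, not code from Kaspersky or from any LockBit sample; the encoded blob, the key 0x5A and the embedded strings are constructed for the example, and the readability scoring is a simple heuristic of my own.

```python
# Recover strings hidden with a single-byte XOR key by brute force.
# Added example: the sample blob below is constructed, not taken from real malware.

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)

def readability_score(data: bytes) -> int:
    """Heuristic: lowercase letters, spaces and NUL separators (typical of
    C string tables) score 2, other printable ASCII 1, anything else -10."""
    s = 0
    for b in data:
        if b == 0 or b == 0x20 or 0x61 <= b <= 0x7A:
            s += 2
        elif 0x20 <= b <= 0x7E:
            s += 1
        else:
            s -= 10
    return s

def recover_key(blob: bytes):
    """Try all 256 keys and return (key, plaintext) for the most readable
    candidate. Ties resolve to the lowest key."""
    best_key = max(range(256),
                   key=lambda k: readability_score(xor_single_byte(blob, k)))
    return best_key, xor_single_byte(blob, best_key)

def extract_strings(data: bytes, min_len: int = 6):
    """Return runs of printable ASCII of at least min_len, like `strings`."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

# Constructed sample: a NUL-separated string table encoded with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"/etc/passwd\x00README.txt\x00example.conf\x00"
SAMPLE_BLOB = xor_single_byte(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x}", extract_strings(plain))
```

In practice the same loop is run over the suspect binary's data section; the readability heuristic is what separates the real key from the 255 wrong ones.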

According to Jason Baker, a threat intelligence analyst at GuidePoint Security, LockBit’s decision to develop ransomware for new architectures could ultimately benefit them in the long run, despite the additional costs and potentially lower volume of targets. In a crowded marketplace, such differentiating behavior could help LockBit stand out and attract both talent and targets.

LockBit stepped into the spotlight after the demise of the Conti ransomware group, becoming one of the premier ransomware gangs in the world. However, there has been a noticeable decline in LockBit’s activity in recent months. While the overall ransomware industry has seen a rise in attacks, LockBit reported 30% fewer victims compared to the previous month. It is unclear whether the decline in activity was due to the group dedicating extra time and resources to developing its new malware or if the development of new malware is a response to its declining success.

Regardless, the emergence of LockBit’s new direction is cause for concern for defenders. Security analysts have already raised alarms about vulnerabilities in various embedded devices, including Android SoCs and Apple’s M1 chip. Exploiting vulnerabilities in these specialized systems can pose unique challenges for ransomware developers. For example, embedded systems and IoT devices often have limited processing power, resource constraints, and specific hardware configurations. Ransomware designed for SoCs needs to be tailored to these limitations and adapted to the specialized environment.

Callie Guenther, a cyber threat research senior manager at Critical Start, highlights the need for attackers to adapt their payload delivery, execution, and evasion techniques to the specialized firmware and customized operating systems running on SoCs. This adds another layer of complexity and requires exploiting specific vulnerabilities or weaknesses within the firmware or system architecture to gain control over the device and encrypt its data.

Baker suggests that targeting SoCs, such as Apple silicon, that are not typically targeted by other ransomware groups could be a way for LockBit to differentiate itself and enhance its brand strength and prestige. As a larger and more advanced ransomware group, LockBit has the expertise and resources to tackle these challenges, and developing a unique capability not available elsewhere would solidify its position as a pioneer in the RaaS ecosystem.

Ransomware attacks on embedded technologies are particularly concerning because these systems are often overlooked and harder to protect compared to traditional operating systems like Windows. Many enterprises heavily focus their security efforts on Windows, neglecting other server and embedded operating systems that may coexist within the same network. This makes alternate platforms an effective way for attackers to evade existing defenses.

Adam Pennington, the project leader for MITRE, explains that organizations must consider a diverse set of operating systems and architectures when securing their networks, not just Windows systems. Failure to do so can leave organizations vulnerable to attacks that target less visible and easily overlooked systems. Pennington emphasizes that almost everyone is running some number of systems with non-Windows operating systems and chips, even if they are not aware of it.

In conclusion, LockBit’s move to develop ransomware for new architectures signifies a new direction for the group and could pose significant challenges for defenders and victims alike. Targeting embedded technologies and specialized systems requires a unique approach and the exploitation of specific vulnerabilities. By venturing into this uncharted territory, LockBit aims to differentiate itself in the ransomware landscape and maintain its relevance in the RaaS ecosystem. To mitigate the risks associated with embedded ransomware, organizations must expand their security efforts beyond traditional operating systems and consider the diverse set of operating systems and architectures present in their networks.
