Cybersecurity researchers at Kaspersky have uncovered evidence that cybercriminal groups are customizing the virulent LockBit 3.0 ransomware for targeted attacks against organizations worldwide.
This allows the threat actors to tailor the malware for maximum impact and effectiveness against specific targets.
The findings come from the researcher’s analysis of the leaked LockBit 3.0 builder, which first surfaced on underground forums in 2022.
This builder enables criminals to generate customized versions of the ransomware by configuring options like network spreading capabilities and defenses to disable.
“The leaked builder has significantly simplified the process of creating tailored ransomware variants,” stated Dmitry Bestuzhev, Director of Kaspersky’s Global Research and Analysis Team. “This opens up a new level of danger, especially if the attackers can obtain privileged credentials within the targeted network.”
Customized Attack Leaves Trail of Destruction
In one alarming incident response case, investigators found that the attackers had managed to steal plain text administrator credentials.
They then used the LockBit builder to generate a customized ransomware variant capable of spreading rapidly across the network using these stolen privileges.
The customized malware killed Windows Defender protections and erased event logs to cover its tracks before encrypting data across the compromised systems. Bestuzhev called it “a precision strike intended to maximize damage and cripple the victim.”
Researchers have identified similar customized LockBit attacks across Russia, Italy, Guinea-Bissau, and Chile in recent months. While most relied on default or slightly modified configurations, the incident involving stolen credentials demonstrates the potential devastation.
“We expect this trend to accelerate as more threat groups obtain access to the LockBit builder,” warned Bestuzhev. “Tailoring malware for specific targets makes attacks exponentially more potent.”
Calls for Increased Defensive Measures
The findings have cybersecurity experts urging organizations to enhance their defensive posture and incident response preparedness radically. Implementing multi-factor authentication, promptly installing patches, and maintaining strict credential hygiene policies are critical.
“The ability for criminals to customize ransomware strains to bypass existing protections is a gamechanger,” said Emily Pycroft, CEO of CyberSec Consultants in London. “Defending against these advanced threats requires a new mindset and proactive measures.”
As LockBit 3.0 continues spreading, the cybersecurity community is bracing for an escalation in high-impact, targeted ransomware attacks tailored to punch holes through organizational defenses. Rapid action may be necessary to stay ahead of the evolving threat.
Indicators of compromise
Host-based:
- 8138f1af1dc51cde924aa2360f12d650
- decd6b94792a22119e1b5a1ed99e8961
Network-based:
- update.centos-yum[.]com (199.231.211[.]19)
Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.
