A new report from cybersecurity company Trellix’s Advance Research Center finds that the infamous ransomware gang LockBit has struggled to remain relevant after its supposed “takedown” by law enforcement and amid a rise of imposters and new ransomware groups.

Lockbit was targeted by an international operation first revealed in February, which saw its leak site — a site operated by LockBit where it threatens to expose and then publish stolen data from victims — taken offline. Later the same month, two alleged members of LockBit were arrested in Poland and Ukraine.

At the time, Europol, the European Union Agency for Law Enforcement Cooperation, claimed that “the months-long operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise.” But that was effective for a proverbial five minutes, with LockBit resuming operations on Feb. 26.

The Trellix report details LockBit’s activities since being temporarily interrupted in February, finding that there has been a notable surge in LockBit-related activity surrounding vulnerabilities in ScreenConnect. The vulnerabilities exist in ConnectWise Control, previously known as ScreenConnect, a remote support access and meeting solution that enables technicians to control computers or devices remotely to provide support.

But though Trellix researchers did find an uptick in LockBit activity, all may not have been what it seems, as other threat actors either impersonated LockBit or incorporated LockBit tools into their own cyberattack campaigns.

The LockBit imposters came about after the leaking of LockBit’s source code, which a report in August detailed was fueling new threat variants. Since that time, Trellix has observed numerous threat actors attempting to capitalize on it by impersonating LockBit ransomware and leveraging their well-known brand for their financial gain.

The report notes that the rise of impersonators is in part the result of the LockBit affiliate program — the program where hackers gain access to LockBit tools in return for LockBit taking a cut — presenting a challenge. Wannabe affiliates had to prove themselves and establish a reputation before gaining access. The leaked LockBit code provided an opportunity for threat actors to bypass LockBit itself to enter the scene, encrypt smaller enterprises and reap profits without meeting LockBit’s stringent requirements.

The leaked code is claimed to be used by LockBit’s competitors to undermine their reputation as they pretended to act on LockBit’s behalf while violating the LockBit ransomware-as-a-service rules. “By leveraging LockBit’s name and operating outside the established affiliate program rules, these actors sought to discredit LockBit RaaS and gain an advantage in the ransomware market,” the report notes.

The leaked code was also found to be being used by a number of new ransomware gangs. The groups were found to be either using the LockBit code as a basis for their own ransomware programs or were simply leveraging the LockBit 3.0 ransomware builder with minor modifications, such as changing the ransom note and specifying their own contact details.

“The emergence of imposters of LockBit and opportunistic ransomware groups utilizing the leaked LockBit builder highlighted the complexities of threat actor attribution and ongoing challenges posed by the widespread availability of ransomware,” the report concludes. “With tools and techniques of established ransomware families such as LockBit being readily accessible, threat actors can easily launch their own attack campaigns, posing a significant challenge for cybersecurity researchers and law enforcement agencies.”

Image: Bing Image Creator