Analysis of LockBit Ransomware v2.0

Community Feature - @cPeterr

Curated Intelligence member Chuong Dong has shared the findings of his reverse-engineering work on version 2.0 of the infamous LockBit ransomware family in a new blog post. Most notably, Dong concludes that "LockBit is definitely the most sophisticated ransomware I have taken a look at".

https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/

Dong's analysis shows that LockBit encrypts files with a hybrid cryptography scheme that combines Libsodium's Curve25519-XSalsa20-Poly1305-Blake2b public-key construction with AES-128-CBC. The malware's configuration is XOR-encrypted and stored in static memory, so it has to be decoded before it can be read. Like REvil and BlackMatter, LockBit's child threads share a structure that divides the encryption of a single file into multiple states. This elaborate multithreading architecture makes LockBit's encryption relatively fast compared to most ransomware in the wild.
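As an added illustration of the XOR-encrypted configuration mentioned above (this is example code written for this feature, not LockBit's code and not taken from Dong's write-up), the following Python recovers a repeating XOR key from a carved blob using a known-plaintext crib and a periodicity check, then decodes the configuration. The blob, the 4-byte key, the `key=value` layout and the `extension=` crib are all constructed assumptions; the real sample's key, key length and layout are documented in the linked analysis.

```python
"""Recovering a XOR-encrypted configuration blob with a known-plaintext crib.

Added example for this feature; it is not LockBit code and not from Dong's
write-up. The config text, the 4-byte repeating key and the key=value layout
are constructed for illustration only.
"""
from __future__ import annotations

from itertools import cycle

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed plaintext config; nothing in it comes from a real sample.
FAKE_CONFIG = (
    b"campaign=demo-0042\n"
    b"extension=.demo_locked\n"
    b"note_name=Restore-My-Files.txt\n"
    b"skip_dirs=Windows;Program Files;$Recycle.Bin\n"
    b"skip_ext=.exe;.dll;.sys;.msi\n"
    b"threads=auto\n"
    b"kill_services=vss;sql;backup\n"
)
FAKE_KEY = bytes([0x5A, 0xC3, 0x17, 0x88])  # constructed, not a real key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encrypts and decrypts)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that look like text; used to confirm a candidate key."""
    return sum(b in PRINTABLE for b in buf) / max(len(buf), 1)


def smallest_period(candidate: bytes, max_len: int) -> int | None:
    """Smallest p <= max_len such that candidate repeats every p bytes.
    At least one full repetition (len >= 2*p) is required to count."""
    for p in range(1, max_len + 1):
        if len(candidate) < 2 * p:
            break
        if all(candidate[j] == candidate[j + p] for j in range(len(candidate) - p)):
            return p
    return None


def recover_xor_key(blob: bytes, crib: bytes,
                    max_key_len: int = 16) -> tuple[bytes, int] | None:
    """Slide a known-plaintext crib over the blob. At the right offset,
    blob ^ crib exposes a slice of the key stream; a repeating key shows up
    as a short period. The candidate is confirmed by decrypting the whole
    blob and checking that it is (almost) all text. Returns (key, offset)."""
    for offset in range(len(blob) - len(crib) + 1):
        window = blob[offset:offset + len(crib)]
        stream = xor_with_key(window, crib)  # crib-length slice of the key stream
        period = smallest_period(stream, max_key_len)
        if period is None:
            continue
        # stream[j] == key[(offset + j) % period]; realign so key[0] is blob[0].
        key = bytes(stream[(k - offset) % period] for k in range(period))
        if printable_ratio(xor_with_key(blob, key)) >= 0.95:
            return key, offset
    return None


def parse_config(plain: bytes) -> dict[str, str]:
    """Parse the constructed key=value layout into a dict."""
    fields: dict[str, str] = {}
    for line in plain.decode("ascii", errors="replace").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def extract_config(blob: bytes, crib: bytes) -> dict[str, str] | None:
    """Full pipeline: recover the key from a crib, decrypt, parse."""
    found = recover_xor_key(blob, crib)
    if found is None:
        return None
    key, _ = found
    return parse_config(xor_with_key(blob, key))


# Stand-in for the blob a reverser would carve out of the binary's data section.
ENCRYPTED_BLOB = xor_with_key(FAKE_CONFIG, FAKE_KEY)

if __name__ == "__main__":
    key, offset = recover_xor_key(ENCRYPTED_BLOB, b"extension=")
    print(f"key {key.hex()} recovered from crib at offset {offset}")
    for name, value in extract_config(ENCRYPTED_BLOB, b"extension=").items():
        print(f"  {name} = {value}")
```

The crib must be at least twice as long as the key so that one full repetition of the key stream is visible; if the period detection never fires on a real blob, use a longer crib or raise `max_key_len`. The 0.95 printable threshold is a heuristic that assumes a mostly textual configuration and will need adjusting for binary layouts.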

Read Chuong Dong's previous Curated Intel features here

LockBit's cyber kill chain was covered in previous Curated Intel features here


Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content let us know!