LockBit, one of the world’s most prolific ransomware groups, has upgraded its operations with enhanced multiplatform functionality, according to cybersecurity experts at Kaspersky.

LockBit gained notoriety for its relentless targeting of businesses globally, leaving a trail of financial and operational devastation in its wake. This report by Kaspersky showcases LockBit’s determination to expand its reach and maximise the impact of its malicious activities.

In its early stages, LockBit operated without leak portals, double extortion tactics, or data exfiltration before encrypting victim data. However, the group has continuously developed its infrastructure and security measures to protect its assets against various threats, including attacks on its administration panels and disruptive distributed denial-of-service (DDoS) attacks.

The cybersecurity community observed that LockBit is adopting code from other infamous ransomware groups, such as BlackMatter and DarkSide. This strategic move not only streamlines operations for potential affiliates but also broadens the range of attack vectors employed by LockBit. Recent findings by Kaspersky’s Threat Attribution Engine (KTAE) shed light on the fact that LockBit incorporated approximately 25% of the code previously used by the now-defunct Conti ransomware gang, resulting in a new variant known as LockBit Green.

In a significant breakthrough, Kaspersky researchers uncovered a ZIP file containing LockBit samples specifically tailored to multiple architectures, including Apple M1, ARM v6, ARM v7, FreeBSD, and more. Through analysis and investigation using the KTAE, they confirmed that these samples originated from the LockBit Linux/ESXi version previously observed.

While some samples, like the macOS variant, require additional configuration and are not signed properly, it is evident that LockBit is actively testing its ransomware on various platforms, indicating an imminent expansion of the attacks. This development underscores the urgent need for robust cybersecurity measures across all platforms and an increase of awareness within the business community.

“LockBit is a highly active and notorious ransomware group known for its devastating cyberattacks on businesses worldwide,” comments Marc Rivero, senior security researcher at Kaspersky’s Global Research and Analysis Team. “With its continual infrastructure enhancements and incorporation of code from other ransomware gangs, LockBit poses a significant and evolving threat to organisations across various industries. It is imperative for businesses to reinforce their defenses, regularly update security systems, educate employees on cybersecurity best practices, and establish incident response protocols to effectively mitigate the risks posed by LockBit and similar ransomware groups.”