
- The Windows binary uses heavy obfuscation and packing: it loads its payload through reflective DLL loading and applies anti-analysis techniques such as Event Tracing for Windows (ETW) patching and termination of security services;
- The Linux variant keeps similar functionality, with command-line options to target specific directories and file types;
- The ESXi variant specifically targets VMware virtual environments, and its attack is designed to encrypt the entire virtual machine infrastructure.
Damage to ESXi hosts can be severe for an organization. Trend Micro notes that a single ESXi host often runs dozens of critical servers, so encrypting at the hypervisor level can take down several business services at once.
According to Trend Micro, the new LockBit variants share core behaviors: random 16-character file extensions, sparing Russian-language systems via a geolocation check, and clearing event logs after encryption. Version 5.0 also shares code characteristics with LockBit 4.0, including the same hashing algorithms and API resolution methods, confirming that it is an evolution of the original codebase rather than a copy.
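Two of the shared behaviors above (mass renames to a random 16-character extension, then event-log clearing) are cheap to correlate in a SIEM. The script below is an added example written for this page, not code from Trend Micro or the article; the event records, their field names, and the threshold of five renames are constructed assumptions, and a lone log clear is deliberately not reported because on its own it is routine admin activity.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the article or Trend Micro's report).
# Each dict is a flattened record from a file-activity feed or the Windows
# event log; the field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2025-09-30T10:01:02", "host": "fs01", "kind": "file_rename",
     "path": r"C:\Shares\finance\q3.xlsx.a1B2c3D4e5F6g7H8"},
    {"ts": "2025-09-30T10:01:02", "host": "fs01", "kind": "file_rename",
     "path": r"C:\Shares\finance\budget.docx.a1B2c3D4e5F6g7H8"},
    {"ts": "2025-09-30T10:01:03", "host": "fs01", "kind": "file_rename",
     "path": r"C:\Shares\hr\payroll.csv.a1B2c3D4e5F6g7H8"},
    {"ts": "2025-09-30T10:01:03", "host": "fs01", "kind": "file_rename",
     "path": r"C:\Shares\hr\contracts.pdf.a1B2c3D4e5F6g7H8"},
    {"ts": "2025-09-30T10:01:04", "host": "fs01", "kind": "file_rename",
     "path": r"C:\Shares\it\inventory.xlsx.a1B2c3D4e5F6g7H8"},
    {"ts": "2025-09-30T10:04:40", "host": "fs01", "kind": "winevent",
     "channel": "Security", "event_id": 1102},
    {"ts": "2025-09-30T10:04:41", "host": "fs01", "kind": "winevent",
     "channel": "System", "event_id": 104},
    # Benign activity on another host: an ordinary rename and a log clear
    # with no mass rename before it (an admin tidying up).
    {"ts": "2025-09-30T09:50:00", "host": "ws07", "kind": "file_rename",
     "path": r"C:\Users\ann\report-final.docx"},
    {"ts": "2025-09-30T09:55:00", "host": "ws07", "kind": "winevent",
     "channel": "Security", "event_id": 1102},
]

# Exactly 16 alphanumeric characters as the final extension, matching the
# random extensions the article describes.
RANDOM_EXT_RE = re.compile(r"\.([A-Za-z0-9]{16})$")

# 1102 = Security log cleared; 104 = System/Application log cleared.
LOG_CLEAR_IDS = {1102, 104}


def random_extension(path):
    """Return the trailing 16-char extension if present, else None."""
    m = RANDOM_EXT_RE.search(path)
    return m.group(1) if m else None


def find_indicators(events, rename_threshold=5):
    """Correlate mass renames to a 16-char extension with a later log clear.

    Returns {host: {"renames": n, "extensions": set, "first_rename": ts,
    "log_cleared_after": bool}} for every host that crosses the rename
    threshold. Timestamps are ISO-8601 strings of equal length, so plain
    string comparison orders them correctly.
    """
    renames = defaultdict(list)
    clears = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "file_rename":
            ext = random_extension(ev["path"])
            if ext:
                renames[ev["host"]].append((ev["ts"], ext))
        elif ev["kind"] == "winevent" and ev.get("event_id") in LOG_CLEAR_IDS:
            clears[ev["host"]].append(ev["ts"])

    findings = {}
    for host, items in renames.items():
        if len(items) < rename_threshold:
            continue
        first_ts = items[0][0]
        findings[host] = {
            "renames": len(items),
            "extensions": {ext for _, ext in items},
            "first_rename": first_ts,
            # Log clearing that follows the first rename is the
            # post-encryption clean-up the article describes.
            "log_cleared_after": any(ts > first_ts for ts in clears[host]),
        }
    return findings


if __name__ == "__main__":
    for host, finding in find_indicators(SAMPLE_EVENTS).items():
        print(host, finding)
```

Run against the constructed feed, only fs01 is reported: five files renamed to one unknown 16-character extension followed by Security and System log clears. ws07's single log clear is ignored, which keeps the rule quiet on routine administration; tune the threshold and the extension pattern to the file-activity source you actually have.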
“Ransomware actors and their affiliates are regularly changing their TTPs (tactics, techniques and procedures) to stay ahead of law enforcement and defenders,” said John Clay, Trend Micro Vice President of Threat Intelligence. “Organizations need to consider adopting new cybersecurity models that go beyond the traditional, reactive approach by applying a proactive approach. Applying a risk-based approach that can discover their entire attack surface, identify the risks related to these attacks, and prioritize those attack surfaces can reduce their risk.”

