
Dissecting LockBit v3 Ransomware


We analyzed a variant of LockBit v3 ransomware, and rediscovered a bug that allows us to decrypt some data without paying the ransom. We also found a design flaw that may cause permanent data loss.

The sample uses the Restart Manager family of APIs (RmStartSession(), RmRegisterResources(), RmGetList()) to enumerate the processes that hold open handles to the file being encrypted. The sample also carries anti-debugging checks built on the process heap: a process started under a debugger gets different Flags and ForceFlags values in its heap header (_HEAP), and the sample reads those fields to decide whether it is being analyzed. The easiest way to bypass these checks is to modify the process heap structure directly and reset the most significant byte of both the Flags and ForceFlags fields to 0x00. Beyond the anti-analysis tricks, Calif observed flaws in the ransomware's design that let affected organizations reconsider the true value of the ransom demand: one bug allows some data to be decrypted without paying, and a separate design flaw means that even a paid-for decryption may not recover everything.
