LockBit copycat DarkVault sparks rebranding rumor


DarkVault, a new ransomware group with a website resembling LockBit’s, could be the latest in a series of copycats imitating the notorious ransomware-as-a-service (RaaS) gang.

Security researcher Dominic Alvieri drew attention to a redesign of the DarkVault website on Wednesday. Alvieri’s post on X included a screenshot of a new homepage sporting LockBit’s distinctive style, including a red and white color scheme and similar page headers.

The LockBit logo was also found on the DarkVault blog. The group’s earlier website featured an image of a black cat lying on a safe, potentially a reference to another ransomware gang, ALPHV/BlackCat.

Cybernews reported that DarkVault could be an attempt by LockBit to change its name, but Alvieri later clarified that the intention of his post was to mock “copycats.”

DarkVault published nine alleged victims on its LockBit-imitation site on Thursday, according to Dark Web Informer, who had discovered the old DarkVault website, with no victims listed, on March 29.

LockBit Impostors Exploit 2022 RaaS Builder Leak

DarkVault would not be the first cybercrime group to imitate LockBit; several others have used LockBit’s name, branding and leaked ransomware builder in their own attacks.

Trellix noted this trend in a blog published Thursday, which also describes the partial revival of the original LockBit since its infrastructure was disrupted by law enforcement in February.

The builder for the LockBit 3.0 ransomware, also known as LockBit Black, was leaked by one of the gang’s own developers in 2022. Since then, many malicious actors have used the builder in their own attacks.

Some use the code as-is with minimal modifications, such as adding their own version of the ransom note, while others have used the builder as a basis for new ransomware strains, researchers at the Trellix Advanced Research Center wrote.

Dragonforce and Werewolves are two ransomware groups that emerged in 2023 and use LockBit Black in their attacks. Dragonforce was found to be using the LockBit code as-is, apart from the ransom note, last September, while Werewolves may have LockBit affiliates on its team, given the overlap between the victims claimed by Werewolves and by LockBit, according to Trellix.

Some impersonators not only use LockBit’s leaked code but also copy the RaaS group’s website, much as DarkVault has. In November 2023, a group called Spacecolon created a fake LockBit leak site on the surface web and used the LockBit name in its contact details in an attempt to extort victims, according to Trend Micro.

LockBit’s name was also used in an attack on Russian security company AN-Security in January, which was later disputed by LockBit’s admin, “LockBitSupp”, who stressed that the group does not target Russian businesses.

LockBitSupp ultimately blamed the attack on Cl0p RaaS owner “Signature,” saying the rival threat actor was trying to smear LockBit’s name in retaliation for a recent feud.

“The emergence of LockBit impostors and opportunistic ransomware groups using the leaked LockBit constructor has highlighted the complexity of malicious actor attribution and the ongoing challenges posed by the widespread availability of ransomware,” the Trellix researchers said.

The LockBit gang returns with limited capabilities

Since the February takedown, LockBit has reemerged with a limited restoration of its infrastructure, and was recently observed by the Trellix Advanced Research Center attempting to exploit ScreenConnect vulnerabilities.

The group has disabled access to the RaaS panel for some of its less profitable affiliates and is demanding a fee of 1 or 2 BTC (approximately US$70,000 to US$140,000) from those who wish to re-register, a measure intended to keep law enforcement, journalists and competing threat actors from gaining access, according to Trellix.

LockBit also split its affiliate panel across multiple servers to limit the impact of further law enforcement interference, after the panel’s source code was seized as part of the international takedown operation.

Signs that the gang has not yet fully recovered from the takedown include the addition and removal of several unconfirmed victims on its leak site, which may be intended to artificially inflate the group’s apparent activity, as well as the apparent removal of anti-DDoS protection from the site, “suggesting a potential failure of LockBit’s defensive capabilities,” Trellix said.
