{
	"id": "c2df4916-757e-4522-89c4-7958d8947c16",
	"created_at": "2026-04-06T00:16:47.712031Z",
	"updated_at": "2026-04-10T13:12:59.112231Z",
	"deleted_at": null,
	"sha1_hash": "537e7c37a9c2a7d53f2c9f4406d80841debfd489",
	"title": "LockBit Green and phishing that targets organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 943855,
	"plain_text": "LockBit Green and phishing that targets organizations\r\nBy GReAT\r\nPublished: 2023-06-22 · Archived: 2026-04-05 12:40:00 UTC\r\nIntroduction\r\nIn recent months, we published private reports on a broad range of subjects. We wrote about malware targeting\r\nBrazil, about CEO fraud attempts, Andariel, LockBit and others. For this post, we selected three private reports,\r\nnamely those related to LockBit and phishing campaigns targeting businesses, and prepared excerpts from these.\r\nIf you have questions or need more information about our crimeware reporting service, contact\r\ncrimewareintel@kaspersky.com.\r\nPhishing and a kit\r\nRecently we stumbled upon a Business Email Compromise (BEC) case, active since at least Q3 2022. The\r\nattackers target German-speaking companies in the DACH region. As in many other BEC cases, they register a\r\ndomain name that is similar to that used by the attacked organization and typically differs in one or two letters. For\r\nreasons unknown, the Reply-to field contains a different email address from the From field. The Reply-to email\r\naddress does not mimic the target organization’s domain.\r\nIn contrast to BEC campaigns that are targeted and require significant effort from the criminals, ordinary phishing\r\ncampaigns are relatively simple. This creates opportunities for automation, of which the SwitchSymb phishing kit\r\nis one example.\r\nAt the end of this past January, we observed a spike in phishing email from a campaign targeting business users,\r\nwhich we have closely monitored. We noticed that the message contained a link to an “email confirmation form”.\r\nIf one clicked on the link, they found themselves on a page looking very similar to that of the recipient’s domain.\r\nThe phishing kit was designed to serve multiple campaigns at a time while running one instance on the web\r\nserver. 
This was easily demonstrated by modifying the page URL, specifically the reference to the targeted user in\r\nit: the layout of the phishing page would change.\r\nhttps://securelist.com/crimeware-report-lockbit-switchsymb/110068/\r\nPage 1 of 6\n\nAn example of a SwitchSymb-generated phishing page\r\nLockBit Green\r\nLockBit is one of the most prolific ransomware groups currently active, targeting businesses all over the world.\r\nOver time, they have adopted code from other ransomware gangs, such as BlackMatter and DarkSide, making it\r\neasier for potential affiliates to operate the ransomware.\r\nStarting in this past February, we have detected a new variant, named “LockBit Green”, which borrows code from\r\nthe now-defunct Conti gang. According to the Kaspersky Threat Attribution Engine (KTAE), LockBit incorporates\r\n25% of Conti code.\r\nKTAE shows similarities between LockBit Green and Conti\r\nThree pieces of adopted code really stand out: the ransom note, the command line options and the encryption\r\nscheme. Adopting the ransom note makes the least sense. We could not think of a good reason for doing so, but\r\nnevertheless, LockBit did it. In terms of command line options, the group added those from Conti to make them\r\navailable in LockBit. 
All the command line options available in LockBit Green are:\r\nFlag Functionality\r\n-p folder Encrypt the selected folder using a single thread\r\n-m local Encrypt all available drives within multiple threads, each of them\r\n-m net Encrypt all network shares within multiple threads, each of them\r\n-m all Encrypt all available drives and network shares within multiple threads, each of them\r\n-m backups Flag not available to use on the detected versions but coded inside the ransomware\r\n-size chunk Functionality to encrypt only part of the files\r\n-log file.log Possibility to log every action performed by the ransomware\r\n-nomutex Skip mutex creation\r\nFinally, LockBit adopted the encryption scheme from Conti. The group now uses a custom ChaCha8\r\nimplementation to encrypt files with a randomly generated key and nonce that are saved/encrypted with a hard-coded public RSA key.\r\nBinary diffing across the two families\r\nMulti-platform LockBit\r\nWe recently stumbled on a ZIP file, uploaded to a multiscanner, that contained LockBit samples for multiple\r\narchitectures, such as Apple M1, ARM v6, ARM v7, FreeBSD and many others. The next question would\r\nobviously be, “What about codebase similarity?”.\r\nFor this, we used the KTAE: simply throwing in the downloaded ZIP file was enough to see that all the samples\r\nwere derived from the LockBit Linux/ESXi version, which we wrote about in an earlier private report.\r\nSource code shared with LockBit Linux\r\nFurther analysis of the samples led us to believe that LockBit were in the process of testing their ransomware on\r\nvarious architectures, instead of deploying it in the wild. For instance, the macOS sample was unsigned, so it\r\ncould not be executed as is. 
Also, the string encryption method was simple: a single-byte XOR.\r\nNevertheless, our findings suggest that LockBit will target more platforms in the wild in the (near) future.\r\nConclusion\r\nThe world of cybercrime is huge, consisting of many players and gangs that are fluid in terms of composition.\r\nGroups adopt other groups’ code, and affiliates — which can be considered cybercrime groups in their own right\r\n— switch between different types of malware. Groups work on upgrades to their malware, adding features and\r\nproviding support for multiple, previously unsupported, platforms, a trend that has existed for some time now.\r\nWhen an incident occurs, it is important to find out who has targeted you. This helps to limit the scope of incident\r\nresponse and could help to prevent further damage. The KTAE attributes code to cybercrime groups and highlights\r\nfeatures shared by different malware families. This information can also help in taking proactive countermeasures\r\nto prevent incidents from happening in the future.\r\nFinally, criminals often resort to old tricks, such as phishing, which, nevertheless, remain highly effective. Being\r\naware of the latest trends can prevent threats like BEC from materializing.\r\nIntelligence reports can help you to stay protected against these threats. If you want to keep up to date on the latest\r\nTTPs used by criminals or have questions about our private reports, contact crimewareintel@kaspersky.com.\r\nSource: https://securelist.com/crimeware-report-lockbit-switchsymb/110068/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/crimeware-report-lockbit-switchsymb/110068/"
	],
	"report_names": [
		"110068"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/537e7c37a9c2a7d53f2c9f4406d80841debfd489.pdf",
		"text": "https://archive.orkl.eu/537e7c37a9c2a7d53f2c9f4406d80841debfd489.txt",
		"img": "https://archive.orkl.eu/537e7c37a9c2a7d53f2c9f4406d80841debfd489.jpg"
	}
}