According to Kaspersky analysts, the resurgent LockBit ransomware variant has the following features:

    • Impersonation: Leveraging illicitly acquired credentials, the threat actor impersonates a system administrator with privileged rights to gain access to the most critical areas of the corporate infrastructure.
    • Self-propagation: The customized ransomware can spread autonomously across the network using highly privileged domain credentials and conduct malicious activities, such as disabling Windows Defender, encrypting network shares, and erasing Windows Event Logs, to encrypt data and conceal its actions.
    • Adaptation: Along with the aforementioned features, the malware uses customized configuration files to tailor itself to the victim company’s architecture. For example, the attacker can configure the ransomware to infect only specific files, such as all .xlsx and .docx files, or only a specific set of systems. The attackers use the SessionGopher script to locate and extract saved passwords for remote connections on the affected systems.
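
A detection-side illustration of the self-propagation behaviour listed above, added here and not taken from Kaspersky's analysis: it pairs Defender-disabled events (ID 5001) with log-cleared events (IDs 1102 and 104) on each host, then flags any account tied to that pair on several hosts in a short span. The event records, host and account names, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs for the two behaviours named above.
LOG_CLEARED = {1102, 104}   # 1102: Security log cleared; 104: another event log cleared
DEFENDER_OFF = {5001}       # Defender real-time protection disabled

# Constructed sample events (host, ISO time, event ID, account); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-01", "2024-04-15T02:10:05", 5001, ""),
    ("ws-01", "2024-04-15T02:11:40", 1102, "CORP\\adm-backup"),
    ("ws-02", "2024-04-15T02:12:10", 5001, ""),
    ("ws-02", "2024-04-15T02:13:02", 104, "CORP\\adm-backup"),
    ("fs-01", "2024-04-15T02:14:30", 5001, ""),
    ("fs-01", "2024-04-15T02:15:55", 1102, "CORP\\adm-backup"),
    ("ws-07", "2024-04-15T09:00:00", 1102, "CORP\\helpdesk"),   # log cleared only
    ("ws-09", "2024-04-15T02:20:00", 5001, ""),                 # Defender off only
]

def tampered_hosts(events, window=timedelta(minutes=10)):
    """Map host -> (time, account) where Defender was disabled and a log was
    cleared within `window` of each other on that host."""
    per_host = defaultdict(lambda: {"off": [], "clear": []})
    for host, ts, eid, account in events:
        t = datetime.fromisoformat(ts)
        if eid in DEFENDER_OFF:
            per_host[host]["off"].append(t)
        elif eid in LOG_CLEARED:
            per_host[host]["clear"].append((t, account))
    hits = {}
    for host, seen in per_host.items():
        for t_clear, account in seen["clear"]:
            if any(abs(t_clear - t_off) <= window for t_off in seen["off"]):
                hits[host] = (t_clear, account)
                break
    return hits

def propagation_alerts(events, min_hosts=3, spread=timedelta(hours=1)):
    """Accounts tied to tampering on >= min_hosts hosts within `spread`."""
    by_account = defaultdict(list)
    for host, (t, account) in tampered_hosts(events).items():
        by_account[account].append((t, host))
    alerts = {}
    for account, items in by_account.items():
        items.sort()
        if len(items) >= min_hosts and items[-1][0] - items[0][0] <= spread:
            alerts[account] = [h for _, h in items]
    return alerts
```

Event logs wiped on the host itself cannot be queried afterwards, so this correlation only works on events already forwarded to a central collector.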