LockBit, a prominent ransomware group, has recently bolstered its operations with enhanced multiplatform functionality, according to cybersecurity experts at Kaspersky. The group has gained notoriety for its relentless targeting of businesses worldwide, leaving a trail of financial and operational devastation. Kaspersky’s recent report highlights LockBit’s determination to expand its reach and maximize the impact of its malicious activities.
Evolution of LockBit’s Tactics and Infrastructure
In its early days, LockBit operated without leak portals or double extortion tactics, and it did not exfiltrate victim data before encrypting it. Since then, the group has continuously developed its infrastructure and security measures to protect its assets against various threats, including attacks on its administration panels and disruptive distributed denial-of-service (DDoS) attacks.
Adoption of Code from Infamous Ransomware Groups
The cybersecurity community has observed LockBit adopting code from other notorious ransomware groups like BlackMatter and DarkSide. This strategic move not only streamlines operations for potential affiliates but also expands the range of attack vectors employed by LockBit. Kaspersky’s Threat Attribution Engine (KTAE) has revealed that LockBit incorporated approximately 25% of the code previously used by the now-defunct Conti ransomware gang, resulting in a new variant known as LockBit Green.
Multiplatform Capabilities and Expansion Plans
Kaspersky researchers uncovered a ZIP file containing LockBit samples tailored to multiple architectures, including Apple M1, ARM v6, ARM v7, FreeBSD, and more. Through analysis using the KTAE, they confirmed that these samples originated from the LockBit Linux/ESXi version previously observed. While some samples require additional configuration and lack proper signing, it is clear that LockBit is actively testing its ransomware on various platforms, indicating an imminent expansion of attacks. This development emphasizes the urgent need for robust cybersecurity measures across all platforms and increased awareness within the business community.
Protective Measures and Recommendations
Marc Rivero, senior security researcher at Kaspersky’s Global Research and Analysis Team, warns that LockBit poses a significant and evolving threat to organizations across various industries. To mitigate the risks posed by LockBit and similar ransomware groups, businesses should:
Keep software updated on all devices to prevent exploitation of vulnerabilities.
Focus defense strategies on detecting lateral movements and data leaks while monitoring outgoing traffic for cybercriminal connections.
Set up offline backups that cannot be tampered with, ensuring quick access when needed.
Activate ransomware protection on all endpoints, utilizing tools like the free Kaspersky Anti-Ransomware Tool for Business.
Install anti-APT and EDR solutions, enabling advanced threat discovery, detection, investigation, and timely remediation.
Provide SOC teams with access to the latest threat intelligence and offer professional training to enhance their skills.
Leverage the Kaspersky Expert Security framework, which offers comprehensive security capabilities.
Access Kaspersky’s Securelist for more information on LockBit’s updated toolset and follow Kaspersky’s recommended rules to protect yourself and your business from ransomware attacks. Additionally, businesses can request access to Kaspersky’s free, continuously updated threat intelligence through the Kaspersky Threat Intelligence Portal to enhance their defenses.