
LockBit ransomware is exploiting a critical Citrix Bleed vulnerability to break into enterprise networks. The malware spreads via infected USB sticks and allows hackers to steal data and install more malware.

LockBit is being distributed as a self-extracting archive (SFX) file that contains an executable named "Citrix_1.exe," which runs the malicious code on a machine without requiring any user interaction. The file can be distributed over email or any other means of file transfer.

After infection, LockBit starts encrypting files on a victim's computer by using AES encryption with a hardcoded key. The malware then displays a ransom note in a text document: "Your files are encrypted! Your personal ID: 1234567890."

The malware also installs itself as a service for persistence, which allows it to start automatically when the system boots up. To prevent users from accessing other applications on their systems, LockBit also installs an application lock that prevents users from closing or minimizing windows open in the background while they're trying to work with their files.
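A defender-side triage sketch for the service persistence described above (an added example, not from the article): it scans Service Control Manager "service installed" events (ID 7045) for new services whose binary is named Citrix_1.exe or that auto-start from a user-writable path. The event records are constructed samples, and the path heuristic and function name are assumptions.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DROPPER_NAME = "citrix_1.exe"  # executable name reported in the article
# Assumption: an auto-start service whose binary sits under one of these
# user-writable locations deserves triage (some legitimate software does this).
WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)

TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID><Computer>{host}</Computer></System>"
    '<EventData><Data Name="ServiceName">{name}</Data>'
    '<Data Name="ImagePath">{path}</Data>'
    '<Data Name="StartType">{start}</Data></EventData></Event>'
)
# Constructed sample records (hosts, service names and paths are made up).
SAMPLE_EVENTS = [
    TEMPLATE.format(eid=7045, host="WS-014", name="Print Helper",
                    path=r"C:\Windows\System32\spoolhelper.exe", start="demand start"),
    TEMPLATE.format(eid=7045, host="WS-014", name="CtxUpdate",
                    path=r'"C:\Users\Public\Citrix_1.exe" -s', start="auto start"),
    TEMPLATE.format(eid=7045, host="WS-022", name="SyncSvc",
                    path=r"C:\ProgramData\sync\svc.exe", start="auto start"),
    TEMPLATE.format(eid=7036, host="WS-022", name="SyncSvc", path="", start=""),
]

def suspicious_service_installs(events_xml):
    """Return (host, service, reasons) for each flagged 7045 'service installed' event."""
    findings = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "7045":
            continue  # only service-installation events are relevant
        data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
        image = data.get("ImagePath", "")
        match = re.match(r'"?(.+?\.exe)', image, re.I)  # drop quotes and arguments
        binary = match.group(1) if match else image
        reasons = []
        if ntpath.basename(binary).lower() == DROPPER_NAME:
            reasons.append("dropper-name")
        if WRITABLE.search(binary) and data.get("StartType") == "auto start":
            reasons.append("autostart-from-writable-path")
        if reasons:
            host = root.findtext("e:System/e:Computer", namespaces=NS)
            findings.append((host, data.get("ServiceName"), reasons))
    return findings
```

Calling `suspicious_service_installs(SAMPLE_EVENTS)` flags the two constructed auto-start services and ignores the System32 service and the non-7045 record.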

The link for this article located at The Hacker News is no longer available.