9 Million Patients' Data Exposed by Ransomware Attack on US Dental Giant


A ransomware attack on one of the country's largest dental health insurers may have compromised the personal information of nearly nine million individuals in the United States.

According to Managed Care of North America (MCNA) Dental, a multinational dental insurance company headquartered in the United States, the company took notice of certain activities in its computer system on March 6, 2023. MCNA immediately stopped those activities and began an investigation.

Despite those steps, the LockBit ransomware group, which claimed responsibility for the attack, threatened to leak 700GB of data stolen from MCNA's network if the company did not pay the attackers a $10 million ransom. Reports suggest the group released the data on its website on April 7 for anyone to download.

There are several dental insurers in the United States, but Managed Care of North America (MCNA) Dental claims to be the nation's largest dental insurer for children and seniors covered by government-sponsored plans. In a notice posted on Friday, the company stated that it became aware on March 6 that "certain activities in our computer system took place without our permission" and that it had decided to take action. The company then discovered that a hacker had been able to access its computer system between February 26 and March 7, 2023.

MCNA's breach notice, issued using IDX, a ZeroFox Inc.-owned company, ticks the typical boxes: it says a criminal was able to view and copy some information stored in the company's computer system.

Names, addresses, dates of birth, telephone numbers, e-mail addresses, Social Security numbers, driver's licenses, and other government-issued identification numbers were among the information that was stolen. There was also information regarding health insurance details, dental care records, billing, and insurance details that were taken. 

According to MCNA Dental, the hackers also gained access to patients' health insurance plan information, Medicaid ID numbers, and billing and insurance claim information.

Around the same time, PharMerica, a leading pharmacy service provider with over 2,500 facilities in the US and offering over 3,100 pharmacy and healthcare programs, announced a data breach that exposed nearly six million patients.

In its notification to Maine's attorney general regarding the data breach, PharMerica indicated that suspicious activity was discovered on its computer network on March 14.

It was reported on March 7 that the LockBit ransomware gang was responsible for the attack and was threatening to publish 700 gigabytes of stolen data unless the victim paid a $10 million ransom. LockBit released the data on April 7 because MCNA failed to pay the ransom.

To assist people whose personal information may have been involved in this incident, the insurer is now sending individual letters directly to them. 

Several questions must be addressed about possible liability and responsibilities arising from LockBit having the data and publishing it versus MCNA publishing its breach notice. Until well over a month after LockBit first released its data, the company did not notify its patients of the breach, which gave threat actors ample opportunity to target those in the affected area before the company was fully notified.

In the past, security experts have told organizations that fall victim to ransomware not to pay the attackers in exchange for the decryption keys. However, double-extortion attacks, in which data leaks can cause long-term harm to both companies and their clients, have changed the rules of the game. There are several factors to consider before paying a ransom. It might be to your advantage to give in to a ransom demand, which can save a lot of trouble and time in the long run.

Organizations can take several measures to prevent ransomware attacks from gaining a foothold in their networks. These measures include enhancing their overall security defense posture and implementing multifactor authentication (MFA). 

Organizations should also maintain strong controls against phishing, since attackers often use credentials stolen in this way as an entry point into a network to launch ransomware and other malicious software.

Kyocera AVX: Electronic Manufacturer Company the Current Target of LockBit

Kyocera, a global electronics manufacturer, has apparently experienced what seems like a data breach, wherein their data was exposed by ransomware gang LockBit on their dark web blog. The company was one of several who felt the aftershocks of a breach at Japanese tech firm Fujitsu last year.

The group has set a June 9 deadline for the payment of an undetermined ransom. According to the blog, "all available data will be published" if the company does not collaborate with the cybercriminals before then.

Kyocera AVX

Kyocera AVX's clients include the military, industrial and automotive industries, for which the company manufactures electronic products. It was established in the 1970s, and since 1990 it has been a part of Kyocera, a Japanese electronics business best known for its printers. It employs over 10,000 individuals globally.

On May 26th, security researchers revealed that selected data of the company has been leaked and posted to LockBit’s dark web victim blog.

Apparently, the company’s data was breached following a cyberattack that took place on Fujitsu last year. The attack might have been the reason why LockBit was able to launch a supply chain attack on Kyocera AVX, and other companies that are partnered with Fujitsu via cyber or other social engineering attacks.

According to a Financial Times report, Fujitsu confirmed the attacks in December following a heads-up from a police agency about a potential intrusion. The intrusion gave outsiders access to emails sent through an email system powered by Fujitsu.

It was later revealed that at least ten Japan-based companies, along with Kyocera AVX, were victims of the attack.

LockBit Continues Cyber Activities Against Russia’s Enemy 

Ransomware gang LockBit, which is assumed to have originated in Russia, has been in the news for its interest in targeting organizations based in the US and allied countries.

According to a report by security firm Malwarebytes, 126 victims have been posted by the ransomware gang in February alone.

This year, the gang targeted the UK Royal Mail, demanding ransom of $80 million in bitcoin. When the business refused to pay up, labeling the demands "ridiculous," the gang retaliated by sharing the information along with copies of the conversations between LockBit and Royal Mail's officials.

Later, it stole client information from WH Smith, a high street retailer in the UK. The hacker used current and previous employees' personal information. Since then, there has been no information indicating whether the business has paid the ransom.

Most recently, this month, the FBI placed a $10 million bounty on Mikhail Pavlovich Matveev, an individual who claims to have been involved with LockBit. With connections to both the Hive and Babuk organizations, Matveev is believed to be a major participant in the Russian ransomware ecosystem.

Data And Employees Of BSI Shared On The Dark Web By LockBit Ransomware Gang


An international data breach affecting one of Indonesia's leading Islamic banks, Bank Syariah Indonesia, caused significant disruptions to its normal operations and payment systems which in turn hampered the business flow. Customers’ personal and financial details have been compromised due to this breach. 

The infamous ransomware group LockBit claims to have published 1.5 TB of data belonging to the customers and employees of Bank Syariah Indonesia on dark web sites. Identity data of millions of BSI customers was leaked by the LockBit gang after it did not receive the demanded ransom in time.

Over the past few years, companies and government agencies have had several data breaches in Indonesia. A cybersecurity expert described it as one of the biggest breaches at a financial institution in the country. 

During the Bank Syariah Indonesia cyberattack, the ransomware group requested the termination of all services. The management of the company lied to their customers and partners that the stoppage was a result of the technical work they were carrying out. 

Earlier today, a Twitter account named @darktracer_int reported that LockBit 3.0 was distributing 1.5 TB of BSI bank data on dark web sites at a fantastic price.

CNN Indonesia reports the attackers stole "non-critical data" belonging to Bank Indonesia employees during the incident. They then used ransomware payloads to infect several dozen systems within the bank's network before extorting money from the bank. 

According to the bank, there have been no reported impacts on BI's public services due to the incident, as first reported by Reuters. 

"BI is aware of a ransomware hack last month. We know we have been hit by a cyberattack. This is a crime, it is real, and we are exposed to it," Erwin Haryono, head of BI's communications department, told local media outlets that it is a crime. 

The ransom payment for the cyberattack on Bank Syariah Indonesia was due by 15 May. As a result of the ransomware attack on Bank BSI, the group had access to the following data:

  • Nine databases containing personal information, with over 15 million individual records covering both customers and employees.
  • Names, phone numbers, addresses, account data, card details, and transaction details.
  • Legal documents.
  • Passwords for all internal and external services in the bank.

In a statement released on Wednesday, the central bank of Indonesia said it is confident that the country's payment system is safe and reliable for any transaction. 

Additionally, the authorities stated that they would continue to ensure that payment service providers meet all regulatory requirements in the future. BSI's payment system (under Bank Indonesia's supervision) has also returned to normal. 

BSI President and Chief Executive Officer Henry Gunardi announced on May 11 that ATMs and bank branches are now available to the public again. According to him, an important part of the restoration process was strengthening capacity and restoring key channels of communication. A BSI official explained that the disruption occurred on May 8 as a result of company maintenance on the company's information technology system. This maintenance was conducted to mitigate risks. 

The ransomware group's communication with bank representatives between May 8 and May 13 had been published earlier as well. As can be seen in the screenshots, the bank offered a payment of $10 million to recover the stolen data. After requesting $20 million from LockBit, the company disappeared without a trace.

Earlier this month it was reported that the LockBit ransomware group sent a tweet announcing the end of the negotiation period, and all of the stolen data from Bank Syariah Indonesia is now publicly available on the black market. 

A month after being taken down, Bank BSI has not been able to return its systems to function, even after LockBit wrote a rant. A class action lawsuit is being filed by users who found their data in the leak.

Despite Bank Indonesia not stating which ransomware gang was responsible for the attack, Conti posted a series of files that it claims were stolen from Bank Indonesia's network today which they claim helped expose the attack. 

The ransomware group claims that if Bank Indonesia does not pay the ransom to them, 13.88 GB of information will be exposed to the public. 

As of earlier today, when BleepingComputer contacted a representative of Bank Indonesia, he did not have any comments to offer. It's imperative to remember that this type of Ransomware-as-a-Service (RaaS) is linked to the Russian cybercriminal group Wizard Spider, which is also responsible for other notorious malware, such as Ryuk, TrickBot, and BazarLoader. 

Once corporate workstations are infected with BazarLoader or TrickBot malware, the ransomware group's affiliates gain remote control of the compromised computers using command and control systems. As soon as the Conti operators gain access to the victim's internal network, they disrupt other devices scattered throughout that network and spread the malware.

In addition to Ireland's Department of Health (DoH) and Health Service Executive (HSE), Conti also attacks marketers RR Donnelly (RRD), who sell services to the government. 

The FBI also recently updated its advisory, warning that an increased number of Conti ransomware attacks have been reported.

New MOTW Bypass Method Introduced by LockBit


Despite being on the winning side of the race, LockBit operators continue to exfiltrate data from high-profile organizations and add the names of those organizations to its leak site. It's well known that the tactics and techniques employed by the gang are one of the significant factors contributing to the murders of innocent individuals. In the context of evasion tradecrafts, researchers have come across one such technique. 

When the files are delivered in a .img container, the protection mechanism provided by the Mark of the Web (MOTW) is bypassed. Traditional signature-based detection can also be bypassed by deploying scripts that extract a password-protected executable from a compressed archive that can only be unpacked when a specific password is provided.

Revolutionary Techniques: What are They? 

In a campaign conducted between December and January of this year, Fortinet researchers observed that LockBit operators were using evasion techniques to conceal their identities.

  • A mounted image file used in the attack campaign contains the malware files, one of which is visible to the user while the others are hidden. By sending the attack through a .img file container, attackers evade MOTW's protection mechanism.
  • After the user opens the single visible file, a set of BAT scripts is downloaded. These scripts check whether the targeted system is at the proper privilege level.
  • The Python embed package of the official Python distribution is also sometimes used to execute Python scripts. Some scripts change the password and settings of the system without the user being aware of them.
  • A BAT script also executes the final LockBit ransomware payload from the password-protected archive.
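
A defender-side triage of a mounted image's file inventory against the delivery traits listed above. This is an added example, not code from the original post or from Fortinet's research; the inventory schema, the file names, the ZIP archive format and the container types other than .img are assumptions.

```python
import re
import struct
from pathlib import PureWindowsPath

# The page names .img; the other disk-image types are an added generalization.
IMAGE_EXTS = {".img", ".iso", ".vhd", ".vhdx"}
# Assumption: scripts may ship inside the image instead of being fetched later.
SCRIPT_EXTS = {".bat", ".cmd"}
# File names found in the official Python embeddable package, e.g. python311._pth.
EMBED_PY = re.compile(r"^python3\d+\.(zip|_pth|dll)$", re.IGNORECASE)


def zip_is_encrypted(head: bytes) -> bool:
    """True if the first ZIP local file header has general-purpose flag bit 0
    set (entry is encrypted). Assumes ZIP; the page does not name the format."""
    if len(head) < 30 or head[:4] != b"PK\x03\x04":
        return False
    (flags,) = struct.unpack_from("<H", head, 6)
    return bool(flags & 0x0001)


def triage(container: str, entries: list) -> dict:
    """Score a container's inventory against the traits described on the page.

    Each entry is {"name": str, "hidden": bool, "head": bytes}, where "head"
    holds the first bytes of the file (hypothetical schema for this example).
    """
    if PureWindowsPath(container).suffix.lower() not in IMAGE_EXTS:
        return {"verdict": "allow", "findings": []}
    # Files extracted from a mounted image do not carry the MOTW marker.
    findings = ["image-container"]

    visible = [e for e in entries if not e["hidden"]]
    hidden = [e for e in entries if e["hidden"]]
    if len(visible) == 1 and hidden:
        findings.append("single-visible-file")
    if any(PureWindowsPath(e["name"]).suffix.lower() in SCRIPT_EXTS for e in hidden):
        findings.append("hidden-script")
    if any(EMBED_PY.match(PureWindowsPath(e["name"]).name) for e in entries):
        findings.append("embedded-python")
    if any(zip_is_encrypted(e.get("head", b"")) for e in entries):
        findings.append("encrypted-archive")

    # Container plus two or more further traits: block; otherwise send to review.
    verdict = "block" if len(findings) >= 3 else "review"
    return {"verdict": verdict, "findings": findings}


def make_zip_header(name: bytes, encrypted: bool) -> bytes:
    """Build a 30-byte ZIP local file header plus file name (constructed sample)."""
    flags = 0x0001 if encrypted else 0x0000
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags,
                       0, 0, 0, 0, 0, 0, len(name), 0) + name


# Constructed inventory, as a mail gateway or sandbox might record it after
# mounting an attachment. All names are made up for this example.
SAMPLE_INVENTORY = [
    {"name": "visible_item.dat", "hidden": False, "head": b""},
    {"name": "stage1.bat", "hidden": True, "head": b"@echo off"},
    {"name": "python311._pth", "hidden": True, "head": b""},
    {"name": "payload.zip", "hidden": True,
     "head": make_zip_header(b"a.exe", True)},
]

if __name__ == "__main__":
    print(triage("scan_0412.img", SAMPLE_INVENTORY))
```
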

The Exploitation Strategy of LockBit

  • LockBit 3.0, released by the LockBit operators in June 2022, caught the attention of researchers because it added enhanced anti-analysis features and evasion improvements. In these respects it resembled BlackMatter ransomware: it packed code into byte strings, created function trampolines, and resolved function addresses dynamically.
  • The operators suffered a slight setback towards the end of September 2022, when disgruntled developers allegedly leaked the source code of LockBit 3.0 to the media. There was, however, no adverse effect on the attackers, as LockBit Green arrived in February as an upgrade.
  • This updated version of the ransomware draws on code that was used in Conti ransomware and uses reverse engineering analysis to develop it.
  • The LockBit Green variant has recently been released by the LockBit team and is believed to have targeted at least five victims so far.

A few examples of successful ransomware attacks using LockBit were reported in the second and third quarters of 2022. LockBit remains one of the most active ransomware families in RaaS and extortion attacks. Based on data gathered from the leak sites, LockBit tallied 436 victim organizations between April and September.

Exfiltrator-22, or EX-22, is a new framework developed by a group of former LockBit affiliates and members that aims at defending against post-exploitation attacks. The framework was created using leaked source code from other well-known post-exploitation frameworks.

The EX-22 ransomware family is designed to spread ransomware across corporate networks, using a framework-as-a-service model for post-exploitation without being detected by the victim. 

LockBit ransomware has targeted a variety of industries in recent years, including critical infrastructure. Experts claim the threat actors will continue to use obscure methodologies to avoid detection as new variants are released with additional capabilities.

The Ukraine Invasion Blew up Russian Cybercrime Alliances


Over the years, Russia has built up one of the world’s most formidable cybercriminal ecosystems. Russian hacker groups are linked to disruptive cyberattacks including one of the United States’ most critical oil pipelines and the world’s largest meat producers.  

A recently released study suggests that the conflict between Russia and the former Soviet Union disrupted the criminal ecosystem in Russia and its former Soviet satellite states. This was a year after the illegal invasion. Alexander Leslie, the associate threat intelligence analyst at Recorded Future's Insight Group, believes this is one of the most significant developments in the history of cybercrime. It has broad implications affecting nearly every aspect of the world of cybercrime.

In a recent interview, Leslie told The Register that these fractures can be felt in all facets of the Russian-speaking underground: digital fraud, dark web forums and marketplaces, ransomware gangs, and hacktivists, all of whom derive their revenue from Russian-speaking underground activities.

"Russia's military intervention in Ukraine has ushered in the era of volatility and unpredictability in the world of international cybercrime, which carries a multitude of implications for the defense community," Leslie said in a statement. 

As per the report, Russian cybercrime refers to a wide range of crimes perpetrated by miscreants who speak Russian in a variety of parts of the world, including Russia, Ukraine, Belarus, the Baltics, the South Caucasus, and Central Asia. According to Leslie, before the war all of these criminal elements shared a common rule: refusing to target entities located in the Commonwealth of Independent States, so as not to draw attention from law enforcement. The day after the Russian government began attacking critical infrastructure on February 24, 2022, the Conti ransomware gang immediately declared its "full support" for the Russian government and pledged to use all the resources at its disposal to take back the critical infrastructure that had been destroyed. There were later claims that the country had condemned the war, but the damage had already been done at that point.

Hundreds of internal documents from Conti's internal domains were leaked by a Ukrainian security researcher on February 27, 2022. The so-called Conti leaks led to the Trickbot leaks, which revealed Trickbot's senior leadership using information from the Conti data dump. According to reports, Conti closed down its operations in the weeks that followed.

Moreover, Conti's rival gangs such as ALPHV (BlackCat) and LockBit did not declare their loyalty to the Kremlin to any significant extent, while some of its other rival gangs did.

There is also a decrease in the number of ransomware attacks in the context of the war in general, which may be attributable to fewer Russian cyberattacks as well. It has been a year since the war started, and fears of large-scale disruptions of Ukrainian and Western infrastructure have not yet been realized. Russia has not given up, however: Google reported that its targeting of Ukrainian users increased by 250 percent in 2022 compared to 2020, while its targeting of NATO users increased by 300 percent.

As experts point out, this is not necessarily an indictment of Russia's cyber capabilities. Instead, it is an indication of the effectiveness of Ukrainian cyber defense backed up by its Western allies and companies such as Google, Microsoft, and Amazon on the ground. This is a largely successful strategy.  

The Georgia Institute of Technology's Nadiya Kostyuk, who specializes in modern warfare and cyber conflict, has said that that support was "crucial" to Ukraine's cyberspace remaining relatively unscathed, despite the geopolitical turmoil around the world. 

It is currently apparent that Ukraine's cyber capabilities haven't kept up with those of Russia even though it has been developing them since 2014. According to her, Microsoft, along with other companies, had played a huge part in building more resilient networks and systems as well as defending Ukraine's cyberspace. 

Forum Rules for the Russian Dark Web

The war did not only expose the fault lines of ransomware gangs, but also other criminals associated with these gangs. It would appear that the invasion of Ukraine also violates an unwritten rule on Russian-language dark web forums, which holds that criminals would not target organizations in former Soviet states unless they were inside the country. 

Despite the increased geographical decentralization of cybercriminal groups, Leslie predicts that the industry will become more centralized in the future.

During the kinetic war and in the immediate aftermath of it, there was also an increase in pro-Russian hacktivist groups. The 'second wave' of hacktivism took place around March 22, 2022, when Killnet's campaign against the Latvian government was initiated, following the initial wave of hacktivism, which included pre-existing groups such as the Stormous ransomware gang as well as new crews that were created to support the Russian war effort. 

An Increase in the Number of Killnets

Despite that, Recorded Future claims that Killnet dominated this second wave of hacktivism.

As a consequence of these attacks, the gang and its subgroups have expanded their targets beyond Europe. They have in recent years targeted the Americas, Asia, and other parts of the world. 

Recorded Future says that most of the pro-Russian hacktivist groups active since the end of the war are no longer active despite estimates by security researchers such as @Cyberknow20 that there were 70 or more such groups active at the beginning of the war. 

As the authors point out, although they identified about 100 such groups between February 24, 2022, and February 10, 2023, only a few remain active today.

Even those that remain are not very effective. A new FBI report describes Killnet's distributed denial of service attacks as having "limited success." Additionally, the researchers point out that their impact on the overall war effort has been "minimal" at best.

Is 2023 Going to be a Year of Change?

A second year of the war is expected to bring more of the same from security researchers, with insider criminal gangs leaking information, hacktivist attacks making headlines, and database dumps being sold on dark-web forums - possibly with a rise in Russian and Belarusian databases that have been leaked - as well as credential leaks targeting .ru and .by domains that have been targeted by hackers.  As a result of the malware-as-a-service threat landscape and the ongoing changing of the criminal forums on the dark web, "volatility and instability" are predicted to persist through 2023 throughout the Russian-speaking dark web market. 

In the short term, Leslie predicts that the cyber efforts of Ukraine are likely to be stepped up in 2023. The public-private partnership has helped foster increased collaboration between intelligence agencies and the provision of active defensive support, and we anticipate that this will only increase in the years to come, Leslie added. 

The majority of offensive operations are likely to be undertaken by the IT Army of Ukraine. This is expected to maintain support to enable a method of crowdsourced hacktivism that will continue to dominate offensive operations. 

He says he expects more hack-and-leak attacks from the Ukrainian IT Army in the future, but the most dominant methods of attack will likely remain DDoS attacks and website defacement.

LockBit Attack: Royal Mail Refuses to Pay 'Absurd' Ransom, Says its Chat Logs

The Royal Mail, which is still experiencing complications as a result of last month's cyberattack, has revealed what the LockBit ransomware gang claims to be the detailed transcript of its negotiations with Royal Mail. 

According to reports, Royal Mail rejected an $80 million (£66 million) ransom demand from the LockBit ransomware gang, declaring that it would "under no circumstances" pay the "absurd amount of money" demanded. 

This is in regard to what appear to be chat logs that LockBit disclosed and were published on February 14, documenting weeks of thorough negotiations between LockBit and its victim, who was attacked on January 10.

The chat logs negotiating the ransoms are apparently the first pieces of information LockBit released following the cyberattack on Royal Mail, that halted the British postal service from sending certain products overseas. This is in spite of earlier threats by the ransomware group with ties to Russia to expose all stolen data on February 9. 

The records seem to indicate that this was the last day of negotiations between LockBit and Royal Mail. Screenshots from LockBit's dark web leak site that was reviewed by TechCrunch reveal that talks started on January 12, two days after the U.K. postal company acknowledged that it had been compromised. 

If the chat logs are legitimate, they indicate that LockBit demanded a grand total of $80 million as a ransom payment, which equals 0.5% of Royal Mail’s annual revenue. The negotiator for Royal Mail appeared to inform LockBit that the company would not comply with the demand and that they had mistaken Royal Mail International for Royal Mail. 

“Under no circumstances will we pay you the absurd amount of money you have demanded[…]We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.” says Royal Mail’s negotiator (anonymous) to a LockBit representative. 

The ransom demand was reportedly then reduced by LockBit to $70 million on February 1. 

The UK’s National Cyber Security Centre, which is investigating the Royal Mail attack, has long urged the company against paying the ransom demand since this “does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.” Additionally, the FBI advises victims to take precautions such as data backups rather than complying with extortion demands.

Royal Mail did not dispute the legitimacy of the chat records when approached, but it declined to answer certain questions. “As there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident,” said a Royal Mail spokesperson, who declined to provide their name.

The upcoming actions of Royal Mail are still not clear. As of now, since the negotiation between the company and LockBit appears to be unsuccessful, the company could soon be witnessing larger fallout if the stolen data is published online. LockBit’s dark web leak site currently informs that “all available data” has been published, although unavailable to be viewed. 

The postal giant continues to face disruption in its services more than a month after the cyberattack. According to a company update dated February 14, despite advances (international services were resumed to all destinations for online purchases), the company is still unable to process new Royal Mail parcels and large letters requiring a customs declaration bought at Post Office branches.

The LockBit Ransomware Takes Responsibility for the Royal Mail Cyberattack


The LockBit ransomware operation has asserted responsibility for the cyberattack on Royal Mail, the UK's leading mail delivery service, which forced the company to stop its international shipping services due to "severe service disruption." 

This emerges after LockBitSupp, the public-facing representative of the ransomware group, earlier told BleepingComputer that the LockBit cybercrime group did not target Royal Mail. They instead blamed the attack on other threat actors who used the LockBit 3.0 ransomware builder, which was leaked on Twitter in September 2022. LockBitSupp did not clarify why printed Royal Mail ransom notes seen by BleepingComputer included links to LockBit's Tor negotiation and data leak sites rather than those operated by a different threat actor.

However, LockBitSupp validated LockBit's involvement in the attack in a post on a Russian-language hacking forum after discovering that one of their affiliates deployed the gang's ransomware payloads on Royal Mail's systems.

The representative of the ransomware gang also stated that they would only provide a decryptor and delete data stolen from Royal Mail's network after a ransom was paid. The entry for the Royal Mail attack on LockBit's data leak site currently states that stolen data will be published online on Thursday, February 9, at 03:42 AM UTC.

The attack was termed a "cyber incident"

On January 10, Royal Mail discovered the attack and hired outside forensic experts to assist with the investigation.

A Royal Mail spokesperson told BleepingComputer on January 11 when we reached out for more details, "Incident was detected yesterday, UK/ domestic mail remains unaffected."

"We're experiencing disruption to our international export services and are temporarily unable to despatch items to overseas destinations. Please do not post any export items while we work to resolve the issue. Sorry for any disruption this may cause," the company tweeted.

The incident was also reported to UK security agencies, and the company is investigating it alongside the National Crime Agency and the UK National Cyber Security Centre (NCSC).

However, Royal Mail has yet to acknowledge that it is the victim of a ransomware attack, which could result in a data breach because LockBit ransomware operators are known for stealing data and leaking it online if their ransom demands are not met.

For the time being, the company is still referring to the attack as a "cyber incident" and claims to have restored some of the services that were impacted by the attack. The incident last month follows a November 2022 outage that caused the Royal Mail's tracking services to be unavailable for more than 24 hours.

The Royal Mail's recurring IT problems come at a time when its mailing services are already under strain due to planned national strikes and ongoing talks with the Communication Workers Union.     

Following a Breach at ION Group, LockBit Hackers Received a Ransom

LockBit hackers who took credit for a severe hack at financial data company ION claim that a ransom was paid, although they would not specify the sum or provide any proof that the payment had been transferred. Meanwhile, the ION Group chose not to comment on the situation. 

The National Cyber Security Agency, part of the British intelligence agency GCHQ, told Reuters it had nothing further to add. If a ransom is paid, the hacking gang is expected to provide a key to access the files. According to cybersecurity experts, recovering from ransomware often requires decrypting servers file by file, which can take days or weeks. In addition, a machine whose data has been decrypted cannot be trusted afterwards and must be wiped clean and rebuilt from scratch. PCs often speed up the process.

After a business pays a ransom, other ransomware gangs might try to extort it again by exploiting flaws in the company's IT systems. To be completely secure, ransomware victims might seek to redesign their technical infrastructure.

In addition, LockBit, the group behind the ION attack, holds victims' files hostage and demands payment by February 4 to prevent their disclosure.

Ransoms should not be paid, according to the National Cyber Security Centre of the UK. A total of 42 of ION's clients were impacted by the early-morning Tuesday attack, which caused several banks and brokers in Europe and the US to conduct some trades manually, setting them back decades. The FBI has contacted ION management about the attack.

LockBit Ransomware Group

In certain cases, the affiliate of LockBit 3.0 is required to start the ransomware binary using a 32-character password. The typical assault procedure consists of infecting the device, encrypting files, removing specific services, and changing the device's background image.

The information can be offered for sale on the dark web if the ransom is not paid. Cobalt Strike, a security testing tool, and a series of malware attacks have been linked to LockBit 3.0's abuse of Windows Defender.

LockBit uses a ransomware-as-a-service (RaaS) business model, operating with affiliates who may lack the means to develop and launch attacks on their own. The affiliate receives a percentage of the ransom, according to a December 2022 warning from the U.S. Department of Health & Human Services.

Among the most expensive and disruptive concerns for businesses globally in recent years has been ransomware. Several ransomware groups not only encrypt a victim's files in exchange for a ransom payment, but they also steal data and threaten to expose it online as an added inducement to pay up.

Numerous brokers have experienced difficulties because the ransomware attack on ION disrupted the trading and clearing of exchange-traded financial derivatives. Reuters reports that among the numerous ION customers whose operations have been interrupted are ABN Amro Clearing and Intesa Sanpaolo, the largest bank in Italy.

Northern European Criminals Copy the Lockbit Gang


The threat group, known as LockBit, is one of the most notorious ransomware groups operating currently. As a result, they have become very active on dark web forums. In addition, they are exploiting the negative publicity created by other ransomware groups to recruit more hardened cybercriminals for their agenda. 

Ransomware attacks targeting companies in northern Europe have increased significantly. These attacks appear to be conducted using a tool known as the LockBit locker, which is believed to be one of the tools used by a criminal affiliation program dubbed Gangrel. 

There is a wide range of industries that have been targeted by the LockBit group. It has caused significant disruptions and financial losses for a wide range of companies, from small to multinational. 

One of the most concerning characteristics of these new attacks is how they are carried out. The LockBit Locker group uses a variety of advanced techniques, including phishing and social engineering, to gain initial access to a company's network. Having gained access, the attackers use a wide variety of tools and techniques to reach other parts of the network and steal sensitive information, including sensitive system information. 

Computerland in Belgium has reported an increase in attacks on small and medium-sized businesses in the country. In a report, the company explained that it was targeted by a group of cybercriminals using what appeared to be a variant of the LockBit locker malware. Following a thorough investigation, it was discovered that these attackers were unlikely to be connected with the LockBit group but rather were "wannabes" who had gained access to leaked versions of the malware. Despite not being the real LockBit Locker group, these micro-criminals were still able to inflict significant damage by encrypting a large number of internal files. 

There was, however, no impact on the company's computer system as a result of the intrusion, as backups had been made, and none of the client workstations were lost. 

The incident is one of many highlighting the dangers of outdated software and systems. This is true especially for less sophisticated actors, even in the criminal underground, where extortion practices seem to be gaining popularity. 

According to the report, in this case, the attackers were able to utilize the company's FortiGate firewall to gain access to the company's sensitive data. They did this by taking advantage of unpatched vulnerabilities. According to the Known Exploited Vulnerabilities Catalog maintained by the Center for Internet Security Awareness, unpatched FortiGate firewalls are prone to several vulnerabilities currently being exploited by cybercriminals. However, in these recent cases, the flaws exploited were the infamous "Fortifuck" flaws that date back as far as 2018. 

These flaws could be discovered and exploited because a branch internet gateway had been left exposed and unattended. Such gateway sites are usually less well protected than the central network, which may give attackers an advantage in gaining access to the network. 

The recent ransomware attacks against small and medium-sized businesses in northern Europe are highly concerning for several reasons. Even though the criminal operators' lack of experience reduced their effectiveness, the targeted industries still experienced extended outages and data exfiltration. 

Briefing on Threat Actors   

LockBit is a well-known ransomware affiliate program that started in September 2019, in which the developers of the malicious software hire unethical penetration testing teams to spread the ransomware as third parties. A few gangs have established double-extortion practices, and the Stealbit malware was part of the toolkit this gang used to support such attacks.

It is well known that during LockBit's infamous career, a large number of small and medium businesses and large corporations such as Accenture and Royal Mail were targeted. Once the attackers have infected the environment, the victim is directed to a payment site managed by the ransomware developers. The attackers threaten to leak the victim's data to pressure the victim into paying more money.

FIN7 Cybercrime Syndicate: Emerges as a Major Player in Ransomware Ecosystem


A thorough investigation of FIN7 has revealed the organisational structure of the cybercrime group as well as its function as an associate for launching ransomware assaults. Additionally, it has revealed deeper connections between the group and the larger threat ecosystem, which includes the now-defunct DarkSide, REvil, and LockBit families of ransomware. 

The extremely active threat group Carbanak is known for using a wide range of instruments and strategies to broaden its "cybercrime horizons," including adding ransomware to its playbook and setting up fictitious security companies to entice researchers into performing ransomware attacks under the pretext of penetration testing. The financially motivated adversary has compromised more than 8,147 victims worldwide, with the majority of the affected businesses being based in the United States. Other notable nations include China, Germany, Canada, Italy, and the U.K.

Over the years, FIN7's intrusion techniques have extended beyond conventional social engineering to include infected USB drives, compromised software supply chains, and the exploitation of stolen credentials obtained from dark web markets.

"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access," PRODAFT said in a report shared with The Hacker News.

The Russian-speaking hacking group has also reportedly been seen using a number of Microsoft Exchange security weaknesses, including CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell, as weapons to infiltrate target environments. Even in situations where the victim has previously paid a ransom, the organization has launched operations that have installed SSH backdoors on the compromised systems. This is despite the use of double extortion tactics.

As part of its illegal money-making scheme, the plan is to resell access to other ransomware organizations and retarget the victims, underlining its attempts to minimize effort and maximize profits. In addition, it prioritizes businesses based on their annual revenues, dates of founding, and the number of employees. According to the researchers, this "demonstrates a certain form of feasibility study regarded a distinctive habit among cybercrime gangs."

In other words, FIN7's method of operation is to shortlist businesses and organizations with the largest income by using tools like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo. In order to track visitor traffic to the victims' websites, it also makes use of other website analytics tools like MuStat and Similarweb.

One of the various intrusion vectors is used to gain initial access, after which data is exfiltrated, files are encrypted, and finally the ransom price is calculated based on the company's income.

The remote access trojans Carbanak, Lizar (also known as Tirion), and IceBot are likewise intended to be loaded using these infection sequences. IceBot was initially identified by Recorded Future-owned Gemini Advisory in January 2022.

Other tools created and provided by FIN7 include the Cobalt Strike post-exploitation tool and the Checkmarks module, which automates mass scans for vulnerable Microsoft Exchange servers and other public-facing online applications.

Another example of how criminal organizations behave like legitimate businesses is FIN7, which has a team structure with top-level management, development, pentesting, affiliate, and marketing teams, all of which have specific tasks to do.

While Alex and Rash are the main drivers of the operation, Sergey-Oleg, the third management member, assigns tasks to the other members of the group and supervises their completion. A review of the group's Jabber communication history, however, has shown that operators in administrator roles use coercion and extortion to force team members to put in more effort and issue threats to "harm their family members in case of resigning or escaping from duties."

The information was uncovered more than a month after cybersecurity firm SentinelOne suspected FIN7 may have connections to the Black Basta ransomware operation.

PRODAFT concluded, "FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies. Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets."

"Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere."

Lockbit Ransomware Attacks German MNC, Threatens to Leak All Data

LockBit attacks Continental with a ransomware attack

The LockBit ransomware gang has taken responsibility for a cyberattack against the German MNC automotive group Continental. 

LockBit also stole some data from Continental's systems and is threatening to leak it on its data leak site if the company doesn't agree to its demands within the next 22 hours. 

The gang has not disclosed what data was extracted from Continental's network or when the compromise happened. 

Ransomware gangs usually post data on their leak websites as a strategy to frighten their targets into settling a deal or into getting back to the negotiation table. 

LockBit threatens to leak data

Since LockBit says that it will leak "all available" data, this hints that Continental has yet to negotiate with the ransomware operation or has already refused to agree to its demands. 

Kathryn Blackwell, Continental's Vice President of Communications and Marketing, didn't acknowledge LockBit's claims and didn't disclose any information regarding the compromise; she referred instead to the statement the company has given in its press release on the issue. 

As per the press release, the company found a security compromise early in August when the hackers invaded parts of its IT systems. 

Continental's response

As soon as the attack surfaced, Continental took all vital security measures to restore the full integrity of its IT systems. 

With the assistance of external cybersecurity analysts, the organization has launched an inquiry into the incident. The investigation is ongoing. 

The automotive MNC has yet to share its findings. Blackwell also refused to link the August cyberattack to LockBit's claims, saying she couldn't share any more information at the moment. 

Continental reported sales of €33.8 billion in 2021, and it has employed more than 190,000 people across 58 nations and markets. 

The press release said:

"Continental informed the relevant authorities of the incident and is in close contact with them, including the security authorities. The company is aware of its data protection obligations and – in consultation with the responsible data protection authorities – is taking the necessary steps to ensure they are completely fulfilled.

The security of its employees’, customers’, and partners’ information as well as of its own data is paramount to Continental. That is why Continental has taken and continues to take extensive measures to constantly strengthen cybersecurity at the company."

Raspberry Robin Worm Threats Uncovered by Microsoft

According to Microsoft Security Threat Intelligence analysts, threat actors have continued to target Raspberry Robin virus victims, indicating that the worm's creators have sold access to the infected devices to other ransomware gangs.

Raspberry Robin is malware that infects Windows systems via infected USB devices. It is also known as QNAP Worm due to the usage of compromised QNAP storage servers for command and control.

The malware loader Bumblebee, the Truebot trojan, and IcedID (also known as BokBot), a banking trojan, have all been distributed using Raspberry Robin. Microsoft analysts claim that hackers also instructed it to launch the LockBit and Clop ransomware on hijacked computers.

The FakeUpdates malware, which resulted in DEV-0243 activity, was installed on Raspberry Robin-infected devices in July 2022, according to a report from Microsoft. DEV-0243 is a ransomware-focused threat actor with ties to EvilCorp that is also thought to have used the LockBit ransomware in some campaigns.

A malicious payload associated with Raspberry Robin has reportedly been the subject of at least one alert on almost 3,000 devices across 1,000 companies, according to data gathered by Microsoft's Defender for Endpoint product over the past 30 days.

When Raspberry Robin-infected devices were updated with the FakeUpdates backdoor earlier in July, Microsoft analysts discovered Evil Corp's pre-ransomware behavior on those networks. The activity was linked to the access broker monitored as DEV-0206, and it was seen during that time period.

In September, IBM's Security X-Force discovered additional linkages between Raspberry Robin and Dridex, including structural and functional parallels between a Raspberry Robin DLL and a malware loader used by Dridex.

Microsoft further speculated that the actors behind the malware operations linked to Raspberry Robin are paying the worm's operators for payload distribution, allowing them to stop using phishing as a method of acquiring new victims. According to Microsoft, the malware is expected to develop into a severe threat.

Angry Developer Leaks LockBit Ransomware Builder


The builder for the recently released 3.0 version of the LockBit encryptor, called LockBit Black, has been leaked online. According to the ransomware operator's public representative LockBitSupp, the leak was not carried out by a hacker but is the work of a disgruntled developer. 

About LockBit Black Builder 

The latest version, LockBit Black, was in testing until June and includes numerous advanced features, such as auto-analysis, a ransomware bug bounty program, and newer methods of extortion. 

The builder came as a password-protected 7z archive, LockBit3Builder, which contained four files: a batch file, a builder, a modifiable configuration file, and an encryption key generator. The files allow one to build the executable code to launch their own operation, such as encryptor, decryptor, and tools to execute the decryptor in a specific way.  

LockBit Ransomware’s Builder Leaks

A recently registered Twitter account by the handle @ali_qushji is under scrutiny by the security researchers of 3xport, as the Twitter user Ali Qushji claims that his team has gotten hold of LockBit servers and found a builder for the LockBit 3.0 ransomware encryptor. 

“Unknown person @ali_qusji said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) ransomware” the Tweet read. 

On September 10, the researchers at VX-Underground were allegedly contacted by a user named protonleak (@protonleaks1), who shared a copy of the builder. The research agency further claimed that the ransomware group was not hacked, but the private ransomware builder code was leaked by one of the group’s developers. 

The developer was allegedly hired by the LockBit ransomware group, was discontented with the ransomware operator's leadership, and leaked the builder in response. 

"We reached out to LockBit ransomware group regarding this and discovered this leaker was a programmer employed by LockBit ransomware group [...] They were upset with LockBit leadership and leaked the builder." VX-Underground tweeted. 

Threat to the Ransomware Operators

According to John Hammond, a security researcher at Huntress Labs, "This leak of the builder software commoditizes the ability to configure, customize, and ultimately generate the executables to not only encrypt but decrypt files[...] Anyone with this utility can start a full-fledged ransomware operation."   

The leak consequently is a threat to ransomware operators, as the builder code is now accessible to other ransomware operators. As a result, many new versions of the builder will soon be circulated by the operators. Moreover, the leaked builder will give security researchers a chance to conduct a better analysis of the ransomware, and develop advanced software that could tackle future attacks.

Hackers are Actively Targeting Linux-Based Devices

Ransomware attacks against Linux have accelerated as cybercriminals try to increase their options and take advantage of an operating system that is sometimes neglected when organizations think about security. 

According to Trend Micro, hackers prefer using ransomware-as-a-service (RaaS) techniques because they enable quicker deployment and higher rewards. Additionally, they increasingly focused their attacks on Linux-based computers and employed relatively new ransomware families in high-profile strikes. Operators of ransomware also used both cutting-edge and time-tested strategies to attack cloud environments.

Linux powers significant enterprise IT infrastructure, including servers, making it a target for ransomware gangs. This is especially true when cybersecurity teams may decide to concentrate on protecting Windows networks against cybercrime due to a believed lack of threat to Linux systems compared to Windows.

For instance, LockBit, one of the most widespread and effective ransomware operations in recent memory, now provides the choice of a Linux-based variant that is made to target Linux systems and has been used to carry out assaults in the field.

Hackers are regularly extending the scope of their exploits by focusing on Linux, one of the most potent operating systems utilized in cloud platforms and servers around the world, in addition to upping the ante by utilizing MaaS methods in their attacks.

The RaaS architecture makes it simpler and quicker for cyber criminals to deploy ransomware attacks than traditional ransomware models, even those with limited technical knowledge. According to SPN data, three ransomware families—the infamous LockBit, Conti, and BlackCat families—dominated the RaaS space in terms of detections. BlackCat is a family of ransomware that was developed in the Rust programming language at the end of 2021.

Attackers using ransomware are motivated by money and would jump at new possibilities if they believe they can increase their earnings; it would seem that encrypting Linux systems and demanding payment for the key to open servers and files are becoming more and more common.

According to researchers, as ransomware perpetrators strive to maximize their profits, this strategy will only grow in popularity.

It's not only ransomware entities that are focusing more on Linux, according to Trend Micro, but there has also been a 145% increase in Linux-based cryptocurrency-mining malware attacks, wherein online criminals covertly use the processing power of infected computers and servers to mine for cryptocurrency for their own gain.

Here's How BlackMatter Ransomware is Linked With LockBit 3.0


Cybersecurity researchers have discovered similarities between LockBit 3.0, the most recent version of LockBit ransomware, and BlackMatter. 

LockBit 3.0 was released in June 2022, introducing a brand-new leak site and the first ransomware bug bounty program. Zcash was also made available as a cryptocurrency payment method.

"The encrypted filenames are appended with the extensions 'HLJkNskOq' or '19MqZqZ0s' by the ransomware, and its icon is replaced with a.ico file icon. The ransom note then appears, referencing 'Ilon Musk'and the General Data Protection Regulation of the European Union (GDPR)," researchers from Trend Micro stated.

The ransomware alters the machine's wallpaper when the infection process is finished to alert the user of the attack. While debugging a LockBit 3.0 sample, Trend Micro researchers found that several of its code snippets were lifted from the BlackMatter ransomware.

Identical ransomware threats

The researchers draw attention to the similarities with BlackMatter's privilege escalation and API harvesting techniques. LockBit 3.0 performs API harvesting by hashing a DLL's API names and comparing them to a list of the APIs the ransomware requires. This procedure is the same as BlackMatter's, as the publicly accessible script for renaming BlackMatter's APIs also works for LockBit 3.0.

The most recent version of LockBit also examines the UI language of the victim machine to avoid infecting machines set to languages used in Commonwealth of Independent States (CIS) member states.

LockBit 3.0 and BlackMatter both delete shadow copies using Windows Management Instrumentation (WMI) via COM objects. Experts point out that LockBit 2.0 deletes them using vssadmin.exe.
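As an added example (not from the original article or from Trend Micro), the Python sketch below shows why that difference matters for detection: a command-line rule catches the vssadmin.exe method, but deletion through WMI COM objects starts no helper process with a telling command line, so the rule is paired with a shadow-copy inventory check. The event fields, host names, timestamps and the snapshot collector are constructed assumptions.

```python
import re
from collections import defaultdict

# Command-line rules for helper-process deletion. vssadmin.exe is the
# LockBit 2.0 method named above; the second rule covers WMI driven from a CLI.
RULES = {
    "vssadmin_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmi_cli_delete": re.compile(r"shadowcopy\b.*\bdelete\b", re.I),
}

# Constructed process-creation records (field names are assumptions, loosely
# modelled on Sysmon Event ID 1). "time" is seconds from an arbitrary start.
EVENTS = [
    {"host": "ws01", "time": 100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "time": 50, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "ws02", "time": 200, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws03", "time": 300, "image": r"C:\Users\Public\svc.exe",
     "cmdline": "svc.exe"},
]

# Constructed periodic inventory of shadow copy IDs per host (hypothetical
# collector, for instance a scheduled enumeration of Win32_ShadowCopy).
SNAPSHOTS = [
    {"host": "ws01", "time": 90, "shadow_ids": ["{s1}"]},
    {"host": "ws01", "time": 110, "shadow_ids": []},
    {"host": "ws03", "time": 290, "shadow_ids": ["{s7}", "{s8}"]},
    {"host": "ws03", "time": 310, "shadow_ids": []},
    {"host": "ws04", "time": 400, "shadow_ids": ["{s9}"]},
    {"host": "ws04", "time": 420, "shadow_ids": ["{s9}"]},
]


def cmdline_hits(events):
    """Return (host, time, rule) for each event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], ev["time"], name))
                break
    return hits


def silent_deletions(snapshots, hits):
    """Return (host, t_before, t_after) where every shadow copy vanished
    between two snapshots and no command-line hit on that host explains it."""
    by_host = defaultdict(list)
    for snap in snapshots:
        by_host[snap["host"]].append(snap)
    findings = []
    for host, snaps in sorted(by_host.items()):
        snaps.sort(key=lambda s: s["time"])
        for before, after in zip(snaps, snaps[1:]):
            wiped = bool(before["shadow_ids"]) and not after["shadow_ids"]
            explained = any(
                h == host and before["time"] < t <= after["time"]
                for h, t, _ in hits
            )
            if wiped and not explained:
                findings.append((host, before["time"], after["time"]))
    return findings


if __name__ == "__main__":
    hits = cmdline_hits(EVENTS)
    for host, t, rule in hits:
        print(f"[cmdline]   {host} t={t} rule={rule}")
    for host, t0, t1 in silent_deletions(SNAPSHOTS, hits):
        print(f"[inventory] {host}: all shadow copies gone between "
              f"t={t0} and t={t1}, no helper process seen")
```

On the constructed data, ws01 and ws02 are caught by the command-line rules, while ws03 loses all its shadow copies with no matching process event, which is the pattern the inventory check exists to surface.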

The findings coincide with LockBit becoming one of the most active ransomware-as-a-service (RaaS) gangs in 2022, with the Italian Internal Revenue Service (L'Agenzia delle Entrate) being the most recent target.

The ransomware family contributed to 14% of intrusions, second only to Conti at 22%, according to Palo Alto Networks' 2022 Unit 42 Incident Response Report, which was released and is based on 600 instances handled between May 2021 and April 2022.

Bridgestone USA Alleges to be Infiltrated by a LockBit Ransomware Cell


The LockBit ransomware gang claims to have infiltrated Bridgestone Americas' network and stolen data. Bridgestone Americas is an American subsidiary of Bridgestone Corporation, a Japanese tire and automobile components manufacturer. It is a conglomerate of companies with more than 50 manufacturing locations and 55,000 people spread across America. If the corporation does not pay the ransom, LockBit operators aim to reveal the private documents by March 15, 2022, 23:59. 

Bridgestone began an investigation into "a potential information security incident" on February 27, which was discovered in the morning hours of the same day. The incident remained unknown until recently when the LockBit ransomware gang claimed responsibility for the attack by adding Bridgestone Americas to its list of victims.

LockBit is one of the most active ransomware groups today, demanding significant sums of money in exchange for stolen data. According to a Kaspersky investigation, the ransomware gang utilizes LockBit, a self-spreading malware that uses tools like Windows PowerShell and Server Message Block to proliferate throughout an enterprise. 

As per Dragos' study, the transportation and food and beverage industries were the second and third most targeted industries, respectively. LockBit is currently threatening Bridgestone with the release of their data.

The examination by the tire company indicated the attacker followed a "pattern of behavior" which is usual in ransomware assaults. Bridgestone went on to say the attacker had taken information from a small number of its systems and had threatened to make the stolen data public.

In a statement, the company said they are "committed to conducting a rapid and definitive inquiry to identify as swiftly as possible what precise data was obtained" from their environment. "The security of our teammates, customers, and partners' information is extremely important to Bridgestone."

Despite the fact that the LockBit ransomware gang has primarily targeted the industrial and manufacturing sectors, ransomware like the one utilized by the gang can still infect your PC.

To prevent ransomware criminals from getting into users' accounts, Kaspersky recommends using strong passwords and enabling multi-factor authentication. The antivirus firm also advised having system-wide backups in case data was lost due to malware infection. Additionally, keeping your system configurations up to date and following all security measures will help you avoid being a ransomware victim, saving you a lot of time and aggravation.

SFile (Escal) Ransomware Modified for Linux Attacks


The SFile ransomware, also known as Escal, has been ported to work and encrypt data on Linux-based operating systems by its developers. 

Attacks with this new Linux edition were discovered late last year, according to a report published last week by Chinese security firm Rising, which was substantiated by The Record with MalwareHunterTeam, one of the developers of the ID-Ransomware project. 

In February 2020, the SFile (Escal) ransomware was first observed in assaults. The first versions were exclusively designed to encrypt Windows systems. The ransomware has been deployed in targeted assaults against corporate and government networks for the previous two years. 

SFile is typically used in these attacks to encrypt data and leave a ransom note instructing victims to contact the attackers via one of three emails and negotiate a ransom for the decryption key. 

An SFile Linux variant was discovered late last year, following a typical trend in the ransomware ecosystem where groups have developed Linux versions of their payloads. Its encryption strategy is identical to that of the original Windows variant, with a few modifications. 

The option to encrypt data depending on a time range, according to MalwareHunterTeam, was the most intriguing of these—as a way to encrypt current files, which may be more important for some victims and are often not included in recent backups. However, the SFile ransomware is one of the few instances where the victim's name appears in the extension appended to each encrypted file. 

Several Chinese firms were among the most recent victims of SFile assaults. According to the Rising report, one of these victims was Chinese IT business Nuctech, which was sanctioned by the US in late 2020 for giving air travel passenger information to the Chinese government—the company's name was identified in encrypted files in a sample discovered by Rising researchers. 

Despite the presence of a Linux variant, the number of SFile attacks is still limited in comparison to the operation of more well-known ransomware families like Conti, LockBit, Grief, and STOP.

Report: PYSA Emerges as Top Ransomware Actor in November


As per NCC Group, a UK-based risk mitigation organisation, PYSA and Lockbit were the most significant ransomware attacks in November 2021.

Lockbit has been a leading ransomware threat since August of this year, with Conti dominating the landscape as well. Conti's popularity began to fade in November, and PYSA took its place. The total number of organisations infected with PYSA climbed by 50% last month. 

The number of hacked governmental institutions has also increased by 400 per cent, according to the NCC Group. PYSA stands for 'Protect Your System Amigo,' and it has been active since late 2019, mostly targeting the education, healthcare, and government sectors.

In March 2021, the FBI issued a warning about PYSA. PYSA was thought to target only Windows systems until September 2021, when evidence was discovered that the ransomware was being prepared to target Linux PCs as well. 

NCC Group noted, “PYSA is a malware capable of exfiltrating data and encrypting users’ critical files and data, which typically targets large or high-value finance, government and healthcare organizations.” 

In November, the total number of ransomware assaults was 1.9 per cent higher than in October, with firms in North America and Europe being hit the hardest. According to the NCC Group, ransomware affected 154 companies in North America last month (140 in the United States and 14 in Canada). A total of 96 European victims have been identified, the majority of whom are from the United Kingdom (32), France (14), Italy, and Germany (11 each). 

“The industrial sector continued to be the most targeted sector in November. Meanwhile, automotive, housing, entertainment, and retail businesses overtook technology this month, with attacks targeting the sector decreasing by 38.1%,” NCC Group stated. 

The cybersecurity firm also saw the Everest ransomware group offering paid access to its victims' infrastructure in November. Other groups are also expected to forgo a ransom demand in the future and instead grant access to the compromised infrastructure.

Russian Organizations Targeted By Outdated Threat Actors


Currently, European and American organizations top the list of targets for ransomware from Russian state-sponsored hackers; however, organizations from these countries are not ready to manage file encryption and double extortion problems on their own. The threat actors troubling CIS and Russia-based companies are generally LockBit, REvil, DarkSide and many more criminal groups that target high-profile victims with critical infrastructure cyberattacks. According to Kaspersky's report on the first half of 2021, the Commonwealth of Independent States (CIS) was also targeted by threat actors that attack Russian organizations monthly, while no such attacks are reported.

These groups, an unnoticed subcategory of ransomware actors, are generally less sophisticated: they mostly use leaked malware or outdated strains, and build their own access instead of buying access to victims. Some of the well-known ransomware families used earlier this year against Russian targets are as follows: XMRLocker, Thanos/Hakbit, Limbozar/VoidCrypt, Fonix/XINOF, CryptConsole, Cryakl/CryLock, Phobos/Eking, Crysis/Dharma, /BigBobRoss. The most effective older strains include Phobos and Dharma.

Phobos first surfaced in 2017 and reached its final stage in 2020. Its operators used unauthorised RDP access as the main entry point. It is C/C++ malware with technical similarities to the Dharma strain, but the two are unrelated. Dharma emerged in 2016 under the name Crysis; although outdated, it has one of the most effective encryption schemes. As with Phobos, Dharma infections begin with unauthorised RDP access following brute-forcing of credentials, after which the malware is planted manually.

According to Kaspersky, such attacks come and go, but they cannot be left unnoticed. Kaspersky says these strains are still under development, with threat actors constantly making them more effective, so they are not without firepower. "Russian companies can prevent many of these threats by simply blocking RDP access, using strong passwords for domain accounts that are changed regularly, and accessing corporate networks through VPN," reports BleepingComputer.