Search This Blog

Showing posts with label LockBit. Show all posts

Northern European Criminals Copy the Lockbit Gang


The threat group, known as LockBit, is one of the most notorious ransomware groups operating currently. As a result, they have become very active on dark web forums. In addition, they are exploiting the negative publicity created by other ransomware groups to recruit more hardened cybercriminals for their agenda. 

The rate at which ransomware attacks have targeted companies in northern Europe has increased significantly. It appears that these attacks are being conducted using a device known as the LockBit locker. This is believed to be one of the tools used by a criminal affiliation program dubbed Gangrel. 

There is a wide range of industries that have been targeted by the LockBit group. It has caused significant disruptions and financial losses for a wide range of companies, from small to multinational. 

As a result of the nature of these new attacks, one of the most concerning characteristics is how they are being undertaken. A company's network is at risk from the LockBit Locker group. This group exploits a variety of advanced security techniques to gain initial access to the network through phishing and social engineering, among others. Having gained access to a network, attackers use a wide variety of tools and techniques to reach various parts of the network and steal sensitive information. These include sensitive system information. 

There has been an increase in attacks on small and medium-sized businesses in Belgium, as reported by Computerland in the country. There was, however, a report by the company that explained that the company was targeted by a group of cybercriminals using a variant of the LockBit locker malware. This variant appeared to have been used by the company. Following a thorough investigation, it was discovered that these attackers were unlikely to be connected with the LockBit group but rather were "wannabes" who had gained access to leaked versions of the malware. Despite not being the real LockBit Locker group, these micro-criminals were still able to inflict significant damage by encrypting a large number of internal files. 

There was, however, no impact on the company's computer system as a result of the intrusion, as backups had been made, and none of the client workstations were lost. 

The incident is one of many highlighting the dangers of outdated software and systems. This is true especially for less sophisticated actors, even in the criminal underground, where extortion practices seem to be gaining popularity. 

According to the report, in this case, the attackers were able to utilize the company's FortiGate firewall to gain access to the company's sensitive data. They did this by taking advantage of unpatched vulnerabilities. According to the Known Exploited Vulnerabilities Catalog maintained by the Center for Internet Security Awareness, unpatched FortiGate firewalls are prone to several vulnerabilities currently being exploited by cybercriminals. However, in these recent cases, the flaws exploited were the infamous "Fortifuck" flaws that date back as far as 2018. 

Unattended exposure through a branch internet gateway has allowed exploits to be made of these flaws to be discovered and exploited. As a result, these gateway sites are usually less well-protected than the central network, which may put attackers at an advantage in terms of gaining access to the network. 

The recent ransomware attacks against small and medium-sized businesses in North Europe are highly concerning for several reasons. Even though the criminal operators' lack of experience reduced their effectiveness, extended outages and data exfiltration were experienced by the targeted industries despite the reduced effectiveness of the criminal operators. 

Briefing on Threat Actors   

There is a well-known ransomware affiliation program known as LockBit, which started in September of 2019 and involves the developers of the malicious software hiring unethical penetration testing teams to spread the ransomware as a third party. There are a few gangs that have established double-extortion practices. The Stealbit malware was part of the toolkits used by this gang to support such attacks.

It is well known that during Lockbit's infamous career, a large number of small and medium businesses and large corporations such as Accenture and Royal Mail were targeted. During the infection process, the victim will be redirected to a gang payment site managed by the ransomware developers once they have infected the environment. The attackers threatened the victim that they would leak the victim's data to get her to pay more money.

FIN7 Cybercrime Syndicate: Emerges as a Major Player in Ransomware Ecosystem


A thorough investigation of FIN7 has revealed the organisational structure of the cybercrime group as well as its function as an associate for launching ransomware assaults. Additionally, it has revealed deeper connections between the group and the larger threat ecosystem, which includes the now-defunct DarkSide, REvil, and LockBit families of ransomware. 

The extremely active threat group Carbanak is known for using a wide range of instruments and strategies to broaden its "cybercrime horizons," including adding ransomware to its playbook and setting up fictitious security companies to entice researchers into performing ransomware attacks under the pretext of penetration testing. The financially motivated adversary has compromised more than 8,147 victims worldwide, with the majority of the affected businesses being based in the United States. Other notable nations include China, Germany, Canada, Italy, and the U.K.

Over the years, FIN7's invasion techniques have extended beyond conventional social engineering to include infected USB drives, compromised software supply chains, and the exploitation of stolen credentials obtained from dark web markets.

"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access," PRODAFT said in a report shared with The Hacker News.

The Russian-speaking hacking group has also reportedly been seen using a number of Microsoft Exchange security weaknesses, including CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell, as weapons to infiltrate target environments. Even in situations where the victim has previously paid a ransom, the organization has launched operations that have installed SSH backdoors on the compromised systems. This is despite the use of double extortion tactics.

As part of its illegal money-making scheme, the plan is to resell access to other ransomware organizations and retarget the victims, underlining its attempts to minimize effort and maximize profits. In addition, it prioritizes businesses based on their annual revenues, dates of founding, and the number of employees. According to the researchers, this "demonstrates a certain form of feasibility study regarded a distinctive habit among cybercrime gangs."

In other words, FIN7's method of operation is to shortlist businesses and organizations with the largest income by using tools like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo. In order to track visitor traffic to the victims' websites, it also makes use of other website analytics tools like MuStat and Similarweb.

One of the various intrusion vectors is used to gain initial access, after which data is exfiltrated, files are encrypted, and finally the ransom price is calculated based on the company's income.
The remote access trojans Carbanak, Lizar (also known as Tirion), and IceBot are likewise intended to be loaded using these infection sequences. IceBot was initially identified by Recorded Future-owned Gemini Advisory in January 2022.

Other tools created and provided by FIN7 include the Cobalt Strike post-exploitation tool and the Checkmarks module, which automates mass scans for vulnerable Microsoft Exchange servers and other public-facing online applications.

Another example of how criminal organizations behave like legitimate businesses is FIN7, which has a team structure with top-level management, development, pentesting, affiliate, and marketing teams, all of which have specific tasks to do.

While Alex and Rash are the main drivers of the operation, Sergey-Oleg, the third management member, assigns tasks to the other members of the group and supervises their completion. A review of the group's Jabber communication history, however, has shown that operators in administrator roles use coercion and extortion to force team members to put in more effort and issue threats to "harm their family members in case of resigning or escaping from duties."

The information was uncovered more than a month after cybersecurity firm SentinelOne suspected FIN7 may have connections to the Black Basta ransomware operation.

PRODAFT concluded, "FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies. Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets."

"Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere."

Lockbit Ransomware Attacks German MNC, Threatens to Leak All Data

LockBit attacks Continental with a ransomware attack

The LockBit ransomware gang has taken responsibility for a cyberattack against the German MNC automotive group continental. 

LockBit also stole some data from Continental's systems, and they are blackmailing to leak it on their data leak site if the company doesn't agree with their demands within the next 22 hours. 

The gang hadn't disclosed any info on what info was extracted from Continental's network or when the compromise happened. 

Ransomware gangs usually post data on their leak websites as a strategy to frighten their targets into settling a deal or into getting back to the negotiation table. 

LockBit threatens to leak data

Since LockBit says that it will leak "all available" data, this hints that Continental is yet to negotiate with the ransomware campaign or it has already refused to agree with demands. 

Kathryn Blackwell, Continental's Vice President of Communications and Marketing, didn't acknowledge LockBit's claims and didn't disclose any information regarding the compromise, she said recently the statement the company has given in the press release regarding the issue. 

As per the press release, the company found a security compromise early in August when the hackers invaded parts of its IT systems. 

Continental's response

As soon as the attack surfaced, Continental took all vital security measures to restore the full integrity of its IT systems. 

With the assistance of external cybersecurity analysts, the organization has launched an inquiry into the incident. The investigation is currently under process. 

The automotive MNC is still to share its findings. Blackwell also refused to link the August cyberattack to LockBit's claims, according to her, she couldn't share any more information at the moment. 

Continental reported sales of €33.8 billion in 2021, and it has employed more than 190,000 people across 58 nations and markets. 

The press release said:

"Continental informed the relevant authorities of the incident and is in close contact with them, including the security authorities. The company is aware of its data protection obligations and – in consultation with the responsible data protection authorities – is taking the necessary steps to ensure they are completely fulfilled.

The security of its employees’, customers’, and partners’ information as well as of its own data is paramount to Continental. That is why Continental has taken and continues to take extensive measures to constantly strengthen cybersecurity at the company."

Raspberry Robin Worm Threats Uncovered by Microsoft

According to Microsoft Security Threat Intelligence analysts, threat actors have continued to target Raspberry Robin virus victims, indicating that the worm's creators have sold access to the infected devices to other ransomware gangs.

Raspberry Robin is malware that infects Windows systems via infected USB devices. It is also known as QNAP Worm due to the usage of compromised QNAP storage servers for command and control.

The malware loader Bumblebee, the Truebot trojan, and IdedID also known as BokBot, a banking trojan, have all been distributed using Raspberry Robin. Microsoft analysts claim that hackers also instructed it to launch the LockBit and Clop ransomware on hijacked computers.

The FakeUpdates malware, which resulted in DEV-0243 activity, was installed on Raspberry Robin-infected devices in July 2022, according to a report from Microsoft. DEV-0243 is a ransomware-focused threat actor with ties to EvilCorp that is also thought to have used the LockBit ransomware in some campaigns.

A malicious payload associated with Raspberry Robin has reportedly been the subject of at least one alert on almost 3,000 devices across 1,000 companies, according to data gathered by Microsoft's Defender for Endpoint product over the past 30 days.

When Raspberry Robin-infected devices were updated with the FakeUpdates backdoor earlier in July, Microsoft analysts discovered Evil Corp's pre-ransomware behavior on those networks. The activity was linked to the access broker monitored as DEV-0206, and it was seen during that time period.

In September, IBM's Security X-Force discovered additional linkages between Raspberry Robin and Dridex, including structural and functional parallels between a Raspberry Robin DLL and a malware loader used by Dridex.

Microsoft further speculated that the hackers of such malware operations linked to Raspberry Robin are funding the worm's operators for payload distribution, allowing them to stop using phishing as a method of acquiring new victims. According to Microsoft, the malware is anticipated to develop into a threat that is severe.

Angry Developer Leaks LockBit Ransomware Builder


The recently released 3.0 version of LockBit encryptor’s builder, called LockBit Black is leaked online. According to the Ransomware operator’s public representative LockBitSupp, this leak is not executed by a hacker, rather, it is the work of some disgruntled developer. 

About LockBit Black Builder 

The latest version, LockBit Black was under the testing phase till June and comprised numerous advanced features, such as auto-analysis, a ransomware bug bounty program, and newer methods of extortion. 

The builder included a password-protected 7z archive LockBit3Builder, it comprised four files – a batch file, a builder, a modifiable configuration file, and an encryption key generator. The files allow one to build the executable code to launch their own operation, such as encryptor, decryptor, and tools to execute the decryptor in a specific way.  

LockBit Ransomware’s Builder Leaks

A recently registered Twitter account by the handle @ali_qushji is under scrutiny by the security researchers of 3xport, as the Twitter user Ali Qushji claims that his team has gotten hold of LockBit servers and found a builder for the LockBit 3.0 ransomware encryptor. 

“Unknown person @ali_qusji said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) ransomware” the Tweet read. 

On September 10, the researchers at VX-Underground were allegedly contacted by a user named protonleak (@protonleaks1), who shared a copy of the builder. The research agency further claimed that the ransomware group was not hacked, but the private ransomware builder code was leaked by one of the group’s developers. 

The developer was allegedly hired by the LockBit ransomware group, he was discontented with the ransomware operator’s leadership, and leaked the builder in response. 

"We reached out to LockBit ransomware group regarding this and discovered this leaker was a programmer employed by LockBit ransomware group [...] They were upset with LockBit leadership and leaked the builder." VX-Underground tweeted. 

Threat to the Ransomware Operators

According to John Hammond, a security researcher at Huntress Labs, "This leak of the builder software commoditizes the ability to configure, customize, and ultimately generate the executables to not only encrypt but decrypt files[...] Anyone with this utility can start a full-fledged ransomware operation."   

The leak consequently is a threat to ransomware operators, as the builder code is now accessible to other ransomware operators. As a result, many new versions of the builder will soon be circulated by the operators. Moreover, the leaked builder will give security researchers a chance to conduct a better analysis of the ransomware, and develop advanced software that could tackle future attacks.

Hackers are Actively Targeting Linux-Based Devices

Ransomware attacks against Linux have accelerated as cybercriminals try to increase their options and take advantage of an operating system that is sometimes neglected when organizations think about security. 

According to Trend Micro, hackers prefer using ransomware-as-a-service (RaaS) techniques because they enable quicker deployment and higher rewards. Additionally, they increasingly focused their attacks on Linux-based computers and employed relatively new ransomware families in high-profile strikes. Operators of ransomware also used both cutting-edge and time-tested strategies to attack cloud environments.

Linux powers significant enterprise IT infrastructure, including servers, making it a target for ransomware gangs. This is especially true when cybersecurity teams may decide to concentrate on protecting Windows networks against cybercrime due to a believed lack of threat to Linux systems compared to Windows.

For instance, LockBit, one of the most widespread and effective ransomware operations in recent memory, now provides the choice of a Linux-based variant that is made to target Linux systems and has been used to carry out assaults in the field.

Hackers are regularly extending the scope of their exploits by focusing on Linux, one of the most potent operating systems utilized in cloud platforms and servers around the world, in addition to upping the ante by utilizing MaaS methods in their attacks.

The RaaS architecture makes it simpler and quicker for cyber criminals to deploy ransomware attacks than traditional ransomware models, even those with limited technical knowledge. According to SPN data, three ransomware families—the infamous LockBit, Conti, and BlackCat families—dominated the RaaS space in terms of detections. BlackCat is a family of ransomware that was developed in the Rust programming language at the end of 2021.

Attackers using ransomware are motivated by money and would jump at new possibilities if they believe they can increase their earnings; it would seem that encrypting Linux systems and demanding payment for the key to open servers and files are becoming more and more common.

According to researchers, as ransomware perpetrators strive to maximize their profits, this strategy will only grow in popularity.

It's not only ransomware entities that are focusing more on Linux, according to Trend Micro, but there has also been a 145% increase in Linux-based cryptocurrency-mining malware attacks, wherein online criminals covertly use the processing power of infected computers and servers to mine for cryptocurrency for their own gain.

Here's How BlackMatter Ransomware is Linked With LockBit 3.0


LockBit 3.0, the most recent version of LockBit ransomware, and BlackMatter contain similarities discovered by cybersecurity researchers. 

In addition to introducing a brand-new leak site, the first ransomware bug bounty program, LockBit 3.0, was released in June 2022. Zcash was also made available as a cryptocurrency payment method.

"The encrypted filenames are appended with the extensions 'HLJkNskOq' or '19MqZqZ0s' by the ransomware, and its icon is replaced with a.ico file icon. The ransom note then appears, referencing 'Ilon Musk'and the General Data Protection Regulation of the European Union (GDPR)," researchers from Trend Micro stated.

The ransomware alters the machine's wallpaper when the infection process is finished to alert the user of the attack. Several LockBit 3.0's code snippets were found to be lifted from the BlackMatter ransomware by Trend Micro researchers when they were debugging the Lockbit 3.0 sample.

Identical ransomware threats

The researchers draw attention to the similarities between BlackMatter's privilege escalation and API harvesting techniques. By hashing a DLL's API names and comparing them to a list of the APIs the ransomware requires, LockBit 3.0 executes API harvesting. As the publically accessible script for renaming BlackMatter's APIs also functions for LockBit 3.0, this procedure is the same as that of BlackMatter.

The most recent version of LockBit also examines the UI language of the victim machine to prevent infection of machines that speak these languages in the Commonwealth of Independent States (CIS) member states.

Windows Management Instrumentation (WMI) via COM objects is used by Lockbit 3.0 and BlackMatter to delete shadow copies. Experts draw attention to the fact that LockBit 2.0 deletes using vssadmin.exe.

The findings coincide with LockBit attacks becoming the most active ransomware-as-a-service (RaaS) gangs in 2022, with the Italian Internal Revenue Service (L'Agenzia delle Entrate) being the most recent target.

The ransomware family contributed to 14% of intrusions, second only to Conti at 22%, according to Palo Alto Networks' 2022 Unit 42 Incident Response Report, which was released and is based on 600 instances handled between May 2021 and April 2022.

Bridgestone USA Alleges to be Infiltrated by a LockBit Ransomware Cell


The LockBit ransomware gang claims to have infiltrated Bridgestone Americas' network and stolen data. It is an American subsidiary of Bridgestone Corporation, a Japanese tire, and automobile components manufacturer. It is a conglomerate of companies with more than 50 manufacturing locations and 55,000 people spread across America. If the corporation does not pay the ransom, Lock bit operators aim to reveal the private documents by March 15, 2022, 23:59. 

Bridgestone began an investigation into "a potential information security incident" on February 27, which was discovered in the morning hours of the same day. The incident remained unknown until recently when the LockBit ransomware gang claimed responsibility for the attack by adding Bridgestone Americas to its list of victims.

LockBit is one of the most active ransomware groups today, demanding significant sums of money in exchange for stolen data. According to a Kaspersky investigation, the ransomware gang utilizes LockBit, a self-spreading malware that uses tools like Windows Powershell and Server Message Block to proliferate throughout an enterprise. 

As per Dragos' study, the transportation and food and beverage industries were the second and third most targeted industries, respectively. LockBit is currently threatening Bridgestone with the release of their data.

The examination by the tire company indicated the attacker followed a "pattern of behavior" which is usual in ransomware assaults. Bridgestone went on to say the attacker had taken information from a small number of its systems and had threatened to make the stolen data public.

In a statement, the company said they are "committed to conducting a rapid and definitive inquiry to identify as swiftly as possible what precise data was obtained" from their environment. "The security of our teammates, customers, and partners' information is extremely important to Bridgestone."

Despite the fact that the LockBit ransomware gang has primarily targeted the industrial and manufacturing sectors, ransomware like the one utilized by the gang can still infect your PC.

To prevent ransomware criminals from getting into users' accounts, Kaspersky recommends using strong passwords and enabling multi-factor authentication. The antivirus firm also advised having system-wide backups in case data was lost due to malware infection. Additionally, keeping your system configurations up to date and following all security measures will help you avoid being a ransomware victim, saving you a lot of time and aggravation.

SFile (Escal) Ransomware Modified for Linux Attacks


The SFile ransomware, also known as Escal, has been ported to work and encrypt data on Linux-based operating systems by its developers. 

Attacks with this new Linux edition were discovered late last year, according to a report published last week by Chinese security firm Rising, which was substantiated by The Record with MalwareHunterTeam, one of the developers of the ID-Ransomware project. 

In February 2020, the SFile (Escal) ransomware was first observed in assaults. The first versions were exclusively designed to encrypt Windows systems. The ransomware has been deployed in targeted assaults against corporate and government networks for the previous two years. 

SFile is typically used in these attacks to encrypt data and leave a ransom note instructing victims to contact the attackers via one of three emails and negotiate a ransom for the decryption key. 

A SFile Linux variation was discovered late last year, following a typical trend in the ransomware ecosystem where groups have developed Linux versions of their payloads, with an encryption strategy identical to its original Windows variant but with a few modifications. 

The option to encrypt data depending on a time range, according to MalwareHunterTeam, was the most intriguing of these—as a way to encrypt current files, which may be more important for some victims and are often not included in recent backups. However, the SFile ransomware is one of the few instances where the victim's name appears in the extension appended to each encrypted file. 

Several Chinese firms were among the most recent victims of SFile assaults. According to the Rising report, one of these victims was Chinese IT business Nuctech, which was sanctioned by the US in late 2020 for giving air travel passenger information to the Chinese government—the company's name was identified in encrypted files in a sample discovered by Rising researchers. 

Despite the presence of a Linux variant, the number of SFile attacks is still limited in comparison to the operation of more well-known ransomware families like Conti, LockBit, Grief, and STOP.

Report: PYSA Emerges as Top Ransomware Actor in November


As per NCC Group, a UK-based risk mitigation organisation, PYSA and Lockbit were the most significant ransomware attacks in November 2021.

Lockbit has been a leading ransomware threat since August of this year, with Conti dominating the landscape as well. Conti's popularity began to fade in November, and PYSA took its place. The total number of organisations infected with PYSA climbed by 50% last month. 

The number of hacked governmental institutions has also increased by 400 per cent, according to the NCC Group. PYSA is for 'Protect Your System Amigo,' and it has been active since late 2019, mostly targeting the education, healthcare, and government sectors.

In March 2021, the FBI issued a warning about PYSA. PYSA was thought to only target Windows systems until September 2021, but the evidence was discovered that the ransomware was getting prepared to target Linux PCs as well. 

NCC Group noted, “PYSA is a malware capable of exfiltrating data and encrypting users’ critical files and data, which typically targets large or high-value finance, government and healthcare organizations.” 

In November, the total number of ransomware assaults was 1.9 per cent higher than in October, with firms in North America and Europe being hit the hardest. According to the NCC Group, ransomware affected 154 companies in North America last month (140 in the United States and 14 in Canada). A total of 96 European victims have been identified, the majority of whom are from the United Kingdom (32), France (14), Italy, and Germany (11 each). 

“The industrial sector continued to be the most targeted sector in November. Meanwhile, automotive, housing, entertainment, and retail businesses overtook technology this month, with attacks targeting the sector decreasing by 38.1%,” NCC Group stated. 

The cybersecurity firm also saw the Everest ransomware group providing paid access to their victims' infrastructure in November. Other groups are also anticipated to forego a ransom demand in the future and instead grant access to the compromised infrastructure.

Russian Organizations Targeted By Outdated Threat Actors


Currently, European and American organizations top the list in ransomware from Russian state sponsored hackers, however, organizations from these countries are not ready for managing file encryption and double extortion problems on their own. Threat actors troubling CIS and Russian based companies are generally LockBit, REvil, DarkSide and many more criminal groups that target high profile victims with critical infrastructure cyberattacks. According to Kaspersky's report on first half of 2021, the Commonwealth of Independent States (CIS) was also targeted by threat actors which attack Russian organizations monthly, meanwhile no such attacks are reported. 

These groups, under unnoticed subcategory of ransomware actors are generally less sophisticated, and mostly use leaked malware or outdated strains, and build their own hacking access instead of buying access to the victims. Some of these famous ransomware families that were used earlier this year against the Russian targets are as followed: XMRLocker, Thanos/Hakbit, Limbozar/VoidCrypt, Fonix/XINOF, CryptConsole, Cryakl/CryLock, Phobos/Eking, Crysis/Dharma, /BigBobRoss. The most effective older strains include Phobos and Dharma. 

Phobos first surfaced in 2017 and reached its final stage in 2020. The threat actors had unauthorised RDP access as the main entry point. It consists of a C++/C malware having similar contextual technicalities to Dharma strain, but has no relation. Dharma came out in the open in 2016 by the name of Crysis, even though outdated, it has one of the most effective encryption schemes. Like Phobos, Dharma has similar unauthorised RDP access following brute-force of credentials and manual planting of malware. 

As per Kaspersky, such attacks come and go, however, they can't be left unnoticed. Kaspersky says these strains are still under development, with threat actors constantly making their strains effective, therefore, they are not without firepower. "Russian companies can prevent many of these threats by simply blocking RDP access, using strong passwords for domain accounts that are changed regularly, and accessing corporate networks through VPN," reports Bleeping Computers.

HHS Cybersecurity Agency Issues Threat Briefing on LockBit Ransomware


A security report on LockBit, a ransomware gang that reportedly published a new variant, has been issued by The Health Sector Cybersecurity Coordination Center. The cybercriminals were behind the highly reported cyberattack on Accenture this summer, wherein the corporation was supposedly threatened with a ransom demand of $50 million. 

LockBit ransomware is a malicious program that prevents users from accessing their computers in return for a ransom demand. LockBit will automatically scan a network seeking valuable targets, spread the virus, and lock all computers that are accessible. This ransomware is employed in very specific cyberattacks against businesses and other organizations. 

LockBit was introduced in September 2019 and began advertising its "ransomware as a service" affiliate scheme in January 2020, according to HC3. 

In May 2020, it began collaborating with Maze, another ransomware organization, and in September of the same year, it debuted its very own leak site. LockBit v2.0 was released in June of this year. Furthermore, according to HC3, it employs a two-pronged extortion scheme involving the StealBit malware. It has improved encryption and circumvents user account control methods. 

"Threat actors continue to view unpatched systems as an easy, if not preferred, method of intrusion," wrote officials from the cybersecurity arm of the U.S. Department of Health and Human Services in its brief. 

It moreover relaunched its affiliate program, wherein affiliates determine the ransom, then choose a payment system, and receive the majority of the money before actually paying the organization. Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan are among the Commonwealth of Independent States countries where the program does not function. 

Based on an interview with a LockBit ransomware operator, the organization concluded that the malicious actors looked to have a "contradictory code of ethics." 

According to HC3, healthcare facilities are ideal targets, but the LockBit affiliate showed "a strong disdain for those who attack healthcare entities while displaying conflicting evidence about whether he targets them himself." 

"The U.S. also has lucrative targets, but with data privacy laws requiring victim companies to report all breaches, the incentive for such entities to pay the ransom is likely somewhat reduced," said HC3. 

"Cybercriminals are avid consumers of security news and remain up to date on the latest research and vulnerabilities, weaponizing that information to use in future attacks," it wrote. 

Threat advisories on various ransomware organizations, including BlackMatter, Conti, and Hive, have recently been published by the federal government. The alerts, however, haven't stopped the flood of ransomware news. Hive hacked a Missouri health center earlier this month and published patient names, Social Security numbers, and medical information on its blog.

HC3 Issues a Warning About a LockBit Ransomware Variant


The Health Sector Cybersecurity Coordination Center issued a threat briefing on LockBit, a ransomware gang that recently published a new variation. The hackers were behind the widely publicized ransomware attack on Accenture this summer, in which the firm was supposedly held hostage for $50 million. Threat actors claimed to have acquired more than six terabytes of data, according to researchers from the cyber intelligence firm Cyble. 

"Through our security controls and protocols, we identified irregular activity in one of our environments," said Accenture in a statement. "We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from backup. There was no impact on Accenture's operations, or on our clients' systems." 

According to Eleanor Barlow, content manager at SecurityHQ, LockBit attacks are recognized for their ability to encrypt Windows domains using Active Directory group settings. When a domain is compromised, the malware generates new group policies and sends them to networked devices. The policies in this case disable antivirus protection and allow malware to be installed.

"Threat actors continue to view unpatched systems as an easy, if not preferred, method of intrusion," wrote officials from the cybersecurity arm of the U.S. Department of Health and Human Services in its brief.

LockBit was founded in September 2019 and began advertising its "ransomware as a service" affiliate scheme in January 2020, according to HC3. In May 2020, it began collaborating with Maze, another ransomware organization, and in September of the same year, it launched its own leak site. LockBit v2.0 was released in June of this year. Now, according to HC3, it employs a double extortion scheme involving the StealBit malware. It has improved encryption and circumvents user account control methods.

It also relaunched its affiliate programme, in which affiliates determine the ransom, choose the payment method, and receive the majority of the money before paying the gang. Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan are not part of the Commonwealth of Independent States. 

According to HC3, hospitals are simple targets, but the LockBit affiliate showed "a great dislike for people who attack healthcare companies while providing contradicting information regarding whether he targets them himself." Although the United States has lucrative targets, data privacy regulations mandating victim organizations to notify all breaches have lowered the incentive for such entities to pay the ransom, according to HC3.

Lockbit Ransomware Suspected Behind the Attacks on Envision Credit Union


Cyberattacks employing a type of ransomware that appeared nearly two years ago have increased in number lately. The ransomware known as LockBit Ransomware, continues to be effective for cyber thieves. 

Trend Micro's cybersecurity analysts recently documented an uptick in LockBit ransomware operations that have surged since the beginning of July. This ransomware-as-a-service first surfaced in September 2019 and has been quite successful, although activities have increased relatively during this summertime. 

Recently, Envision Credit Union has been the victim of a potential ransomware attack that seized its computer networks. There were clear indications of a suspected ransomware attack that surfaced last week, leading to speculation that the entity responsible for the attack was LockBit 2.0. 

LockBit works on the concept of Ransomware as a Service (RaaS), in which they lease out their network and software to legitimate hackers in exchange for a portion of the payment. It is a sort of double extortion in which the perpetrator threatens to expose the victim's personal information or data if the victim does not pay the money. 

Thus according to Datminr, a New York-based cybersecurity firm, the cybercriminals allegedly threatened to expose the stolen information on the 30th of August. 

The Tallahassee Democrat wrote Envision officials with various questions regarding the alleged cyber-attack. A representative only acknowledges the attack as "technical difficulties" and an "event," whilst presenting the Democrat with the following statement: 

“The credit union started experiencing technical difficulties on some of its systems, even though it has already implemented adequate security measures. We are taking all necessary steps to address the issue, which includes establishing an investigation and notifying law enforcement. We are aware of the situation and are working to ensure that the funds of our members were not put at risk.” 

The Kaspersky team has also published a report on the LockBit ransomware gang. According to them, LockBit is the newest in a succession of cybercriminals organizations promoting the ability to automate infiltration of local machines via a domain controller. 

“This ransomware is used for highly targeted attacks against enterprises and other organizations,” Kaspersky researchers said. “As a self-piloted cyberattack, LockBit attackers have made a mark by threatening organizations globally.”

Ransomware operations are on the upswing both internationally and regionally. One such ransomware attack happened in May, where the ransomware gang Darkside targeted the Colonial Pipeline Company, a Houston-based utility corporation that operates the nation's largest refined oil pipeline. 

Researchers also note that sometimes the ransomware attacks are so professionally built that they easily pass the security measure.

Operations of the LockBit Ransomware Group: A Quick Look


Researchers have investigated on how LockBit, one of the more recent ransomware organisations, operates. 

As per the instances this year, ransomware has emerged as one of the most disruptive forms of cybercrime. So far, the world has witnessed the Colonial Pipeline ransomware crisis, which resulted in fuel supply shortages throughout sections of the United States; continuous troubles with Ireland's national health care; and systematic interruption for meat processing major JBS as a result of the infection. 

By 2031, ransomware assaults are expected to cost $265 billion globally, and settlements are now routinely in the millions of dollars, as in the case of JBS. However, there is no guarantee that decryption keys are suitable for their intended use, or that paying once guarantees that a business will not be targeted again. 

According to a Cybereason report issued this week, up to 80% of organisations that were victimised by ransomware and paid the ransom have experienced a second attack, possibly by the same threat actors. 

The danger of ransomware to businesses and essential infrastructure has grown to the point where it was brought up during a meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit. 

Prodaft Threat Intelligence (PTI) published a study (.PDF) on LockBit and its affiliates on Friday. 

According to the study, LockBit, which was previously known as ABCD, uses a RaaS model to give affiliate groups a central control panel where they can produce new LockBit samples, monitor their victims, make blog articles, and view statistics on the success — or failure — of their attacks. 

LockBit affiliates frequently purchase Remote Desktop Protocol (RDP) access to servers as an initial attack vector, however, they may also employ traditional phishing and credential stuffing approaches. 

"Those kinds of tailored access services can be purchased in as low as $5," Prodaft says, "making this approach very lucrative for affiliates." 

Exploits are also utilised to attack vulnerable systems, including Fortinet VPN vulnerabilities on victim machine that have not been fixed. As per the forensic studies of machines attacked by LockBit affiliates, threat organisations will frequently try to find "mission-critical" systems first, such as NAS devices, backup servers, and domain controllers. The data is subsequently exfiltrated, and packages are typically uploaded to services such as MEGA's cloud storage platform. 

After that, a LockBit sample is manually installed, and files are encrypted using an AES key that is generated. Backups are erased, and the system wallpaper is replaced with a ransom notice with a link to a.onion website address where decryption software can be purchased. The website also offers a free decryption 'trial,' in which one file (less than 256KB in size) can be decoded. 

If victims contact attackers, a chat window in the LockBit panel is used to communicate with them. The ransom demand, payment date, method (typically in Bitcoin (BTC)), and directions on how to obtain bitcoin are frequently discussed. Prodaft gained access to the LockBit panel, which revealed affiliate usernames, victim counts, registration dates, and contact information. 

The study team stated that evidence in the affiliate names and addresses indicate that some may also be linked with Babuk and REvil, two other RaaS organisations; however, the inquiry is still ongoing. 

LockBit affiliates look for an average of $85,000 from each victim, with 10 to 30% of that going to the RaaS operators, and the ransomware has attacked thousands of machines around the world. The software and services industry accounted for more than 20% of the victims on the dashboard. 

"Commercial and professional services as well as the transportation sector also highly targeted by the LockBit group," Prodaft says. "However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim." 

LockBit's leak site was unavailable at the time of publication. After breaking into LockBit's systems, the researchers decrypted all of the platform's accessible victims.