Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label LockBit. Show all posts
Software
Cyber Security LockBit Ransomware Software

New Ransomware 'SuperBlack' Abuses Fortinet Firewall Flaws to Launch Attacks

 


A newly discovered ransomware group known as Mora_001 is carrying out cyberattacks by exploiting security weaknesses found in Fortinet's firewall systems. The group is using a custom ransomware strain named SuperBlack to target organizations and lock their data for ransom.

The attackers are taking advantage of two security loopholes that allow them to bypass login protections on Fortinet devices. These issues, listed as CVE-2024-55591 and CVE-2025-24472, were made public by Fortinet earlier this year. Reports indicate that one of these vulnerabilities had been secretly exploited by attackers even before the company officially disclosed it.

Initially, Fortinet clarified that only one of the two bugs had been misused. However, a recent investigation suggests that the second vulnerability was also being exploited during the same period. Researchers from cybersecurity firm Forescout uncovered this while examining attacks that occurred in January and February 2025.


Step-by-Step Breakdown of the Attack

The cybercriminals begin their attack by finding exposed Fortinet firewall devices that haven’t been updated. They then use these security flaws to gain full control over the system.

Once inside, the attackers grant themselves the highest level of access, commonly known as 'super admin' rights. They either use web-based tools or direct network requests to make these changes.

After securing control, they create new administrator profiles with names like forticloud-tech, fortigate-firewall, or adnimistrator. These fake accounts are set up in a way that even if someone deletes them, automated tasks will recreate them instantly.

The hackers then scan the network to understand its layout and start moving from one system to another. They use stolen login details, create new VPN accounts, and rely on common tools like WMIC and SSH to spread across connected machines. They also try to break into systems that use security checks like TACACS+ or RADIUS.

Before locking files, the group copies important data using their own tools. Their main targets include file storage systems, database servers, and computers that control user access across networks. Once the data is stolen, the ransomware is triggered, encrypting files and leaving ransom messages behind.

To make it harder for experts to investigate the attack later, the hackers run a program called ‘WipeBlack’. This tool removes all traces of the ransomware from the system, leaving very little evidence.


Possible Links to a Bigger Ransomware Group

During their investigation, Forescout found that SuperBlack ransomware shares several similarities with the well-known LockBit ransomware group. The coding style and methods used appear to have been copied from LockBit’s earlier leaked tools.

However, it looks like SuperBlack is being operated separately and is not officially part of the LockBit group.

This incident is a reminder of the risks that come with outdated software. Organizations using Fortinet firewalls should install security updates immediately to avoid falling victim to such attacks. Staying updated is crucial in protecting sensitive information from advanced ransomware threats.



Read more »
Ransomware
Cyber Crime LockBit RaaS Ransomware

Look Who’s Back: LockBit Gears Up for a Comeback With Version 4.0

 



The infamous LockBit ransomware group has announced its return with the upcoming release of LockBit 4.0, set for February 2025. This marks a big moment for the group, which has had major setbacks over the last year. A global law enforcement crackdown shut down its operations, with arrests and recovery of nearly 7,000 decryption keys. As other ransomware groups like RansomHub take the lead, it remains uncertain if LockBit can reclaim its former dominance.  


Challenges Facing LockBit’s Return

LockBit's return is definitely not in the cards, though. The group did a lot of damage to itself, mainly because law enforcement was doing their job and newer Ransomware groups were outperforming it. Probably, the development of this 4.0 version involves deep changes in its codebase since the previous variant had been compromised. Experts therefore wonder whether LockBit manages to overcome these obstacles or gets back into the crowded field of ransomware services.

Another emerging favorite is ransomware-as-a-service, where groups start to sell their tools and infrastructure to affiliates in a specific ratio of the profits being extracted by that affiliate. LockBit will find itself competing not just with opponents such as RansomHub but also with variants from the same ransomware assembled using leaked source code.


What to Expect With LockBit 4.0

The group's announcement for LockBit 4.0 has bold claims, enticing potential affiliates with promises of wealth and success. The official launch is scheduled for February 3, 2025, and keys are provided to access their dark web leak site. While specific details about the 4.0 version are unclear, cybersecurity researchers are closely monitoring its development.

The group may also change its tactics to stay off the radar of international law enforcement. In the past, LockBit has been criticized for hitting high-profile victims, including the Toronto Hospital for Sick Children in 2022. After public backlash, the group issued an apology and provided a free decryption key, an unusual move for a ransomware organization.  


The Future

LockBit's ability to stage a successful comeback will depend on its capacity to adapt to the challenges it faces. With competitors gaining ground and its credibility in question, the group's path forward is uncertain. Cybersecurity experts will be watching closely to see how LockBit 4.0 impacts the ransomware infrastructure.

For now, organizations are advised to remain vigilant, as ransomware groups continue to improvise their tactics. Implementing robust security measures and staying informed about emerging threats are critical steps in defending against such attacks.



Read more »
Ransomwares
Akira Ransomware Cyber Security Cyber Threats LockBit Malware Attack malware prevention Malwares RansomHub Ransomwares

2024’s Most Dangerous Malware: A Wake-Up Call for Cybersecurity

 

OpenText, a leader in cybersecurity insights, has released its eagerly awaited “Nastiest Malware of 2024” list, highlighting some of the most destructive and adaptive cyber threats of the year. The list illustrates how ransomware and other malicious software continue to evolve, particularly regarding their impact on critical infrastructure. As cybercriminals refine their tactics, the need to strengthen cybersecurity measures has become increasingly urgent. Organizations around the globe are projected to boost their cybersecurity spending by 14.3% in 2024, raising total investments to over $215 billion, which reflects the magnitude of the challenges posed by these threats. 

LockBit claimed the title of the most dangerous malware of the year. This ransomware-as-a-service (RaaS) entity has demonstrated its ability to evade law enforcement efforts, including those from the FBI. Its ongoing attacks on critical infrastructure showcase its resilience and technical prowess. According to the FBI, LockBit was responsible for 175 reported attacks on essential systems in 2023 alone. The group’s bold ambition to target one million businesses emphasizes its threat level and solidifies its position in the ransomware landscape. 

Akira, a relatively new player, has rapidly gained infamy for its aggressive tactics. This ransomware has been particularly active in industries such as healthcare, manufacturing, and finance, using advanced encryption methods to cause significant disruption. Its retro-inspired branding contrasts sharply with its destructive potential, making it a popular choice among cybercriminal affiliates. 

Meanwhile, RansomHub, which may have connections to the infamous Black Cat (ALPHV) group, has made headlines with its high-profile attacks, including a daring strike on Planned Parenthood that compromised sensitive patient data. 

Other significant threats include Dark Angels, recognized for its precision-targeted attacks on Fortune 50 companies, and Play Ransomware, which takes advantage of vulnerabilities in FortiOS systems and RDP servers. Redline Stealer, while not technically ransomware, this type of threat significantly endangers organizations by focusing on stealing credentials and sensitive information. Each of these threats illustrates how cybercriminals are continually pushing the limits, employing advanced tactics to stay ahead of defenses. 

Muhi Majzoub, OpenText’s EVP and Chief Product Officer, notes that the increase in ransomware targeting critical infrastructure highlights the growing risks to national security and public safety. At the same time, the heightened emphasis on cybersecurity investments is a positive indication that organizations are recognizing these threats. However, the ability of ransomware groups to adapt remains a significant worry, as these criminals continue to leverage new technologies, including artificial intelligence, to create more sophisticated attacks. 

The findings from this year reveal a harsh truth: while progress in cybersecurity is being made, the rapid pace of innovation in malware development poses an ongoing challenge. As companies enhance their vigilance and dedicate more resources to protect vital systems, the battle against cyber threats is far from finished. The changing nature of these attacks requires ongoing adaptation, collaboration, and investment to protect the essential services that support modern society.
Read more »
Security Expert
Covert Operation Cyber Crime FBI LockBit Ransomware Security Expert

This Security Researcher Infiltrated the LockBit Ransomware Outfit and Exposed its Leader

 

As part of a larger plan to gather intelligence and stop cybercrime from within, security researchers are actively pursuing and even infiltrating the groups that commit cybercrimes. To win the trust of cybercriminals, they frequently adopt a James Bond image, fabricating identities and conducting covert operations. Here is the account of one such investigator. 

Cybersecurity expert Jon DiMaggio has uncovered the mysterious boss of the infamous LockBit ransomware group in a story that reads like a contemporary cyber thriller. Under the guise of a cybercriminal, DiMaggio managed to penetrate the inner ring of the gang and identify its leader, Dmitry Khoroshev, before the authorities could make his identity public. This remarkable operation, which DiMaggio detailed at Def Con, is a tale involving tactical deception as well as the psychological toll that such a game can take. 

DiMaggio, a researcher at Analyst1, began his infiltration by creating sockpuppet identities to contact with people associated with LockBitSupp, Khoroshev's online identity. DiMaggio was able to create a realistic cybercriminal personality by monitoring chats and learning about the gang's culture and preferences. Despite his initial refusal to join the group, DiMaggio continued contact with LockBitSupp and developed a close connection. He engaged in informal chats, enquiring about the gang's operations and strategies. 

DiMaggio submitted a report on his discoveries in January 2023, detailing his infiltration and the burning of his fictitious personas. Surprisingly, LockBitSupp took it lightly, even joking about it in forums, which piqued DiMaggio's interest. The relationship turned into a friendly rivalry, with LockBitSupp utilising DiMaggio's LinkedIn photo as an avatar in forums. DiMaggio also mocked the gang by trying to extort them, which raised concerns among several cybercriminals. 

During this time, DiMaggio noticed that LockBitSupp went missing for roughly 12 days. Upon returning, LockBitSupp appeared agitated but continued to communicate with DiMaggio. At the same time, LockBit claimed responsibility for a cyberattack on a Chicago children's hospital, their second after targeting Toronto's SickKids. These activities frustrated DiMaggio so much that he nearly sent an angry mail to LockBitSupp, expressing his intention to pursue him. However, the researcher eventually decided against it.

After law authorities took down LockBit's website, DiMaggio focused on identifying LockBitSupp. An anonymous tip led him to a Yandex email address, which let him track down Dmitry Khoroshev. Unexpectedly, the police updated the seized LockBit website, declaring their intention to divulge the name of LockBitSupp, the administrator. 

At this point, DiMaggio, who had established a working connection with the FBI as a private business partner, contacted them to say that he had identified Khoroshev as LockBit's administrator. DiMaggio intended to prepare a report on his findings and asked the FBI for advice on whether he should postpone publishing it. He reasoned that if the FBI told him to wait, it would probably corroborate that he had identified the right person. However, the FBI recommended him to wait. 

As the Department of Justice prepared to divulge LockBitSupp's name, DiMaggio completed his report. Eventually, the DOJ appointed Dmitry Khoroshev as LockBit's head, allowing DiMaggio to reveal his own detailed findings. 

"This was my first time doxing somebody. And well, they released his name, I released everything else on this dude. I had where he lived, I had his phone numbers, current and previous," DiMaggio stated. "And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn't.” 

DiMaggio sent Khoroshev a note telling him to call it quits from malicious activities. “LockBitSupp, you are a smart guy. You said it's not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend," DiMaggio wrote. 

Since then, DiMaggio has not heard from Khoroshev. Despite the fact that nothing has happened, he has heard rumours that Khoroshev seeks payback.
Read more »
Ransomware attack
Cyber Attacks cybercriminals data security healthcare sectors LockBit Malware attacks Ransom Demand Ransomware attack

Comparitech Report Reveals Average Ransom Demands of Over $5.2 Million in Early 2024

 

In the first half of 2024, the average ransom demand per ransomware attack reached over $5.2 million (£4.1 million), according to a new analysis by Comparitech. This figure is derived from 56 known ransom demands issued by cybercriminals from January to June 2024. 

The largest of these demands was a staggering $100 million (£78.9 million) following an attack on India’s Regional Cancer Center (RCC) in April 2024. The second-highest confirmed demand was issued to UK pathology provider Synnovis, with attackers demanding $50 million (£39.4 million). This incident led to the cancellation of thousands of operations and appointments at hospitals in South East England, with the Qilin group claiming to have stolen 400GB of sensitive NHS patient data. The third-highest ransom demand in the first half of 2024 targeted Canadian retailer London Drugs in May 2024, with the LockBit group demanding $25 million (£19.7 million). 

Overall, Comparitech’s researchers logged 421 confirmed ransomware attacks during this period, impacting around 35.3 million records. These figures mark a reduction compared to the same period in 2023, which saw 704 attacks affecting 155.7 million records. However, disclosures for the first half of 2024 are ongoing, so these figures may increase. Comparitech also noted an additional 1,920 attacks claimed by ransomware gangs but not acknowledged by the victims. Private businesses experienced the highest number of incidents, with 240 attacks affecting 29.7 million records. 

The government sector followed with 74 attacks impacting 52,390 records, and the healthcare sector reported 63 attacks affecting 5.4 million records. LockBit remains the most prolific ransomware group, responsible for 48 confirmed attacks in the first half of 2024, despite a significant law enforcement operation that temporarily disrupted its activities in February. Following a brief period of dormancy, LockBit resurfaced as the most prominent ransomware group in May 2024, according to an analysis by NCC Group. Other notable ransomware groups during this period include Medusa with 31 attacks, BlackBasta with 27, Akira with 20, 8Base with 17, and INC Ransom with 16. 

The researchers observed an increasing trend among ransomware groups to forego file encryption and instead rely solely on data theft for extortion. This shift in tactics highlights the evolving landscape of ransomware attacks and underscores the need for robust cybersecurity measures.
Read more »
SSNs
Banking Information customer data compromise Data Breach Data Leak IMS Information Security LockBit LockBit ransomware Ransomware attack SSNs

LockBit Ransomware Attack on Infosys McCamish Systems Exposes Sensitive Data of Over Six Million Individuals

 

Infosys McCamish Systems (IMS) recently disclosed that a LockBit ransomware attack earlier this year compromised sensitive information of more than six million individuals. IMS, a multinational corporation specializing in business consulting, IT, and outsourcing services, primarily serves the insurance and financial services industries. The company has a significant presence in the U.S., catering to large financial institutions such as the Bank of America and seven out of the top ten insurers in the country. 

In February 2024, IMS informed the public about the ransomware attack that occurred in November 2023. Initially, the company reported that the personal data of around 57,000 Bank of America customers had been compromised. LockBit, the group responsible for the attack, claimed to have encrypted 2,000 computers within the IMS network. A recent notification to U.S. authorities revealed that the total number of affected individuals now exceeds six million. The notification outlined the steps taken by IMS, including the involvement of third-party eDiscovery experts, to conduct a thorough review of the compromised data. 

This review aimed to identify the personal information accessed and determine the individuals impacted. The compromised data includes a wide range of sensitive information, such as Social Security Numbers (SSNs), dates of birth, medical records, biometric data, email addresses and passwords, usernames and passwords, driver’s license or state ID numbers, financial account information, payment card details, passport numbers, tribal ID numbers, and U.S. military ID numbers. To mitigate the risks associated with this data exposure, IMS is offering affected individuals a free two-year identity protection and credit monitoring service through Kroll. 

The notification letters provided instructions on how to access these services. IMS has not disclosed the full list of impacted clients, but the notification mentioned Oceanview Life and Annuity Company (OLAC), an Arizona-based provider of fixed and fixed-indexed annuities, as one of the affected organizations. The list of impacted data owners may be updated as more customers request to be named in the filing. 

This breach highlights the critical importance of robust cybersecurity measures and the significant impact such attacks can have on both individuals and large financial institutions. The LockBit ransomware attack on IMS serves as a stark reminder of the vulnerabilities within the digital infrastructure of major corporations and the far-reaching consequences of data breaches.
Read more »
Ransomware
cyber attack Cyber Attacks LockBit London Drugs Pharmacy Ransomware

LockBit Ransomware Gang Claims Responsibility for London Drugs Cyberattack






In a recent turn of events, the LockBit ransomware gang has claimed responsibility for the cyberattack on Canadian pharmacy chain London Drugs, which occurred in April. The cybercriminals are now threatening to release sensitive data online after reportedly unsuccessful negotiations with the company.

London Drugs, which employs over 9,000 people across 80 stores in Alberta, Saskatchewan, Manitoba, and British Columbia, was forced to shut down all its retail locations following the April 28 cyberattack. At the time, the company assured the public that there was no evidence indicating that customer or employee data had been compromised.

Despite these reassurances, the LockBit gang has now listed London Drugs on its extortion portal, threatening to publish stolen data unless a $25 million ransom is paid. London Drugs, however, has stated that they are both unwilling and unable to meet this ransom demand.

On May 9, Clint Mahlman, London Drugs' President and Chief Operating Officer, reiterated that a forensic investigation conducted by third-party cybersecurity experts found no evidence of compromised customer databases, including health data. Nevertheless, as a precautionary measure, the company has notified all current employees and offered 24 months of complimentary credit monitoring and identity theft protection services.

The company’s website remains down, displaying an error message indicating an internal server issue. London Drugs has acknowledged that the ransomware gang's claims about stealing files from its corporate head office could potentially include employee information, although they have not provided specifics on the nature or extent of the data possibly impacted.

LockBit, a ransomware-as-a-service operation that surfaced in September 2019, has a notorious history of targeting high-profile organisations worldwide. Despite a significant law enforcement operation in February 2024 that dismantled part of their infrastructure and seized numerous decryption keys, the gang continues to be active. They have moved to new servers and dark web domains, continuing to launch attacks and release stolen data.

The ransomware group has stated that negotiations with London Drugs initially involved an offer of $8 million from the company, a claim for which they provided no evidence. London Drugs maintains that they did not offer any ransom and continues to take all available steps to mitigate the impact of the cyberattack.

Shawnigan Lake-based threat analyst Brett Callow noted that his cybersecurity company, Emsisoft, was immediately aware of LockBit's listing due to their dark net tracking tools. He emphasised the real risk that LockBit might follow through on their threat to release the stolen data.

Authorities have highlighted that LockBit, dominated by Russian-speaking individuals, has no known connections to state-sponsored activities. The ransomware group has previously been linked to several high-profile attacks, including those on Boeing, the Continental automotive giant, and the UK Royal Mail.

London Drugs continues to investigate the extent of the breach and is in contact with relevant authorities. The company has also reassured that it will notify affected individuals in compliance with privacy laws should any customer or employee data be found compromised.

The ongoing saga of LockBit's attacks is a telling marker of the persistent threat of ransomware, stressing upon the importance of robust cybersecurity measures and proactive responses to such incidents.


Read more »
rewards
cryptocurrency Cyber Attacks FBI Hackers LockBit LockBit ransomware group ransomware attacks rewards

LockBit Ransomware Group Challenges FBI: Opens Contest to Find Dmitry Yuryevich

 

LockBitSupp, the alleged administrator of the notorious LockBit ransomware group, has responded publicly to recent efforts by the Federal Bureau of Investigation (FBI) and international law enforcement to identify and apprehend him. 

Following the restoration of previously seized domains, law enforcement authorities identified Dmitry Yuryevich Khoroshev as the mastermind behind LockBit operations in a recent announcement. This revelation was accompanied by official sanctions from the U.S., U.K., and Australia, along with 26 criminal charges that collectively carry a maximum sentence of 185 years imprisonment. 

Furthermore, the U.S. Justice Department has offered a substantial $10 million reward for information leading to Khoroshev's capture. Despite these developments, LockBitSupp has vehemently denied the allegations, framing the situation as a peculiar contest on the group's remaining leak site. LockBitSupp has initiated a contest on their leak site, encouraging individuals to attempt contact with Dmitry Yuryevich Khoroshev. They assert that the FBI has misidentified the individual and that Khoroshev is not associated with LockBitSupp. 

The ransomware admin suggests that the alleged identification mistake may have arisen from cryptocurrency mixing with their own funds, attracting the attention of law enforcement. The contest invites participants to reach out to Khoroshev and report back on his well-being, with a reward of $1000 offered for evidence such as videos, photos, or screenshots confirming contact. Submissions are to be made through the encrypted messaging platform Tox, using a specific Tox ID provided by LockBitSupp.  

Additionally, LockBitSupp has shared multiple links to LockBit-associated file-sharing services on the dark web, presumably for individuals to archive details and submit as contest entries. They have also listed extensive personal details alleged to belong to Dmitry Khoroshev, including email addresses, a Bitcoin wallet address, passport, and tax identification numbers. Amidst the contest announcement, LockBitSupp expressed concern for the individual mistakenly identified as them, urging Khoroshev, if alive and aware, to make contact. 

This unusual move by LockBitSupp challenges the assertions made by law enforcement agencies and highlights the complex dynamics of the cyber underworld, where hackers openly taunt their pursuers. LockBitSupp emphasized that the contest will remain active as long as the announcement is visible on the blog. They hinted at the possibility of future contests with larger rewards, urging followers to stay updated for further developments. 

The announcement was uploaded and last updated on May 9, 2024, UTC, leaving the public and cybersecurity community anticipating further developments. Recent indictments have identified Khoroshev as the mastermind behind LockBit operations since September 2019. The LockBit group is alleged to have extorted over $500 million from victims in 120 countries, with Khoroshev reportedly receiving around $100 million from his involvement in the activities.
Read more »
US Department Of Justice
Cyber Crime LockBit Ransomware Gang US Court US Department Of Justice

US Authorities Charge LockBit Ransomware Ringleader

 

US officials have uncovered and indicted the ringleader of LockBit, a widespread ransomware operation that has extorted victims out of half a billion dollars. He is facing over two dozen criminal charges. 

According to a 26-count indictment released on Tuesday, Dmitry Khoroshev, 31, served as LockBit's "developer and administrator," overseeing code development and recruiting affiliates to execute the ransomware on its victims. The alleged cybercriminal got 20% of each ransom payment for his role in the operation, totaling $100 million in cryptocurrency over four years, the US Justice Department noted.

“Today’s indictment…continues the FBI’s ongoing disruption of the BlockBit criminal ecosystem,” FBI Director Christopher Wray noted in the statement. 

Since its founding in 2019, LockBit has allegedly defrauded at least 2,500 individuals across more than 120 countries of at least $500 million in extortion. The U.S. Justice Department noted in its statement that it is also accountable for several billions of dollars' worth of "broader losses" linked to lost profits, incident responses, and ransom recoveries. 

In the indictment, US investigators demanded that Khoroshev surrender his $100 million share of the ill-gotten gains. Meanwhile, the UK, United States, and Australia have sanctioned the mastermind, freezing his assets and prohibiting him from travelling. The US State Department is offering a $10 million prize for information that leads to Khoroshev's capture. The latest charge comes several months after authorities took steps to shut down the ransomware operation. In February, international law enforcement confiscated LockBit's infrastructure, thereby halting operations. Around the same time, US authorities prosecuted two Russian cybercriminals using Lockbit ransomware to target a number of businesses and organisations. 

LockBit's rebuild issue 

The group's attempt to rebuild over the last few months looks to be failing, with the gang still operating at a low capacity and its new leak site being used to publicise victims targeted prior to the takedown, as well as to claim credit for the crimes of others. 

According to the NCA's most recent data, the frequency of monthly LockBit assaults in the UK has decreased by 73% since late February, and those that do occur are carried out by less sophisticated attackers with far lower impact. 

“Since Operation Cronos took disruptive action, LockBit has been battling to reassert its dominance and, most importantly, its credibility within the cyber criminal community,” stated Don Smith, vice-president of SecureWorks’ Counter Threat Unit.
Read more »
ransomware attacks
CDR CISA Cyber Attacks Cyber Defenses cybercriminals EDR endpoint detection and response LockBit Malicious Software Open Source Software ransomware attacks

The Rise of Weaponized Software: How Cyber Attackers Outsmart Traditional Defenses

 

As businesses navigate the digital landscape, the threat of ransomware looms larger than ever before. Each day brings new innovations in cybercriminal techniques, challenging traditional defense strategies and posing significant risks to organizations worldwide. Ransomware attacks have become increasingly pervasive, with 66% of companies falling victim in 2023 alone, and this number is expected to rise. In response, it has become imperative for businesses to reassess their security measures, particularly in the realm of identity security, to effectively combat attackers' evolving tactics.
 
Ransomware has evolved beyond merely infecting computers with sophisticated malicious software. Cybercriminals have now begun exploiting legitimate software used by organizations to conduct malicious activities and steal identities, all without creating custom malware. One prevalent method involves capitalizing on vulnerabilities in Open Source Software (OSS), seamlessly integrating malicious elements into OSS frameworks. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about this growing trend, citing examples like the Lockbit operation, where cyber attackers leverage legitimate, free software for nefarious purposes. Conventional endpoint security solutions often lack the necessary behavior analytics capabilities to detect subtle indicators of compromise. 

As a result, attackers can exploit tools already employed by organizations to acquire admin privileges more easily while evading detection. This underscores the need for organizations to stay abreast of evolving techniques and adapt their defense strategies accordingly. Throughout the ransomware attack lifecycle, cybercriminals employ a variety of tactics to advance their missions. 

From initial infection to data exfiltration, each stage presents unique challenges and opportunities for attackers. For example, attackers may exploit vulnerabilities, manipulate cookies, or employ phishing emails to gain initial access. Once inside a network, they utilize legitimate software for persistence, privilege escalation, lateral movement, encryption, and data exfiltration. 

One critical aspect of mitigating the risk posed by ransomware is embracing an identity-centric defense-in-depth approach. This approach places emphasis on important security controls such as endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR), email security, and patch management. By prioritizing least privilege and behavior analytics, organizations can strengthen their defenses and mitigate the risk of falling victim to ransomware attacks. 

As ransomware attacks continue to evolve and proliferate, organizations must prioritize identity security and adopt a proactive approach to defense. By recognizing and addressing the tactics employed throughout the ransomware attack lifecycle, businesses can bolster their defenses, enhance identity security, and safeguard against the ever-evolving threat of ransomware.
Read more »
Ransomware
AlphaV Cyber Security Cyber Victim Cyberattacks CyberCrime Cybersecurity CyberThreat LockBit Ransomware

Behind the LockBit Takedown: Strategies and Significance

 


It was widely hailed as a major victory for law enforcement to take down LockBit in the sprawling war against ransomware and was considered one of the most important victories for law enforcement. However, after law enforcement takes down ransomware groups, they usually reemerge, albeit with less power to continue their criminal activity. 

There was a back-and-forth tussle between law enforcement and the AlphV ransomware group in December when the group resurfaced on the dark web hours after being taken down by the police. As of today, AlphaV has been active for over ten years and lists new victims on its data leak site. 

Over the past decade, ransomware has become an increasingly prevalent problem worldwide, with modern ransomware gangs running complex businesses, and governments and private companies working together to stop these gangs have been working together for the past year. As a part of Operation Cronos, LockBit's infrastructure was used by the coordinating organizations involved with the operation to publish information about the gang's activities. 

There is no doubt that this activity against LockBit is an important victory, but ransomware continues to be a major threat, even from LockBit. To combat ransomware better, cybersecurity communities need to reflect on some lessons learned to improve the fight against ransomware. There have been instances where a victim has paid LockBit but has yet to receive the data that they promised was deleted from their servers, according to the UK's National Crime Agency (NCA). 

As a result of this, a victim trusts that the criminal will keep their end of the bargain after paying the ransom. This is one of the top risks associated with paying a ransom. The disclosure that LockBit failed to delete the data as promised severely tarnished its reputation. If a ransomware group appears trustworthy, its victims will not be willing to pay. 

Organizations need to be prepared for such eventualities and have plans in place in case of such an event. When a company's data is compromised, it needs to prioritize the creation of a thorough disaster recovery plan and procedure in case of data loss or damage, rather than relying on decryption for the sake of recovery. In response to a law enforcement takedown last week, which resulted in police seizing both LockBit's cyber extortion operations and its darknet site, as well as receiving significant intelligence, the criminals are attempting to relaunch their cyber extortion operation. 

The group's administrator, LockbitSupp, launched a new extortion site on Saturday that contains the names and contact information of five victim companies they are threatening to leak stolen documents. Even so, the site is no longer showing any of the old listings from before the law enforcement operation occurred.

Since its launch four years ago, this prolific ransomware-as-a-service outfit has hosted more than 2,000 documents that have been stolen from its victims. Last Monday, police posted a splash page to the dark web that said that they were in control, the most of any of the several extortion gangs operating on it. A week after LockBit's .onion website was hijacked by the U.K. National Crime Agency (NCA), the gang parodied LockBit's infrastructure in a series of posts about how the police had possessed “unprecedented technological access” to the company's infrastructure. 

To downplay the extent of the access, the ransomware service attempted to downplay it. The arrests of alleged affiliates as well as the shutting down of 14,000 accounts on third-party services have come as a result of the ransomware gang's failure to destroy the data of victims, even after it promised to. In an attempt to minimize the reputational damage caused by police action, a new LockBit post attempts to minimize the damage caused by the action. 

The criminals repeat what they claim in the beginning that police had compromised outdated PHP servers. To counter ransomware-as-a-service (RaaS), agencies will resort to a two-fold attack: first, to disrupt the administrative staff of the gang, and then to disrupt its affiliates. It is generally the task of the administrative staff to manage the data leak site, and the task of the affiliates to deploy the ransomware and encrypt networks is the task of the affiliates. 

There is a significant part of the administration staff that enables criminals, and without them being removed, there will be many more criminals assisting them. A disruption of the administration staff will result in the affiliates of the ransomware gangs working for other ransomware gangs. Infrastructure is used by affiliates themselves, either by purchasing it or by illegally accessing it. 

The tools, network connections, and behaviours of this infrastructure provide a considerable amount of information about this infrastructure. The ransom process exposes some details about the administrators: For the ransom process to proceed, the administrator must provide a method of communication and a method of payment for the ransom to be paid. 

The significance of these details may not seem useful to an organization immediately, but law enforcement and researchers will be able to leverage these details to uncover more about the individuals who committed these crimes. Using details from past incidents, law enforcement was able to disrupt LockBit's infrastructure as well as some affiliates of the group by using information from past incidents. 

Likely, Operation Cronos could not have been undertaken without that information, which was gathered with the assistance of attack victims and the allied agencies of the governmental organizations. The fact that an organization does not need to be a victim to help is an important thing to remember. Private organizations are eager to work with governments and are eager to collaborate with them. 

By partnering with CISA, the US government division that formed the Joint Cyber Defense Collaborative (JCDC) to create a global partnership platform to share critical and timely information to fight ransomware, organizations in the US can contribute to the effort to fight ransomware. Government agencies and public organizations can share information through the JCDC in a bidirectional manner. 

To stay on top of emerging trends as well as identify the infrastructure being used by attackers, CISA and organizations work together. There are several ways in which law enforcement can take advantage of collaboration and information sharing to gain a critical advantage against even the most powerful attacker groups, as the LockBit takedown demonstrated.
Read more »
Ransomware Gang
Cyber Crime Data Leak Extortion Threat Food Vendors LockBit Ransomware Gang

LockBit Ransomware Outfit Claims Subway as its Latest Victim

 

Due to an alleged ransomware attack by the notorious LockBit ransomware gang, the multinational fast-food restaurant giant Subway is facing a potential PR nightmare. Reports suggest Subway’s systems were exploited by the LockBit gang, known for its aggressive modus operandi. 

After the LockBit ransomware organisation claimed to have breached Subway's internal SUBS systems and stolen an abundance of data, the firm launched an investigation. The ransomware-as-a-service provider listed the company on its data leak website, claiming that one of its affiliates took gigabytes of critical details. 

LockBit indicated that they are allowing the company some time to preserve the data, "which includes hundreds of gigabytes of data and all financial of the franchise, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers, etc." If they do not, the notorious outfit plans to sell it to competitors.

The message was posted on January 21, and the criminals gave Subway till February 2 to pay the extortion. However, Subway's spokesperson states that the company is still investigating the hackers' claims. 

For your information, LockBit is one of the most active ransomware groups, having targeted thousands of organisations. The US authorities claimed in June 2023 that the LockBit gang had targeted 1,700 companies in the US since 2020, collecting more than $90 million in ransom. 

Many people were surprised to learn that Subway was unaware of the ransomware attack. However, this is not surprising given that hackers are increasingly focusing on data theft rather than ransomware encryption, since developing, creating, maintaining, and delivering ransomware has become too difficult. Companies have significantly improved their data backup and defence systems; as a result, criminals steal data and demand payment for not releasing it publicly. 

It is worth mentioning that Subway has 20,000 stores worldwide and over 400,000 employees, so the data leak might have long-term consequences for its customers if it unfolds. To protect yourself from online risks, avoid clicking links or opening attachments, use strong passwords, enable two-factor authentication, maintain software and operating systems up to date, and invest in reliable antivirus and anti-malware software. Adequate cyber hygiene is the best approach to fight against cybercrime.
Read more »
Shimano
Canyon Bicycles Cyber Attacks Cybercime Cybersecurity LockBit ransomware attacks Shimano

Shimano's Cyber Siege: A Saga of Resistance Against Ransomware

 


Shimano Industries, a prominent Japanese multinational manufacturing company specializing in cycling components, fishing tackle, and rowing equipment, seems to have been hit by a massive data breach by the ransomware attacker LockBit, who has threatened to release confidential data, including information such as factory inspection results, lab tests and financial documents by 5 November if their demands are not met. 

The group stole 4.5 terabytes of sensitive company data.  The company had previously been involved in the production of golf supplies until 2005 and snowboarding gear until 2008. Situated in Sakai, Osaka Prefecture, the corporation operates with 32 consolidated and 11 unconsolidated subsidiaries. 

Its primary manufacturing facilities are strategically located in Kunshan (China), as well as in Malaysia and Singapore.  LockBit is a major international cybercrime group that uses malware to breach global corporations' security protocols and attempts to extort money in exchange. Its previous targets have included Royal Mail, with the British postal company's international services severely disrupted in January 2023 due to the attack. 

American aeroplane and missiles manufacturer Boeing is the latest victim of the group, with the company officially confirming the attack yesterday. Another major brand hit recently by a similar cybersecurity threat includes Canyon Bicycles. 

A victim who does not make a ransom payment within a few days will have their data posted on the dark web in addition to being threatened with posting their data on the dark web if a ransom payment is not made. 

Shimano Industries Ltd, a Japanese manufacturer of bicycle parts, was recently targeted by a ransomware attack that demanded payment of a ransom. Shimano was unwilling to pay the ransom and the blackmail gang offered to put stolen data online, which is what they did. Now the stolen data is probably widely available online. 

Escape Collective updated their report late last week and said, upon contacting an industry-leading cyber-security firm, it was said that the delay in publishing could be an indication that Shimano was in negotiations. This has been the case until recently.

Several attempts to contact LockBit itself via Sonar, a web messenger that can be used in the Tor darknet browser, have not been successful. In a recent report from LockBit, cybercriminals claim to have successfully penetrated the Japanese manufacturer's network and obtained access to several terabytes of data. It was announced by the attackers that Shimano would publish the stolen data after they ignored their ultimatum. 

The Russian ransomware group LockBit appears to have released much of the company data on its darknet page after the ransom has expired. The company has been releasing 4.5 terabytes of various company data. Now that LockBit has expired, much of the data has been released, however. Shimano did not respond to a request for comment on the matter. 

Experts have yet to clarify who made them. Several financial records and personal information, including financials of employees and customers, have been revealed to have been leaked in the current case. Drawings, diagrams, test evaluations, development material, etc., have also reportedly been reported to have been exposed, as well as contracts and non-disclosure agreements. 

Recently, the Russian-speaking ransomware gang LockBit caused a sensation by attacking the US aircraft manufacturer Boeing. They were one of the most active ransomware gangs at the time. Shimano has yet to release a statement regarding the attack, and it is also not mentioned on the Shimano homepage of any kind regarding the cyberattack. 

It seems that Shimano was hacked by hackers and that cash was not paid to them for this backdoor. It's also clear from the report that sensitive information was leaked. However, the company has not elaborated on its original statements following the hack. A Shimano spokesperson has been contacted by Cycling News and has replied to their inquiry by saying, "This is an internal matter at Shimano and is under investigation. 

For the time being, we cannot address the situation." According to the original ransom note issued by the LockBit group, the following threats were made: “If you do not pay the ransom, we will attack your company again in the future.” 

A researcher in cyber security at the University of Warwick, Dr Harjinder Lallie, explained to Cycling Weekly earlier this month that the leak may lead to intellectual property being transferred to competitors if it is not paid for.
Read more »
Ransomware
Air India LockBit malware National Aerospace Laboratories Ransomware

LockBit Claims Cyberattack on India’s National Aerospace lab

 

LockBit, the infamous ransomware group, has admitted to being behind a cyber assault on India's state-owned aerospace research laboratory. Additionally, during the month of July, LockBit's dark web leaked data of Granules, an Indian pharmaceutical company, as one of its latest targets in a cyber attack. 
 
On Wednesday, LockBit put the National Aerospace Laboratories (NAL) on its dark web leak site, where ransomware groups usually try to get money from their victims. They threatened to share the organization's stolen information unless they paid an unknown amount, according to what TechCrunch found. 

After asserting responsibility for the cyberattack on the National Aerospace Laboratories and posting the claim on the dark web, the hacker collective has presented a daunting ultimatum. They set a deadline of December 18, 2023, at 18:58:48 UTC, emphasizing that if their demands are not met, they will expose the compromised data.  

In an unexpected departure from their usual approach, LockBit has chosen not to reveal any mitigation plans this time. Typically, they would outline a ransom, often starting at $10,000, to secure a 24-hour extension to the deadline. As of the time this information is being shared, the National Aerospace Laboratories (NAL) website is currently inaccessible globally. 

The cause of this website disruption remains uncertain, and it is not clear whether it is linked to the ransomware attack or not. Furthermore, the LockBit released eight documents, claiming they were stolen. These documents include confidential letters, an employee's passport, and various internal records. 

Established in 1959, the National Aerospace Laboratories (NAL) is India's premier aerospace research organization, owned by the government's Council of Scientific and Industrial Research. NAL collaborates closely with entities like ISRO and DRDO, focusing on advanced research in aerospace and related fields, particularly in the development of civilian aircraft. 

As per a collaborative advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its counterparts in Australia, Canada, France, Germany, New Zealand, and the United Kingdom, disclosed information highlights coordinated efforts in the field of cybersecurity. The report also shows that Lockbit has become the most famous used ransomware variant globally in 2022 and 2023.
Read more »
world’s largest organizations
Cyber Crime cybercrime gang Cybersecurity global threats Hacking LockBit world’s largest organizations

Unveiling LockBit: Cybercrime Gang Targeting Global Titans in Hacking Spree

 

Ransomware, a form of malicious software, has a history spanning over three decades. However, it only gained regular attention in popular media over the last ten years.

This type of malware locks access to computer systems or encrypts files until a ransom is paid. Cybercriminal groups now view ransomware as a lucrative scheme, especially with the emergence of "ransomware as a service," which enables various groups to profit from successful ransom demands through affiliate schemes.

One prominent group, LockBit, has garnered attention by showcasing high-profile victims on its website. LockBit refers to both the malware and the group behind it, complicating its identification.

LockBit emerged in 2019 as a stealthy malware aimed at infiltrating organizations, locating valuable data, and encrypting it. Unlike mere data theft, LockBit encrypts data and holds it hostage until a ransom is paid, often resorting to threats of data publication (known as double extortion) if the payment deadline isn't met.

The LockBit group remains largely enigmatic, claiming no specific political allegiance and welcoming an unlimited number of affiliates worldwide solely interested in financial gain. However, they enforce rules prohibiting attacks on certain targets, including critical infrastructure like hospitals and specific post-Soviet countries.

Despite these rules, instances like a Canadian hospital falling victim to LockBit indicate the potential breach of these restrictions by rogue users. Interestingly, LockBit justifies avoiding specific countries due to the high number of members originating from the former Soviet Union, despite the group's current location in the Netherlands.

LockBit's victims range from the United Kingdom's Royal Mail and Ministry of Defence to Japanese company Shimano and aerospace giant Boeing, whose leaked data surfaced after refusing to pay the ransom. LockBit has also allegedly claimed responsibility for the recent ransomware incident involving the Industrial and Commercial Bank of China, linking the group to nearly 2,000 victims in the United States alone.

Ransomware as a service (RaaS) has surged in popularity, mirroring legitimate software services like Microsoft 365, providing cybercriminals with tools to conduct ransomware campaigns efficiently and profitably. These services handle every aspect of the criminal process, enticing new affiliates with a 20% commission and requiring a hefty deposit in Bitcoin.

Preventing ransomware attacks involves robust cybersecurity measures such as system updates, password management, network monitoring, and prompt responses to suspicious activities. The decision to pay a ransom remains subjective for organizations, but bolstering cybersecurity measures can deter criminal groups from targeting easier victims.
Read more »
Vulnerabilities and Exploits
Citrix CitrixBleed Bug DP World LockBit LockBit ransomware Ransomware attack Vulnerabilities and Exploits

Researcher Claims: Teens with “Digital Bazookas” are Winning Ransomware War


One thing that Boeing, the Australian shipping company, the world’s largest bank and the world’s biggest law firm share in common is that they have all suffered a cybersecurity incident, at least once. And, these breaches have apparently been conducted by a teenage hacker, all due to the companies’ failure in patching a critical vulnerability that their security professionals warned about weeks ago, according to a post published by doublepulsar on Monday. 

According to Kevin Beaumont, a freelance security researcher, Some other notable victims of cybersecurity breaches include DP World, the Australian branch of the Dubai-based logistics company DP World; Industrial and Commercial Bank of China; and Allen & Overy, a multinational law firm.

These four companies have recently admitted to being struck with at least one security incident. Also, China's ICBC has allegedly paid an undisclosed amount of ransom to retrieve their encryption keys for data that remained unavailable since the breach. 

Beaumont stated the four businesses are among the ten victims he is aware of that are presently being blackmailed by LockBit, one of the most active and destructive ransomware crime syndicates in the world, citing data that allows the tracking of ransomware operators and those familiar with the breaches. Despite a fix being available since October 10, Beaumont claimed that all four of the organizations had yet to apply it to a critical vulnerability. The companies used the networking solution Citrix Netscaler.

CitrixBleed Bug

With a 9.4 severity rating out of 10, CitrixBleed is an easy-to-exploit vulnerability that reveals session tokens that can be used to negate any multifactor authentication mechanisms inside a vulnerable network. Within the affected victim's internal network, attackers are left with the equivalent of a point-and-click desktop PC and are free to move around.

In his post, Beaumont wrote:

Ransomware groups are often staffed by almost all teenagers and haven’t been taken seriously for far too long as a threat. They are a threat to civil society as long as organizations keep paying.

Focusing on cybersecurity fundamentals for enterprise-scale organizations is a challenge, as often people are chasing after the perceived next big thing—metaverse (remember that?), NFTs, generative AI—without being able to do the fundamentals well. Large-scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly.

The cybersecurity reality we live in now is teenagers are running around in organized crime gangs with digital bazookas. They probably have a better asset inventory of your network than you, and they don’t have to wait 4 weeks for 38 people to approve a change request for patching 1 thing.

Know your network boundary and risky products as well as LockBit do. You need to be able to identify and patch something like CitrixBleed within 24 hours—if you cannot, there is a very real possibility it isn’t the ideal product fit for your organization due to the level of risk it poses, and you need to rethink if the architecture of your house is fit for purpose. 

Vendors like Citrix need to have clear statements of intent for securing their products, as piling on patch after patch after patch is not sustainable for many organizations—or customers should opt with their wallets for more proven solutions. The reality is many vendors are shipping appliance products with cybersecurity standards worse than when I started my career in the late '90s—while also advertising themselves as the experts. Marketing is a hell of a drug.

Beaumont further highlighted query results from the Shodan search service, which showed that at the time of the intrusion, none of the four firms had installed a CitrixBleed patch. The CVE-2023-4966 vulnerability is being monitored.

The researcher additionally condemned Citrix for Netscaler's logging features, which he claimed made it practically impossible for consumers to determine whether they had been hacked. Because of this, it is possible that some users of the CitrixBleed patch were unaware that LockBit was already present on their networks.

However, Boeing refused to comment on the post.

In the case of Citric and Allen& Overy, the emails sent were left unanswered when the post reached Arstechnica. The tech forum further notes that requests for comment from DP World and ICBC were also not immediately followed.

LockBit uses tools like Atera, which offers interactive PowerShell interfaces without triggering antivirus or endpoint detection alerts, to escalate its access to other parts of the compromised network after the CitrixBleed exploit first provides remote access through Virtual Desktop Infrastructure software. This access persists until administrators take specific steps, even after CitrixBleed is patched.  

Read more »
Shimano
cyber attack Data Extortion LockBit Ransomware Shimano

Shimano Suffers Cyberattack: 4.5 Terabytes Company Data Breached


Shimano, the market-leading cycling component manufacturer, has been the subject of a ransomware attack that has affected 4.5 terabytes of important company data. 

The Japanese manufacturing has apparently been targeted by ransomware organization LockBit, who are threatening to expose the data on November 5, 2023, at 18:34:13 UTC, according to a post on X (previously Twitter) by technology security company Falcon Feeds.

The attack, first reported by Escape Collective, is also recorded on the Ransom-db website's Live Ransomware Updates, with Shimano.com listed as a victim of LockBit 3.0 and the date November 2, 2023, as the attack date. 

The whole ransom note is also available on Ransomlook.io, which is known as an open-source initiative intended to support users in tracking ransomware-related posts and actions across numerous sites, forums, and Telegram groups. 

The gang breached highly sensitive data

  • Identification, social security numbers, residences, and passport scans of employees
  • Balance sheets, profit and loss statements, bank statements, and numerous tax forms and reports are examples of financial papers.
  • Addresses, internal documents, postal exchanges, confidential reports, legal documents, and factory inspection findings are examples of client data.
  • Non-disclosure agreements, contracts, confidential designs and drawings, development materials, and laboratory testing are among the other documents.

LockBit is a cybercriminal group that employs malware to compromise critical company data and then tries to extort money in exchange for preventing its public publication. 

Lockbit world's most active ransomware

According to the cyber-crime prevention firm Flashpoint, it is the world's most active ransomware organization, responsible for 27.93% of all known ransomware assaults in the year ending June 2023. It stated a total of 1,036 victims is more than double that of the second-placed organization known as BlackCat. 

Other victims of the cyberattack

Shimano is the latest in a long line of high-profile LockBit victims. Trendmicro reports that the British postal service Royal Mail was attacked in January, virtually suspending its international export services. Dublin software firm Ion Group was targeted in February, while Taiwanese chipmaker TSMC was targeted in June with a US$70 million ransom demand. 

Boeing, the world's largest aircraft manufacturer, is also being extorted by the organization. 

A Shimano spokeswoman told Cyclingnews, "This is an internal matter at Shimano that is being investigated, but we cannot comment on anything at this time."

Aftermath of the attack

It is unclear what ransom, if any, has been sought by the organization at this time, but it is apparent that the revelation will be another significant blow in an already difficult period for the Japanese brand. 

It just announced a global recall of 2.8 million road cranksets due to a long-standing bonding separation issue. As a result, a class-action lawsuit was filed in North America in the weeks that followed. According to its most recent quarterly report, overall sales of bicycle components declined by 24.8%, with operational profitability decreasing by nearly half. 

Read more »
Sony Data Breach
Cyber Attacks Infection time LockBit Ransomware ransomware attacks Ransomware group Sony Data Breach

Time Taken by Ransomware to Infect Systems Witnesses a Significant Drop


The amount of time it will take for a threat actor to completely infect the targeted system with ransomware has decreased significantly over the past 12 months. 

According to a report published by The Register, the average dwell time — the interval between the start of an assault and the deployment of ransomware — was 5.5 days in 2021 and 4.5 days in 2022. The dwell duration was less than 24 hours last year, but less this year. Ransomware was even distributed within five hours after first access in 10% of cases, according to Secureworks' annual State of the Threat Report.

It is interesting to note that the cybersecurity industry has become much better at spotting the activity that occurs before a ransomware outbreak, which is one of the factors contributing to this dramatic decrease in infection time. Because of this, Secureworks explains, "threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex."

Also, this year has witnessed a considerable increase in the number of ransomware victims and data leaks due to the significant emergence of "several new and very active threat groups." Attacks are therefore occurring more frequently and in greater numbers.

The ransomware groups are now majorly utilizing three vectors to try and infect targeted systems. The first is known as scan-and-exploit, which looks for exploitable flaws in a system. When detected, stolen credentials are also exploited, and phishing emails are used to try to deceive people into giving attackers access to secure systems quickly.

Currently, Sony is one of the most recent high-profile victims of ransomware gang, but the company did not yet reveal the extent to which its systems are affected or data stolen. Another ransomware attack was recently witnessed in a Danish cloud-hosting company that compromised most of its customer data. Furthermore, a case came to light when the LockBit ransomware gang stole data from 8.9 million dental insurance customers earlier this year. 

However, on a positive note, the FBI was able to take down the renowned Qakbot botnet, which was revealed to be in charge of 700,000 compromised machines and was utilized in numerous ransomware assaults.  

Read more »
User Privacy
3 am 3 am Ransomware attackers Data Hackers LockBit LockBit ransomware malware Safety Security User Privacy

LockBit Ransomware Falters, Attackers Deploy New '3AM' Malware

 

In a recent cyberattack targeting a construction company, hackers attempted to deploy the LockBit ransomware on a target network but were thwarted. In an unexpected twist, they resorted to a previously unknown ransomware variant called 3AM, successfully infiltrating the system.

The newly discovered ransomware, 3AM, follows a fairly typical pattern by disabling various cybersecurity and backup-related software before encrypting files on the compromised computer. However, it stands out with an unusual theme: the name 3AM, a reference to the eerie hour when only insomniacs, night owls, and malicious hackers are typically active.

Researchers from Symantec highlighted this double-pronged attack in their recent report. It marked the first documented instance of 3AM being used alongside the LockBit ransomware in a single compromised machine.

Dick O'Brien, the principal intelligence analyst for the Symantec threat hunter team, cautioned, "This isn't the first time we've seen attackers employ multiple ransomware families simultaneously, and organizations should be prepared for such scenarios."

Upon gaining access to the target network, the threat actors wasted no time gathering user information and deploying tools for data extraction. They utilized tools like Cobalt Strike and PsExec to escalate privileges and performed reconnaissance tasks such as identifying users and network status. They also sought out other servers for lateral movement and established a new user for persistence. Subsequently, they employed the Wput utility to transfer the victim's files to their FTP server.

Their initial plan was to deploy LockBit ransomware, but the target's robust cybersecurity defenses prevented its execution. Unfortunately for the victim, the attackers had an alternative weapon at their disposal: 3AM ransomware. This malware is characterized by its encryption of files with the ".threeamtime" suffix and references to the time of day in its ransom note.

The ransom note began with an ominous message: "Hello, '3 am' The time of mysticism, isn't it? All your files are mysteriously encrypted, and the systems 'show no signs of life,' the backups disappeared. But we can correct this very quickly and return all your files and operation of the systems to [sic] original state."

In contrast to the creative ransom note, the authors displayed less innovation in the design of the malware itself. 3AM is a 64-bit executable coded in Rust, a language favored by both hackers and defenders. It attempts to terminate various security and backup-related software on the infected machine before proceeding with its primary tasks: scanning the disk, identifying specific file types, encrypting them, delivering the ransom note, and erasing any Volume Shadow (VSS) backup copies of files that could offer a potential lifeline to the victim.

In this particular attack, the hackers only succeeded in deploying 3AM on three machines, with two of them subsequently blocking the malware. However, the third machine was compromised successfully, where LockBit had failed. While the attackers claimed to have stolen sensitive data from this machine, Symantec couldn't independently verify this claim.

When it comes to defending against ransomware attacks, especially multi-faceted ones like this, O'Brien recommends a defense-in-depth strategy. He emphasizes that organizations should focus on addressing all stages of a potential attack rather than solely concentrating on blocking the ransomware payloads. He underscores the importance of early intervention in thwarting cyberattacks, stating that "the earlier you stop an attack, the better."
Read more »
ransomware attacks
BBC Cyber Attacks Cybersecurity Data Breach HMNB LockBit Ministry Of Defence ransomware attacks

UK's Nuclear Submarine Base Faces Unprecedented Threats: Russia Implicated in Shocking Incidents

 


A Russian-linked group of hackers, which has reportedly obtained hundreds of pages of information about critical sites such as HMNB Clyde, which houses the UK's nuclear weapons arsenal, is believed to have targeted the nuclear weapons arsenal at the naval base.

As reported by the news report, LockBit, a notorious ransomware group claimed to have stolen thousands of documents containing sensitive and highly sensitive national security information, along with information about high-security prisons, in the raid. 

The Sunday Mirror reported that there was another high-security target - a GCHQ listening post and the Porton Down chemical weapons lab - that was also targeted. There were 60 incidents reported to the Clyde Naval Base in 2022, up from 16 in 2021, which is an increase of 275% in one year from 16 incidents reported to the base in 2021. 

Threat actors aligned with the Russian government have reportedly carried out attacks against the UK's Ministry of Defence (MoD) and made stolen information available on military and intelligence websites online. 

The Mirror reports that several UK locations, including a nuclear submarine base, a chemical weapons lab, and a listening post for GCHQ have been targeted by hackers who are targeting the database of Zaun, a company that manages physical security at some of Britain's most secretive locations. 

The BBC asked the Ministry of Defense to explain the increase in breaches and to rule out any suggestion that some of these breaches may have been caused by an increase in Russian hacking and cyber-attacks. A dark web website was then created to post the stolen information. 

It is reported in the Mirror that the leaked data can be used to access top-secret websites within the Ministry of Defence, maybe even by criminals. Zaun was attacked by LockBit, a hacking group that has been responsible for the majority of hacking attacks in the world, last month. 

LockBit has been dubbed the world's most dangerous hacking group. Among the most wanted suspects in the gang is Mikhail Matveev, one of the most influential members of the gang. Since March 2022, there have only been two breaches known to have been recorded, compared with 21 breaches in 2020, 19 incidents in 2019, and 10 incidents in 2018. 

A report was released saying that information about the security of the base was leaked online by hackers associated with Russia. As part of the raid by notorious ransomware group LockBit, the newspaper reported that thousands of pages of data were also stolen, including highly sensitive information regarding high-security prisons as well as information about national security details. 

In some studies, security breaches are referred to as incidents such as lost ID cards, the breach of a zone that protects personal electronic devices, general breaches of data protection regulations, misaccounted documentation, and minor security breaches, among others. 

An unpatched Windows 7 PC was used to gain access to one of the firm's manufacturing machines and was running software for it when the breach occurred. The vulnerability has been closed and the machine has been removed," the company wrote in a statement. 

According to the statement, LockBit was able to gain access to some recently sent emails, orders, drawings, and project files from the company, even though Zaun "does not believe that any classified data has been compromised" or could have been accessible by LockBit. 

A cyber-security alert was issued by the UK National Cyber Security Centre (NCSC) about the threat from state-aligned groups to critical national infrastructure (CNI) organizations in the UK in April. The alert warned that groups sympathetic to Russia's invasion of Ukraine were responsible for the emerging threat.

As a result, CNI organizations are strongly encouraged to follow NCSC recommendations when cyber threat levels are heightened because newly emerging groups could launch "destructive and disruptive attacks" with less predictable consequences than traditional cybercriminals, even though these groups may be more likely to launch destructive and disruptive attacks. 

In connection with this attack, the UK National Cyber Security Centre (NCSC) has been contacted, along with the Office of the Information Commissioner (ICO) regarding the leak of data. Zaun has not revealed any details about the equipment that was stolen, and any ransom demands that may have been made have not been released by Zaun. 

Defending the national security of the country has shown to be a significant concern for Labour MP Kevan Jones, who is a member of the Commons Defence Select Committee. The incident has been described as a huge blow to the infrastructure that supports national security, according to security experts. 

The FBI has been monitoring LockBit since 2020, and during this time they have demanded ransom for more than £80 million in a worldwide campaign. It has been reported that three Russian nationals, Rlan Magomedovich Astamirov, Mikhail Vasiliev, and Anatoliy Minakov, have been charged with hijacking LockBit ransomware and have been arrested in the US. 

During the attack, Zaun informed the police of the cyber attack and claimed that there was no compromise of classified documents. Several issues regarding security have been declined by the Government, according to the Mirror. The UK government has put a great deal of emphasis on the significance of the leaked information. 

According to security and intelligence expert Professor Anthony Glees, every detail helps hostile actors break through the UK's defenses. The official also stressed that sloppy protocols, particularly those that are applied by suppliers, are a threat to the safety of the nation.

According to Tobias Ellwood, chair of the Senate Defense Committee, there are concerns about how defense establishments will continue to function without the threat of attack, and an increased level of defense against interference backed by Russia needs to be put into place.
Read more »
Subscribe to: Posts (Atom)