
LockBit Leaked 4.5 TB Data of Shimano Industry


Shimano Industries, a prominent Japanese multinational manufacturing company specializing in cycling components, fishing tackle, and rowing equipment, fell victim to the world's largest ransomware group, LockBit. The group stole 4.5 terabytes of sensitive company data. 

The company had previously been involved in the production of golf supplies until 2005 and snowboarding gear until 2008. Situated in Sakai, Osaka Prefecture, the corporation operates with 32 consolidated and 11 unconsolidated subsidiaries. Its primary manufacturing facilities are strategically located in Kunshan (China), as well as in Malaysia and Singapore. 

Flashpoint, a company specializing in cyber-crime protection, labels LockBit the 'most active' ransomware group globally and attributes 27.93 percent of all documented ransomware attacks to this particular group. 

As reported by Cycling News, LockBit is a cybercrime group that uses malicious software to break into companies' sensitive data. Once they have the information, they demand money from the targeted companies, threatening to make the compromised data public if payment is not made. 

The announcement asserts that the group has obtained exceptionally sensitive information, encompassing: 

1. Employee details, comprising identification, social security numbers, addresses, and scanned passports. 

2. Financial records, including balance sheets, profit and loss statements, bank statements, various tax forms, and reports. 

3. Client information, involving addresses, internal documents, mail exchanges, confidential reports, legal documents, and results from factory inspections. 

4. Miscellaneous documents, such as non-disclosure agreements, contracts, confidential diagrams and drawings, developmental materials, and laboratory test results. 

Has the Data Been Leaked? 

Earlier this month, Escape Collective initially disclosed that hackers issued a threat to release 4.5 terabytes of confidential data unless Shimano made an undisclosed ransom payment. The compromised data, as outlined by Escape Collective, encompasses confidential employee information, financial records, a client database, and various other sensitive company documents. 

The hackers imposed a deadline for the ransom, set for November 5, 2023. Subsequently, when the stipulated demands went unmet, the message on LockBit's website changed, indicating that "all available data" had been made public. However, notably, there was no corresponding download link provided for accessing the data.

LockBit 3.0 Ransomware: Inside the Million Dollar Cyberthreat


US government organizations have recently published a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) linked with the LockBit 3.0 ransomware. 

The alert was issued jointly by the FBI, CISA, and the Multi-State Information Sharing & Analysis Center (MS-ISAC). 

"The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities said. Since the emergence of LockBit ransomware in 2019, the threat actors have invested in particular technical aids in order to develop and refine its malware, issuing two significant updates: LockBit 2.0, launched in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also termed LockBit Red and LockBit Black, respectively. 

"LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode[…]If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware," according to the alert. 


The ransomware is also designed to only infect devices whose language settings do not match those on an exclusion list, which includes Tatar (Russia), Arabic (Syria), and Romanian (Moldova). The victim's network is accessed through Remote Desktop Protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications. 

Before starting the encryption procedure, the malware first attempts to create persistence, increase privileges, perform lateral movement, and purge log files, files in the Windows Recycle Bin folder, and shadow copies. 

"LockBit affiliates have been observed using various freeware and open source tools during their intrusions[…]These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration," the agencies said. 

One of the prime attributes of the attacks is the use of a custom exfiltration tool, known as StealBit, which the LockBit group makes available to affiliates for double extortion purposes. 

The LockBit ransomware strain has been employed against at least 1,000 victims globally, according to a November report from the US Department of Justice, earning the organization over $100 million in illegal revenues. 

The Upsurge in LockBit Incidents 

Dragos, an industrial cybersecurity company, reported earlier this year that LockBit ransomware was responsible for 21% of the 189 ransomware attacks detected against critical infrastructure in Q4 2022, accounting for 40 such incidents. Most of the affected organizations were in the food and beverage and manufacturing sectors. 

In its recent report, the FBI’s Internet Crime Complaint Center (IC3) ranked LockBit (149), BlackCat (114), and Hive (87) as the top three ransomware variants targeting the infrastructure sector in 2022. 

Despite LockBit's prolific attack campaign, the ransomware gang suffered a severe setback in late September 2022 when a dissatisfied LockBit developer leaked the builder for LockBit 3.0, sparking concerns that other criminal actors would exploit the situation and produce their own variants. 

The advisory comes months after antivirus company Avast offered a free decryptor in January 2023, at a time when the BianLian ransomware organization had switched its emphasis from encrypting its victims' files to straightforward data-theft extortion attempts. 

In a similar development, Kaspersky has released a free decryptor to assist victims whose data has been encrypted by a ransomware variant based on the Conti source code, which emerged after Russia's invasion of Ukraine last year caused internal strife among the core members. 

"Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises," Intel 471 noted last year. "And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation."

Following a Breach at ION Group, LockBit Hackers Received a Ransom

LockBit hackers who took credit for a severe hack at financial data company ION claim that a ransom was paid, although they would not specify the sum or provide any proof that the payment had been transferred. Meanwhile, the ION Group chose not to comment on the situation. 

The UK's National Cyber Security Centre, part of the intelligence agency GCHQ, told Reuters there was nothing further to add. If a ransom is paid, the hacking gang is expected to provide a key to access the files. According to cybersecurity experts, recovery from ransomware often requires decrypting servers file by file, which can take days or weeks. Additionally, a machine whose data has been decrypted cannot be trusted after that point and must be wiped clean and rebuilt from scratch. PCs often speed up the process.

After a business pays a ransom, additional ransomware gangs might try to extort it again by exploiting the same flaws in the company's IT systems. To be completely secure, ransomware victims might choose to redesign their technical infrastructure.

In addition, LockBit, the group behind the ION attack, holds the victims' stolen files hostage and demands payment by February 4 to prevent their disclosure.

The National Cyber Security Centre of the UK advises that ransoms should not be paid. 42 of ION's clients were impacted by the early-morning Tuesday attack, which forced several banks and brokers in Europe and the US to conduct some trades manually, setting them back decades. The FBI has contacted ION management about the attack.

LockBit Ransomware Group

In certain cases, the affiliate of LockBit 3.0 is required to start the ransomware binary using a 32-character password. The typical assault procedure consists of infecting the device, encrypting files, removing specific services, and changing the device's background image.
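As an added illustration of the pre-encryption behaviour the advisory describes (shadow copy deletion and log purging) and the password-gated launch noted above, here is a small detector that runs rules over constructed process-creation events. This is my own example, not code from the advisory or any vendor; the `-pass` argument name is the one documented in the CISA advisory, while the event format, host names and the alphanumeric shape of the 32-character value are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-creation records (Sysmon Event ID 1 style), reduced to
# the fields the detector needs. Sample events only, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws01", "cmdline": "wevtutil cl Security"},
    {"host": "ws02", "cmdline": "C:\\Users\\Public\\lb3.exe -pass 0123456789abcdef0123456789abcdef"},
    {"host": "ws03", "cmdline": "vssadmin.exe list shadows"},  # benign: no deletion
]

# Each rule pairs a name with a regex matched against the lower-cased command line.
RULES: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)")),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+")),
    # Affiliates without the passwordless build must start the binary with a
    # 32-character key; an alphanumeric 32-char value after -pass is the signal
    # (the exact character set is an assumption of this example).
    ("password_gated_launch", re.compile(r"\s-pass\s+[0-9a-z]{32}\b")),
]

def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event's command line triggers."""
    cmd = event["cmdline"].lower()
    return [name for name, pat in RULES if pat.search(cmd)]

def detect(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group triggered rule names by host, de-duplicated, in first-seen order."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for name in match_event(ev):
            if name not in hits[ev["host"]]:
                hits[ev["host"]].append(name)
    return dict(hits)

def severity(rule_names: List[str]) -> str:
    """Two inhibitor/anti-forensic rules on one host match the pre-encryption
    pattern; a password-gated launch is itself high; a lone rule is a lead."""
    if len(rule_names) >= 2 or "password_gated_launch" in rule_names:
        return "high"
    return "medium" if rule_names else "none"

if __name__ == "__main__":
    for host, names in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {severity(names)} -> {', '.join(names)}")
```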

The information can be offered for sale on the dark web if the ransom is not paid. LockBit 3.0 has also been observed abusing a legitimate Windows Defender component to load Cobalt Strike, a security testing tool, in a series of attacks.

Operating with affiliates who may lack the means to develop and launch attacks, LockBit uses a ransomware-as-a-service (RaaS) business model. The associated hacker in this case receives a percentage of the ransom, based on a December 2022 warning from the U.S. Department of Health & Human Services.

Among the most expensive and disruptive concerns for businesses globally in recent years has been ransomware. Several ransomware groups not only encrypt a victim's files in exchange for a ransom payment, but they also steal data and threaten to expose it online as an added inducement to pay up.

Numerous brokers have experienced difficulties because the ransomware attack on ION disrupted the trading and clearing of exchange-traded financial derivatives. Reuters reports that among the numerous ION customers whose operations have been interrupted are ABN Amro Clearing and Intesa Sanpaolo, the largest bank in Italy.

LockBit Latest Variant LockBit 3.0, With BlackMatter Capabilities


Healthcare organizations have been asked to review the IOCs and take proactive steps against the BlackCat and LockBit 3.0 ransomware variants, which are actively targeting the healthcare sector. 

On 2nd December the Department of Health and Human Services Cybersecurity Coordination Center (HC3) published two new analyst notes in which it explained and issued alerts against four ransomware families, namely Venus, Hive, Lorenz, and Royal.

Data from past attacks suggests that well-practiced, properly prepared plans and a clear understanding of the attack are crucial to a successful ransomware response. For the BlackCat and LockBit 3.0 threats in particular, it is highly recommended that the healthcare sector's response to such attacks be planned and proactive. 

“BlackCat can also clear the Recycle Bin, connect to a Microsoft cluster and scan for network devices. It also uses the Windows Restart,” according to the issued alert. 

As per the data, healthcare is among the most targeted industries; the pharmaceutical sector, for example, is constantly targeted by hackers. HC3 believes BlackCat will continue to target the healthcare sector in the foreseeable future. 

The sector is urged to take the “threat seriously and apply appropriate defensive and mitigative actions towards protecting their infrastructure from compromise.” 

Historically, LockBit has operated under the RaaS model, targeted entities for higher ransoms, and leveraged double extortion tactics. The most recent version, LockBit 3.0, comes with advanced extortion tactics and uses a triple extortion model, which asks the victim to pay for their sensitive information. 

“Once on the network, the ransomware attempts to download command and control (C2) tools such as Cobalt Strike, Metasploit, and Mimikatz, encrypted files can only be unlocked with LockBit’s decryption tool,” according to the alert. 

While the group has been targeting health sectors worldwide, the U.S. and its healthcare sectors have been victimized deliberately by the group. HC3 asked the organizations to review the provided IOCs and recommended security measures to prevent further attacks.