Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label LockBit. Show all posts
Ransomware Platform
Cyber Attacks Data Leak LockBit Ransomware Platform

LockBit Ransomware Platform Breached Again, Ops Data Leaked

 

A breach of an administration panel used by the LockBit ransomware outfit resulted in the exposure of information that can be extremely valuable to law enforcement and the cybersecurity community.

The breach was discovered on May 7, when a domain linked with a LockBit administrator panel was vandalised to display the message "Don't do crime, crime is bad xoxo from Prague". The defaced page is also linked to an archive file containing information acquired from the stolen server. 

The leaked data includes private messages exchanged between LockBit affiliates and victims, Bitcoin wallet addresses, affiliate accounts, attack specifics, and malware and infrastructure details. 

Numerous cybersecurity specialists have examined the leaked data. The Bitcoin addresses could assist law enforcement, according to Christiaan Beek, senior director of threat analytics at Rapid7. 

In addition, Luke Donovan, head of threat intelligence at Searchlight Cyber, stated how the leaked data could benefit the cybersecurity community. According to the expert, the leaked user data is most likely related to ransomware affiliates or administrators. In the publicly available data, Searchlight Cyber has found 76 entries, including usernames and passwords.

“This user data will prove to be valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, within those 76 users, 22 users have TOX IDs associated with them, which is a messaging service popular in the hacking community,” Donovan noted.

He added, “These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums, who use the same TOX IDs. By analysing their conversations on hacking forums we’ll be able to learn more about the group, for example the types of access they buy to hack organizations.” 

Searchlight Cyber discovered 208 chats between LockBit affiliates and victims. The messages, which stretch from December 2024 to April 2025, could be "valuable for learning more about how LockBit's affiliates negotiate with their victims". Indeed, Rapid7's Beek noted that the leaked chats illustrate how active LockBit affiliates were during the ransom negotiations. 

“In some cases, victims were pressured to pay just a few thousand dollars. In others, the group demanded much more: $50,000, $60,000, or even $100,000,” Beek stated. 

As for who is responsible for the LockBit hack, Searchlight Cyber's Donovan pointed out that the defacement message is identical to the message displayed last month on the compromised website of a different ransomware outfit, Everest. 

“While we cannot be certain at this stage, this does suggest that the same actor or group was behind the hack on both of the sites and implies that this data leak is the result of infighting among the cybercriminal community,” Beek added. 

On May 8, a statement released on LockBit's breach website admitted the vulnerability of an administration panel but minimised the impact, claiming that victims' decryptors and sensitive data were unaffected. 

LockBitSupp, the mastermind behind the LockBit operation, identified by authorities as Russian national Dmitry Yuryevich Khoroshev, has stated that he is willing to pay for information on the identity of the attacker. 

Law enforcement authorities across the globe have been taking steps to disrupt LockBit, but after inflicting a severe blow last year, the cybercrime operation remains operational and poses a threat to organisations.
Read more »
Software
Cyber Security LockBit Ransomware Software

New Ransomware 'SuperBlack' Abuses Fortinet Firewall Flaws to Launch Attacks

 


A newly discovered ransomware group known as Mora_001 is carrying out cyberattacks by exploiting security weaknesses found in Fortinet's firewall systems. The group is using a custom ransomware strain named SuperBlack to target organizations and lock their data for ransom.

The attackers are taking advantage of two security loopholes that allow them to bypass login protections on Fortinet devices. These issues, listed as CVE-2024-55591 and CVE-2025-24472, were made public by Fortinet earlier this year. Reports indicate that one of these vulnerabilities had been secretly exploited by attackers even before the company officially disclosed it.

Initially, Fortinet clarified that only one of the two bugs had been misused. However, a recent investigation suggests that the second vulnerability was also being exploited during the same period. Researchers from cybersecurity firm Forescout uncovered this while examining attacks that occurred in January and February 2025.


Step-by-Step Breakdown of the Attack

The cybercriminals begin their attack by finding exposed Fortinet firewall devices that haven’t been updated. They then use these security flaws to gain full control over the system.

Once inside, the attackers grant themselves the highest level of access, commonly known as 'super admin' rights. They either use web-based tools or direct network requests to make these changes.

After securing control, they create new administrator profiles with names like forticloud-tech, fortigate-firewall, or adnimistrator. These fake accounts are set up in a way that even if someone deletes them, automated tasks will recreate them instantly.

The hackers then scan the network to understand its layout and start moving from one system to another. They use stolen login details, create new VPN accounts, and rely on common tools like WMIC and SSH to spread across connected machines. They also try to break into systems that use security checks like TACACS+ or RADIUS.

Before locking files, the group copies important data using their own tools. Their main targets include file storage systems, database servers, and computers that control user access across networks. Once the data is stolen, the ransomware is triggered, encrypting files and leaving ransom messages behind.

To make it harder for experts to investigate the attack later, the hackers run a program called ‘WipeBlack’. This tool removes all traces of the ransomware from the system, leaving very little evidence.


Possible Links to a Bigger Ransomware Group

During their investigation, Forescout found that SuperBlack ransomware shares several similarities with the well-known LockBit ransomware group. The coding style and methods used appear to have been copied from LockBit’s earlier leaked tools.

However, it looks like SuperBlack is being operated separately and is not officially part of the LockBit group.

This incident is a reminder of the risks that come with outdated software. Organizations using Fortinet firewalls should install security updates immediately to avoid falling victim to such attacks. Staying updated is crucial in protecting sensitive information from advanced ransomware threats.



Read more »
Ransomware
Cyber Crime LockBit RaaS Ransomware

Look Who’s Back: LockBit Gears Up for a Comeback With Version 4.0

 



The infamous LockBit ransomware group has announced its return with the upcoming release of LockBit 4.0, set for February 2025. This marks a big moment for the group, which has had major setbacks over the last year. A global law enforcement crackdown shut down its operations, with arrests and recovery of nearly 7,000 decryption keys. As other ransomware groups like RansomHub take the lead, it remains uncertain if LockBit can reclaim its former dominance.  


Challenges Facing LockBit’s Return

LockBit's return is definitely not in the cards, though. The group did a lot of damage to itself, mainly because law enforcement was doing their job and newer Ransomware groups were outperforming it. Probably, the development of this 4.0 version involves deep changes in its codebase since the previous variant had been compromised. Experts therefore wonder whether LockBit manages to overcome these obstacles or gets back into the crowded field of ransomware services.

Another emerging favorite is ransomware-as-a-service, where groups start to sell their tools and infrastructure to affiliates in a specific ratio of the profits being extracted by that affiliate. LockBit will find itself competing not just with opponents such as RansomHub but also with variants from the same ransomware assembled using leaked source code.


What to Expect With LockBit 4.0

The group's announcement for LockBit 4.0 has bold claims, enticing potential affiliates with promises of wealth and success. The official launch is scheduled for February 3, 2025, and keys are provided to access their dark web leak site. While specific details about the 4.0 version are unclear, cybersecurity researchers are closely monitoring its development.

The group may also change its tactics to stay off the radar of international law enforcement. In the past, LockBit has been criticized for hitting high-profile victims, including the Toronto Hospital for Sick Children in 2022. After public backlash, the group issued an apology and provided a free decryption key, an unusual move for a ransomware organization.  


The Future

LockBit's ability to stage a successful comeback will depend on its capacity to adapt to the challenges it faces. With competitors gaining ground and its credibility in question, the group's path forward is uncertain. Cybersecurity experts will be watching closely to see how LockBit 4.0 impacts the ransomware infrastructure.

For now, organizations are advised to remain vigilant, as ransomware groups continue to improvise their tactics. Implementing robust security measures and staying informed about emerging threats are critical steps in defending against such attacks.



Read more »
Ransomwares
Akira Ransomware Cyber Security Cyber Threats LockBit Malware Attack malware prevention Malwares RansomHub Ransomwares

2024’s Most Dangerous Malware: A Wake-Up Call for Cybersecurity

 

OpenText, a leader in cybersecurity insights, has released its eagerly awaited “Nastiest Malware of 2024” list, highlighting some of the most destructive and adaptive cyber threats of the year. The list illustrates how ransomware and other malicious software continue to evolve, particularly regarding their impact on critical infrastructure. As cybercriminals refine their tactics, the need to strengthen cybersecurity measures has become increasingly urgent. Organizations around the globe are projected to boost their cybersecurity spending by 14.3% in 2024, raising total investments to over $215 billion, which reflects the magnitude of the challenges posed by these threats. 

LockBit claimed the title of the most dangerous malware of the year. This ransomware-as-a-service (RaaS) entity has demonstrated its ability to evade law enforcement efforts, including those from the FBI. Its ongoing attacks on critical infrastructure showcase its resilience and technical prowess. According to the FBI, LockBit was responsible for 175 reported attacks on essential systems in 2023 alone. The group’s bold ambition to target one million businesses emphasizes its threat level and solidifies its position in the ransomware landscape. 

Akira, a relatively new player, has rapidly gained infamy for its aggressive tactics. This ransomware has been particularly active in industries such as healthcare, manufacturing, and finance, using advanced encryption methods to cause significant disruption. Its retro-inspired branding contrasts sharply with its destructive potential, making it a popular choice among cybercriminal affiliates. 

Meanwhile, RansomHub, which may have connections to the infamous Black Cat (ALPHV) group, has made headlines with its high-profile attacks, including a daring strike on Planned Parenthood that compromised sensitive patient data. 

Other significant threats include Dark Angels, recognized for its precision-targeted attacks on Fortune 50 companies, and Play Ransomware, which takes advantage of vulnerabilities in FortiOS systems and RDP servers. Redline Stealer, while not technically ransomware, this type of threat significantly endangers organizations by focusing on stealing credentials and sensitive information. Each of these threats illustrates how cybercriminals are continually pushing the limits, employing advanced tactics to stay ahead of defenses. 

Muhi Majzoub, OpenText’s EVP and Chief Product Officer, notes that the increase in ransomware targeting critical infrastructure highlights the growing risks to national security and public safety. At the same time, the heightened emphasis on cybersecurity investments is a positive indication that organizations are recognizing these threats. However, the ability of ransomware groups to adapt remains a significant worry, as these criminals continue to leverage new technologies, including artificial intelligence, to create more sophisticated attacks. 

The findings from this year reveal a harsh truth: while progress in cybersecurity is being made, the rapid pace of innovation in malware development poses an ongoing challenge. As companies enhance their vigilance and dedicate more resources to protect vital systems, the battle against cyber threats is far from finished. The changing nature of these attacks requires ongoing adaptation, collaboration, and investment to protect the essential services that support modern society.
Read more »
Security Expert
Covert Operation Cyber Crime FBI LockBit Ransomware Security Expert

This Security Researcher Infiltrated the LockBit Ransomware Outfit and Exposed its Leader

 

As part of a larger plan to gather intelligence and stop cybercrime from within, security researchers are actively pursuing and even infiltrating the groups that commit cybercrimes. To win the trust of cybercriminals, they frequently adopt a James Bond image, fabricating identities and conducting covert operations. Here is the account of one such investigator. 

Cybersecurity expert Jon DiMaggio has uncovered the mysterious boss of the infamous LockBit ransomware group in a story that reads like a contemporary cyber thriller. Under the guise of a cybercriminal, DiMaggio managed to penetrate the inner ring of the gang and identify its leader, Dmitry Khoroshev, before the authorities could make his identity public. This remarkable operation, which DiMaggio detailed at Def Con, is a tale involving tactical deception as well as the psychological toll that such a game can take. 

DiMaggio, a researcher at Analyst1, began his infiltration by creating sockpuppet identities to contact with people associated with LockBitSupp, Khoroshev's online identity. DiMaggio was able to create a realistic cybercriminal personality by monitoring chats and learning about the gang's culture and preferences. Despite his initial refusal to join the group, DiMaggio continued contact with LockBitSupp and developed a close connection. He engaged in informal chats, enquiring about the gang's operations and strategies. 

DiMaggio submitted a report on his discoveries in January 2023, detailing his infiltration and the burning of his fictitious personas. Surprisingly, LockBitSupp took it lightly, even joking about it in forums, which piqued DiMaggio's interest. The relationship turned into a friendly rivalry, with LockBitSupp utilising DiMaggio's LinkedIn photo as an avatar in forums. DiMaggio also mocked the gang by trying to extort them, which raised concerns among several cybercriminals. 

During this time, DiMaggio noticed that LockBitSupp went missing for roughly 12 days. Upon returning, LockBitSupp appeared agitated but continued to communicate with DiMaggio. At the same time, LockBit claimed responsibility for a cyberattack on a Chicago children's hospital, their second after targeting Toronto's SickKids. These activities frustrated DiMaggio so much that he nearly sent an angry mail to LockBitSupp, expressing his intention to pursue him. However, the researcher eventually decided against it.

After law authorities took down LockBit's website, DiMaggio focused on identifying LockBitSupp. An anonymous tip led him to a Yandex email address, which let him track down Dmitry Khoroshev. Unexpectedly, the police updated the seized LockBit website, declaring their intention to divulge the name of LockBitSupp, the administrator. 

At this point, DiMaggio, who had established a working connection with the FBI as a private business partner, contacted them to say that he had identified Khoroshev as LockBit's administrator. DiMaggio intended to prepare a report on his findings and asked the FBI for advice on whether he should postpone publishing it. He reasoned that if the FBI told him to wait, it would probably corroborate that he had identified the right person. However, the FBI recommended him to wait. 

As the Department of Justice prepared to divulge LockBitSupp's name, DiMaggio completed his report. Eventually, the DOJ appointed Dmitry Khoroshev as LockBit's head, allowing DiMaggio to reveal his own detailed findings. 

"This was my first time doxing somebody. And well, they released his name, I released everything else on this dude. I had where he lived, I had his phone numbers, current and previous," DiMaggio stated. "And boy, it was difficult to not just call this guy up on the phone, having his legitimate phone number prior to the indictment, just to see if I had the right guy, but I didn't.” 

DiMaggio sent Khoroshev a note telling him to call it quits from malicious activities. “LockBitSupp, you are a smart guy. You said it's not about the money anymore, and you want to have a million victims before you stop, but sometimes you need to know when to walk away. It is that time, my old friend," DiMaggio wrote. 

Since then, DiMaggio has not heard from Khoroshev. Despite the fact that nothing has happened, he has heard rumours that Khoroshev seeks payback.
Read more »
Ransomware attack
Cyber Attacks cybercriminals data security healthcare sectors LockBit Malware attacks Ransom Demand Ransomware attack

Comparitech Report Reveals Average Ransom Demands of Over $5.2 Million in Early 2024

 

In the first half of 2024, the average ransom demand per ransomware attack reached over $5.2 million (£4.1 million), according to a new analysis by Comparitech. This figure is derived from 56 known ransom demands issued by cybercriminals from January to June 2024. 

The largest of these demands was a staggering $100 million (£78.9 million) following an attack on India’s Regional Cancer Center (RCC) in April 2024. The second-highest confirmed demand was issued to UK pathology provider Synnovis, with attackers demanding $50 million (£39.4 million). This incident led to the cancellation of thousands of operations and appointments at hospitals in South East England, with the Qilin group claiming to have stolen 400GB of sensitive NHS patient data. The third-highest ransom demand in the first half of 2024 targeted Canadian retailer London Drugs in May 2024, with the LockBit group demanding $25 million (£19.7 million). 

Overall, Comparitech’s researchers logged 421 confirmed ransomware attacks during this period, impacting around 35.3 million records. These figures mark a reduction compared to the same period in 2023, which saw 704 attacks affecting 155.7 million records. However, disclosures for the first half of 2024 are ongoing, so these figures may increase. Comparitech also noted an additional 1,920 attacks claimed by ransomware gangs but not acknowledged by the victims. Private businesses experienced the highest number of incidents, with 240 attacks affecting 29.7 million records. 

The government sector followed with 74 attacks impacting 52,390 records, and the healthcare sector reported 63 attacks affecting 5.4 million records. LockBit remains the most prolific ransomware group, responsible for 48 confirmed attacks in the first half of 2024, despite a significant law enforcement operation that temporarily disrupted its activities in February. Following a brief period of dormancy, LockBit resurfaced as the most prominent ransomware group in May 2024, according to an analysis by NCC Group. Other notable ransomware groups during this period include Medusa with 31 attacks, BlackBasta with 27, Akira with 20, 8Base with 17, and INC Ransom with 16. 

The researchers observed an increasing trend among ransomware groups to forego file encryption and instead rely solely on data theft for extortion. This shift in tactics highlights the evolving landscape of ransomware attacks and underscores the need for robust cybersecurity measures.
Read more »
SSNs
Banking Information customer data compromise Data Breach Data Leak IMS Information Security LockBit LockBit ransomware Ransomware attack SSNs

LockBit Ransomware Attack on Infosys McCamish Systems Exposes Sensitive Data of Over Six Million Individuals

 

Infosys McCamish Systems (IMS) recently disclosed that a LockBit ransomware attack earlier this year compromised sensitive information of more than six million individuals. IMS, a multinational corporation specializing in business consulting, IT, and outsourcing services, primarily serves the insurance and financial services industries. The company has a significant presence in the U.S., catering to large financial institutions such as the Bank of America and seven out of the top ten insurers in the country. 

In February 2024, IMS informed the public about the ransomware attack that occurred in November 2023. Initially, the company reported that the personal data of around 57,000 Bank of America customers had been compromised. LockBit, the group responsible for the attack, claimed to have encrypted 2,000 computers within the IMS network. A recent notification to U.S. authorities revealed that the total number of affected individuals now exceeds six million. The notification outlined the steps taken by IMS, including the involvement of third-party eDiscovery experts, to conduct a thorough review of the compromised data. 

This review aimed to identify the personal information accessed and determine the individuals impacted. The compromised data includes a wide range of sensitive information, such as Social Security Numbers (SSNs), dates of birth, medical records, biometric data, email addresses and passwords, usernames and passwords, driver’s license or state ID numbers, financial account information, payment card details, passport numbers, tribal ID numbers, and U.S. military ID numbers. To mitigate the risks associated with this data exposure, IMS is offering affected individuals a free two-year identity protection and credit monitoring service through Kroll. 

The notification letters provided instructions on how to access these services. IMS has not disclosed the full list of impacted clients, but the notification mentioned Oceanview Life and Annuity Company (OLAC), an Arizona-based provider of fixed and fixed-indexed annuities, as one of the affected organizations. The list of impacted data owners may be updated as more customers request to be named in the filing. 

This breach highlights the critical importance of robust cybersecurity measures and the significant impact such attacks can have on both individuals and large financial institutions. The LockBit ransomware attack on IMS serves as a stark reminder of the vulnerabilities within the digital infrastructure of major corporations and the far-reaching consequences of data breaches.
Read more »
Ransomware
cyber attack Cyber Attacks LockBit London Drugs Pharmacy Ransomware

LockBit Ransomware Gang Claims Responsibility for London Drugs Cyberattack






In a recent turn of events, the LockBit ransomware gang has claimed responsibility for the cyberattack on Canadian pharmacy chain London Drugs, which occurred in April. The cybercriminals are now threatening to release sensitive data online after reportedly unsuccessful negotiations with the company.

London Drugs, which employs over 9,000 people across 80 stores in Alberta, Saskatchewan, Manitoba, and British Columbia, was forced to shut down all its retail locations following the April 28 cyberattack. At the time, the company assured the public that there was no evidence indicating that customer or employee data had been compromised.

Despite these reassurances, the LockBit gang has now listed London Drugs on its extortion portal, threatening to publish stolen data unless a $25 million ransom is paid. London Drugs, however, has stated that they are both unwilling and unable to meet this ransom demand.

On May 9, Clint Mahlman, London Drugs' President and Chief Operating Officer, reiterated that a forensic investigation conducted by third-party cybersecurity experts found no evidence of compromised customer databases, including health data. Nevertheless, as a precautionary measure, the company has notified all current employees and offered 24 months of complimentary credit monitoring and identity theft protection services.

The company’s website remains down, displaying an error message indicating an internal server issue. London Drugs has acknowledged that the ransomware gang's claims about stealing files from its corporate head office could potentially include employee information, although they have not provided specifics on the nature or extent of the data possibly impacted.

LockBit, a ransomware-as-a-service operation that surfaced in September 2019, has a notorious history of targeting high-profile organisations worldwide. Despite a significant law enforcement operation in February 2024 that dismantled part of their infrastructure and seized numerous decryption keys, the gang continues to be active. They have moved to new servers and dark web domains, continuing to launch attacks and release stolen data.

The ransomware group has stated that negotiations with London Drugs initially involved an offer of $8 million from the company, a claim for which they provided no evidence. London Drugs maintains that they did not offer any ransom and continues to take all available steps to mitigate the impact of the cyberattack.

Shawnigan Lake-based threat analyst Brett Callow noted that his cybersecurity company, Emsisoft, was immediately aware of LockBit's listing due to their dark net tracking tools. He emphasised the real risk that LockBit might follow through on their threat to release the stolen data.

Authorities have highlighted that LockBit, dominated by Russian-speaking individuals, has no known connections to state-sponsored activities. The ransomware group has previously been linked to several high-profile attacks, including those on Boeing, the Continental automotive giant, and the UK Royal Mail.

London Drugs continues to investigate the extent of the breach and is in contact with relevant authorities. The company has also reassured that it will notify affected individuals in compliance with privacy laws should any customer or employee data be found compromised.

The ongoing saga of LockBit's attacks is a telling marker of the persistent threat of ransomware, stressing upon the importance of robust cybersecurity measures and proactive responses to such incidents.


Read more »
Subscribe to: Posts (Atom)