LockBit Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Thu, 30 May 2024 21:42:50 +0000

LockBit Leader Identity Revealed, NCA Publishes More Data
https://gridinsoft.com/blogs/lockbit-leader-identity-revealed/
Tue, 07 May 2024 18:08:04 +0000

On May 7, 2024, the UK National Crime Agency published a detailed dossier on the leader of the LockBit ransomware group. Dmitry Khoroshev, known as LockBitSupp, has led one of the most vicious ransomware groups since its inception in 2020. After unmasking him, law enforcement initiated sanctions against him in numerous countries around the world.

NCA Unveils LockBitSupp Identity

Several days earlier, on May 5, 2024, the modified LockBit site that law enforcement put up after the February takedown came back online. Earlier, it hosted a hefty collection of information that law enforcement agencies had extracted from the threat actor's network. This time, however, they went further: instead of court judgments, they promised to publish personal information about the LockBit gang's leader.

[Image: Hacked leak site that LockBit used before the February takedown is back online]

The man behind the nickname LockBitSupp always attracted a lot of attention, both because of the success of his ransomware group and because of a level of publicity never before seen from a ransomware group leader. Even more tempting was his promise to pay $10 million to anyone who could reveal his identity. He was remarkably confident in his anonymity, and for good reason: the huge reward remained unclaimed ever since this "contest" was first announced.

Now, by the looks of it, Dmitry Yurievich Khoroshev owes $10 million to NCA specialists. In the first summary of Operation Cronos, the NCA already threatened to publish his identity, but that was probably a bluff. Not this time: his full personal details were both published and handed to the courts in order to impose personal sanctions, which in particular include the seizure of his personal assets and travel bans.

LockBit Leader Compromised: Will This Stop the Gang?

Despite the overall excitement around the reveal of LockBitSupp's identity, it won't make much difference to the gang. It is just another stain on a reputation that took its first, and much stronger, blow back in February. Deanonymizing the gang's leader puts it in the same row as Evil Corp, whose chief Maksim Yakubets has long been a fixture on the FBI's wanted list.

More important news from the fresh release is an updated pack of data about the affiliates and operations of the ransomware group. The NCA, together with partner law enforcement agencies, published attack statistics, affiliate counts and names, and the geography of attacks.

According to the fresh leak, after the February takedown two thirds of LockBit's affiliates left the business. This was somewhat visible in the decline of the group's activity, though not to that extent. Still, the quality of the attacks noticeably decreased: no big names in the last two months. At the same time, the number of attacks on UK companies plummeted to a similar extent (-73%), a definite reaction to the NCA's effort.

The post LockBit Leader Identity Revealed, NCA Publishes More Data appeared first on Gridinsoft Blog.

LockBit is Back With New Claims and Victims
https://gridinsoft.com/blogs/lockbit-is-back/
Sun, 25 Feb 2024 10:02:17 +0000

The story around the LockBit ransomware takedown on February 19 continues to unfold. After almost a week of downtime and silence, the infamous gang is back online on a new Onion domain, boasting new hacks. To top it all off, the infamous LockBitSupp released a lengthy statement about what happened and what's next.

LockBit Ransomware is Back After Law Enforcement Takedown

Following the takedown of all the Darknet sites belonging to LockBit ransomware, the gang's representatives were mostly silent until February 24, 2024. At around 21:00 GMT, the chief of the cybercrime gang released a long PGP-signed message with an explanation from the hackers' point of view. In it, they describe how they were supposedly hacked and the future of LockBit. Spoiler: not a lot will change, except that LockBitSupp promises to be less lazy.

[Image: PGP-signed message that LockBitSupp published on February 24]

As for how the law enforcement agencies managed to access the servers, a PHP vulnerability is named. CVE-2023-3824, discovered back in August 2023, allows for remote code execution and received a CVSS rating of 9.8/10. Well deserved, considering how popular PHP is; LockBitSupp even supposes that other threat actors who were hacked recently fell victim to this exact vulnerability.

The hacker also supposes that the FBI could have had access to the network for quite some time. The reason law enforcement decided to pull the trigger was the publication of data leaked from the Fulton County court, specifically documents regarding Donald Trump's court cases.

Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates, but all you need to do to not get caught is just quality cryptocurrency laundering. The FBI can sit on your resources and also collect information useful for the FBI, but do not show the whole world that you are hacked…

Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was incompatibility.

LockBitSupp

LockBit Takedown Aftermath

So, what do we see almost a week after the takedown of LockBit? Law enforcement agencies dealt considerable damage to both the group's image and its infrastructure. The amount of leaked information, including decryption keys and data stolen from companies' networks, seriously cuts into the profits of the ransomware gang. And considering the arrests in Poland and Ukraine, the leaks were not only about operational information: personal data of malware operators was also exposed to some extent.

However, this was hardly enough to force the LockBit gang to stop. Sure, they are now starting from scratch, with only a few listings present on their reborn leak page. But they will carry on, taking past mistakes into account. The individuals captured in Eastern Europe are unlikely to be affiliates; more probably they are just server administrators or money mules. LockBit's story keeps rolling, and I'm pretty sure they have a couple of aces up their sleeves.

LockBit Ransomware Taken Down by NCA
https://gridinsoft.com/blogs/lockbit-ransomware-taken-down/
Mon, 19 Feb 2024 22:07:28 +0000

On February 19, 2024, LockBit ransomware was taken down by the UK National Crime Agency in cooperation with several other law enforcement agencies. The banner typical of such takedowns now covers all of LockBit ransomware's web assets. There is considerable hope for the release of decryption keys and even a decryptor tool.

LockBit Taken Down by NCA

On February 19, 2024, analysts noticed that the LockBit leak site on the Darknet had gone offline. Some time later, a banner announcing the takedown appeared. On that banner, the UK National Crime Agency states that this is the result of a successful multinational law enforcement operation called Operation Cronos. The text also invites readers to visit the page the next day, February 20, for more information.

[Image: LockBit takedown NCA banner]

This is not the first takeover of network assets by law enforcement that a high-end ransomware group has suffered. A couple of months ago, a similar story happened to ALPHV/BlackCat, another infamous ransomware group. In their case, however, not all Onion websites were down, and they managed to get access back. That in fact turned into a comic story, where control of the site was more like a reversed game of hot potato.

Nonetheless, the current takedown appears to be as serious as it gets. All the mirrors of their main Darknet site now display the said banner. Well, miracles are possible, but in my humble opinion their onion infrastructure is done. Either that, or the NCA will be quite embarrassed for announcing a disclosure of details at 11:30 GMT and failing to keep the promise.

International Law Enforcement Blocks LockBit Infrastructure

Shortly after the original news release, information from LockBit affiliates arrived. The VX-Underground team shared unique information and a screenshot taken by one of the gang members upon attempting to log into the system.

[Image: affiliate login screenshot]

The text states the following:

Hello [removed]

Law Enforcement has taken control of Lockbit’s platform and obtained all the information held on there. This information relates to the Lockbit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank Lockbitsupp and their flawed infrastructure for this situation… we may be in touch with you very soon.
If you would like to contact us directly, please get in touch: [removed]

In the meantime, we would encourage you to visit the Lockbit leaksite.
Have a nice day.
Regards,
The National Crime Agency of the UK, the FBI, Europol, and the Operation Cronos Law Enforcement

Another piece of information comes from the gang's Tox chat. In a short message, they say that the PHP servers were taken over, while the non-PHP backup servers are fine. Considering the use of obscene language, atypical for LockBit representatives, the situation is rather tense, to say the least.

[Image: Tox note shared by VX-Underground]

LockBit Decryptor Coming Soon?

What is more exciting than the information to be published tomorrow is what will follow. The takedown implies the leaking of decryption keys along with the gang's proprietary decryptor tool. Maybe not all of them are available that easily, but access to such a large chunk of internal information is definitely the key to exposing it all.

The leak and the availability of a decryptor are nothing short of miraculous for the victims. Sure enough, this will not delete the data the fraudsters stole from their networks. But getting all the files back at no cost is much more important. And since it will work even for victims that missed the payment deadline, the question arises once again: why would you pay the ransom? It may be a much more reasonable option to just wait, and it looks like more and more ransomware victims are coming to that view.

UPD 20.02 – LockBit Darknet Site Filled With Leaks and Announcements

At the designated time of 11:30 GMT on February 20, all of LockBit's seized sites started redirecting to what used to be their leak page. Now it is filled with information gathered by law enforcement agencies. In particular, information about the backend structure of the cybercrime network was revealed, including screenshots of the seized servers.

[Image: LockBit site filled with law enforcement leaks]

Aside from that, law enforcement added a tempting teaser: information about the admin of the group, known as LockBitSupp. "The $10m question" will be answered on February 23, 2024. Some of the lower-ranked staff have already been arrested in Poland and Ukraine. Well, LockBitSupp did not lie in saying their group is multinational.

[Image: LockBit decryptor tools]

Even better news is the confirmation of the decryption keys' release, as I predicted in the original text. The keys, along with recovery tools, will be available to any victim upon contacting the NCA (for UK residents), the IC3 (for the US) or the NoMoreRansom project (for everyone else).

What is LockBit Ransomware?

LockBit is one of the most successful ransomware groups currently active. Its efficient software and meticulous attack planning have made it dominant over the last few years. Its ransom sums are large, its attacks are rapid, and its methods are as unprincipled as you can imagine. In brief: nothing short of a leader in the cybercrime industry.

[Image: LockBit ransom note; the note may appear as the desktop wallpaper of the attacked system]

It was obvious that LockBit would sooner or later become a target for law enforcement. They had been attacked before, but in milder forms that led to temporary downtime or an urgent switch to different software. Still, they recognized their mistakes and even opened entire bug bounty programs (!!) for people who could find issues in their software. This, along with continuous modernization of their software and updates to their online infrastructure, is what gave LockBit the image of being unbreakable. And that is why the takedown set the community abuzz.

LockBit Ransomware Uses Resume Word Files to Spread
https://gridinsoft.com/blogs/lockbit-ransomware-resume-word-files/
Fri, 19 Jan 2024 10:01:25 +0000

A recent investigation by ASEC reveals new tactics of the infamous LockBit ransomware. The "post-paid pentesters" started masquerading their payload as innocuous resumes in Word documents. Ironically, this tactic is reminiscent of the group's past modus operandi. It allows the ransomware to infiltrate systems unnoticed.

LockBit Ransomware in action

The LockBit ransomware, known for its damaging impact, has been observed being distributed through Word files disguised as resumes. This method was first noted in 2022 and has since become a prevalent tactic for distributing this ransomware.

The primary tactic involves malicious macros in Word documents. Once opened, these documents trigger the download of additional code from external URLs, which subsequently executes the LockBit ransomware. The filenames of these malicious Word files often resemble typical names or phrases associated with job applications.

Below is a list of the names of Word files that were found spreading malware:

  • [[[231227_Yang**]]].docx
  • 231227_Lee**.docx
  • 231227Yu**,docx
  • Kim**.docx
  • SeonWoo**.docx
  • Working meticulously! A leader in communication!.docx
  • Candidate with a kind attitude and a big smile.docx
  • I will work with an enthusiastic attitude.docx

When a user opens one of these Word files, the document connects to an external URL to download another document containing a malicious macro. Once this macro is executed, it triggers the deployment of the LockBit ransomware through PowerShell commands.

[Image: malicious document requesting permission to run macros]

The downloaded document files contain obfuscated macro code similar to the VBA macros identified in 2022. Ultimately, PowerShell is executed to download and run the LockBit ransomware.
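As an added example (not code from the post, ASEC or Gridinsoft), the scanner below flags .docx files that reference a remote template, which is the mechanism by which a resume document "connects to an external URL to download another document" such as a .dotm. It assumes the download is implemented as an OOXML attachedTemplate relationship with TargetMode="External"; the fixture builder and the URLs in it are constructed for the demonstration.

```python
"""Scan .docx files for a remote (external) attached template.

Added example for this post, not code from ASEC or Gridinsoft. Assumes the
stage-one document pulls its macro-bearing .dotm through an OOXML
attachedTemplate relationship with TargetMode="External".
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

# OOXML namespaces / relationship types from the ECMA-376 package spec.
PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Template extensions that can carry VBA; the URLs in this post ended in .dotm.
MACRO_TEMPLATE_EXTS = (".dotm", ".dot")


def external_template_targets(docx_bytes: bytes) -> List[str]:
    """Return the Target of every attachedTemplate relationship with
    TargetMode="External" found in any word/_rels/*.rels part."""
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    targets.append(rel.get("Target", ""))
    return targets


def classify(docx_bytes: bytes) -> str:
    """Verdict for one document:
    'clean'                 no external template attached
    'remote-template'       external template over another scheme or extension
    'remote-macro-template' http(s) URL ending in a macro-capable extension,
                            i.e. the pattern described in the post."""
    targets = external_template_targets(docx_bytes)
    if not targets:
        return "clean"
    for target in targets:
        url = urlparse(target)
        if url.scheme in ("http", "https") and url.path.lower().endswith(MACRO_TEMPLATE_EXTS):
            return "remote-macro-template"
    return "remote-template"


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed fixture: a minimal .docx with an empty body that optionally
    attaches a remote template. It only exercises the scanner offline and is
    not a real sample from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body/></w:document>",
        )
        zf.writestr(
            "word/settings.xml",
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        # An internal (package-local) relationship: the scanner must ignore it.
        zf.writestr(
            "word/_rels/document.xml.rels",
            f'<Relationships xmlns="{PKG_RELS_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/settings" Target="settings.xml"/>'
            "</Relationships>",
        )
        if template_target is not None:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{PKG_RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_remote_template.py resume1.docx resume2.docx ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        print(f"{classify(data):22s} {path}  {external_template_targets(data)}")
```

A hit on "remote-macro-template" is a strong trigger for quarantining the attachment and checking the proxy logs for the referenced host, since the template fetch happens as soon as the document is opened, before any macro prompt is shown.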

[Image: comparison of the 2022 VBA macro code and the recently discovered VBA macro code]

After finishing the encryption, the ransomware alters the desktop so the user sees a notification. In addition, it creates a ransom note in each folder stating that all data on the system has been encrypted and stolen. The user is then threatened with the data being leaked on the Internet if they refuse to pay the ransom.

[Image: ransom note text file]

Recommendations

Security professionals are advised to block the following addresses associated with LockBit 3.0 ransomware:

  • hxxps://viviendas8[.]com/bb/qhrx1h.dotm
  • hxxps://learndash.825testsites[.]com/b/fgi5k8.dotm
  • hxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm

Beyond blocking these addresses, we recommend following these tips:

  • Be wary of opening Word documents from unknown or unsolicited sources, especially those purporting to be resumes. Also, avoid allowing the execution of macros or other exploitable Microsoft Office elements.
  • Organizations should prioritize cybersecurity awareness training for their employees, emphasizing the risks associated with opening unsolicited email attachments.
  • Regularly back up critical files to minimize the damage in case of a ransomware attack. Ideally, keep an offline backup that is inaccessible to attackers.
  • Use network monitoring tools to proactively detect suspicious activity and potential indicators of compromise. NDR solutions can provide a comprehensive view of events within the perimeter and protect from pretty much any threat.

LockBit Ransomware Exposes Boeing's 50GB of Data Leaked
https://gridinsoft.com/blogs/lockbit-boeing-hack-data-leak/
Tue, 14 Nov 2023 08:54:55 +0000

In a cybersecurity nightmare, Boeing, a global aerospace and defense titan, has fallen victim to the notorious LockBit ransomware group, resulting in the exposure of a staggering 50 gigabytes of sensitive data. The breach came to light on November 15, 2023, as LockBit made good on its threat and published Boeing's confidential information after the aerospace giant refused to meet its ransom demands.

Who is the LockBit Ransomware Gang?

LockBit, operating as a ransomware-as-a-service (RaaS) entity, has been a persistent threat for over four years. With a track record of targets across diverse sectors, including Continental, the UK Royal Mail, the Italian Internal Revenue Service, and the previously reported Boeing listing from October 27, LockBit has extorted approximately $91 million since 2020 in nearly 1,700 attacks against US organizations.

LockBit Leaks Boeing Data on the Darknet

Before the data leak unfolded, LockBit hackers issued stern warnings, accusing Boeing of neglect and threatening to expose a 4GB sample of the most recent files. Boeing, a cornerstone of aviation and defense, stood steadfast against the ransom demands.

[Image: Boeing page on the LockBit data leak site]

On November 10, LockBit carried out its threat, publishing over 43 GB of files from Boeing on the Darknet. The leaked data includes backups for various systems, with the most recent backups timestamped on October 22. Notably, the files encompass configuration backups for IT management software, logs for monitoring and auditing tools, and backups from Citrix appliances, raising concerns about the exploitation of the Citrix Bleed vulnerability.

[Image: supposedly leaked Boeing data]

While Boeing confirmed the cyberattack, it has yet to divulge the breach's specifics. According to Boeing's statements, the leaked data does not compromise flight safety. The decision not to pay the ransom also suggests that the stolen data may not be of critical relevance to Boeing's information security or its clients.

The exposed data allegedly includes names, locations, and contact details of Boeing's suppliers and distributors across Europe and North America. Details about the functions supported within Boeing's structure, including airframe manufacturing, structural mechanics, and computers and electronics, are also part of the compromised information.

Navigating the Aftermath

Boeing’s breach serves as a stark reminder for organizations to reassess their cybersecurity posture continually. The imperative to implement proactive measures, including employee cybersecurity training, network fortification, and timely security patches, is underscored by the evolving tactics of ransomware groups like LockBit.

As Boeing grapples with the fallout of this unprecedented cyberattack, the incident serves as a clarion call for heightened vigilance across industries. The exposed vulnerabilities also highlight the critical need for organizations to invest in robust cybersecurity frameworks to mitigate the ever-growing threat landscape. In the wake of LockBit's audacious move against Boeing, the imperative for international collaboration to combat cyber threats becomes more evident than ever.

Boeing Hack Confirmed, LockBit Group Responsible
https://gridinsoft.com/blogs/boeing-hack-confirmed-lockbit-group-resposible/
Fri, 03 Nov 2023 14:22:04 +0000

Boeing, a major aircraft manufacturer and aerospace and defence contractor in the US, has confirmed the ransomware attack. A week earlier, on October 27, it was listed by the LockBit ransomware gang on their Darknet site. Now, the Reuters agency has confirmed that the incident was real.

Boeing Hacked by LockBit

On October 27, 2023, the LockBit cybercrime group added a listing for the Boeing company on their Darknet website. The hackers use this page to claim successful attacks and keep the listings up until the victim pays the ransom. If the bill is not paid, the hackers publish the leaked data or negotiate its resale to a third party.

[Image: listing of the Boeing company on LockBit's Darknet leak site]

This model, though, has a couple of quirks worth mentioning. There have been enough cases where LockBit listed a company it had never actually hacked, having instead breached one of its subsidiaries or contractors. Once researchers noticed Boeing listed on the Darknet leak site, they hoped that this was exactly what had happened. But, as it turned out, things are less optimistic.

[Image: tweet by a researcher hoping that the listing was due to the hack of a subsidiary]

A couple of days later, Boeing's listing disappeared from the leak site. Soon after, VX-Underground researchers got confirmation from LockBit representatives that negotiations with the company had begun. Several days later, Boeing itself announced a "cyber incident". This is an unambiguous confirmation that the company itself was the target.

[Image: VX-Underground's exchange with LockBit]

Boeing Confirms Ransomware Attack

On Wednesday, November 1, 2023, Boeing officially announced an investigation into a cyberattack that affected several of its divisions. The company specifically names its distribution and parts businesses as the main points of impact. On the other side, LockBit claims to possess a huge amount of sensitive data stolen from the hacked network.

Well, there is a silver lining: Boeing says there is no threat to flight safety. Other things are less promising, especially considering Boeing's massive contracts with the US military. Uncle Sam will not be happy to see blueprints and documents for military equipment and weapons leaked. This becomes especially sour once we recall the possible ties of the LockBit gang to Russia.

Either way, a leak of such information would be a disaster, so it is clear why the company agreed to pay the ransom. Admittedly, they have not said so, but the payment deadline was November 2, and the listing on the LockBit Darknet site did not reappear. And these hackers are certainly not the kind to kick the can down the road and delay the publication of such a leak.

What then?

Over the last few months, Boeing has been one of only a few companies hacked. Many ransomware groups switched to attacks on educational organizations and have kept to that course so far. The Boeing hack should be a cold shower for companies that may have thought they are no longer in the crosshairs and that there is no need to enhance their cybersecurity.

Passive protection measures like network monitors and security solutions are helpful, that is beyond doubt. But keep in mind that closing off the most common attack vectors is what provides the best security. Cybersecurity training for personnel, a network architecture that excludes the most common entry points, and timely installation of the latest security patches: all of this will save money, reputation and time.

3AM Ransomware Backs Up LockBit In Cyberattacks
https://gridinsoft.com/blogs/3am-ransomware-lockbit-backup/
Fri, 15 Sep 2023 14:50:59 +0000

Cybersecurity researchers have discovered a new family of ransomware called 3AM. Attackers attempted to use it as an alternative after a failed LockBit deployment.

3AM Ransomware – The Fallback Variant of LockBit

According to a recent report, cybersecurity experts have discovered a new type of ransomware known as 3AM. Since this ransomware has not been seen before and its use is still limited, experts agree that it is relatively new malware. The attackers used 3AM as a backup to LockBit after their attempt to deploy LockBit on the victim was blocked. Notably, although the attacker installed the ransomware on three machines on the organization's network, it was blocked on two of them.

What is LockBit Ransomware?

In a nutshell, LockBit is a type of ransomware that was first seen in September 2021. It is modular ransomware, meaning attackers can customize it with different components. This makes it a versatile and powerful tool for targeting many victims. LockBit encrypts files on the victim's computer and then demands a ransom payment to get the files back. The ransom amount is typically $1 million or more, depending on the victim.

In addition to demanding payment, LockBit threatens to sell the victim's data on the Dark web if the ransom is not paid. LockBit has been used to attack various organizations, including healthcare providers, government agencies, and businesses, causing significant disruptions in some cases. In fact, it is one of the predominant ransomware gangs active in 2023. After the Conti shutdown, it quickly took over the vacated market share and became the #1 threat for companies.

3AM Ransomware Overview

3AM is written in Rust, and once a machine is infected, it tries to stop several services on it before it starts encrypting. The attackers also use Cobalt Strike to try to escalate privileges and then enumerate other servers for lateral movement. The attackers also created a new user account to stage the victim's files and transfer them to their FTP server.

The program then scans the entire disk, encrypts files matching predefined criteria, and deletes the originals. The encrypted files receive the extension *.threeamtime. In addition, the malware attempts to delete volume shadow copies. In each folder with encrypted files, the program leaves a ransom note, a text file called "RECOVER-FILES.txt".

[Image: 3AM ransom note]

Although new families of ransomware emerge frequently, most of them never gain significant popularity, and some disappear just as quickly. However, since 3AM was used by a LockBit affiliate as a fallback, experts suggest that it may be of interest to attackers and could be seen again in the future.

How to protect against ransomware?

Ransomware is a severe threat to companies of all sizes. Unfortunately, there is no ultimate protection against it. However, there are preventative measures organizations can take to mitigate the risk:

  • Keep your software up to date. Software updates include essential security patches that protect against ransomware attacks. Most software programs have an option for automatic updates, which ensures your software always has the latest security patches.
  • Back up your data regularly. The best way to protect data is an offline backup stored on hard disks. An offline backup is a backup located on a device not connected to your computer or network, so the ransomware cannot encrypt the backup files and you can restore them without paying the ransom.
  • Cloud-based backup solutions can be superior to classic ones. As an alternative to the traditional way of storing backups, this method also keeps data out of the ransomware’s reach, and it makes it easier to restore your data if it is encrypted.
  • Educate your employees. It’s no secret that the weakest link in the line of defense is the human factor. Educating employees on the basics of cyber hygiene and conducting hands-on training to identify red flags is critical. For example, you can show them examples of phishing emails and ask them to determine what is wrong with them.
  • Use a managed security service provider. An MSSP can help you implement and maintain security measures that protect your company from ransomware attacks. In addition, you can free up your internal IT staff to focus on their own tasks and be confident that experts are handling your security.

In addition to the above, there are some universal recommendations to help prevent a ransomware infection. These include using strong passwords, multi-factor authentication, and a firewall.

Fullerton India Hacked, LockBit Leaks 600GB of Data
Published Tue, 09 May 2023 11:43:56 +0000, https://gridinsoft.com/blogs/fullerton-india-lockbit-ransomware/

Fullerton India, a large lending institution from India, appears to be hacked back in early April 2023. It is confirmed by the LockBit ransomware Darknet blog, where hackers listed the company, and now, over a month later, published all the leaked information.

Fullerton, LockBit – who are they?

Fullerton India Credit Company, or Fullerton India for short, is a major lending company that operates across almost the whole country. It offers a wide range of lending programs targeted at both individuals and businesses. The company has almost 700 branches all over India, which allows it to reach even small towns and villages. The latest reports issued by the company mention ~2.3 million customers, net assets of over 2.5 billion, and around 13,000 employees. Such companies – pretty large and related to the financial sector – have always been in the scope of cybercriminals.

The LockBit gang is an infamous hacker group, active since 2019. They have gone through 3 major “epochs” since then, expanding their operations and offering new solutions for their “product”. The gang operates as ransomware-as-a-service and offers a wide range of supplementary services around its “main” product – the ransomware. Specific approaches used in the malware design, together with the mentioned services, make this malware the fastest among the massively used ones. All that made the LockBit gang the most successful ransomware operation on the market: its share of total attacks is over 40%. It seems that at some point they decided to take a break from ransoming American companies and try out something new.

LockBit Publishes Data Leaked From Fullerton India

File encryption is not the only problem created by the threat actors. Before launching the ciphering process, the crooks often steal all the data they can reach. LockBit applies a specific tool that allows them to exfiltrate more data in less time. Then the hackers ask for an additional ransom – otherwise, the data will be published or sold to third parties. Such a practice is known as double extortion. LockBit, however, is known for applying yet another way to pressure their victims: aside from threatening to publish the data, they launch a DDoS attack on the victim’s network and keep it going until the ransom is paid. It is not clear whether the hackers used that trick here as well.

Fullerton India page on the LockBit’s Darknet leak site

Based on the data available on the surface and dark Web, I can assume that the breach itself happened around late March – early April. The first deadline was set to April 29, which means Fullerton was listed ~2 weeks before. Now, however, the final date is set to May 3 – four days past the previous date. The hackers also specified that the company can delay the deadline for $1,000/day. Simple maths suggests that the company has already spent $4,000, and it is not clear whether they paid a ransom for data decryption. The cybercriminals’ demand for withholding the data from publication – $3 million – has definitely not been paid. Fullerton themselves reported the cyberattack only on April 24.

Press release regarding “malware incident” issued by Fullerton India

In the note posted alongside other information about the attacked company, LockBit specifies the amount of leaked data – 600 gigabytes. They also shared some details regarding the data categories available in the leak:

“Loan agreements with individuals and legal companies. Status of customer and organizational accounts. Agreements with banks and other financial institutions. Data on international transfers. Financial documents, including sales information. Mail correspondence on important transactions with attachments. Personal data of the company’s customers. And much more.”
LockBit’s note in the company listing.

How Dangerous is Fullerton Leak?

Most of the data the LockBit gang got their hands on is related to company operations. Thus, the key danger and damage here is to the company’s image. Fullerton is not a publicly-traded company, so news of the hack cannot harm anyone through a drop in share price. Nonetheless, the ransom amounts typically asked by the LockBit group are tangible – much more tangible, in fact, than the cost of the cybersecurity improvements that could prevent such attacks in the future.

A further risk of any cyberattack is that the hackers get a look into the company’s internal architecture. Considering the tight relationships between ransomware gangs, especially ones from Russia, it is logical to suppose that another group of hackers may be interested in attacking companies like Fullerton. And instead of doing long research to find an entry point, they can simply ask their “colleagues” – and get all the information immediately. Security measures should be taken as quickly as possible – and that is true for any cybersecurity incident.

How to protect against LockBit ransomware?

Despite having an advanced payload and auxiliary software, LockBit shares its spreading methods with other ransomware. Email spam is the king of the hill, used in over 60% of all cyber attacks around the world. More target-specific approaches may also be used – like RDP exploitation or other network vulnerabilities. Protecting against them requires a multi-directional approach that is quite hard to implement in one step.

First of all, train your personnel to recognize spam emails. Spotting a fake email may be obvious to an informed person, but not everyone knows how to do it. The easiest way to uncover the fraud is to check the sender’s email address – it will differ from the genuine one. Still, there have been cases where hackers used compromised business emails to perform further attacks. For that reason, I’d recommend having a look at a dedicated article about email phishing and ways to recognize it.

Example of the email message that contains malware

Counteracting network breaches requires the use of specific software. A passive approach is possible – yet far less effective than proactive software solutions. The latter are typically Network Detection and Response systems. They combine the properties of network monitors, firewalls and (partially) anti-malware programs, providing a protective shield over the entire network.

Follow the latest news regarding vulnerabilities. Top-rated security is possible only in an environment that is hard to exploit. When cybersecurity researchers uncover vulnerabilities, or hackers start using a new one in the wild, it is recommended to find and fix these weaknesses promptly. Consider having several cybersecurity blogs on quick dial – and the numbers of your software vendors as well. Nothing saves you more than a fast reaction.

Ransomware Attacks Increasingly Using AuKill Malware to Disable EDR
Published Sun, 07 May 2023 19:35:20 +0000, https://gridinsoft.com/blogs/ransomware-attacks-increasingly-using-aukill-malware-to-disable-edr/

A new cybercrime tool called “AuKill” has emerged, which attackers use to disable endpoint detection and response (EDR) defenses used by enterprises before deploying ransomware.

AuKill malware uses a legitimate but vulnerable device driver to infiltrate systems. Recently, researchers from Sophos discovered one attacker using AuKill before deploying Medusa Locker ransomware and another using it on an already compromised system before installing the LockBit ransomware. The trend is a response to the growing effectiveness of EDR tools, which give security vendors a significant advantage in spotting attacks. Threat actors are targeting the tools that cause them the most trouble.

AuKill drops a driver named PROCEXP.SYS from release version 16.32 of Process Explorer into the same location as the legitimate version of the Process Explorer driver (PROCEXP152.sys). Once on a system, the tool abuses the legitimate driver to execute instructions that shut down EDR and other security controls on the compromised computer. Sophos has analyzed six different versions of AuKill and noticed substantial changes with each new version. Newer versions target more EDR processes and services for termination.

The maliciously installed Process Explorer driver, highlighted in red, in the Drivers folder alongside the legitimate Process Explorer driver, procexp152.sys
AuKill has distributed multiple types of ransomware, including Medusa Locker and LockBit, since the beginning of 2023. Researchers have discovered six different variations of the malware thus far, with the earliest one having a timestamp indicating it was compiled in November of 2022.


These attacks are similar to a series of incidents reported by Sophos, Microsoft, Mandiant, and SentinelOne in December. In those attacks, threat actors used custom-built drivers to disable security products on already compromised systems, leaving them open to further exploitation. Like other drivers, the vulnerable Process Explorer driver that AuKill leverages has privileged access to the systems it is installed on and can interact with and terminate running processes.

Clop and LockBit Ransomware Exploit Fresh Vulnerabilities in PaperCut
Published Fri, 28 Apr 2023 13:51:33 +0000, https://gridinsoft.com/blogs/clop-lockbit-and-papercut/

Microsoft has linked recent attacks on PaperCut servers to ransomware operations by Clop and LockBit, which used vulnerabilities to steal corporate data.

In March 2023, print management solutions provider PaperCut fixed vulnerabilities CVE-2023-27350 (9.8 out of 10 on the CVSS scale, equalling the recently-discovered MSMQ vulnerability) and CVE-2023-27351 (8.2 out of 10 on the CVSS scale).

They allowed attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges, as well as extract usernames, full names, email addresses, and other sensitive data. It was emphasized that such attacks do not require user interaction.

In mid-April, it became known that hackers were already exploiting vulnerabilities, and a PoC exploit for the most dangerous of them appeared in the public domain.

The Clop and LockBit ransomware operations are behind these attacks on PaperCut servers, Microsoft analysts now report, using the bugs to steal corporate data from vulnerable servers.

“Microsoft links recently reported attacks using the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in PaperCut print management software to the delivery of Clop ransomware and attackers tracked as Lace Tempest (aka FIN11 and TA505).”
Written by Microsoft Threat Intelligence experts.

According to the researchers, hackers have been exploiting the PaperCut vulnerabilities since April 13, 2023, using them to gain access to corporate networks. After gaining access to the server, the attackers deploy the TrueBot malware, which is associated with Clop extortion operations, as well as a Cobalt Strike “beacon”, which is used to move laterally across the victim’s network and steal data using the MegaSync file-sharing application.

Microsoft says some of the incidents ended with LockBit ransomware attacks, but it’s not clear if these attacks started before or after the exploits were published.

By the way, the media reported that Canadian police arrested a Russian man involved in LockBit ransomware attacks.

Experts urge all administrators to install the available patches as soon as possible, since other attackers are likely to start exploiting the fresh bugs soon as well. In particular, PaperCut MF and NG users are strongly recommended to upgrade to versions 20.1.7, 21.2.11 or 22.0.9.
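An added example, not part of the original post and not PaperCut’s own tooling: a Python check that compares installed PaperCut MF/NG build numbers against the fixed versions listed above (20.1.7, 21.2.11, 22.0.9) within their own major branch and groups hosts by verdict. The hostnames and versions are a constructed inventory, and treating branches newer than 22 as already patched is an assumption made here.

```python
from __future__ import annotations

# Fixed builds named in the post: a PaperCut MF/NG install at or above the
# fix for its own major branch carries the CVE-2023-27350/27351 patch.
FIXED_VERSIONS = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '21.2.10' or 'v22.0.9 (Build 1)' into a comparable triple."""
    # Only the leading dotted numeric part counts; build tags are ignored.
    token = text.strip().lstrip("vV").split()[0]
    parts = []
    for piece in token.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    while len(parts) < 3:
        parts.append(0)           # '21.2' is read as 21.2.0
    return parts[0], parts[1], parts[2]


def assess(version_text: str) -> str:
    """Classify one installed build against the fixed versions above."""
    ver = parse_version(version_text)
    major = ver[0]
    if major in FIXED_VERSIONS:
        return "PATCHED" if ver >= FIXED_VERSIONS[major] else "VULNERABLE"
    if major > max(FIXED_VERSIONS):
        return "PATCHED"          # assumption: later branches ship the fix
    return "UNSUPPORTED_REVIEW"   # no fixed build listed: check manually


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by verdict so vulnerable servers are patched first."""
    groups: dict[str, list[str]] = {}
    for host, ver in inventory.items():
        groups.setdefault(assess(ver), []).append(host)
    return {label: sorted(hosts) for label, hosts in groups.items()}


# Constructed inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "print-srv-01": "22.0.8",
    "print-srv-02": "22.0.9",
    "print-srv-03": "21.2.11 (Build 66335)",
    "print-srv-04": "v20.1.6",
    "print-srv-05": "19.2.3",
    "print-srv-06": "23.0.1",
}
if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{label:18} {', '.join(hosts)}")
```

Branches for which the post lists no fixed build (anything before 20.x) are deliberately not marked safe; they land in a review bucket instead.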
