Tag Archive for: Gang

Lockbit Ransomware Gang Returns After International Takedown, Arrests


The Lockbit ransomware group is reportedly back online with new servers.

In a lengthy letter posted online this weekend, Lockbit claims that the international group of government agencies that infiltrated it only obtained decryption keys for 2.5% of the attacks the ransomware group has carried out since its inception.

Last week, the US Department of Justice, FBI, the UK National Crime Agency (NCA), Europol, and others announced their joint infiltration of Lockbit’s servers. The US charged two Russian nationals allegedly connected to the ransomware group, and Ukrainian authorities arrested a father-son duo believed to be Lockbit members. At the time, Lockbit administrators said that while their servers that use PHP were infiltrated, their backup servers were “untouched.”

The UK’s NCA has repeatedly asserted that Lockbit is fully compromised in statements provided to PCMag. “The NCA, working with international partners, successfully infiltrated and took control of Lockbit’s systems, and was able to compromise their entire criminal operation,” an agency spokesperson told PCMag via email Monday. “Their systems have now been destroyed by the NCA, and it is our assessment that Lockbit remains completely compromised.”

“We recognized Lockbit would likely attempt to regroup and rebuild their systems,” the NCA continued. “However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues.”

In the letter from a purported Lockbit administrator shared by malware data collector VXUnderground, the admin claims that Lockbit members became “lazy” after they stole enough money to let them live a luxurious lifestyle “on a yacht with titsy [sic] girls.”

The admin then implies that they are a US voter and says Lockbit’s new servers are running a new version of PHP, promising that anyone who reports any critical vulnerabilities for Lockbit’s new systems “will be rewarded.” Their lengthy letter makes a number of other allegations and contradictory statements, including some regarding the FBI’s supposed motives.

The admin admits, however, that even a PHP update “will not be enough” to stop the FBI and other agencies from…

Source…

Loandepot’s recent hack perpetrated by ransomware gang Alphv, Blackcat


Alphv, or Black Cat, a ransomware gang, is taking responsibility for the hack that took down Loandepot’s systems in early January and exposed the data of past and current customers. The same group has allegedly targeted other players in the mortgage industry, including Academy Mortgage and Fidelity National

The criminal organization claims Loandepot initially offered $6 million for the stolen data, but then asked for more time to secure a bigger ransom payment. After that, the mortgage lender allegedly “disappeared,” according to a post by Alphv shared by cybersecurity outlets. Alphv announced it is in the process of selling the customer information on the dark web after the alleged negotiations with the mortgage lender broke down. It previously threatened to do the same with data stolen from Academy Mortgage in May.

Loandepot declined to respond to a request for comment Monday.

At least 16.6 million current and former Loandepot customers’ personally identifiable information was exposed. Alphv claims in its post that the attack was much wider in scope.

The criminals allege that Loandepot did not fully disclose the amount of data stolen and that “multiple databases” downloaded from credit bureaus included the personally identifiable information of people who were not Loandepot borrowers.

In mid-December, the Department of Justice announced a disruption campaign targeting Alphv’s operations. Per the department’s announcement, the FBI developed a decryption tool that allowed law enforcement to offer over 500 affected victims the capability to restore their systems. That same month, international authorities seized the ransomware gang’s dark-web leak site.

Despite this, Alphv has continued to target companies in the financial industry.

The FBI has publicly discouraged companies from paying ransoms, because a payment doesn’t guarantee data recovery and could encourage further attacks.

At least three class action suits are currently pending against Loandepot, alleging that the mortgage lender failed to adequately protect customers’ PII.

One of the suits brought by Jonathan Rosa, a Loandepot borrower, claims the company “[willfully failed] to…

Source…

LockBit ransomware gang disrupted by international law enforcement operation


LockBit — the most prolific ransomware group in the world — had its website seized Monday as part of an international law enforcement operation that involved the U.K.’s National Crime Agency, the FBI, Europol and several international police agencies.

“This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” a seizure notice on the group’s website said. “We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action — this is an ongoing and developing operation.”

The group has far outpaced other ransomware gangs since it emerged in late 2019, with researchers at Recorded Future attributing nearly 2,300 attacks to the group. Conti — the second most active group — has only been publicly linked to 883 attacks.

[Figure: Ransomware Tracker, most prolific groups]

But LockBit has also gained a reputation for the damage it has caused and the organizations it has targeted. Although the group previously claimed to have rules prohibiting attacks on hospitals, it hit Canada’s largest children’s hospital during the 2022 Christmas season, as well as multiple healthcare facilities in the U.S. and abroad. Last month, the group said it was behind a November attack on a hospital system that forced multiple facilities in Pennsylvania and New Jersey to cancel appointments.

“In a highly competitive and cutthroat marketplace, LockBit rose to become the most prolific and dominant ransomware operator,” said Don Smith, vice president of threat research at Secureworks CTU. “It approached ransomware as a global business opportunity and aligned its operations, accordingly, scaling through affiliates at a rate that simply dwarfed other operations.”

The takedown is just the latest in a series of law enforcement actions targeting ransomware gangs — late last year, the FBI and other agencies took down sites and infrastructure belonging to Qakbot, Ragnar Locker and other groups.

“This has been a year of action for the Justice Department in our efforts to pivot to a strategy of disruption,” Deputy Attorney General Lisa Monaco said Friday at…

Source…

DarkGate gang using CAPTCHA to spread malware


Legal advertising tools are being leveraged by cybercriminals to conceal their illicit campaigns and track victims to see how responsive they are to malware links, an analyst warns.

Hewlett Packard’s latest threat insights report was released today (February 15th) and shines a light on DarkGate, a group of web-based criminals who are using legitimate advertising tools to augment their spam-based malware attacks.

HP’s threat research team, HP Wolf Security, says it has tracked DarkGate, which has been observed operating as a malware provider since 2018, and noticed a shift in tactics last year that entailed using legitimate advertisement networks “to track victims and evade detection.”

It added: “By using ad services, threat actors can analyze which lures generate clicks and infect the most users – helping them refine campaigns for maximum impact.”

DarkGate targets potential victims with a carefully crafted email phishing campaign that encourages them to click on an infected PDF file – so far, so normal.

But instead of rerouting the target directly to the payload once they do click, the DarkGate campaign sends them to a legitimate online ad network first.

“The ad URL contains identifiers and the domain hosting the file,” said Wolf Security. “In the backend definition of the ad link, the threat actor defines the final URL, which is not shown in the PDF document. Using an ad network as a proxy helps cybercriminals to evade detection and collect analytics on who clicks their links.”

Turning defense into attack

This ploy also allows DarkGate to lean into the ad company’s own defenses – cunningly using these to conceal its own nefarious activities.

“Since the ad network uses CAPTCHAs to verify real users to prevent click fraud, it’s possible that automated malware analysis systems will fail to scan the malware because they are unable to retrieve and inspect the next stage in the infection chain, helping the threat actor to evade detection,” said Wolf Security.

This has the added benefit of making the lure appear more plausible – being routed through a legitimate ad network domain and asked to pass a CAPTCHA test only adds to the campaign’s veneer of…
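The lure described above hinges on a PDF whose link does not point at the payload host directly but at an ad-network click URL that carries tracking identifiers and the real destination. The following detection helper is an added example, not HP Wolf Security’s code or anything from the report: it pulls URI actions out of a (constructed) PDF and flags links that bounce through a known click-tracking host while embedding a destination host in the query string. The tracker hostname, the query-parameter names and the sample PDF are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed, uncompressed PDF fragment with two /Link annotations (not a real lure).
# The click-tracker URL and its query-parameter layout are assumed for illustration.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
  /URI (https://ads.example-network.test/click?cid=12345&host=files.example-drop.test&id=abc) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
  /URI (https://www.example-vendor.test/invoice) >> >> endobj
%%EOF
"""

# Matches the target of a /URI action. Only works on uncompressed objects; real
# documents need a PDF parser that inflates object streams first (not shown here).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Assumed list of ad click-tracking hosts; an organisation would maintain its own.
AD_CLICK_HOSTS = {"ads.example-network.test"}
# Assumed query keys an ad link might use to carry the onward destination.
DEST_KEYS = ("host", "url", "dest", "redirect", "u")


def extract_uris(pdf_bytes):
    """Return every /URI action target found in the PDF bytes, as str."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)]


def classify_uri(uri):
    """Return a finding dict when a link routes through a click tracker, else None."""
    parts = urlsplit(uri)
    if parts.hostname not in AD_CLICK_HOSTS:
        return None
    params = parse_qs(parts.query)
    dest = next((params[k][0] for k in DEST_KEYS if k in params), None)
    ids = {k: v[0] for k, v in params.items() if k not in DEST_KEYS}
    return {"tracker": parts.hostname, "embedded_dest": dest, "ids": ids}


def scan_pdf(pdf_bytes):
    """Scan a PDF and list links that use an ad network as a redirect proxy."""
    findings = [classify_uri(u) for u in extract_uris(pdf_bytes)]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE_PDF):
        print(finding)
```

A sandbox that cannot pass the CAPTCHA will never see the final stage, so inspecting the document’s links for the embedded destination host is one way to recover an indicator before detonation.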

Source…