Tag Archive for: LockBit

LockBit copycat DarkVault spurs rebranding rumor

/in


DarkVault, a new ransomware group with a website resembling LockBit’s, may be the latest in a string of copycats mimicking the notorious ransomware-as-a-service (RaaS) gang.  

Security researcher Dominic Alvieri called attention to a redesign of DarkVault’s website on Wednesday. Alvieri’s post on X included a screenshot of a new homepage sporting LockBit’s distinctive style, including a red and white color scheme and similar page headings.

LockBit’s logo was also found on the DarkVault blog. The group’s older website features an image of a black cat lying on a vault, potentially a reference to another ransomware gang, ALPHV/BlackCat.

Cybernews reported that DarkVault may be an attempt by LockBit to rebrand, but Alvieri later clarified that the intention of his post was to make fun of the “copycats.”

DarkVault had posted nine alleged victims on its LockBit imitation site as of Thursday, according to Dark Web Informer, which previously discovered the older DarkVault website with no victims listed on March 29.

LockBit imposters leverage leaked 2022 RaaS builder

DarkVault would not be the first cybercrime group to imitate LockBit, with several using LockBit’s name, branding and leaked ransomware builder in their own attacks.

Trellix noted this trend in a blog published Thursday, which also described the partial revival of the original LockBit since its infrastructure was disrupted by law enforcement in February.  

The builder for the LockBit 3.0 ransomware, also known as LockBit Black, was leaked by one of the gang’s own developers in 2022 – since then, many threat actors have used the builder in their own attacks.

Some use the code as-is with minimal changes, such as the addition of their own version of the ransom note, while others have used the builder as a foundation for new ransomware strains, the researchers from Trellix’s Advanced Research Center wrote.

Dragonforce and Werewolves are two ransomware groups that emerged in 2023 using LockBit Black in their attacks. Dragonforce was found to be using the LockBit code as-is last September, with the exception of the ransom note, while Werewolves is believed to potentially have LockBit affiliates on its team due to…

Source…

LockBit ransomware gang’s power diminished but not eradicated

/in


Although action by UK and US authorities against the LockBit ransomware gang is a major setback for its operations – and is likely to inhibit its ability to recruit affiliates – such criminal groupings are notoriously resilient and will probably just emerge under a different banner in the near future.

That’s according to Check Point Software Technologies’ threat intelligence group manager Sergey Shykevich, who was speaking to TechCentral in an interview on Tuesday.

“LockBit will still have data at its disposal and the possibility that it will use it in some way in the future is highly likely,” he said. “The threat from this criminal gang and other ransomware groups will continue.”

Britain’s National Crime Agency, the US’s Federal Bureau of Investigation, Europol and a coalition of international police agencies cooperated in an operation that took down the LockBit ransomware gang on 19 February.

Graeme Biggar, NCA director-general, said last month law enforcement officers had “successfully infiltrated and fundamentally disrupted LockBit”.

Over the past four years, LockBit has been involved in thousands of ransomware attacks on victims around the world, from high-profile corporate targets to hospitals and schools.

One of its most recent attacks was on the South African Government Employees Pension Fund (GEPF), which noted on 12 March that data purportedly from its administrator, the Government Pensions Administration Agency (GPAA), had been released by LockBit.

The fund said the GPAA had confirmed that preventive action was taken when it became aware of the attempted access to its systems. The action included “shutting down” all systems to isolate affected areas.

Prolific

The GEPF’s clients include about 1.265-million active members from more than 325 government departments as well as some 475 000 pensioners and other beneficiaries, but the GPAA said pension payments were not affected.

LockBit was the most prolific ransomware group globally until its operations were disrupted, and was by far the most active ransomware gang in South…

Source…

STOP ransomware, more common than LockBit, gains stealthier variant

/in


StopCrypt, the most common ransomware family of 2023, has a new variant leveraging more advanced evasion tactics.

StopCrypt, also known as STOP/DJVU, surpassed the LockBit ransomware family in detections in 2023, according to Trend Micro’s 2023 Annual Cybersecurity Report published last week. STOP typically targets smaller targets with an average ransom payment size of $619 in the first half of 2023, according to a mid-year report by Chainalysis.

SonicWall reported Tuesday that a new StopCrypt variant employes several evasion tactics in a multi-stage shellcode deployment process, including a long delay loop, dynamic API resolution and process hollowing, or the replacement of code in a legitimate executable to malicious code.

‘Msjd’ StopCrypt ransomware attempts to dodge anti-virus protection

The StopCrypt variant studied by SonicWall’s Capture Labs begins its stealth mission by copying the same data to a location more than 65 million times in a delay loop likely intended to dodge time-sensitive anti-virus mechanisms such as sandboxing.

It then employs multiple stages of dynamic API resolution — calling APIs at runtime rather than linking them directly. This prevents anti-virus detection of artifacts created by direct API calls from static links in the malware code.  

After taking a snapshot of the current processes using CreateToolHelp32Snapshot, extracting information using Module32First, and calling VirtualAlloc to allocate memory with read, write and execute permissions, the malware enters a second stage in which it dynamically calls additional APIs to perform process hollowing.

Ntdll_NtWriteVirtualMemory is used to write malicious code into a suspended process created with kernel32_CreateProcessA.

When the suspended process is resumed, the final ransomware payload launches icacls.exe to modify access control lists to prevent the ability to modify or delete a new directory and files created by StopCrypt. The ransomware encrypts the user’s files and adds the extension “.msjd.”

The ransomware note found in the variant studied by SonicWall includes a demand for $980, with a “discount” offer of $490 if the victim contacts the threat actor within 72 hours.

The STOP variant…

Source…

BlackCat, LockBit Ransomware Gangs In Disarray as Global Authorities Crack Down

/in


Two of the most notorious ransomware gangs in the world are imploding, leaving high-profile victims in their wake and creating chaos in the cybercriminal underworld.

In the last several years, the BlackCat and LockBit groups have thrived by embracing a ransomware-as-a-service model, leasing their malware to affiliate hackers to target thousands of victims and reap millions in extortion payments. The future of both groups is uncertain after US and authorities elsewhere seized LockBit and BlackCat websites, arrested alleged hackers and taunted the leader of one gang.

Source…