Tag Archive for: LockBit

LockBit Ransomware Threat Persists | MSSP Alert


MSSPs, MSPs and various cybersecurity providers continue to offer analysis and advice in the aftermath of the stunning LockBit ransomware group takedown this week, while urging caution against other ransomware operations seeking the next opportunity to attack.

It’s possible that the threat may not be over yet. Late this week Sophos X-Ops reported through its social media handle that despite the recent law enforcement activity, Sophos X-Ops had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool. Sophos posted this news in an update to its blog post about the ConnectWise ScreenConnect vulnerabilities.

LockBit Law Enforcement Action

On February 20, the U.S. Justice Department announced that the U.K. National Crime Agency’s (NCA) Cyber Division, working in cooperation with the Federal Bureau of Investigation (FBI) and other international law enforcement partners, seized numerous public-facing websites and servers used by LockBit administrators. The effort dealt a major blow to LockBit threat actors’ ability to attack and encrypt networks and extort victims by threatening to publish stolen data.

The LockBit ransomware variant first appeared around January 2020 and had grown into one of the most active and destructive variants in the world, the Justice Department said. Moreover, LockBit members have executed attacks against more than 2,000 victims in the U.S. and around the world, making at least hundreds of millions of U.S. dollars in ransom demands and receiving over $120 million in ransom payments. 

According to Sophos X-Ops’ analysis, LockBit has been among the top 10 most reported ransomware infections every year since 2020. Sophos’ Incident Response team found that in 2023 LockBit accounted for one in five of all ransomware infections it handled.

Chester Wisniewski, field chief technology officer for Sophos, an MSSP Alert MDR Top 40 company, was cautiously optimistic LockBit had been dealt a death blow.

“Much of LockBit’s infrastructure is still online, but I don’t expect them to make a triumphant return,” Wisniewski said. “These groups continually rebrand and…

Source…

Ransomware associated with LockBit still spreading 2 days after server takedown



Two days after an international team of authorities struck a major blow at LockBit, one of the Internet’s most prolific ransomware syndicates, researchers have detected a new round of attacks that are installing malware associated with the group.

The attacks, detected in the past 24 hours, are exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by ConnectWise. According to researchers at two security firms—SophosXOps and Huntress—attackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware. It wasn’t immediately clear whether the ransomware was the official LockBit version.

“We can’t publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown,” John Hammond, principal security researcher at Huntress, wrote in an email. “While we can’t attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement.”

Hammond said the ransomware is being deployed to “vet offices, health clinics, and local governments (including attacks against systems related to 911 systems).”

Muddying the attribution waters

SophosXOps and Huntress didn’t say if the ransomware being installed is the official LockBit version or a version leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated widely since then and has touched off a string of copycat attacks that aren’t part of the official operation.

“When builds are leaked, it can also muddy the waters with regards to attribution,” researchers from security firm Trend Micro said Thursday. “For example, in August 2023, we observed a group that called itself the Flamingo group using a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon,…

Source…

SBU detains LockBit ransomware hackers in Ternopil Oblast


In collaboration with law enforcement from the UK, the United States, and the EU, Ukraine’s SBU security service has detained members of the prominent international hacker group LockBit in Ternopil Oblast, the SBU announced on Feb. 21.


The operation was conducted in various parts of the world, according to the SBU statement.

The SBU noted that the suspects included citizens of Ukraine and Russia. The suspects allegedly stole or encrypted confidential information from numerous companies and then demanded a ransom.

Over the course of nearly five years, the hackers carried out more than 3,000 cyberattacks against businesses in Western countries that provide military aid to Ukraine. In one case involving a U.S. company, the suspects demanded over $90 million, according to the SBU.


Office of the Prosecutor General

To steal information, the hackers used specially designed ransomware and injected malicious software into users’ computers. This computer virus gathered confidential information, crippled the workstations by encrypting the data, and demanded payments to restore functionality.


Should the victims refuse to pay, the criminals threatened to leak confidential data online.

Ukrainian police reported that in Ukraine, the criminal activities were coordinated by a father and son duo. Individuals, enterprises, state institutions, and health facilities in France suffered from their actions.

Investigators conducted searches at the residences of the hackers in Ternopil, where mobile phones and computer equipment were confiscated.

Simultaneously, law enforcement has blocked over 200 cryptocurrency accounts linked to the criminal activity and has taken down 34 servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the UK.

Authorities stated that LockBit is considered the most prominent hacker group among ransomware operators worldwide.



Source…

Notorious ransomware provider LockBit taken over by law enforcement


Washington — A ransomware service provider that has targeted over 2,000 systems across the globe, including hospitals in the U.S., with demands for hundreds of millions of dollars was taken down Monday, and Russian nationals were charged as part of an international plot to deploy the malicious software, the Justice Department announced Tuesday. 

Known as LockBit, the network of cybercriminals targets critical components of manufacturing, healthcare and logistics across the globe, offering its services to hackers who deploy its malware into vulnerable systems and hold them hostage until a ransom is paid. The attackers have so far extorted more than $120 million from their victims, officials said, and their program has evolved into one of the most notorious and active.

As part of this week’s operation, the FBI and its law enforcement partners in the United Kingdom seized numerous public-facing platforms where cybercriminals could initiate contact with and join LockBit. Investigators also seized two servers in the U.S. that were used to transfer stolen victim data. 

The front page of LockBit’s site has been replaced with the words “this site is now under control of law enforcement,” alongside the flags of the U.K., the U.S. and several other nations, the Associated Press noted.

A screenshot from Feb. 19, 2024 shows a take down notice that a group of global intelligence agencies issued to a dark web site called Lockbit.

Handout via Reuters


According to Attorney General Merrick Garland, the U.S. and its allies went “a step further” by obtaining the “keys” that can unlock attacked computer systems to help victims “regain access to…

Source…