The Week in Ransomware - August 18th 2023 - LockBit on Thin Ice
While there was quite a bit of ransomware news this week, the highlighted story was the release of the third article in Jon DiMaggio's Ransomware Diaries series, which focuses on the LockBit ransomware operation.
For some time, LockBit has been at the top of the ransomware "industry," usually leading the pack in the number of victims based on the operation's data leak site.
However, as explained by DiMaggio, the LockBit operation appears to be slipping, with the gang having a serious storage infrastructure problem that impacts its ability to release stolen data and extort victims.
Like other enterprise-targeting ransomware operations, LockBit's affiliates first breach a network and quietly harvest data to be used in later extortion demands. Only after the valuable data has been stolen and backups deleted do they deploy the ransomware to begin encrypting files.
This stolen data is used as leverage while extorting victims by publishing it on a data leak site if a ransom is not paid.
However, DiMaggio has learned that LockBit has a serious storage issue, preventing the operation from properly leaking data and frustrating affiliates who want to use the data leak site as part of their extortion strategy.
"It has used propaganda on its leak site and a strong narrative across criminal forums to hide the fact it often cannot consistently publish stolen data," the researcher explained in his report.
"Instead, it relies on empty threats and its public reputation to convince victims to pay. Somehow, no one but affiliate partners noticed. This problem is due to limitations in its backend infrastructure and available bandwidth."
To make matters worse, the public-facing LockBit representative, LockBitSupp, disappeared for a while, not appearing on Tox or answering questions from affiliates.
This led to affiliates being concerned the operation was compromised, with some telling DiMaggio that they had begun to switch to new ransomware operations.
This chaos in the LockBit operation has not gone unnoticed by other security analysts, with Allan Liska also warning there has been a sharp decrease in the operation's activity.
Other ransomware news
In other ransomware news, we saw some great research released this week, including deep dives on new encryptors:
- Microsoft shared some info on BlackCat's Sphynx encryptor.
- SecurityScorecard shared a technical analysis of the Underground ransomware.
- Trend Micro shared news of a new Linux/VMware ESXi encryptor for Monti.
- Will Thomas released a report on how the 0ktapus (Scattered Spider) gang may be working with BlackCat.
The MOVEit data theft attacks continue to be a thorn in the side of organizations worldwide, with Colorado warning that the data of 4 million people was stolen as part of these attacks.
Finally, a new phishing campaign was discovered that pushes the new Knight ransomware disguised as Tripadvisor complaints.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @LawrenceAbrams, @fwosar, @BleepinComputer, @billtoulas, @serghei, @Seifreed, @demonslay335, @Jon__DiMaggio, @security_score, @vxunderground, @MsftSecIntel, @TrendMicro, @IBMSecurity, @felixw3000, @uptycs, @BushidoToken, @adlumin, and @pcrisk.
August 12th 2023
Knight ransomware distributed in fake Tripadvisor complaint emails
The Knight ransomware is being distributed in an ongoing spam campaign that pretends to be TripAdvisor complaints.
August 14th 2023
Monti ransomware targets VMware ESXi servers with new Linux locker
The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations.
Colorado warns 4 million of data stolen in IBM MOVEit breach
The Colorado Department of Health Care Policy & Financing (HCPF) is alerting more than four million individuals of a data breach that impacted their personal and health information.
Underground Ransomware deployed by Storm-0978 that exploited CVE-2023-36884
The Underground ransomware is the successor of the Industrial Spy ransomware and was deployed by a threat actor called Storm-0978. The malware stops a target service, deletes the Volume Shadow Copies, and clears all Windows event logs.
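The three behaviours described above (stopping a service, deleting Volume Shadow Copies, clearing event logs) are the pre-encryption steps a defender can most reliably catch, because they show up as ordinary process-creation events before any file is encrypted. The following is an added example, not code from the SecurityScorecard report or from any of the operations covered here: it runs a small set of well-known command-line signatures over constructed process-creation records and escalates a host only when more than one of these behaviours appears there. The pipe-delimited record format and the host, user and timestamp values are assumptions for the sake of a self-contained example; in practice the command lines would come from Windows Security event 4688 or Sysmon event ID 1.

```python
import re
from collections import defaultdict

# Constructed process-creation records (timestamp|host|user|parent_image|command_line).
# The format, hosts and users are assumptions for this example; real input would be
# Security event 4688 or Sysmon event ID 1 command lines.
SAMPLE_EVENTS = """\
2023-08-14T02:11:03Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet
2023-08-14T02:11:05Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete
2023-08-14T02:11:09Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wbadmin.exe delete catalog -quiet
2023-08-14T02:11:12Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|net stop "SQLWriter" /y
2023-08-14T02:12:40Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wevtutil.exe cl Security
2023-08-14T02:12:41Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wevtutil.exe cl System
2023-08-14T09:30:00Z|WS22|CORP\\jdoe|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
2023-08-14T10:15:22Z|DC01|CORP\\admin|C:\\Windows\\System32\\cmd.exe|vssadmin.exe list shadows
"""

# Command-line signatures for the behaviours the page describes. Regexes rather than
# exact strings so that path prefixes, an optional ".exe" and argument order do not matter.
SIGNATURES = {
    "shadow_copy_deletion": [
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
        r"\bwin32_shadowcopy\b.*\bdelete\b",  # PowerShell / WMI variant
    ],
    "backup_catalog_deletion": [
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b",
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b",
    ],
    "event_log_clearing": [
        r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b",
        r"\bclear-eventlog\b",
    ],
    "service_stop": [
        r"\bnet1?(?:\.exe)?\b\s+stop\b",
        r"\bsc(?:\.exe)?\b\s+stop\b",
        r"\bstop-service\b",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in SIGNATURES.items()}


def parse_event(line):
    """Split one pipe-delimited record into its fields (command line may itself contain '|')."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def classify(cmdline):
    """Return the set of behaviour categories a single command line matches."""
    return {cat for cat, regexes in COMPILED.items() if any(r.search(cmdline) for r in regexes)}


def scan(text):
    """Run every record through the signatures; keep only records that hit at least one."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        cats = classify(ev["cmdline"])
        if cats:
            findings.append({**ev, "categories": sorted(cats)})
    return findings


def triage(findings, min_categories=2):
    """Group hits per host and escalate hosts showing at least `min_categories`
    distinct behaviours. A lone 'net stop' is routine admin work; shadow-copy
    deletion followed by log clearing on the same host is the ransomware pattern."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].update(f["categories"])
    return {host: sorted(cats) for host, cats in per_host.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["user"]}: {", ".join(h["categories"])} <- {h["cmdline"]}')
    print("escalate:", triage(hits))
```

The escalation threshold is the important design choice: each signature on its own fires on legitimate administration (`vssadmin list shadows` is ignored, but an admin will occasionally delete shadows or clear a log), while the combination on one host within minutes is what the page's description of Underground, and the pre-encryption stage of most enterprise ransomware, looks like.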
New STOP ransomware variants
PCrisk found new STOP ransomware variants that append the .tasa and .taoy extensions.
August 15th 2023
Ransomware Diaries: Volume 3 – LockBit’s Secrets
In this volume of the Ransomware Diaries, I will share interesting, previously unknown details of the LockBit ransomware operation that LockBit has tried very hard to cover up. Until now, you have been lied to about LockBit’s true capability. Today, I will show you the actual current state of its criminal program and demonstrate with evidence-backed analysis that LockBit has several critical operational problems, which have gone unnoticed.
New Allahu Akbar ransomware variant
PCrisk found a new STOP ransomware variant that appends the .allahuakbar extension and drops a ransom note named how_to_decrypt.txt.
New Retch ransomware variant
PCrisk found a new ransomware variant that appends the .Retch extension and drops a ransom note named HOW TO RECOVER YOUR FILES.txt.
August 16th 2023
Tracking Adversaries: Scattered Spider, the BlackCat affiliate
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention.
August 17th 2023
Microsoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom
Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the RemCom remote-execution tool, both of which enable lateral movement across a breached network.
PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers
The Adlumin Threat Research team uncovered a concentrated global campaign employing sophisticated Play ransomware (also identified as PlayCrypt). The campaign is currently targeting mid-market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. The PlayCrypt ransomware group was previously linked to the City of Oakland attack in March 2023.