Ransomware Weekly Roundup: LockBit's Struggles, New Threats, and Collaborations

In the realm of ransomware, this past week was rife with significant updates and noteworthy events. Taking center stage was the release of the latest addition to the Ransomware Diaries series by Jon DiMaggio. This particular installment delved deep into the operations of the LockBit ransomware group.

For quite some time, LockBit has held a prominent position in the ransomware arena, often surpassing its peers in victim count, as evidenced by its data leak site.

However, recent developments suggest a shift in LockBit's trajectory. As detailed by DiMaggio, the gang is grappling with a critical storage infrastructure challenge. This issue is directly affecting their capacity to expose pilfered data and apply pressure on victims to meet their ransom demands.

Like other ransomware operations that target corporate networks, LockBit's affiliates first breach a network and quietly steal data for later extortion. Only after they have exfiltrated what they consider valuable and destroyed backups do they deploy the ransomware to encrypt files.

This ill-gotten data becomes a potent bargaining chip, coercing victims into complying with ransom demands under the threat of public data exposure on a leak site.

DiMaggio's research has brought to light LockBit's storage quandary, revealing that their ability to effectively leak data is compromised. This shortcoming has caused frustration among affiliates who heavily rely on the leak site for their extortion strategy.

In response, LockBit has resorted to using propaganda on their leak site and crafting compelling narratives on criminal forums to mask their inability to consistently publish stolen data. Instead, they lean on empty threats and their established reputation to persuade victims to acquiesce. The root of this issue lies in backend infrastructure limitations and constrained available bandwidth.

Complicating matters further, the public face of LockBit, LockBitSupp, went off the grid for a while, leaving affiliates in the dark. This hiatus fueled concerns that the operation might have been compromised, prompting some to explore alternative ransomware avenues.

This turmoil within LockBit's operations hasn't escaped the attention of other cybersecurity experts. Allan Liska also observed a discernible reduction in the gang's activity.

In addition to the spotlight on LockBit, several other ransomware-related developments emerged during the week:

Microsoft shared insights into the BlackCat gang's Sphynx encryptor.

SecurityScorecard provided a technical analysis of the Underground ransomware.

Trend Micro analyzed a new Linux encryptor from the Monti ransomware gang that targets VMware ESXi servers.

Researcher Will Thomas explored potential collaboration between the Oktapus gang and BlackCat.

The MOVEit data theft incidents continue to pose challenges for organizations worldwide. Colorado issued a warning that 4 million individuals had their data compromised due to these attacks.

A new phishing campaign was discovered, distributing the Knight ransomware under the guise of TripAdvisor complaint emails.

Contributions and insights during the week came from various individuals and organizations, including @malwrhunterteam, @LawrenceAbrams, @fwosar, @BleepinComputer, @billtoulas, @serghei, @Seifreed, @demonslay335, @Jon__DiMaggio, @security_score, @vxunderground, @MsftSecIntel, @TrendMicro, @IBMSecurity, @felixw3000, @uptycs, @BushidoToken, @adlumin, and @pcrisk.

August 12th-17th, 2023

Additionally, noteworthy developments included:

The Knight ransomware making its way through a spam campaign masquerading as TripAdvisor complaints.

The Monti ransomware gang resurfacing after a two-month hiatus, using a new Linux locker to target VMware ESXi servers, government entities, and legal institutions.

A data breach affecting personal and health information, prompting the Colorado Department of Health Care Policy & Financing to alert over four million individuals.

The deployment of the Underground ransomware, the successor to Industrial Spy, by threat actor Storm-0978. This malware halts targeted services, erases Volume Shadow Copies, and clears Windows event logs.

Variants of the STOP ransomware emerging, appending the extensions .tasa and .taoy to encrypted files.

August 15th saw the release of "Ransomware Diaries: Volume 3 – LockBit’s Secrets." This installment shed light on undisclosed details of LockBit's operations and exposed operational flaws.

Identification of new ransomware variants, appending the .allahuakbar and .Retch extensions to encrypted files.

A surprising alliance between the English-speaking Scattered Spider and Russian-speaking BlackCat ransomware groups, as observed by security experts.

Microsoft's discovery of an updated version of the BlackCat ransomware that bundles the Impacket framework and the RemCom remote shell tool for lateral movement within compromised networks.

The PlayCrypt ransomware group, previously linked to the City of Oakland attack, engaged in a widespread campaign targeting finance, software, legal, shipping, and government entities across multiple countries.
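The Underground item above lists three pre-encryption steps (stopping services, deleting Volume Shadow Copies, clearing Windows event logs) that many ransomware families share, and that are easy to spot in process-creation telemetry before encryption starts. The following is an added detection example written for this roundup; it is not code from SecurityScorecard's analysis or from any vendor. It assumes Sysmon-style Event ID 1 records with `UtcTime`, `Computer` and `CommandLine` fields, the command patterns are this example's own assumptions about the usual Windows tooling rather than indicators from any report, and the sample records are constructed. The example also goes one step beyond the item: it rates a host "high" only when two or more of the behaviours cluster inside a short window, because a lone `wevtutil cl` or `net stop` is routine admin work.

```python
"""Flag ransomware staging steps (service stop, shadow copy deletion, event log
clearing) in process-creation telemetry and rate hosts by how many of them
cluster in a short window. Added example; all log records are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour name -> regex over the normalised command line. These patterns are
# this example's assumptions about common Windows tooling, not vendor IOCs.
RULES = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)? delete shadows"
        r"|wmic(\.exe)? shadowcopy delete"
        r"|win32_shadowcopy.*\bdelete\b"
        r"|diskshadow(\.exe)?.* delete shadows"),
    "event_log_clear": re.compile(
        r"wevtutil(\.exe)? (cl|clear-log)\b"
        r"|\bclear-eventlog\b"),
    "service_stop": re.compile(
        r"\bnet1?(\.exe)? stop\b"
        r"|\bsc(\.exe)? stop\b"
        r"|\bstop-service\b"),
}


def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so case and quoting
    tricks such as '"VSSADMIN.EXE"  Delete   Shadows' still hit the patterns."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def match_rules(cmdline: str) -> list[str]:
    """Return the names of every behaviour whose pattern matches this command line."""
    cmd = normalise(cmdline)
    return [name for name, pat in RULES.items() if pat.search(cmd)]


def correlate(records: list[dict], window: timedelta = timedelta(minutes=10)) -> dict:
    """Group hits per host. Two or more distinct behaviours inside `window`
    on one host rate 'high' (it looks like staging before encryption); any
    other hit rates 'medium' because admins legitimately clear logs or stop
    services on their own."""
    per_host = defaultdict(list)
    for r in records:
        for name in match_rules(r["CommandLine"]):
            per_host[r["Computer"]].append(
                (datetime.fromisoformat(r["UtcTime"]), name, r["CommandLine"]))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()  # chronological, so the window scan below only looks forward
        best: set[str] = set()
        for i, (t0, _, _) in enumerate(hits):
            kinds = {n for t, n, _ in hits[i:] if t - t0 <= window}
            if len(kinds) > len(best):
                best = kinds
        findings[host] = {
            "severity": "high" if len(best) >= 2 else "medium",
            "behaviours": sorted({n for _, n, _ in hits}),  # everything seen on the host
            "clustered": sorted(best),                       # largest set inside one window
            "commands": [c for _, _, c in hits],
        }
    return findings


# Constructed Sysmon-style (Event ID 1) records as JSON lines; not real telemetry.
# FS01 shows the full chain within seconds; WS07 shows two hits hours apart plus
# a benign 'vssadmin list shadows' that must not fire.
SAMPLE_LOGS = r"""
{"UtcTime": "2023-08-15 09:12:01", "Computer": "FS01", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net stop MSSQLSERVER /y"}
{"UtcTime": "2023-08-15 09:12:08", "Computer": "FS01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "\"C:\\Windows\\System32\\VSSADMIN.EXE\"  Delete   Shadows /All /Quiet"}
{"UtcTime": "2023-08-15 09:12:15", "Computer": "FS01", "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"}
{"UtcTime": "2023-08-15 09:30:00", "Computer": "WS07", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
{"UtcTime": "2023-08-15 09:31:00", "Computer": "WS07", "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc stop Spooler"}
{"UtcTime": "2023-08-15 14:05:41", "Computer": "WS07", "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil clear-log Application"}
"""


def parse_logs(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(text: str = SAMPLE_LOGS) -> dict:
    """Run the rules and the per-host correlation over a JSON-lines log."""
    return correlate(parse_logs(text))


if __name__ == "__main__":
    for host, f in detect().items():
        print(f"{host}: {f['severity']} clustered={f['clustered']} seen={f['behaviours']}")
```

On the constructed input, FS01 is rated high with all three behaviours clustered inside the 10-minute window, while WS07 is rated medium: it shows two behaviours, but four and a half hours apart, and its `vssadmin list shadows` never fires. In production the window and the `net stop` pattern are the two knobs to tune, since backup agents and patching scripts stop services legitimately.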

The ransomware landscape remains highly dynamic. With these developments in mind, we bring this week's updates to a close and wish everyone a delightful weekend!
