Last Week in Ransomware: 01.08.2024

Written by
Halcyon Team
Published on
Jan 8, 2024

Last week in ransomware news we saw LockBit affiliates targeting hospitals despite a ban, more debate on whether to ban ransom payments, and a record of ransomware attacks in 2023...

LockBit Backtracks on Ethical Targeting

In a concerning development, LockBit ransomware gang affiliates have continued their attacks on hospitals, despite purportedly imposing rules against targeting healthcare providers.  

Recent incidents involving SickKids hospital in Toronto and three hospitals in Germany highlight the increasing audacity of LockBit affiliates.  

As the healthcare sector becomes a prime target, the impact on patient care is alarming, with disruptions reported in emergency services and patient care continuity.

LockBit remains a global leader in ransomware and data extortion attacks, with its variant employed in over a quarter of all attacks from January 2022 to September 2023.  

This RaaS operation has been active since 2019, demonstrating a high level of sophistication in security tool evasion and rapid encryption.  

Notably, LockBit 3.0, released in June 2022, introduced the first iteration of a macOS ransomware variant in April 2023, posing an additional threat to diverse operating systems.

LockBit 3.0 employs advanced anti-analysis features and poses a threat to both Windows and Linux systems. The ransomware utilizes a custom Salsa20 algorithm for file encryption and exploits remote desktop protocol (RDP) for infections.  

LockBit propagates within networks using Group Policy Objects, PsExec, and the Server Message Block (SMB) protocol. Additionally, the use of publicly available file-sharing services and a custom tool named Stealbit for data exfiltration underscores the multifaceted nature of LockBit attacks.

LockBit's notoriety extends to its multiple means of extortion, where victims may face ransom demands for both encryption keys and sensitive information exfiltrated during the attack.  

The ransom amounts demanded by LockBit have exceeded $50 million, with notable victims including major enterprises like SpaceX, Taiwan Semiconductor Manufacturing Company (TSMC), and healthcare organizations like SickKids.

LockBit's well-established affiliate program contributes to its prominence, offering attackers a mature platform and high payouts of up to 75% of ransom proceeds. This reputation has attracted affiliates from various criminal circles, further fueling LockBit's global reach and impact.


Controversy Surrounding Ransom Payments

The rising frequency of ransomware attacks prompts a debate on whether a formal ban on ransom payments is necessary. While banning payments could diminish financial incentives for attackers, the complexity arises when critical infrastructure, like hospitals, is targeted.  

Experts advocate against paying ransoms, emphasizing the need for organizations to focus on preventive measures rather than succumbing to extortion.

The dichotomy in opinions regarding ransom payments stems from the diverse risk profiles of organizations. While paying a ransom might be within the risk parameters for a financially robust entity like MGM, hospitals facing potential risks to human life may find the decision more complicated.  

Advocates for paying ransoms argue for the expediency it offers in recovering valuable data, but opponents emphasize the reinforcement of criminal incentives and the lack of guaranteed data restoration.

To combat ransomware effectively, the focus should shift towards early detection, resilience planning, and preventative measures.  

Rather than reacting to attacks after sensitive data has been compromised, organizations must invest in comprehensive security programs to thwart multi-stage operations and mitigate the risk of data loss and prolonged system downtime.


Record-Breaking Ransomware Attacks in 2023?

New research indicates a substantial increase in ransomware attacks in 2023, particularly affecting the healthcare and education sectors.  

The healthcare sector witnessed a 60% rise in successful attacks in the U.S., while K-12 schools and higher education institutions experienced increases of 82% and 48%, respectively.

These alarming figures, however, exclude the extensive attacks through vulnerability exploits, such as the Cl0p ransomware gang's exploitation of the MOVEit managed file transfer software.

Despite the reported surge in attacks, there are indications that the actual numbers are much higher, with over 2,300 successful ransomware attacks in the first half of 2023 alone.  

The reluctance of organizations to report attacks to law enforcement, estimated at 61%, obscures the true extent of the threat.  

Accurate data is crucial for security teams to quantify the risk and make informed recommendations for necessary investments in security programs.

Ransomware remains a pervasive and escalating threat, impacting organizations across sectors. While the debate on ransom payments continues, a collective effort to understand, prevent, and mitigate the root causes of ransomware attacks is imperative.  

The evolving landscape demands not only reactive measures but a proactive approach to safeguarding sensitive data and ensuring the resilience of critical systems.

READ MORE HERE is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to fill endpoint protection gaps and defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

Let's get started
3 is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

You may unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow to store and process the personal information submitted above to provide you the content requested.