Last Week in Ransomware: 05.20.2024

Last week in ransomware news we saw U.K. authorities identify key LockBit admin, the FBI and CISA release updated Black Basta alert, and ransomware gangs targeting children of executives...

LockBit Admin Identified

The U.K. National Crime Agency (NCA) has identified Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, as the administrator and developer behind the infamous LockBit ransomware operation.  

Known by aliases such as LockBitSupp and putinkrab, Khoroshev faces international sanctions and travel bans imposed by the U.K., U.S., and Australia, with the U.S. Department of State offering a reward of up to $10 million for information leading to his capture or conviction.

LockBit, a ransomware-as-a-service (RaaS) active since 2019, is recognized for its evasion capabilities and rapid encryption speeds.  

Despite a major international crackdown dubbed Operation Cronos in February 2024, which temporarily disrupted its activities, LockBit quickly resumed operations and launched further attacks throughout the first quarter of 2024.

The group continues to innovate, having released LockBit 3.0 in mid-2022 and introducing the first known macOS ransomware variant in April 2023. Recent developments include a new variant capable of impersonating system administrators and autonomously spreading across networks.  

LockBit 3.0 features modular design, multiple execution paths, advanced anti-analysis tools, and employs the Salsa20 encryption algorithm.

LockBit predominantly exploits vulnerabilities in remote desktop protocols (RDP) and spreads through network tools like Group Policy Objects and PsExec via the Server Message Block (SMB) protocol.  

The group also takes advantage of the Citrix Bleed vulnerability (CVE 2023-4966). For data exfiltration, LockBit utilizes publicly available file-sharing services and a proprietary tool called Stealbit, and maintains LockBit 2.0 operations while promoting its 3.0 platform.

The operation is noted for its effective affiliate program, offering up to 75% of ransom proceeds to its partners and has demanded ransoms as high as $70 million, notably from Taiwan Semiconductor Manufacturing Company (TSMC).  

LockBit's targets typically include large enterprises capable of meeting high ransom demands, with a particular focus on the healthcare sector.

Noteworthy victims of LockBit include major corporations and organizations such as Boeing, SpaceX, and the Industrial and Commercial Bank of China, among others.  

LockBit's persistence and evolving capabilities mark it as a formidable and ongoing threat in the global cybersecurity landscape.

READ MORE HERE

Updated Black Basta Alert Issued

The Black Basta ransomware-as-a-service (RaaS) operation has been identified as a significant cybersecurity threat, with over 500 organizations across North America, Europe, and Australia impacted in a variety of sectors including manufacturing, healthcare, and telecommunications.  

Black Basta employs common initial access strategies such as phishing and exploiting vulnerabilities, followed by a double-extortion approach—encrypting victims' data and threatening to leak it unless a ransom is paid.  

Notably, their ransom notes lack upfront demands, instead providing victims with a unique code to contact the attackers through a secure .onion URL.

Black Basta is believed to have originated in early 2022, potentially evolving from former notorious groups like Conti and REvil. This group is known for selectively collaborating with highly skilled affiliates to execute targeted attacks.  

Their technical capabilities include deploying ransomware that affects both Windows and Linux systems, with the ransomware written in C++ using ChaCha20 for encryption and RSA-4096 for securing the encryption keys.  

Black Basta has also exploited vulnerabilities in VMware ESXi and utilized malware like Qakbot alongside methods such as PrintNightmare. Insecure Remote Desktop Protocol (RDP) setups are also a common vector for their attacks.

The group maintains a leaks website to pressure non-compliant victims, with ransom demands reported up to $2 million. Since its inception, Black Basta has allegedly amassed over $107 million in ransom payments from around 90 victims.  

Notable targets have included major entities like Coca Cola, Southern Water, and ABB among others. The group's ongoing evolution and adaptability make it a formidable threat in the cybersecurity landscape.

READ MORE HERE

Ransomware Operators Target Executives Kids

Ransomware groups are intensifying their coercion techniques, evolving from mere data theft to complex psychological manipulations, targeting not only the data but also the personal lives of their victims.  

This shift marks a disturbing trend in cyber extortion, as highlighted by The Register and experts like Mandiant's CTO, Charles Carmakal.  

These operators are employing tactics such as SIM swapping and caller ID spoofing to make threatening calls appear to come from the personal phone numbers of executives' family members, adding a deeply personal and disturbing layer to the attacks.

This strategy is part of what's known as double extortion, where attackers not only encrypt data but also threaten to leak sensitive information if their demands are not met. Initially, this involved simple threats of releasing or selling exfiltrated data.  

However, ransomware groups have since escalated their threats to include actions such as notifying customers of data breaches, launching denial of service attacks, and even interacting with regulatory bodies like the U.S. Securities and Exchange Commission to undermine victim organizations further.

Recent tactics have seen criminals threatening to expose highly sensitive personal data, such as medical records of breast cancer patients or mental health information of students, to exert pressure.  

More aggressive forms of harassment, such as swatting—calling in false emergencies to provoke a heavy police response to a victim's address—have also been reported.  

These evolving strategies underscore the lack of ethical boundaries in these criminal enterprises, emphasizing their focus solely on profit.

The ongoing challenge for organizations is to enhance their cybersecurity defenses by investing in skills, technologies, and building robust security frameworks that can pre-emptively thwart such attacks.  

The effectiveness of traditional security solutions like endpoint protection (EPP), endpoint detection and response (EDR), and extended detection and response (XDR) is being questioned as they often fail to catch ransomware in its critical stages.  

Experts now advocate for a dedicated anti-ransomware solution to complement these tools, aiming to stop ransomware before it can cause irrevocable harm through data exfiltration or system encryption.  

The key to combating this threat lies in early detection, comprehensive mitigation strategies, and resilient data backup systems that allow organizations to recover without capitulating to extortion demands.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.