Ransomware Roundup: 03.25.22

The researchers over at Splunk ran a nifty little test showcasing the encryption speed of 10 popular ransomware variants. This “murderer’s row” lineup consisted of LockBit, Babuk, Avaddon, Ryuk, REvil, BlackMatter, Darkside, Conti, Maze and Mespinoza with LockBit clocking in at a blazing 5 minutes and 50 seconds to completely encrypt the 54GB sample file. The slowest of the group, Mespinoza, came in at almost two hours – clearly their dev team has a lot of optimization tickets in the backlog. Somewhat surprisingly the notorious Conti ransomware took almost an hour – 59 minutes and 34 seconds – to do its damage. We’re now entering the era with RaaS groups are advertising features like encryption time to their prospective affiliates just like a SaaS company might.

‍

The biggest news this week was obviously the breach announcement by Okta, Microsoft and some other name brand tech companies that their infrastructure had been impacted by the Lapsus$ ransomware gang. In a meteoritic rise (and subsequent fall) the gang first started to gain traction early in the year with some throwback website defacements before moving on to larger data targets and focusing purely on data exfiltration – in some cases entirely skipping the ransom part and just leaking data, possibly just for the lulz. While disorganized and seemingly dysfunctional, they managed to attack multiple large organizations with a variety of methods including straight up bribery for access (we’ve heard up to $20K USD a week was offered).

‍

The party, however, is most likely over for the Lapsus$ gang as the City of London Police state they’ve arrested seven members of the gang including the supposed leader – who happens to be a 16 year old kid from Oxford. There goes all that cyber vendor messaging about how today's attackers aren't just some kid in their mom's basement. Like what we’ve seen recently with Conti, ultimately the downfall came from disagreements within the group leading to information being publicly leaked. What remains to be seen is whether some of the tactics used (use of telegram, direct exfiltration, targeted bribery, etc.) will be used by other, more OpSec-minded groups in the future.

‍

After a warning from the White House that businesses should be prepared for fallout from the Russian invasion of Ukraine, CISA/DHS issued a memo and spoke with critical infrastructure providers in the Energy sector. The FBI also released is 2021 Internet Crime Report (PDF) which heavily focuses on RaaS groups citing REvil, LockBit 2.0, and Conti as the biggest groups behind much of the attacks on US organizations last year.

‍