Ransomware Roundup: 06.10.22

This week’s round up…

‍

• Deadbolt Ransomware ups the ante on NAS attacks
• Lockbit claims to ransom Mandiant, Mandiant: Not so much
• U.S. Sanctions are taking their toll, forcing gangs to adapt
• Cybersecurity worries surround the U.S. mid-term elections
  ‍

Deadbolt Ransomware ups the ante on NAS attacks

‍

Researchers at Trend Micro released a report on the Deadbolt ransomware. This strain targets the well-served (tongue thoroughly in cheek here) world of network attached storage devices but introduces the noteworthy feature of providing a decryption key either to the victim, which would unlock their devices, or the vendor, which could unlock all devices struck by the malware.

‍

The catch here – as is always the case with paying a ransom – is that it is not clear that this vendor/victim two-key scheme would actually work.

‍

“Consider this example to understand this particular DeadBolt tactic: A crime group changes every lock in an entire apartment complex. The group then informs the apartment complex owner that they can give the apartment complex owner a master key that would allow the owner to successfully unlock all the apartment doors for his tenants if he pays them a certain amount. But in reality, the locks that the crime group installed are not master-keyed locks, making it impossible for the apartment complex owner to open the locks with one master key,” the Trend Micro researchers wrote in their report.

‍

LockBit claims to ransom Mandiant, Mandiant: Not so much

‍

The LockBit ransomware gang claimed to have reached security firm Mandiant last week, but the company responded that there is no evidence to suggest that the cyber criminals were successful.

‍

"Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops," Mark Karayan, Mandiant's Senior Manager for Marketing Communications, told Sergiu Gatlan at BleepingComputer.

‍

The claim of a breach comes after Mandiant released a report that ransomware affiliate Evil Corp switched to utilizing LockBit ransomware as their malicious payload of choice. The timing of these events suggests that their announcement has more to do with hurt feelings than anything else.

‍

U.S. Sanctions are taking their toll, forcing gangs to adapt

‍

David Uberti at The Wall Street Journal reports that sanctions leveled at key cryptocurrency services took their toll on ransomware operations. The most recent example is the legal action taken against Blender.io, a service that obfuscates the chain of possession of digital currency, which was reportedly devastating for the service.

‍

“What we saw as a result of these designations, especially against Suex, is that deposits dropped nearly to zero as soon as the designations rolled out,” WSJ quoted Jackie Koven, head of cyber threat intelligence at Chainalysis Inc.

‍

This has driven some cybercriminals to adapt their methods, reported Michael Behr at Digit. According to the article, “The Russia-linked group have begun using Lockbit, which works as a ransomware-as-a-service (RaaS). In the article, Behr quoted a Mandiant report that “using the RaaS Lockbit makes it harder to attribute the attack to Evil Corp, helping the cybercriminals to evade sanctions.”

‍

Cybersecurity worries surround the U.S. mid-term elections

‍

The United Sates National Security Agency warned that ransomware and other cybersecurity threats could play a negative role in the upcoming mid-term elections. Martin Matishak at The Record by Recorded Future reported on a roundtable the NSA held at the RSA Security Conference.

‍

“The worry in all of election security is trust and confidence that we’ve delivered a safe and secure election,” NSA Director of Cybersecurity Rob Joyce told reporters. “If elections are subject to ransomware, or if there’s a botnet that runs a denial of service, what you’ll find is that’s probably going to, in this day and age… escalate and be an issue of trust.”

‍

These warnings echo the controversy around cyber intrusions involving the Democratic National Committee that allegedly occurred during the 2016 U.S. Presidential election.

‍

Thanks to the reporters and researchers

‍

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Stephen Hilt, Éireann Leverett, Fernando Mercês at Trend Micro for their research on Closing the Door DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme.

• LinkedIn
• LinkedIn
• LinkedIn

Sergiu Gatlan at Bleeping Computer for their reporting on Mandiant: “No evidence” we were hacked by LockBit ransomware.

• LinkedIn
• Twitter

David Uberti at The Wallstreet Journal for their reporting on Sanctions Take Toll on Laundering Tools Used by Ransomware Gangs.

• LinkedIn
• Twitter

Michael Behr at Digit for their reporting on Switching malware helps Evil Corp evade ransomware sanctions.

• LinkedIn

Martin Matishak at The Record by Recorded Future for their reporting on Ransomware, botnets could plague 2022 midterms, NSA cyber director says.

• LinkedIn
• Twitter