Ransomware Roundup: 06.10.22

This week’s round up…

  • Deadbolt Ransomware ups the ante on NAS attacks
  • Lockbit claims to ransom Mandiant, Mandiant: Not so much
  • U.S. Sanctions are taking their toll, forcing gangs to adapt
  • Cybersecurity worries surround the U.S. mid-term elections

Deadbolt Ransomware ups the ante on NAS attacks

Researchers at Trend Micro released a report on the Deadbolt ransomware. This strain targets the well-served (tongue thoroughly in cheek here) world of network attached storage devices but introduces the noteworthy feature of providing a decryption key either to the victim, which would unlock their devices, or the vendor, which could unlock all devices struck by the malware.

The catch here – as is always the case with paying a ransom – is that it is not clear that this vendor/victim two-key scheme would actually work.

“Consider this example to understand this particular DeadBolt tactic: A crime group changes every lock in an entire apartment complex. The group then informs the apartment complex owner that they can give the apartment complex owner a master key that would allow the owner to successfully unlock all the apartment doors for his tenants if he pays them a certain amount. But in reality, the locks that the crime group installed are not master-keyed locks, making it impossible for the apartment complex owner to open the locks with one master key,” the Trend Micro researchers wrote in their report.

LockBit claims to ransom Mandiant, Mandiant: Not so much

The LockBit ransomware gang claimed to have reached security firm Mandiant last week, but the company responded that there is no evidence to suggest that the cyber criminals were successful.

"Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops," Mark Karayan, Mandiant's Senior Manager for Marketing Communications, told Sergiu Gatlan at BleepingComputer.

The claim of a breach comes after Mandiant released a report that ransomware affiliate Evil Corp switched to utilizing LockBit ransomware as their malicious payload of choice. The timing of these events suggests that their announcement has more to do with hurt feelings than anything else.

U.S. Sanctions are taking their toll, forcing gangs to adapt

David Uberti at The Wall Street Journal reports that sanctions leveled at key cryptocurrency services took their toll on ransomware operations. The most recent example is the legal action taken against Blender.io, a service that obfuscates the chain of possession of digital currency, which was reportedly devastating for the service.

“What we saw as a result of these designations, especially against Suex, is that deposits dropped nearly to zero as soon as the designations rolled out,” WSJ quoted Jackie Koven, head of cyber threat intelligence at Chainalysis Inc.

This has driven some cybercriminals to adapt their methods, reported Michael Behr at Digit. According to the article, “The Russia-linked group have begun using Lockbit, which works as a ransomware-as-a-service (RaaS). In the article, Behr quoted a Mandiant report that “using the RaaS Lockbit makes it harder to attribute the attack to Evil Corp, helping the cybercriminals to evade sanctions.”

Cybersecurity worries surround the U.S. mid-term elections

The United Sates National Security Agency warned that ransomware and other cybersecurity threats could play a negative role in the upcoming mid-term elections. Martin Matishak at The Record by Recorded Future reported on a roundtable the NSA held at the RSA Security Conference.

“The worry in all of election security is trust and confidence that we’ve delivered a safe and secure election,” NSA Director of Cybersecurity Rob Joyce told reporters. “If elections are subject to ransomware, or if there’s a botnet that runs a denial of service, what you’ll find is that’s probably going to, in this day and age… escalate and be an issue of trust.”

These warnings echo the controversy around cyber intrusions involving the Democratic National Committee that allegedly occurred during the 2016 U.S. Presidential election.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.


Stephen Hilt, Éireann Leverett, Fernando Mercês at Trend Micro for their research on Closing the Door DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme.

Sergiu Gatlan at Bleeping Computer for their reporting on Mandiant: “No evidence” we were hacked by LockBit ransomware.

David Uberti at The Wallstreet Journal for their reporting on Sanctions Take Toll on Laundering Tools Used by Ransomware Gangs.

Michael Behr at Digit for their reporting on Switching malware helps Evil Corp evade ransomware sanctions.

Martin Matishak at The Record by Recorded Future for their reporting on Ransomware, botnets could plague 2022 midterms, NSA cyber director says.

The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by offensive security experts to stop attackers. Our platform is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.

Ready to get a demo? Fill out the form and let’s talk!

Get a Demo

Meet with a Halcyon Anti-Ransomware Expert

Cookie Consent

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.