Ransomware associated with LockBit still spreading 2 days after server takedown

0
104

[ad_1]

Two days after a global crew of authorities struck a major blow at LockBit, one of many Web’s most prolific ransomware syndicates, researchers have detected a brand new spherical of assaults which are putting in malware related to the group.

The assaults, detected up to now 24 hours, are exploiting two crucial vulnerabilities in ScreenConnect, a distant desktop utility bought by Connectwise. In response to researchers at two safety companies—SophosXOps and Huntress—attackers who efficiently exploit the vulnerabilities go on to put in LockBit ransomware and different post-exploit malware. It wasn’t instantly clear if the ransomware was the official LockBit model.

“We won’t publicly title the shoppers at the moment however can verify the malware being deployed is related to LockBit, which is especially attention-grabbing towards the backdrop of the current LockBit takedown,” John Hammond, principal safety researcher at Huntress, wrote in an electronic mail. “Whereas we will not attribute this on to the bigger LockBit group, it’s clear that LockBit has a big attain that spans tooling, varied affiliate teams, and offshoots that haven’t been fully erased even with the key takedown by legislation enforcement.”

Hammond mentioned the ransomware is being deployed to “vet places of work, well being clinics, and native governments (together with assaults towards methods associated to 911 methods).”

Muddying the attribution waters

SophosXOps and Huntress didn’t say if the ransomware being put in is the official LockBit model or a model leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated extensively since then and has touched off a string of copycat assaults that aren’t a part of the official operation.

“When builds are leaked, it might probably additionally muddy the waters close to attribution,” researchers from safety agency Development Micro said Thursday. “For instance, in August 2023, we noticed a gaggle that known as itself the Flamingo group utilizing a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we discovered one other group, going by the moniker Spacecolon, impersonating LockBit. The group used electronic mail addresses and URLs that gave victims the impression that they have been coping with LockBit.”

SophosXOps said solely that it had “noticed a number of LockBit assaults.” An organization spokesperson mentioned no different particulars have been obtainable. Hammond mentioned the malware was “related to” the ransomware group and wasn’t instantly in a position to verify if the malware was the official model or a knockoff.

The assaults come two days after officers within the UK, US, and Europol announced a significant disruption of LockBit. The motion included seizing management of 14,000 accounts and 34 servers, arresting two suspects, and issuing 5 indictments and three arrest warrants. Authorities additionally froze 200 cryptocurrency accounts linked to the ransomware operation. The actions got here after investigators hacked and took management of the LockBit infrastructure.

Authorities mentioned LockBit has extorted greater than $120 million from hundreds of victims around the globe, making it among the many world’s most energetic ransomware teams. Like most different ransomware teams, LockBit operates beneath a ransomware-as-a-service mannequin, by which associates share the income they generate in trade for utilizing the LockBit ransomware and infrastructure.

Given the sheer variety of associates and their broad geographic and organizational distribution, it’s usually not possible for all of them to be neutralized in actions just like the one introduced Tuesday. It’s potential that some associates stay operational and need to sign that the ransomware franchise will proceed in a single kind or one other. It’s additionally potential that the infections SophosXOps and Huntress are seeing are the work of an unaffiliated group of actors with different motivations.

In addition to putting in the LockBit-associated ransomware, Hammond mentioned, the attackers are putting in a number of different malicious apps, together with a backdoor referred to as Cobalt Strike, cryptocurrency miners, and SSH tunnels for remotely connecting to compromised infrastructure.

The ScreenConnect vulnerabilities are beneath mass exploitation and are tracked as CVE-2024-1708 and CVE-2024-1709. ConnectWise has made patches obtainable for all weak variations, together with these not actively supported.

[ad_2]

Source link