LockBit Taken Down by NCA

On February 19, 2024, analysts noticed that the LockBit leak site on the Darknet went offline. Some time after, a banner stating about the takedown appeared. On that banner, the UK National Crime Agency claims about this being the result of a successful multinational law enforcement cooperation, called Operation Cronos. The text also contains the offer to visit the page the next day – on February 20 – to get more information.

That is not the first network asset takeover from law enforcement that high-end ransomware group suffers. A couple of months ago, a similar story happened to ALPHV/BlackCat, another infamous ransomware group. In their case, however, not all Onion websites were down, and they managed to get the access back. That in fact turned into a comic story, where the access to the site was more like a reversed hot potatoes game.

Nonetheless, the current takedown appears to be as serious as it can be. All the mirrors of their main Darknet site are now having the said banner. Well, it is possible for any miraculous thing to happen, but in my humble opinion, their onion infrastructure is done. Either this, or NCA will be quite ashamed for announcing details disclosure on 11:30 GMT, and failing to fulfill the promise.

International Law Enforcement Blocks LockBit Infrastructure

Shortly after the original news release, the info from LockBit affiliates arrived. VX-Undeground team shares a unique info and a screenshot taken by one of the gang members upon the attempt to log into the system.

The text states the following:

Another piece of info comes from the gang’s Tox chat. In a short message, they say about the PHP servers being taken over, while the non-PHP reserve servers being OK. Considering the use of obscene language, non-typical for LockBit representatives, the situation is rather tense, to say the least.

LockBit Decryptor Coming Soon?

What is more exciting than the info that will be published tomorrow is the thing that will follow. The takedown supposes leaking the decryption keys along with their proprietary decryptor tool. Maybe not all of them are available that easily, but accessing such a large chunk of internal info is definitely a key for exposing it all.

The fact of the leak and the decryptor being available is just miraculous for the victims. Sure enough, this will not delete the data the frauds have stolen from the network. But getting all the files back at no cost is much more important. And since it will work even for victims that failed the payment deadline, the question arises once again – why would you pay the ransom? It may be a much more reasonable option to just wait, and it looks like more and more ransomware victims stick to that opinion.

UPD 20.02 – LockBit Darknet Site Filled With Leaks and Announcements

On the designated time of 11:30 GMT on February 20, all of the LockBit’s sites that were taken over started redirecting to what used to be their leak page. Now, it is filled with the information gathered by law enforcement agencies. In particular, the information about the backend structure of the cybercrime network was revealed, demonstrating the screenshots of seized servers.

Aside from that, law enforcement added a tempting one – the info about the admin of the group, known as LockBitSupp. “The $10m question” will be answered on February 23, 2024. Some of the lower-ranked staff have already been arrested in Poland and Ukraine. Well, LockBitSupp did not lie by saying their group is multi-national.

What is even better news is the confirmation of decryption keys release, as I’ve predicted in the original text. The keys, along with recovery tools, will be available to any victim upon contacting NCA for UK residents, IC3 for US and NoMoreRansom project for others.

What is LockBit Ransomware?

LockBit is one of the most successful ransomware groups that are currently active on the ransomware market. Its efficient software and meticulous attack planning rendered them dominant over the last few years. Their ransom sums are large, attacks are rapid and methods are as unprincipled as you can ever imagine. To be brief – nothing short of leaders in the cybercrime industry.

It is obvious that LockBit will eventually become a target for law enforcement, sooner or later. They were attacked before, but in a more mild form, that led to the temporal downtime or the urgent shift to a different software. Still, they were recognizing their mistakes and opening the entire bug bounty programs (!!) for people who can find issues in their software. This, along with continuous modernization of their software and updates to the online infrastructure is what made LockBit the image of unbreakable. And that is why the fact of the takedown set the community abuzz.

The post LockBit Ransomware Taken Down by NCA appeared first on Gridinsoft Blog.

Fullerton, LockBit – who are they?

Fullerton India Credit Company, or shortly Fullerton India, is a major lending company that operates in almost all the country. It offers a wide range of lending programs, targeted at both individuals and businesses. The company has almost 700 branches all over India, which allows it to outreach even small towns and villages. Latest reports issued by the company say about ~2.3 million of customers, net assets of over 2.5 billion, and around 13,000 employees. Such companies – pretty large and related to the financial sector – always were in scope of cybercriminals.

LockBit gang is an infamous hacker group, active since 2019. They passed 3 major “epochs” since then, expanding their operations and offering new solutions for their “product”. Gang uses ransomware-as-a-service operation form and offers a wide range of supplementary services to their “main” product – ransomware. Specific approaches used in malware design, together with the mentioned services, allow this malware to be the fastest among the massively used ones. All that made LockBit gang the most successful ransomware on the market: its share in total attacks is over 40%. Seems that at some point, they decided to have a break from ransoming American companies and try out something new.

LockBit Publishes Data Leaked From Fullerton India

Files encryption is not the only problem created by threat actors. Before launching the ciphering process, crooks often steal all the data they can reach. LockBit applies a specific tool that allows them to extract more data for shorter periods of time. Then, hackers ask for the additional ransom – otherwise, the data will be published or sold to the third party. Such a practice is known as double extortion. LockBit, however, is known for applying another way to press on their victims. Aside from threatening to publish data, they launch a DDoS attack upon the victim’s network, and keep it going until the ransom is paid. It is not clear if hackers used that trick as well.

Bearing on the data available in the surface and dark Web, I can assume that the exact breach happened around late March – early April. First deadline was set on April 29, which means Fullerton was listed ~2 weeks before. Now, however, the final date is set to May 3 – four days past the previous date. Hackers also specified that the company can delay the deadline for $1,000/day. Simple maths suppose that the company already spent $4,000, and it is not clear whether they paid a ransom for data decryption. The cybercriminals’ demand for avoiding data publishing – $3 million – is definitely not paid. Fullerton themselves reported about the cyberattack only on April 24.

In the note present among other information about the attacked company, LockBit specifies the amount of leaked data – 600 gigabytes. They also shared some details regarding data categories available in the leak:

How Dangerous is Fullerton Leak?

Most data LockBit gang got their hands on is related to company operations. Thus, the key danger and damage there goes towards the company’s image. Fullerton is not a publicly-traded company, thus info about the hacks cannot harm someone because of share price shed. Nonetheless, ransom amounts typically asked by the LockBit group are tangible – much more tangible in fact than the cost of cybersecurity improvements that could prevent the attacks in future.

The risk of any cyberattack is the fact that hackers can have a peek into a company’s internal architecture. Considering tight relationships between ransomware gangs, especially ones from Russia, it is logical to suppose that another group of hackers may be interested in attacking companies like Fullerton. And instead of doing a long research in order to find the entry point, they can simply ask their “colleagues” – and get all the information immediately. Security measures should be taken as quickly as possible – and that is true for any cybersecurity incident.

How to protect against LockBit ransomware?

Despite having advanced payload and auxiliary software, LockBit shares spreading ways with other ransomware. Email spam is the king of the hill, used in over 60% of all cyber attacks around the world. Though more target-specific approaches may be used – like RDP exploitation or using other network vulnerabilities. Protecting against them requires a multi-directional approach that is quite hard to implement in one step.

First of all, guide your personnel regarding spam emails. Detecting the fake email may be obvious for a knowing person, though not all people know how to do that. The easiest way to uncover the fraud is to check the email address – it will differ from the genuine one. Still, there were cases where hackers have been using compromised business emails to perform further attacks. For that reason, I’d recommend having a peek into a dedicated article about email phishing and ways to recognize it.

Counteracting network breaches requires the use of specific software. Passive approach is possible – yet far less effective than the use of proactive software solutions. The latter, actually, are represented as Network Detection and Response systems. They combine properties of network monitors, firewalls and (partially) anti-malware programs, giving out a secure shield over the entire network.

Adhere to the latest news regarding vulnerabilities. Top-rated security is possible only in an environment which is hard to exploit. When cybersecurity researchers uncover vulnerabilities, or hackers use a new one in the wild, it is recommended to find and fix these breaches. Consider having several cybersecurity blogs on a quick dial – and the numbers of your software vendors as well. Nothing saves you more than a fast reaction.

The post Fullerton India Hacked, LockBit Leaks 600GB of Data appeared first on Gridinsoft Blog.

What is LockBit Ransomware?

LockBit Ransomware is one of the most successful ransomware gangs among the ones active in 2022. Appeared in 2020, it quickly became a big fish – thanks to its extremely fast and reliable encryption, and the same fast data extraction tools. In 2022, after the Conti group shutdown, it rapidly gained market share and became an absolute leader. Available statistics show that almost 60% of ransomware attacks on corporations in the summer of 2022 were commenced by the LockBit group.

They’re also known as a very public group, as they are constantly active on various forums, and even give interviews to various blogs. The main narrative the group were pushing was “Lockbit always does what they promise”. They have likely meant that after paying the ransom(s), the victim will receive the decryption key, and its files will be deleted. Obviously, DDoS-attacks this group started using to create the other stimulus to pay should be stopped as well. Such confidence is likely the result of a diligent hiring program – the administration is definitely sure that group members follow the rules.

LockBit 3.0 Builder leak

Each ransomware sample deployed by the LockBit group is unique. It is delivered to the target system after establishing the connection that follows the initial access. The special tool generates a new build of malware that makes it impossible to detect it with any kind of signature analysis. It is also used in creating the encryption and decryption keys, which makes this app potentially valuable for creating a unified decryptor.

On Wednesday, 21st of September, 2022, a Twitter user nicknamed Ali Qushji posted several tweets where they shared the link to builder download and some details. In particular, there was a claim that this program has been leaked from the LockBit infrastructure after the successful hacking of the latter. There is no evidence that there was any real hacking into LockBit servers, but another tweet (now deleted) from Vx-Underground was confirming the earlier breach (as of September 10, 2022).

A person nicknamed Proton, who appears to be a programmer that works for the group, shared a builder with the admins of the aforementioned Twitter page. That version belonged to the latest version of LockBit 3.0 ransomware and featured several flaws fixes that were present earlier. What creates even more confusion is the fact that both versions – the one shared by Proton and the one from Ali Qushji – are different. Both of them are available on 3xp0rt’s GitHub.

What’s next?

The situation is as unclear as it could be. The chance that LockBit infrastructure was breached is pretty high, and if this turns out to be true – the group will likely have some serious problems. And not only because of security concerns: ones who got inside of the servers have likely leaked all the data needed to create a decryptor. Sure, the group can switch on the other technology – but it will take time, and such an operation will not be very pleasant shortly after switching to LockBit 3.0 ransomware. It is better to wait for the official reaction of a cybercrime gang – and only then make any conclusions.

The post LockBit 3.0 Builder leaked to the public appeared first on Gridinsoft Blog.