LockBit 2.0 Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/lockbit-2-0/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed updated: Tue, 28 Jun 2022 18:20:34 +0000

LockBit Weaponizes Its Victims’ Clients – Brett Callow
https://gridinsoft.com/blogs/lockbit-weaponizes-victims-clients/
Tue, 28 Jun 2022 18:20:34 +0000

Brett Callow, a threat analyst at Emsisoft, has described on Twitter how the LockBit ransomware group has broadened the pressure tactics it applies to its victims.

Imagine a firm gets attacked by ransomware. Besides encrypting the company’s data and demanding a ransom for the decryption key, the crooks now routinely steal the data before encrypting it and threaten to publish or sell it if the ransom is not paid. This is the double-extortion scheme.

LockBit Weaponizes Its Victim’s Clients

However, if the victim’s management refuses to negotiate, the extortionists have found a way to force the issue. They contact the clients, partners, and employees of the victimized company and tell them that the company has neglected the safety of data entrusted to it by the very people who trusted it and deserve its responsible care. The ransomware group thus encourages the affected individuals to pressure the company into doing something about the leak.

LockBit message to clients of the ransomware group’s victims. Image: Brett Callow (Twitter).

Callow calls this ‘weaponizing’ clients (and not only clients). Ransomware gangs share links to purpose-built web pages where alleged victims can check whether their data is among the stolen files. Sometimes the crooks offer to remove an individual’s information from the stolen dataset for a fee; sometimes they do not. Either way, the individual has no way to verify that every copy of the data held by the criminals has really been deleted, so paying buys no real guarantee.

In LockBit’s case, clients of victimized companies are warned that an auction will be held before the personal data (names, addresses, Social Security numbers, phone numbers, email addresses, etc.) is published.

Brett Callow notes that LockBit is not the first ransomware gang to practice such ‘client weaponizing’: ALPHV did the same earlier this year, and Cl0p did so last year.

How do Auctions Look?

The tension at a data auction organized by LockBit. Image: Brett Callow (Twitter).

Even more interesting is that the LockBit victim companies, while possibly being pushed by their employees and customers, can play a game of patience on the auction. The victim may have all the attacker-held data destroyed at once by paying a set amount. At the same time, anyone else may pay the same amount to download the whole dataset. Both prices drop together over time. On the one hand, nobody forces the company to pay the initial amount. On the other hand, as soon as the price gets low enough, someone else may decide to buy and download the data. And that’s it: the data is out.

Conti vs. LockBit 2.0 – a Trend Micro Research in Brief
https://gridinsoft.com/blogs/conti-vs-lockbit/
Tue, 28 Jun 2022 11:45:30 +0000

Trend Micro, a Japanese IT security company, has published a thorough comparison of the behavior of two major ransomware groups, Conti and LockBit 2.0. Here is a short summary of what they found.

Conti and LockBit 2.0 stand out for the number of targets they managed to attack. The period analyzed runs from November 2019 to March 2022. Within that timespan, Conti hit 805 companies while LockBit 2.0 reached the ominous 666. Together these two operators are responsible for almost 45% of all the extortion attacks recorded worldwide in that period, and that despite LockBit reaching its current activity level only in July 2021. Taking into account the rumors of Conti’s end, LockBit 2.0 might overtake Conti in the number of successful attacks even sooner than August 2022, the earlier estimate.

Victim Companies Locations

Location-wise, the strategies of the two gangs show significant differences. Although North American and Western European companies lead the victim counts of both racketeering groups, that is where the similarities end. Conti is much more focused on North America: more than two-thirds of its victims are there. Europe comes second, and the rest, 7%, are spread over all other regions.

Conti vs. LockBit 2.0: Victim Companies Locations. Image: Trend Micro.

As for LockBit 2.0, the picture is different. Western Europe and North America together account for roughly two-thirds of LockBit’s victim list, with North America taking the larger share. But unlike in the Conti case, the remaining victims (around 20% of the total, more than Western Europe alone) are distributed mostly across Asia and the Pacific, a considerable part goes to South America, and the rest are in the Middle East, Eastern Europe, and Africa.

The distribution of LockBit’s targets is much closer to the worldwide distribution of gross domestic product, except for the Asian region. China’s economy is by far the largest there, yet this country is seemingly “spared” by the ransomware actors in question. In the Asia and Pacific region, Conti clearly concentrates on English-speaking countries: Australia, New Zealand, Singapore, and India. We will reflect on the reasons for that in the conclusions.

Industries and Company Sizes

Victimized industries are mostly the same for both operators, and neither group appears to target a specific sector on purpose. The most attacked industries are the same for LockBit and Conti: financial, IT, manufacturing, materials, professional services, and construction.

Conti vs. LockBit 2.0: Victim Companies Sizes. Image: Trend Micro.

More curious is the difference in the size of attacked companies. Conti concentrates on enterprises with a relatively large number of employees: its largest bucket, 237 attacks (by Trend Micro’s size categories), is companies with 51-200 employees. LockBit’s largest bucket, 222 attacks, is companies with 11-50 employees. For larger entities (201-500 employees), Conti has 182 attacks to LockBit’s 89. One of LockBit’s victims, according to Trend Micro, is a one-person company.

Conclusions

The fact that Hong Kong is the alleged location of the LockBit gang’s leader might explain the group’s reluctance to attack China: an official investigation might critically jeopardize the group’s leader, his haven, and further operations.

In the case of Conti, everything is different. This ransomware group declared its support for Russia in the context of Russia’s invasion of Ukraine. Accordingly, Conti attacks Russia’s opponents, mainly the USA, and refrains from victimizing Russia’s allies, such as China and most of the former Soviet republics.

The distribution of LockBit’s victims arguably supports the group’s claim to be apolitical and purely financially motivated. Earlier, LockBit 2.0 even staged a media performance, promising to disclose data stolen from Mandiant, a cybersecurity giant, at the height of the RSA cybersecurity conference. What preceded this prank was a Mandiant report on LockBit’s connection with the Russian ransomware gang Evil Corp, which LockBit flatly denied.

Copyright Claims Used as Bait by LockBit 2.0 Affiliates in Korea
https://gridinsoft.com/blogs/copyright-ransomware-south-korea/
Mon, 27 Jun 2022 17:42:46 +0000

A new type of email bait has been adopted by affiliates of LockBit 2.0.

Specialists at AhnLab Inc, a South Korean security software company, have noticed that LockBit 2.0 affiliates began spreading their ransomware via emails posing as copyright infringement notices. Since ransomware victims are usually companies rather than individuals, such claims are often plausible, especially if the target is a software or, even more so, a game development company. It is enough for an employee to see the well-known name of an illustrator, visual designer, or composer mentioned in the message: they will open the file, forgetting about any cyber threats.

These cases have been spotted mainly in South Korea. The emails carry a compressed attachment that contains another compressed file. The goal of the attackers is to get the victim to open what looks like a PDF document but is actually a malicious executable. The tell is in the file itself rather than its name or icon: a genuine PDF starts with the bytes %PDF, while a Windows executable starts with MZ, and a name such as notice.pdf.exe only looks like a PDF when Windows hides the real extension.
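The following is an added example, not code from the original post or from AhnLab, of the check a mail gateway or analyst script would run against an attachment of the kind described above: unpack the nested archive, and flag any entry whose name claims to be a PDF while its extension or its leading bytes say otherwise. The sample attachment is constructed in memory (a PE stub with an MZ header, not a real sample), and the list of executable extensions is an assumption chosen for the example.

```python
import io
import zipfile

# File signatures (magic bytes) that the check relies on.
PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"

# Extensions Windows executes regardless of what precedes them in the name.
# Assumed list for this example; extend it to taste.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk")

# Refuse to expand entries larger than this (guards against decompression bombs).
MAX_ENTRY_BYTES = 50 * 1024 * 1024


def inspect_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> list[dict]:
    """Walk a zip archive, descending into nested zips up to max_depth, and
    return a finding for every entry that claims to be a PDF but is not one.
    Each finding is {"path": ..., "depth": ..., "reasons": [...]}; nested
    entries are reported as outer.zip!inner.name."""
    findings: list[dict] = []
    if depth > max_depth:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings

    for info in zf.infolist():
        if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
            continue
        payload = zf.read(info)
        name = info.filename

        # Recurse into a nested archive and prefix the inner paths.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            for f in inspect_archive(payload, depth + 1, max_depth):
                f["path"] = f"{name}!{f['path']}"
                findings.append(f)
            continue

        lower = name.lower()
        if ".pdf" not in lower:
            continue  # only entries that present themselves as PDFs are judged here

        reasons = []
        if lower.endswith(EXECUTABLE_EXTS):
            reasons.append("double extension: executable suffix after .pdf")
        if payload.startswith(PE_MAGIC):
            reasons.append("content is a PE executable (MZ header), not %PDF")
        elif not payload.startswith(PDF_MAGIC):
            reasons.append("content does not start with %PDF")
        if reasons:
            findings.append({"path": name, "depth": depth, "reasons": reasons})
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample mimicking the lure: an outer zip holding an inner zip,
    which holds a PE stub named like a PDF next to a harmless decoy PDF."""
    fake_exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("copyright_infringement_notice.pdf.exe", fake_exe)
        z.writestr("readme.pdf", b"%PDF-1.4\n% harmless decoy\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("copyright_claim.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_attachment()):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

The decoy readme.pdf passes because its name carries no executable suffix and its content starts with %PDF; the notice is flagged twice, once for the double extension and once for the MZ header, so the check still fires if an attacker drops one of the two tricks.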

It is a curious psychological trick. Instead of hiding their malware behind an enticing façade, the crooks disguise it as something unwelcome: an annoying message. You don’t want to open it, but you have to. It even takes some courage to open a message containing a copyright claim, an unpaid utility bill, a subpoena, and the like. Victims drop their guard, expecting nothing more frightening than what the letterhead announces. “I could have left it for tomorrow, but I prefer to look reality in the eye,” the victim thinks. Thus it is easier to make a person open an attachment that openly threatens financial (or other) losses than one that promises benefits.

LockBit 2.0 is one of the most widespread ransomware families; its only real competitor was the Conti group, until the latter seemingly disbanded recently. Where Conti openly supported Russia in the context of the Russian invasion of Ukraine, LockBit 2.0 denied any connection with Russian ransomware groups in every possible way. That does not make the gang good, but it does make it somewhat unusual.

LockBit has also recently released the third generation of its ransomware, LockBit 3.0, together with a working bug bounty program: users are invited to report bugs in the newly released software for a significant reward. The dominance of this gang will therefore probably last.

NCC Group’s May 2022 Threat Report Reflects Conti’s End
https://gridinsoft.com/blogs/ncc-report-may/
Mon, 27 Jun 2022 14:24:42 +0000

NCC Group’s monthly report on cyber threats features some curious news, namely the alleged closure of the ransomware group Conti and the strengthening of the LockBit 2.0 gang.

Conti, a notorious Russian ransomware gang responsible for last year’s attack on the Irish health service, is believed to have disbanded after the internal correspondence of its members reached journalists. Later (in March) the source code of the group’s ransomware also leaked. Conti, which originated in Russia, had declared its support for the Russian government over the invasion of Ukraine. The group’s Jabber servers were hacked and the chats published; later, two websites the group used to communicate with victims and leak data went offline.

However, specialists don’t expect the group to disappear. Many former Conti members founded new groups or joined existing ones even before the gang stopped working. Known ransomware crews where Conti members found new places include BlackCat, Hive, AvosLocker, HelloKitty, Quantum, and others. There are also data-theft extortion operations founded by other Conti participants that do not rely on encryption: Karakurt, BlackByte, and the Bazarcall collective. Thus only the brand is gone; the malefactors will hardly change their ways.

Statistics

May showed an 18% decrease in ransomware activity compared to April. As before, the most attacked sectors were industrials, consumer cyclicals, and technology (31%, 22%, and 10% of attacks, respectively). LockBit 2.0 remained the most active ransomware actor in May, with at least 95 victims on its account (40% of cases). Conti was also active, alongside Hive and the recently emerged Black Basta (17 cases, 7%). The total number of ransomware attacks in May amounted to 236 (against April’s 289).

NCC Group is a British information security consultancy based in Manchester. With over 15 thousand clients worldwide, NCC Group is listed on the London Stock Exchange and is a constituent of the FTSE 250 Index. Every month the company issues a “Threat Pulse”, a report on the global cyber threat landscape.

LockBit 2.0 Promises to Leak Mandiant Data
https://gridinsoft.com/blogs/lockbit-mandiant/
Thu, 09 Jun 2022 14:48:30 +0000

LockBit 2.0 announcement: real thing or vengeful trolling?

On June 6, on its dark web portal, the ransomware operator LockBit 2.0 announced the exposure of data allegedly stolen in a successful hack of Mandiant, a large and influential cybersecurity company. With the RSA 2022 conference opening the same day in San Francisco, the message was clearly timed for publicity. Previously, Mandiant had published a report associating LockBit 2.0 with Evil Corp; more specifically, the researchers suggested that Evil Corp used the LockBit affiliate program to evade sanctions and detection. The claimed connection with Evil Corp, a notorious ransomware group widely believed to have ties to Russian state security services, enraged LockBit 2.0. The gang’s reply accused Mandiant of unprofessionalism and stated that LockBit 2.0 had no connection to Evil Corp or to any state’s special services.

Mandiant, in turn, said it was aware of the threat. Notably, LockBit 2.0 demanded no ransom; the story looked more like revenge. The company expressed doubt about the claim, stating that it had found no evidence of any intrusion in June or earlier.

Brett Callow, a threat analyst at Emsisoft, a company specializing in countering ransomware, noted that LockBit 2.0 had made empty boasts before, so there is no reason to panic over the threat. The reputational damage any cybersecurity company would suffer if such news broke during a professional convention is just another reason to believe the promised data exposure is a vengeful prank.

The ransomware operators promised to leak the stolen data soon without specifying what data exactly they possess.

In March 2022, Alphabet (Google) agreed to acquire Mandiant for $5.4 billion; the deal has yet to close.
