uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

LockBit Ransomware Steals $91 Million from US Businesses

Following hundreds of attacks against numerous US targets, the threat actors responsible for the LockBit ransomware-as-a-service (RaaS) scheme have demanded $91 million since 2020.
According to a joint bulletin released by the US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and other partner authorities from Australia, Canada, France, Germany, New Zealand, and the UK.

The agencies claimed that the LockBit ransomware-as-a-service (RaaS) draws affiliates to use LockBit for ransomware attacks, resulting in a vast network of unconnected threat actors carrying out wildly different attacks.

According to statistics released by Malwarebytes last week, LockBit, which first appeared on the scene in late 2019, has continued to be disruptive and prolific, targeting as many as 76 victims in May 2023 alone. At least 1,653 ransomware assaults have been blamed on the cartel with ties to Russia so far.

A wide range of crucial infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation, have been targeted by the cybercrime operation.

LockBit has so far undergone three significant upgrades: LockBit Red (June 2021), LockBit Black (March 2022), and LockBit Green (January 2023), the latter of which is based on leaked source code from the now-disbanded Conti gang.

Since then, the ransomware variant has been modified to attack Linux, VMware ESXi, and Apple macOS systems, making it a constantly evolving threat. The RaaS operation is also notable for starting the first-ever bug bounty program and paying people to get tattoos of its insignia.

The main actors in the business model rent out their warez to affiliates who carry out the actual ransomware distribution and extortion. In a surprising move, the group sends a cut to the main crew before allowing the affiliates to receive ransom payments.

Virus known as LockBit.

Fortra GoAnywhere Managed File Transfer (MFT) and PaperCut MF/NG servers, as well as other well-known bugs in Apache Log4j2, F5 BIG-IP and BIG-IQ, and Fortinet devices, have recently been exposed to security vulnerabilities that attack chains involving LockBit have taken advantage of to gain initial access.

Over 30 freeware and open-source tools that enable network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration are also used by the affiliates. Metasploit and Cobalt Strike, two legitimate red team tools, have been found to be further abused by the intrusions.

"LockBit's inventiveness and ongoing improvement of the organization's administrative panel (i.e), a streamlined point-and-click interface that enables ransomware deployment for users with lower levels of technical skill), affiliate supporting functions, and continuous TTP revision, the agencies said.

The change coincides with CISA's publication of Binding Operational Directive 23-02, which directs federal agencies to secure network devices like firewalls, routers, and switches that are exposed to the public internet within 14 days of their discovery and to take actions to reduce the attack surface.

"Too frequently, threat actors are able to use network devices to gain unrestricted access to organizational networks, which ultimately results in full-scale compromise," said Jen Easterly, director of CISA. "Requiring suitable controls and mitigations [. [] is a critical action in lowering risk to the federal civilian enterprise. ".

Additionally, the developments come in response to a fresh advisory that highlights dangers to Baseboard Management Controller (BMC) implementations that may allow threat actors to set up a "beachhead with pre-boot execution potential.". ".

According to CISA and the US government, "hardened credentials, firmware updates, and network segmentation options are frequently disregarded, resulting in a vulnerable BMC.
S.
In a joint alert, the National Security Agency (NSA) made a note.

A malicious actor could also disable security tools like the trusted platform module (TPM) or UEFI secure boot, alter data on any attached storage media, or spread malicious software or disruptive instructions throughout a network infrastructure. ".