Copycat Criminals mimicking Lockbit gang in northern Europe

Recent
reports
of
Lockbit
locker-based
attacks
against
North
European
SMBs
indicate
that
local
crooks
started
using
Lockbit
locker
variants.

Executive
Summary

• During
  the
  past
  months,
  the
  
  Lockbit
  gang
  reached
  very
  high
  popularity
  in
  the
  underground
  ecosystem.
• The
  recent
  Hive
  infrastructure
  
  takedown
  as
  well
  as
  other
  major
  gangs
  dissolution
  such
  as
  
  Conti
  in
  2022,
  is
  making
  room
  in
  the
  cybercrime
  business 
• The
  Lockbit
  locker
  leaked
  a
  few
  months
  ago
  in
  the
  underground,
  is
  increasing
  its
  popularity
  and
  adoption
  among
  micro-criminal
  actors.
• Recent
  reports
  of
  Lockbit
  locker-based
  extortions
  against
  North
  European
  SMBs
  indicate
  that
  local
  cyber-criminal
  gangs
  started
  adopting
  Lockbit
  locker
  variants.

Incident
Insights

Recently,
there
has
been
a
significant
increase
in
ransomware
attacks
targeting
companies
in
northern
Europe.
These
attacks
are
being
carried
out
using
the
LockBit
locker,
which
is
known
to
be
in
use
by
the
homonymous
criminal
affiliation
program.
The
Lockbit
group
has
been
targeting
companies
of
all
sizes
and
across
a
wide
range
of
industries,
causing
significant
disruptions
and
financial
losses.

One
of
the
most
concerning
aspects
of
these
recent
attacks
is
the
way
in
which
they
are
being
conducted.
The
LockBit
Locker
group
is
known
for
using
a
combination
of
advanced
techniques,
even
phishing,
and
also
social
engineering,
to
gain
initial
access
to
a
company’s
network.
Once
they
have
access,
they
use
a
variety
of
tools
and
techniques
to
move
laterally
throughout
the
network,
compromising
systems
and
stealing
sensitive
data.

One
of
the
most
recent
attacks
was
reported
by
Computerland
in
Belgium
against
SMBs
in
the
country,
but
according
to
the
company
they
were
targeted
by
a
group
of
cybercriminals
who
appeared
to
be
using
a
variant
of
the
LockBit
locker
malware.
However,
upon
further
investigation,
it
was
discovered
that
these
attackers
were
not
likely
related
to
the
real
LockBit
group,
but
rather
“wannabes”
who
had
obtained
a
leaked
version
of
the
malware.

Despite
not
being
the
true
LockBit
Locker
group,
these
micro
criminals
were
still
able
to
cause
significant
damage
by
encrypting
a
large
number
of
internal
files.
However,
the
company
was
able
to
restore
its
network
from
backups
and
no
client
workstations
were
affected
during
the
intrusions.

Among
the
increasing
popularity
of
extortion
practices
in
the
criminal
underground,
even
among
less
sophisticated
actors,
this
incident
also
highlights
the
dangers
of
outdated
software
and
systems.

In
fact,
in
this
case,
the
attackers
were
able
to
exploit
unpatched
vulnerabilities
in
the
company’s
FortiGate
firewall.
Unpached
FortiGate
firewalls

have
several
vulnerabilities
that
are
currently
exploited
by
cybercriminals
according
to
the
CISA’s
Known
Exploited
Vulnerabilities
Catalog,
but
in
these
recent
cases,
the
exploited
flaws
were
the
infamous
“Fortifuck”
flaws
straight
back
from
2018.

Those
flaws
have
been
exploited
through
unattended
exposure
through
a
company’s
branch
internet
gateway.
These
network
gateways
are
often
less
well-protected
than
the
company’s
main
network
and
typically
provide
an
easier
entry
point
for
attackers.

In
conclusion,
the
recent
ransomware
attacks
targeting
North
European
SMBs
companies
are
a
serious
concern
for
many
reasons:
despite
the
reduced
effectiveness
due
to
the
lack
of
experience
of
the
criminal
operators,
the
targeted
industries
suffered
important
outages
and
data
exfiltration.

Threat
Actor
Brief

LockBit
is
a
well-known
ransomware
affiliation
program
started
back
in
September
2019,
where
the
developers
use
third
parties
to
spread
the
ransomware
by
hiring
unethical
penetration
testing
teams.
The
gang
was
one
of
the
first
gangs
operating
double
extortion
practices
and
supporting
such
attacks
with
dedicated
toolkits
such
as
the
Stealbit
malware.

During
his
infamous
career,
Lockbit
operators
hit
high-value
targets
such
as
Accenture
and
Royal
Mail,
but
also
a
large
number
of
small
and
medium
businesses
worldwide.
Once
an
environment
is
infected,
the
victim
is
sent
to
the
gang
payment
site
managed
by
the
ransomware
developers
who
threaten
to
leak
the
victim’s
data
to
extort
further
payments.

About
the
author:

Luca
Mella,
Cyber
Security
Expert,
Response
&
Threat
Intel
|
Manager

In
2019,
Luca
was
mentioned
as
one
of
the
“32
Influential
Malware
Research
Professionals”.
He
is
a
former
member
of
the
ANeSeC
CTF
team,
one
of
the
firsts
Italian
cyber
wargame
teams
born
back
in
2011.

Follow
me
on
Twitter:


@securityaffairs
and


Facebook
and


Mastodon

Pierluigi Paganini

(SecurityAffairs –

hacking,
Lockbit)

Share
On

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts