Fraud Management & Cybercrime , Ransomware

Experts See Surge in Attacks, Including in Russia, Using Leaked LockBit Code Mathew J. Schwartz (euroinfosec) • April 17, 2024    

What do a German healthcare network, a Russian security company and an American bridal clothing retailer have in common?

See Also: The Gorilla Guide to Modern Data Protection

All seem to have been compromised in recent months by attackers who wielded LockBit crypto-locking malware. But none of the attackers appear to have been part of the ransomware-as-a-service operation bearing that name.

The reason is no mystery: Since September 2022, anyone has been able to use the LockBit version 3.0 – aka Black – builder thanks to a key developer leaking it after he fell out with group leader LockBitSupp (see: Victim of Its Own Ransomware Success: LockBit Has Problems).

Their dispute seemed to center on money, detonating during a lucrative hacking spree that gained notoriety for the magnitude of its onslaught. LockBit has amassed more than 1,700 victims in the United States alone since 2020 and earned at least $91 million in ransom payments, the FBI said in mid-2023.

LockBit didn’t let just anyone into its affiliate program, which promised access to its ransomware builder and name-branded support in exchange for a slice of the proceeds. Typically, 70% went to the affiliate and 30% to the operator.

“Joining the LockBit affiliate program is typically challenging, requiring individuals to prove themselves and establish a reputation before gaining access,” cybersecurity firm Trellix said in a blog post earlier this month. The leaked builder was an opportunity for ransomware hackers left on the outside: Get the builder and reap the brand name without having to deal with LockBitSupp. Black “provided an opportunity for threat actors to quickly enter the scene, encrypt smaller enterprises, and reap profits without meeting these stringent requirements.”

Among the LockBit imposters appears to be a group that last Dec. 24 unleashed ransomware inside the German healthcare network Katholische Hospitalvereinigung Ostwestfalen, or KHO, disrupting IT services at more than 1,800 hospital beds across three hospitals.

“An initial check showed that it was probably a cyberattack by LockBit 3.0,” the hospital said in a breach update issued several days after the attack, according to a machine translation. “For security reasons, as soon as it became known, all systems were shut down that night and all necessary people and institutions were informed.”

Following that attribution, LockBit quickly denied having any involvement. In a private Tox message, LockBitSupp told malware researcher vx-underground that the KHO attackers used a leaked builder and non-LockBit contact details in search of a quick payday.

Some attacks appear to be more personal, including in January against AN-Security, a Russian security firm that was infected with LockBit after attackers stole 5 terabytes of data and then demanded a 100-bitcoin ransom – then worth over $3 million.

LockBitSupp again quickly denied being involved, placing the blame on “Signature,” an owner and operator of the Clop ransomware group who operates an affiliate program, according to forum messages published by Trellix. Via a post to the Exploit cybercrime forum, LockBitSupp claimed Signature was seeking revenge over how he’d been banned from Exploit. LockBitSupp also claimed to have reached out to AN-Security to offer the company free assistance, but it remains unclear whether or not anything came of this.

Trellix said it has seen a surge in attacks by newly launched ransomware groups that are using the leaked LockBit code, and at least some of them might be former affiliates. These newer groups include:

• Wing: A threat actor called “blackhunt” debuted Wing ransomware via the RAMP forum in January, Trellix said. After analyzing the code, a forum member, TheShadowHacker, said it was based on the leaked LockBit builder.
• Dragonforce: Trellix said the group in 2023 used multiple strains created from modified versions of the leaked LockBit code.
• Spacecolon: Cybersecurity firm Trend Micro last November reported finding this group operating a LockBit look-alike data leak site, as well as using emails and URLs to impersonate the group, which “gave victims the impression that they were dealing with LockBit.”
• Werewolves: Russian cybersecurity firm F.A.C.C.T. last November reported that a group called Werewolves had begun actively targeting firms in Russia – and elsewhere – starting in June 2023, using both the leaked LockBit code and leaked Conti source code. The group demanded ransoms of up to $1 million in return for a promise it wouldn’t leak stolen data.

Some of those groups’ attacks threatened to get LockBit into hot water by targeting victims located in the Commonwealth of Independent States. “LockBit operators tried to explain that they had nothing to do with these attacks,” said Russian cybersecurity firm Kaspersky in a blog post.

Owing to the threat posed by angering authorities in Russia, where most ransomware groups are based, their crypto-locking malware is typically never executed on any system that appears to be based in a CIS country or that uses certain types of keyboards, such as Cyrillic (see: Russia’s Cybercrime Rule Reminder: Never Hack Russians).

But CIS countries are far from the only target of attackers wielding leaked LockBit code, and firms have reported hits against targets in North American, Europe and beyond. “In our incident response practice, we have come across ransomware samples created with the help of the leaked builder in incidents in Russia, Italy, Guinea-Bissau and Chile,” Kaspersky said. How technically sophisticated the attackers might be remains an open question. While the LockBit 3.0 builder can be customized, “most of the attacks used the default or slightly modified configuration,” it said.

LockBit itself has been on a downward trajectory. Other members of the criminal underground are chafing at LockBitSupp’s arrogance, and affiliates are eschewing the group after its infrastructure proved unreliable. A major setback, of course, was Operation Cronos, a multinational law enforcement operation in February that seized LockBit servers, arrested affiliates and took control of the group’s dark web site (see: Arrests and Indictments in LockBit Crackdown).

The group has since been determined to show it survived the international onslaught, relaunching a dark web presence and claiming responsibility for attacks.

Claimed members of the group appear to be behind a recent series of attacks that exploited ScreenConnect software to infiltrate IT environments, while LockBit’s core team appears to be trying to rebuild the affiliate portal that law enforcement infiltrated, said John Fokker, head of threat intelligence at Trellix.

Some incident responders have seen a surge in attacks that appear to trace to the actual LockBit group but that have resulted in lower-than-usual ransom demands, typically amounting to less than $1 million each.

Still, the group’s post-Operation Cronos efforts appear to be “more flop than pop,” at least compared with the volume, sophistication and reach of its previous efforts, Fokker said in a LinkedIn post. LockBit may be reduced to a “slimmed down core group” no longer capable of outsized past successes, he said.

Together with attackers wielding older versions of the group’s ransomware, a resurgent LockBit would spell double LockBit trouble for potential victims.