The Week in Ransomware - May 10th 2024 - Chipping away at LockBit

6 months ago 44
BOOK THIS SPACE FOR AD
ARTICLE AD

LockBit

After many months of taunting law enforcement and offering a million-dollar reward to anyone who could reveal his identity, the FBI and NCA have done just that, revealing the name of LockBitSupp, the operator of the LockBit ransomware operation.

On February 19, Operation Cronos took down LockBit's infrastructure and converted its data leak site into a law enforcement press release site where they released information about the police actions.

After being inactive for months, the site went live again on Sunday, teasing new information that would be released, including the possible identity of the LockBit admin.

On Tuesday, the NCA, Europol, and the FBI revealed the identity of LockBitSupp, a 31-year-old Russian national named Dmitry Yuryevich Khoroshev.

Since then, the LockBit operation has been on a revenge spree, leaking the names of 119 victims allegedly attacked by the ransomware operation.

While LockBitSupp says they are not going anywhere and will continue to conduct attacks, it would not be surprising to see them shut down and rebrand a new operation in the near future.

In other news, an attack on healthcare giant Ascension has caused massive disruption to the healthcare system, causing ambulances to be diverted from several hospitals and systems offline, including medical records.

According to CNN, the attack has been linked to the Black Basta ransomware operation.

Other ransomware attacks we learned more about this week are:

The City of Wichita cyberattack was claimed by LockBit ransomware. LockBit demanded a massive $200 million ransom from Boeing in a November cyberattack. Ohio Lottery ransomware attack impacts over 538,000 individuals. Brandywine Realty Trust had data stolen in a ransomware attack. The University System of Georgia finally confirmed 800,000 people were impacted by the 2023 MOVEit data theft attacks.

Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @serghei, @fwosar, @LawrenceAbrams, @malwrhunterteam, @Seifreed, @Ionut_Ilascu, @BleepinComputer, @demonslay335, @snlyngaas, @pcrisk, @AJVicens, @chainalysis, @F_A_C_C_T_ , @zackwhittaker, @H4ckManac, and @JakubKroustek.

May 6th 2024

Examining the Impact of Ransomware Disruptions: Qakbot, LockBit, and BlackCat

A historic surge of ransomware incidents and payment totals in 2023 was not without resistance, as significant actions were taken against ransomware actors in 2023 and early 2024, including notable disruptions on Qakbot malware, and the LockBit and ALPHV-BlackCat ransomware-as-a-service (RaaS) groups.

Lockbit's seized site comes alive to tease new police announcements

The NCA, FBI, and Europol have revived a seized LockBit ransomware data leak site to hint at new information being revealed by law enforcement this Tuesday.

City of Wichita shuts down IT network after ransomware attack

The City of Wichita, Kansas, disclosed it was forced to shut down portions of its network after suffering a weekend ransomware attack.

New STOP ransomware variants

Jakub Kroustek found new STOP ransomware variants that append the .qepi, .qehu, and .baaa extensions.

May 7th 2024

LockBit ransomware admin identified, sanctioned in US, UK, Australia

The FBI, UK National Crime Agency, and Europol have unveiled sweeping indictments and sanctions against the admin of the LockBit ransomware operation, with the identity of the Russian threat actor revealed for the first time.

New XAM ransomware

PCrisk found a new ransomware that appends the .xam extension and drops a ransom note named unlock.txt.

Darkness is coming: a new group of MorLock ransomware has increased the intensity of attacks on Russian businesses

MorLock, like many others we covered in our above-mentioned review, is attacking Russian companies using LockBit 3 (Black) and Babuk ransomware . In the current environment, there is a collaboration of cyber gangs; they use similar tactics, techniques and procedures (TTPs), as well as an arsenal of tools. All this creates certain “interference” that makes it difficult to identify attackers, but it is still possible to identify the attackers’ unique handwriting, which allows them to be attributed to a particular group.

Brandywine Realty Trust says data stolen in ransomware attack

U.S. realty trust giant Brandywine Realty Trust has confirmed a cyberattack that resulted in the theft of data from its network.

May 8th 2024

University System of Georgia: 800K exposed in 2023 MOVEit attack

The University System of Georgia (USG) is sending data breach notifications to 800,000 individuals whose data was exposed in the 2023 Clop MOVEit attacks.

City of Wichita breach claimed by LockBit ransomware gang

The LockBit ransomware gang has claimed responsibility for a disruptive cyberattack on the City of Wichita, which has forced the City's authorities to shut down IT systems used for online bill payment, including court fines, water bills, and public transportation.

Ascension healthcare takes systems offline after cyberattack

?Ascension, one of the largest private healthcare systems in the United States, has taken some of its systems offline to investigate what it describes as a "cyber security event."

Boeing confirms attempted $200 million ransomware extortion attempt

The cybercriminals who targeted Boeing using the LockBit ransomware platform in October 2023 demanded a $200 million extortion payment, the company said Wednesday.

New STOP ransomware variant

Jakub Kroustek found a new STOP ransomware variant that appends the .qeza extension.

May 10th 2024

Ohio Lottery ransomware attack impacts over 538,000 individuals

?The Ohio Lottery is sending data breach notification letters to over 538,000 individuals affected by a cyberattack that hit the organization's systems on Christmas Eve.

Ascension redirects ambulances after suspected ransomware attack

Ascension, a major U.S. healthcare network, is diverting ambulances from several hospitals due to a suspected ransomware attack that has been causing clinical operation disruptions and system outages since Wednesday.

That's it for this week! Hope everyone has a nice weekend!

Read Entire Article