LockBit still showing signs of life, new ransom attacks reported

Multiple attacks using LockBit ransomware have been seen in the wild exploiting two critical vulnerabilities in ConnectWise ScreenConnect remote access software – this, as the gang claims it is in the process of regrouping.

Even after an unprecedented takedown of the gang’s infrastructure this week by global law enforcement, an unmasking of its leader LockBitSupp, the release of a powerful decryptor tool, and the tagging of 30,000 LockBit Bitcoin addresses as part of Operation Cronos, the infamous ransomware group still seems to be showing signs of life, as one of its variants is being seen in the wild.

The group also apparently announced Friday that it will respond to a law enforcement taunt about its leader once it has “finished restoring their infrastructure.” (More on that later.)

LockBit ransomware still being released in the wild

First, new threat research released Friday by Sophos X-Ops shows that some LockBit affiliates are still operating and using the gang’s 3.0 ransomware variant to attack victims.

“In the last 24 hours, we’ve observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities, built using a leaked malware builder tool,” Sophos said in its report.

Sophos' research primarily focused on the two ScreenConnect critical vulnerabilities disclosed on February 13th by ConnectWise. The vulnerabilities, an authorization bypass (CVE-2024-1709) and path traversal (CVE-2024-1708), were given CVSS severity score ratings of 10 and 8.4, respectively.

ConnectWise released a fix for the flaws on February 19th, but Huntress Labs, the first to create a proof of concept (PoC) for the exploits just this week, said that even with the urgent warnings, clients were slow to patch, leaving a large pool of exposed servers open to attack.

A Shodan report found 8,986 ScreenConnect servers running worldwide, over 5,000 of them located in the US, but fewer than 500 of them running the updated 23.9.8 software version.

Shodan ScreenConnect report. Shodan.io. Image by Cybernews.

Further Shodan analysis shows Microsoft and Amazon hosting about 1,000 ScreenConnect servers between them.
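The patch-state numbers above are the kind of check a defender runs against their own server inventory. The following is an added example, not code from the article, Sophos or ConnectWise: it buckets a constructed, Shodan-shaped inventory (hostnames and version strings are placeholders, not real servers) by whether the reported version is at or above the 23.9.8 fix level the article names, and it compares versions numerically so that a 23.10.x build is not mistaken for an older one.

```python
"""Triage ScreenConnect version banners against the 23.9.8 fix level.

Added example (not from the article, Sophos or ConnectWise). The inventory
is constructed sample data; the fourth build component seen in some
version strings is an assumption and is ignored for the comparison.
"""
import re

# First version the article names as carrying the fix for
# CVE-2024-1709 (authorization bypass) and CVE-2024-1708 (path traversal).
FIXED_VERSION = (23, 9, 8)

# Constructed sample inventory. Hosts are placeholders, not real servers.
SAMPLE_INVENTORY = [
    {"host": "sc-1.example.test", "version": "23.9.8.8811"},
    {"host": "sc-2.example.test", "version": "23.9.7.8804"},
    {"host": "sc-3.example.test", "version": "23.10.1"},        # newer, not older
    {"host": "sc-4.example.test", "version": "22.8.9543.8121"},
    {"host": "sc-5.example.test", "version": "n/a"},            # banner missing
]


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if no
    dotted number is present. Extra build components are dropped."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True if version >= 23.9.8, False if older, None if unparseable.
    Tuple comparison is numeric, so "23.10.1" correctly ranks above
    "23.9.8" where a plain string comparison would not."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v >= FIXED_VERSION


def triage(inventory):
    """Bucket hosts into patched / unpatched / unknown by banner version.
    A patched banner says nothing about whether the host was already hit
    before it was updated; that needs a separate compromise assessment."""
    buckets = {"patched": [], "unpatched": [], "unknown": []}
    for entry in inventory:
        status = is_patched(entry.get("version"))
        key = "unknown" if status is None else ("patched" if status else "unpatched")
        buckets[key].append(entry["host"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>9}: {len(hosts):2d}  {', '.join(hosts)}")
```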

LockBit Black makes an appearance

Sophos said it had been “closely monitoring telemetry systems looking for any anomalous or malicious behavior” when it spotted “at least one threat actor” deploying a ransomware executable, apparently built with LockBit tooling, against the ScreenConnect remote code execution (RCE) vulnerability.

Sophos did note that the ransomware did not call itself LockBit but instead “self-identifies as ‘buhtiRansom,’” was built with a LockBit builder tool leaked in 2022, and is therefore not necessarily a strain created directly by LockBit developers.

However, another attacker observed in the wild by Sophos attempted to drop a payload that, when run in a sandbox environment, changed the desktop background to a “LockBit Black” ransomware encryption warning note.

Sophos LockBit Black desktop warning. Image by Sophos X-Ops.

LockBit Black, an alternative name for the LockBit 3.0 variant, is considered the most evasive version of all previous LockBit strains.

LockBit: the gang's all here

Next, a post on X by the malware repository vx-underground, which is openly in regular contact with both LockBit and its contemporary ALPHV/BlackCat, also suggested the gang is off life support and still breathing.

“We asked LockBit ransomware group administration their thoughts on this past week,” vx-underground posted on X Friday.

“LockBit ransomware group said they will make formal reply to law enforcement once they're finished restoring their infrastructure,” the post stated.

The post also included a comment from the notorious ALPHV/BlackCat ransomware group, which has been openly mocking the LockBit seizure all week.

"My Mercedes drives LockBit," ALPHV told the repository, an obvious jab at LockBit’s leader LockBitSupp.

The statement clearly references a post released by law enforcement on Friday claiming intimate knowledge of the gang leader and the car he drives.

“Who is LockBitSupp?” authorities posted on the former LockBit dark web blog, now controlled by the UK National Crime Agency (NCA), Interpol, and the FBI, among others.

One answer mockingly reads, “LockBitSupp has claimed to have a Lamborghini …”

Law enforcement then continues to answer its own question, “... he drives a Mercedes, (though parts may be hard to source),” in bright red lettering.

LockBitSupp identity. Announcement on the former LockBit dark web blog. Image by Cybernews.

On Thursday, ALPHV created what appears to be an AI-generated meme about the takedown depicting a black cat wearing a hoodie with the quote “Law enforcement will not help you,” and also stating that “LockBit is a pussy.”

Ironically, ALPHV/BlackCat has had its own website seized by the FBI, only to unseize it hours later, in a back-and-forth cat-and-mouse game that played out on the dark web this past December.

Although ALPHV's short-lived tussle with the FBI put a dent in its operations, by January the group appeared to have returned to “business as usual,” claiming numerous victims per day on its dark web blog, including Canada's Trans-Northern Pipelines this month.

On February 19th, authorities crippled LockBit’s operations by compromising the gang’s primary platform and other critical infrastructure. Thirty-four of the gang’s servers and over 200 cryptocurrency accounts linked to the criminal organization were seized, and arrests were made in Poland and Ukraine.

According to the Cybernews ransomware monitoring tool, Ransomlooker, LockBit accounted for 47% of all publicly announced ransomware victims over the last 12 months, netting the gang profits in the multi-billions. Notable victims in 2023 included companies such as Boeing and Allen & Overy, as well as the massive November exploitation of the Citrix zero-day vulnerability.

The US Justice Department has noted that the LockBit and ALPHV/BlackCat ransomware variants share similar characteristics, and both groups are thought to have links to Russia.
