
Slow Mist: The Mysterious Case of LockBit, the Wor

By: 23pds@SlowMist


Team background

In September 2019, the LockBit ransomware made its first official appearance. It was then called "ABCD" ransomware because it appended the .abcd suffix to mark encrypted victim files. The early LockBit 1.0 was very immature: the encryptor not only used fixed mutexes but even left in debug functions, making it easy for anti-virus software, sandboxes and other security tools to identify and intercept it.

As the organization grew, LockBit 1.0 began operating under a RaaS (Ransomware-as-a-Service) model, developing and distributing ransomware tools for use by other malicious actors, and advertised its affiliate program on the well-known Russian-language forum XSS.

Eight months later, the LockBit 1.0 operators upgraded their extortion tactics: alongside file encryption, they created a leak site for publishing victim data, further pressuring victims in what is known as "double extortion."

After several minor upgrades, LockBit 1.0 had more sophisticated criminal methods than other ransomware of its time. On Windows systems the encryption process uses RSA + AES to encrypt files, and combines the IOCP completion port model with the AES-NI instruction set to speed up the work, achieving a high-performance encryption process. Once encryption succeeds, every victim file is given the .abcd extension suffix and cannot be decrypted without the key.

During the LockBit 1.0 period, the ransomware mainly displayed its ransom demand by changing the victim's desktop wallpaper and left a ransom note named Restore-My-Files.txt, requiring the victim to log in to a dark web site and pay the ransom in Bitcoin or Monero.

The gang later became famous for a number of high-profile attacks. For example, in June 2022 they launched LockBit 3.0 along with a bug bounty program inviting security researchers to test and improve their software. Offering rewards for discovering vulnerabilities in its own systems is a unique approach among ransomware operations.

Since its inception, LockBit has had a significant impact on cybersecurity, with its attacks often resulting in the theft of sensitive data and financial losses for victim parties.

"Glorious" history


Before May 2022, LockBit was almost unparalleled, penetrating the defense systems of more than 850 corporate organizations globally, accounting for 46% of all ransomware-related attacks during the same time period.

RaaS affiliate model:

Attack method:

According to data from cybersecurity company Dragos, about one-third of ransomware attacks on industrial systems in the second quarter of 2022 were launched by LockBit, a heavy blow to many large companies in the industrial control field. A report released by Deep Instinct pointed out that in the first half of 2022, ransomware attacks launched by LockBit accounted for approximately 44% of all attacks.

In just three years, the number of LockBit victims has exceeded 1,000, twice as many as the older ransomware organization Conti and more than five times as many as REvil.

It is worth mentioning that LockBit's ransom collection rate is also higher than that of many established ransomware organizations. Judging from 2022 data, of its roughly US$100 million in ransom demands, more than half was successfully extorted, a figure that frightened countless companies.


Current status

As a result, the gang has attracted the attention of law enforcement agencies around the world. In November 2022, the U.S. Department of Justice (DoJ) charged Mikhail Vasiliev, a dual citizen of Russia and Canada, for his alleged involvement in the LockBit ransomware operation. The man is currently detained in Canada, awaiting extradition to the United States.

In May, Russian national Mikhail Pavlovich Matveev (30), also known as Wazawaka, m1x, Boriselcin and Uhodiransomwar, was charged by the U.S. Department of Justice with participating in multiple ransomware attacks.

The U.S. Department of Justice unsealed two indictments charging the man with using three different ransomware strains to target numerous victims across the U.S., including law enforcement agencies in Washington, D.C., and New Jersey, as well as organizations across the country in healthcare and other sectors:

  • On or about June 25, 2020, Matveev and his LockBit co-conspirators attacked a law enforcement agency in Passaic County, New Jersey;

  • On April 26, 2021, Matveev and his Babuk co-conspirators attacked the Metropolitan Police Department in Washington, D.C.;

  • On or about May 27, 2022, Matveev and his Hive co-conspirators attacked a nonprofit sexual health organization in New Jersey.

On February 19, 2024, the website of the notorious extortion gang LockBit was seized in a joint law enforcement operation involving the UK's National Crime Agency, the US FBI, Europol and an international coalition of police agencies:

treasury.gov published the related sanctions information, including personnel details and BTC and ETH addresses:

We used MistTrack to check the funds of the sanctioned ETH address (0xf3701f445b6bdafedbca97d1e477357839e4120d):

Analysis found that the funds on the ETH address had already been laundered.

Next, we analyzed the sanctioned BTC addresses and found that the earliest transactions among them date back to October 2019 and the latest to March 2023, and that the funds on each address have already been transferred out.

Among them, the address that received the largest amount is 18gaXypKj9M23S2zT9qZfL9iPbLFM372Q5, which belongs to LockBit affiliate Artur Sungatov. MistTrack labels it a Binance deposit address, and the funds have been transferred out.

Next, the address 32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM received 52.7892 BTC. This address belongs to LockBit affiliate Ivan Kondratyev and is labeled by MistTrack as a KuCoin deposit address; it also received 0.4323 BTC transferred from another sanctioned address, bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng6.
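The screening step described above, written out as an added example (not SlowMist's code and not MistTrack's API): a small script that checks a set of transfers against the sanctioned addresses quoted in this article and totals what each sanctioned address received. The addresses are the ones on the page; the transfer records are constructed sample data, except for the 0.4323 BTC hop the article describes.

```python
"""Added example (not SlowMist's or MistTrack's code): screen transfers
against the sanctioned addresses quoted in the article and aggregate
the amount each sanctioned address received."""
from collections import defaultdict
from dataclasses import dataclass

# Addresses quoted in the article from the treasury.gov sanctions notice.
SANCTIONED = {
    "0xf3701f445b6bdafedbca97d1e477357839e4120d",   # ETH
    "18gaXypKj9M23S2zT9qZfL9iPbLFM372Q5",           # BTC, Artur Sungatov
    "32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM",           # BTC, Ivan Kondratyev
    "bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng6",   # BTC
}

def normalize(addr: str) -> str:
    """ETH addresses are case-insensitive hex, so compare them lowercased;
    BTC base58 addresses are case-sensitive and bech32 is always lowercase."""
    addr = addr.strip()
    return addr.lower() if addr.startswith("0x") else addr

@dataclass(frozen=True)
class Transfer:
    txid: str
    sender: str
    receiver: str
    amount: float  # native units (BTC or ETH)

def screen(transfers, sanctioned=SANCTIONED):
    """Return (hits, inbound): transfers touching a sanctioned address on
    either side, and the total received per sanctioned address."""
    sanc = {normalize(a) for a in sanctioned}
    hits, inbound = [], defaultdict(float)
    for t in transfers:
        s, r = normalize(t.sender), normalize(t.receiver)
        if s in sanc or r in sanc:
            hits.append(t)
        if r in sanc:
            inbound[r] += t.amount
    return hits, dict(inbound)

# Constructed sample transfers; only tx-a (0.4323 BTC) follows the article.
SAMPLE = [
    Transfer("tx-a", "bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng6",
             "32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM", 0.4323),
    Transfer("tx-b", "1ConstructedSenderAddrXXXXXXXXXXXX",
             "18gaXypKj9M23S2zT9qZfL9iPbLFM372Q5", 12.5),
    Transfer("tx-c", "0xF3701F445B6BDAFEDBCA97D1E477357839E4120D",  # mixed case
             "0xconstructed_exchange_deposit_placeholder", 3.0),
    Transfer("tx-d", "1UnrelatedConstructedAddrXXXXXXXXX",
             "1AnotherUnrelatedConstructedAddrXXXXX", 1.0),
]

if __name__ == "__main__":
    hits, totals = screen(SAMPLE)
    for t in hits:
        print(f"{t.txid}: {t.sender} -> {t.receiver} ({t.amount})")
    print("largest recipient:", max(totals, key=totals.get))
```

A real screening job would pull the transfer list from a block explorer or node and the address list from the published sanctions notice; the matching logic stays the same.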

The US government, together with the UK and Europol, has released more information about the LockBit ransomware group, revealing that LockBit has 193 affiliates:

The mystery of being caught

According to a spokesperson for the UK's National Crime Agency, LockBit's services have been disrupted and this is an ongoing and developing operation. The operation is the latest step in a years-long battle between law enforcement agencies and extortion gangs. It is a powerful blow to LockBit’s recent cross-border extortion operations and an effective deterrent to increasingly rampant ransomware attacks.

We looked at LockBit’s nodes and every known LockBit ransomware group website was either offline or showed pages that had been blocked by EUROPOL. Law enforcement has seized or taken down at least 22 Tor sites in what has been dubbed "Operation Kronos."

After this, managers of the LockBit ransomware group confirmed to the media that their website had been blocked:

However, it seems that the seizure did not affect LockBit core personnel, and the LockBit ransomware group later posted a message to individuals on Tox: "FBI screwed up servers using PHP, backup servers without PHP were not affected."

In a twist today, the following exchange was reported: "We spoke with executives from the LockBit ransomware group regarding law enforcement's announcement that LockBit leadership will be unveiled on Friday, February 23, 2024."

LockBit replied: "Let them reveal it, I'm sure they don't know my identity." The LockBit ransomware group then renamed itself "FBI Supp" to taunt law enforcement agencies:

According to @vxunderground, it now seems that the final mastermind has not been caught, and LockBit has even publicly offered a larger reward for the public to find him.

The story gets better and better at this point, with law enforcement agencies claiming to be releasing more LockBit group information in the coming days.

What happened next? We'll see.

Summary

The crackdown is the latest in a series of law enforcement efforts against ransomware gangs. Late last year, the FBI and other agencies successfully took down the networks and infrastructure of several cybercriminal operations such as Qakbot and Ragnar Locker.

At the recent Munich Cybersecurity Conference, the U.S. Deputy Attorney General emphasized the United States’ determination to combat ransomware and cybercrime, proposing a more rapid, proactive strategy focused on preventing and disrupting these criminal activities.

With the development of digital technology, cybercrime relying on cryptocurrency has become a major global challenge. Cybercrimes such as ransomware not only cause losses to individuals and businesses, but also pose serious risks to society as a whole. Last year, cybercriminals extorted more than $1.1 billion from victims around the world, according to statistics.

Moreover, defending against ransomware is a battle between attackers and security personnel that requires patience, strategy, and timing.

Take LockBit as an example: each version iterates its attack methods, strategies and intrusion points, making it difficult for security personnel to build a complete remediation system. Therefore, in dealing with ransomware, prevention matters far more than remediation. A systematic, comprehensive approach combining policy, system governance and multi-party cooperation is needed to build a wall against ransomware. Everyone is strongly recommended to take the following protective measures:

Use strong passwords wherever possible: When setting passwords for servers or internal enterprise systems, use complex login credentials, for example passwords that include numbers, uppercase and lowercase letters and special symbols and are at least 8 characters long, and change them regularly.

Two-factor authentication: For sensitive systems within the enterprise, add further layers of defense on top of password login to block attackers, for example biometric verification such as fingerprint or iris on sensitive systems, or physical USB security keys.

Four Don'ts: Do not open emails from unknown sources; do not browse websites carrying pornographic, gambling or other harmful content; do not install software from unknown sources, and be careful with software sent by strangers; do not plug USB flash drives, portable hard disks, memory cards or other storage devices of unknown origin into your computer.

Data backup protection: The real guarantee against data loss is always an offline backup, so backing up key data and business systems is essential. Keep backups clearly organized and label each stage of backup, so that a clean copy can be retrieved promptly if a backup is infected by malware.

Run anti-virus and close ports: Install anti-virus software, update the virus database regularly, and run full scans regularly; close unnecessary services and ports, including unneeded remote access ports (3389, 22) and unneeded LAN sharing ports (135, 139, 445, etc.).

Strengthen employee security awareness: The biggest hidden dangers in operational security lie with people: phishing, social engineering, malware infection, weak passwords and so on are all closely tied to employees' security awareness. To strengthen overall security and improve defensive capability, staff security awareness must be effectively improved.

Patch office terminals and servers in a timely manner: Patch the operating system and third-party applic
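One way to check the "close unnecessary ports" recommendation above on a Linux host, as an added example that is not part of the original article: the script parses `ss -tuln`-style output (a constructed sample is embedded so it runs offline) and flags the ports named in the article that are bound beyond loopback.

```python
"""Added example (not from the article): audit listening sockets against
the ports the article recommends closing. Feed it the text of `ss -tuln`;
a constructed sample is embedded so it runs offline."""
import re

# Ports named in the article: remote access (3389 RDP, 22 SSH) and
# LAN sharing (135 MS-RPC, 139 NetBIOS, 445 SMB).
RISKY_PORTS = {3389: "RDP", 22: "SSH", 135: "MS-RPC", 139: "NetBIOS", 445: "SMB"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample in the `ss -tuln` column layout (not a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3389      0.0.0.0:*
tcp   LISTEN 0      128    [::]:139            [::]:*
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:137         0.0.0.0:*
"""

# IPv4 'addr:port' or bracketed IPv6 '[::]:port'; port may be '*'.
ADDR_RE = re.compile(r"^(\[.*\]|[^:]+):(\d+|\*)$")

def parse_local(field):
    """Split the Local Address:Port column; return (addr, port) or (None, None)."""
    m = ADDR_RE.match(field)
    if not m or m.group(2) == "*":
        return None, None
    return m.group(1), int(m.group(2))

def audit(ss_output, risky=RISKY_PORTS):
    """Return (proto, addr, port, service) for each risky port reachable
    beyond loopback. Loopback-only binds are not exposed and are skipped."""
    findings = []
    for line in ss_output.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 5:
            continue
        proto, local = cols[0], cols[4]
        addr, port = parse_local(local)
        if port in risky and addr not in LOOPBACK:
            findings.append((proto, addr, port, risky[port]))
    return findings

if __name__ == "__main__":
    for proto, addr, port, svc in audit(SAMPLE_SS):
        print(f"exposed: {proto} {addr}:{port} ({svc})")
```

On a live host, replace SAMPLE_SS with the output of `ss -tuln` and treat every finding as a port to justify or close.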
