Last year, the release of the LockBit 3.0 ransomware builder resulted in malicious actors misusing the tool to create new variations.
A Russian cybersecurity firm, Kaspersky, identified a ransomware breach that employed a version of LockBit but with a noticeably different procedure for demanding ransoms.
The attacker in this incident opted for a distinct ransom note, linked to an unknown group called NATIONAL HAZARD AGENCY, as stated by security researchers Eduardo Ovalle and Francesco Figurelli.
Direct ransom notes
The updated ransom note directly specified the payment amount for the decryption keys and provided contact details for a Tox ID and an email address. This differs from the LockBit group's own notes, which do not state a price and direct victims to the group's own communication portal instead.
NATIONAL HAZARD AGENCY isn’t the sole cybercriminal group exploiting the leaked LockBit 3.0 builder. Other threat actors like Bl00dy and Buhti are also known to use it.
Can you believe it?
Kaspersky found 396 unique LockBit samples, of which 312 were generated using the leaked builders. About 77 samples didn’t reference “LockBit” in the ransom note.
You might be the next target!
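The distinguishing features described above (a stated price, a Tox ID and an email address in the note, and the absence of any LockBit reference) are exactly the kind of thing an analyst pulls out when sorting builder-derived samples into families. The following triage script is an added example, not Kaspersky's tooling or anything from the report: it uses simple regular-expression heuristics (a Tox ID is 76 hexadecimal characters; amounts are matched as dollar or crypto figures), and the three notes it scans are constructed placeholders, not real ransom notes.

```python
"""Triage ransom-note text into the features that distinguish one
builder-derived variant from another. Added example with constructed
input; the regexes are heuristics, not a signature for any real family."""
import re
from dataclasses import dataclass

# A Tox ID is 76 hex chars (32-byte public key + 4-byte nospam + 2-byte checksum).
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Dollar amounts ("$1,500") or crypto/fiat amounts ("3 BTC", "0.5 xmr", "800 USD").
AMOUNT_RE = re.compile(
    r"\$\s?\d[\d,]*(?:\.\d+)?|\b\d+(?:\.\d+)?\s?(?:BTC|XMR|USD)\b", re.I
)
LOCKBIT_RE = re.compile(r"lockbit", re.I)

# Constructed placeholder Tox ID (hypothetical value, not a real contact).
PLACEHOLDER_TOX = ("0123456789ABCDEF" * 5)[:76]

# Constructed sample notes. None of these texts, addresses or IDs are real.
NOTES = {
    "note_lockbit_style.txt": (
        "LockBit 3.0\n"
        "Your files are encrypted. Do not try to decrypt them yourself.\n"
        "Visit our portal to negotiate.\n"
    ),
    "note_rebranded.txt": (
        "NATIONAL HAZARD AGENCY\n"
        "All your data has been encrypted. The price for the decryptor is 3 BTC.\n"
        f"Tox ID: {PLACEHOLDER_TOX}\n"
        "Email: contact@example.invalid\n"
    ),
    "note_small_business.txt": (
        "Your network was locked. Pay $1,500 within 72 hours.\n"
        "Contact: support@example.invalid\n"
    ),
}


@dataclass
class NoteProfile:
    name: str
    mentions_lockbit: bool
    amounts: list
    tox_ids: list
    emails: list


def triage_note(name: str, text: str) -> NoteProfile:
    """Extract the features an analyst would compare across note variants."""
    return NoteProfile(
        name=name,
        mentions_lockbit=bool(LOCKBIT_RE.search(text)),
        amounts=AMOUNT_RE.findall(text),
        tox_ids=TOX_ID_RE.findall(text),
        emails=EMAIL_RE.findall(text),
    )


def summarize(notes: dict) -> dict:
    """Tally how many notes drop the LockBit name, state a price, or give
    a Tox/email contact, mirroring the kind of count in the Kaspersky figures."""
    profiles = [triage_note(name, text) for name, text in notes.items()]
    return {
        "total": len(profiles),
        "no_lockbit_reference": sum(not p.mentions_lockbit for p in profiles),
        "states_amount": sum(bool(p.amounts) for p in profiles),
        "tox_contact": sum(bool(p.tox_ids) for p in profiles),
        "email_contact": sum(bool(p.emails) for p in profiles),
    }


if __name__ == "__main__":
    for name, text in NOTES.items():
        print(triage_note(name, text))
    print(summarize(NOTES))
```

Run it on a directory of recovered notes by replacing the constructed `NOTES` dict with file contents; the per-note profile is what you would feed into clustering alongside code-similarity data, since the note alone cannot tell you which builder produced the binary.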
ADHUBLLKA
Netenrich examined a ransomware strain, ADHUBLLKA, which has rebranded several times since 2019 and targeted individuals and small businesses for low payouts ranging from $800 to $1,600 per victim.
Although these versions had minor alterations in encryption methods, ransom notes, and communication, they were all linked to ADHUBLLKA due to code similarities.
Linux Ransomware Threats
Ransomware constantly evolves, with changes in tactics and targets. Families such as Trigona, Monti, and Akira are now targeting Linux environments, and these operations have connections to Conti-affiliated actors.
Akira has also been implicated in attacks on Cisco VPN products, exploiting them to gain unauthorized access to enterprise networks.
According to Sophos' 2023 Active Adversary Report, the median dwell time for ransomware incidents dropped from nine to five days in the first half of 2023, indicating faster operations by ransomware gangs. In contrast, non-ransomware incidents took longer, with a maximum dwell time of 112 days. Most ransomware attacks occurred on Fridays or Saturdays.
Amid a surge in ransomware attacks, the Cl0p ransomware group breached over 1,000 organizations by exploiting flaws in the MOVEit Transfer app, impacting millions of individuals. Estimated profits from this supply chain attack could reach $75 million to $100 million.
Feeling secure? Not really!
The speed at which ransomware gangs operate, as evidenced by the decrease in dwell time, underscores the urgency in enhancing detection, prevention, and response strategies.
It is imperative for cybersecurity professionals to stay vigilant, adaptive, and collaborative. The time to be secure is now or never!