Two days after a world workforce of authorities struck a serious blow at LockBit, one of many Web’s most prolific ransomware syndicates, researchers have detected a brand new spherical of assaults which can be putting in malware related to the group.
The assaults, detected prior to now 24 hours, are exploiting two important vulnerabilities in ScreenConnect, a distant desktop utility offered by Connectwise. In line with researchers at two safety corporations—SophosXOps and Huntress—attackers who efficiently exploit the vulnerabilities go on to put in LockBit ransomware and different post-exploit malware. It wasn’t instantly clear if the ransomware was the official LockBit model.
“We won’t publicly identify the purchasers at the moment however can affirm the malware being deployed is related to LockBit, which is especially fascinating in opposition to the backdrop of the current LockBit takedown,” John Hammond, principal safety researcher at Huntress, wrote in an electronic mail. “Whereas we won’t attribute this on to the bigger LockBit group, it’s clear that LockBit has a big attain that spans tooling, numerous affiliate teams, and offshoots that haven’t been utterly erased even with the key takedown by regulation enforcement.”
Hammond mentioned the ransomware is being deployed to “vet workplaces, well being clinics, and native governments (together with assaults in opposition to programs associated to 911 programs).”
Muddying the attribution waters
SophosXOps and Huntress didn’t say if the ransomware being put in is the official LockBit model or a model leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated broadly since then and has touched off a string of copycat assaults that aren’t a part of the official operation.
“When builds are leaked, it may possibly additionally muddy the waters close to attribution,” researchers from safety agency Development Micro mentioned Thursday. “For instance, in August 2023, we noticed a bunch that referred to as itself the Flamingo group utilizing a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we discovered one other group, going by the moniker Spacecolon, impersonating LockBit. The group used electronic mail addresses and URLs that gave victims the impression that they had been coping with LockBit.”
SophosXOps mentioned solely that it had “noticed a number of LockBit assaults.” An organization spokesperson mentioned no different particulars had been out there. Hammond mentioned the malware was “related to” the ransomware group and wasn’t instantly in a position to affirm if the malware was the official model or a knockoff.
The assaults come two days after officers within the UK, US, and Europol introduced a serious disruption of LockBit. The motion included seizing management of 14,000 accounts and 34 servers, arresting two suspects, and issuing 5 indictments and three arrest warrants. Authorities additionally froze 200 cryptocurrency accounts linked to the ransomware operation. The actions got here after investigators hacked and took management of the LockBit infrastructure.
Authorities mentioned LockBit has extorted greater than $120 million from 1000’s of victims world wide, making it among the many world’s most energetic ransomware teams. Like most different ransomware teams, LockBit operates beneath a ransomware-as-a-service mannequin, wherein associates share the income they generate in change for utilizing the LockBit ransomware and infrastructure.
Given the sheer variety of associates and their broad geographic and organizational distribution, it’s usually not possible for all of them to be neutralized in actions just like the one introduced Tuesday. It’s doable that some associates stay operational and wish to sign that the ransomware franchise will proceed in a single kind or one other. It’s additionally doable that the infections SophosXOps and Huntress are seeing are the work of an unaffiliated group of actors with different motivations.
Moreover putting in the LockBit-associated ransomware, Hammond mentioned, the attackers are putting in a number of different malicious apps, together with a backdoor often known as Cobalt Strike, cryptocurrency miners, and SSH tunnels for remotely connecting to compromised infrastructure.
The ScreenConnect vulnerabilities are beneath mass exploitation and are tracked as CVE-2024-1708 and CVE-2024-1709. ConnectWise has made patches out there for all susceptible variations, together with these not actively supported.