LockBit and its legacy: how the leak led to the creation of new ransomware

Carding 4 Carders

LockBit on the market: new tools, new attacks, new threats.

The LockBit group, which has attacked thousands of organizations around the world, suffered a leak of its tools in September 2022 after one of its partners became dissatisfied with the group. Cybersecurity experts immediately warned that less experienced hackers could use the stolen tools to build their own ransomware.

Sophos found that these concerns were not unfounded. In recent weeks, at least two cases have been reported in which hackers used homemade ransomware variants built from the leaked LockBit toolkit to attack organizations by exploiting well-known vulnerabilities.

In one of these cases, the attackers exploited CVE-2023-40044, a vulnerability in Progress Software's WS_FTP Server product. The vulnerability was disclosed three weeks ago and Progress has released a patch for it, but Sophos researchers say they are still finding unpatched servers.

Christopher Budd of Sophos said that in the attacks his team investigated, the only ransomware observed was compiled from the LockBit source code leaked last year.

Sophos also shared a copy of a ransom note allegedly sent by The Reichsadler Cybercrime Group. In the note, the hackers demanded a ransom in bitcoin equivalent to $500.

In addition, a case was recorded in which hackers used a LockBit clone in an attempt to attack outdated and unsupported Adobe ColdFusion servers. In this case, the hackers named their ransomware BlackDogs2023. Although the attack was blocked before it could be completed, the attackers demanded a ransom of 205 Monero (approximately $30,000) to decrypt the "stolen" data.

"This is the second time recently that attackers have tried to use the stolen LockBit source code to create new variants of ransomware," the company said.

"It should be noted that installing patches closes vulnerabilities, but does not guarantee full protection. Therefore, organizations should also check their servers for possible compromises, especially if they use unsupported software, to avoid such attacks," concluded Sophos.