CERT-FR warns of Lockean ransomware attacks against French companies

CERT-France warns of a new ransomware group named Lockean that is behind a series of attacks against French organizations over the past 2 years.

France’s Computer Emergency Response Team (CERT-FR) officials identified a new ransomware gang named Lockean that is responsible for a long list of attacks against French companies over the past two years.The list of targeted French organizations includes the transportation logistics firm Gefco, pharmaceutical groups Fareva and Pierre Fabre, and the newspaper Ouest-France.

CERT-FR published a detailed report on the activity of the Lockean ransomware gang that has been active since June 2020.

“Based on incidents reported to the ANSSI and their commonalities, investigations were carried out by the Agency to confirm the existence of a single cyber criminal group responsible for these incidents, understand its modus operandi and distinguish its techniques, tactics and procedures (TTPs).” reads the report published by CERT-FR. “First observed in June 2020, this group named Lockean is thought to have affiliated with several Ransomware-as-a-Service (RaaS) including DoppelPaymer, Maze, Prolock, Egregor and Sodinokibi. Lockean has a propensity to target French entities under a Big Game Hunting rationale.”

In almost any intrusion attributed to the gang, CERT-FR officials noticed the involvement of the QakBot malware and post-exploitation tool CobaltStrike. The ransomware operators used the Emotet distribution service in 2020 and TA551 in 2020 and 2021 to distribute QakBot via phishing email.

The Lockean group used multiple tools for lateral movements, including AdFind, BITSAdmin, and BloodHound, and the RClone utility for data exfiltration.

The Lockean group used different ransomware strains over the last two years, such as DoppelPaymer, Egregor, Maze, REvil, and ProLock, a circumstance that suggests the group was an affiliate for these RaaS services.

The report published by the French CERT provides further technical details about the attacks and the threat, including indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lockean ransowmare)

[adrotate banner=”5″]

[adrotate banner=”13″]