CERT-FR warns of Lockean ransomware attacks against French companies

CERT-France warns of a new ransomware group named Lockean that is behind a series of attacks against French organizations over the past 2 years.

France’s Computer Emergency Response Team (CERT-FR) officials identified a new ransomware gang named Lockean that is responsible for a long list of attacks against French companies over the past two years.The list of targeted French organizations includes the transportation logistics firm Gefco, pharmaceutical groups Fareva and Pierre Fabre, and the newspaper Ouest-France.

CERT-FR published a detailed report on the activity of the Lockean ransomware gang that has been active since June 2020.

“Based on incidents reported to the ANSSI and their commonalities, investigations were carried out by the Agency to confirm the existence of a single cyber criminal group responsible for these incidents, understand its modus operandi and distinguish its techniques, tactics and procedures (TTPs).” reads the report published by CERT-FR. “First observed in June 2020, this group named Lockean is thought to have affiliated with several Ransomware-as-a-Service (RaaS) including DoppelPaymer, Maze, Prolock, Egregor and Sodinokibi. Lockean has a propensity to target French entities under a Big Game Hunting rationale.”

In almost any intrusion attributed to the gang, CERT-FR officials noticed the involvement of the QakBot malware and post-exploitation tool CobaltStrike. The ransomware operators used the Emotet distribution service in 2020 and TA551 in 2020 and 2021 to distribute QakBot via phishing email.

The Lockean group used multiple tools for lateral movements, including AdFind, BITSAdmin, and BloodHound, and the RClone utility for data exfiltration.

The Lockean group used different ransomware strains over the last two years, such as DoppelPaymer, Egregor, Maze, REvil, and ProLock, a circumstance that suggests the group was an affiliate for these RaaS services.

The report published by the French CERT provides further technical details about the attacks and the threat, including indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lockean ransowmare)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.