• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Hackers deploy fake SonicWall VPN App to steal corporate credentials

 | 

Mainline Health Systems data breach impacted over 100,000 individuals

 | 

Disrupting the operations of cryptocurrency mining botnets

 | 

Prometei botnet activity has surged since March 2025

 | 

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 

Godfather Android trojan uses virtualization to hijack banking and crypto apps

 | 

Cloudflare blocked record-breaking 7.3 Tbps DDoS attack against a hosting provider

 | 

Linux flaws chain allows Root access across major distributions

 | 

A ransomware attack pushed the German napkin firm Fasana into insolvency

 | 

Researchers discovered the largest data breach ever, exposing 16 billion login credentials

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Copycat Criminals mimicking Lockbit gang in northern Europe

Copycat Criminals mimicking Lockbit gang in northern Europe

Pierluigi Paganini January 28, 2023

Recent reports of Lockbit locker-based attacks against North European SMBs indicate that local crooks started using Lockbit locker variants.

Executive Summary

  • During the past months, the Lockbit gang reached very high popularity in the underground ecosystem.
  • The recent Hive infrastructure takedown as well as other major gangs dissolution such as Conti in 2022, is making room in the cybercrime business 
  • The Lockbit locker leaked a few months ago in the underground, is increasing its popularity and adoption among micro-criminal actors.
  • Recent reports of Lockbit locker-based extortions against North European SMBs indicate that local cyber-criminal gangs started adopting Lockbit locker variants.

Incident Insights

Recently, there has been a significant increase in ransomware attacks targeting companies in northern Europe. These attacks are being carried out using the LockBit locker, which is known to be in use by the homonymous criminal affiliation program. The Lockbit group has been targeting companies of all sizes and across a wide range of industries, causing significant disruptions and financial losses.

One of the most concerning aspects of these recent attacks is the way in which they are being conducted. The LockBit Locker group is known for using a combination of advanced techniques, even phishing, and also social engineering, to gain initial access to a company’s network. Once they have access, they use a variety of tools and techniques to move laterally throughout the network, compromising systems and stealing sensitive data.

One of the most recent attacks was reported by Computerland in Belgium against SMBs in the country, but according to the company they were targeted by a group of cybercriminals who appeared to be using a variant of the LockBit locker malware. However, upon further investigation, it was discovered that these attackers were not likely related to the real LockBit group, but rather “wannabes” who had obtained a leaked version of the malware.

Despite not being the true LockBit Locker group, these micro criminals were still able to cause significant damage by encrypting a large number of internal files. However, the company was able to restore its network from backups and no client workstations were affected during the intrusions.

Among the increasing popularity of extortion practices in the criminal underground, even among less sophisticated actors, this incident also highlights the dangers of outdated software and systems.

In fact, in this case, the attackers were able to exploit unpatched vulnerabilities in the company’s FortiGate firewall. Unpached FortiGate firewalls have several vulnerabilities that are currently exploited by cybercriminals according to the CISA’s Known Exploited Vulnerabilities Catalog, but in these recent cases, the exploited flaws were the infamous “Fortifuck” flaws straight back from 2018.

Those flaws have been exploited through unattended exposure through a company’s branch internet gateway. These network gateways are often less well-protected than the company’s main network and typically provide an easier entry point for attackers.

In conclusion, the recent ransomware attacks targeting North European SMBs companies are a serious concern for many reasons: despite the reduced effectiveness due to the lack of experience of the criminal operators, the targeted industries suffered important outages and data exfiltration.

Threat Actor Brief

LockBit is a well-known ransomware affiliation program started back in September 2019, where the developers use third parties to spread the ransomware by hiring unethical penetration testing teams. The gang was one of the first gangs operating double extortion practices and supporting such attacks with dedicated toolkits such as the Stealbit malware.

During his infamous career, Lockbit operators hit high-value targets such as Accenture and Royal Mail, but also a large number of small and medium businesses worldwide. Once an environment is infected, the victim is sent to the gang payment site managed by the ransomware developers who threaten to leak the victim’s data to extort further payments.

About the author: Luca Mella, Cyber Security Expert, Response & Threat Intel | Manager

In 2019, Luca was mentioned as one of the “32 Influential Malware Research Professionals”. He is a former member of the ANeSeC CTF team, one of the firsts Italian cyber wargame teams born back in 2011.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit)


facebook linkedin twitter

Cybercrime Hacking hacking news IT Information Security Lockbit malware Pierluigi Paganini ransomware Security Affairs Security News

you might also like

Pierluigi Paganini June 25, 2025
Hackers deploy fake SonicWall VPN App to steal corporate credentials
Read more
Pierluigi Paganini June 25, 2025
Mainline Health Systems data breach impacted over 100,000 individuals
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Hackers deploy fake SonicWall VPN App to steal corporate credentials

    Hacking / June 25, 2025

    Mainline Health Systems data breach impacted over 100,000 individuals

    Data Breach / June 25, 2025

    Disrupting the operations of cryptocurrency mining botnets

    Malware / June 25, 2025

    Prometei botnet activity has surged since March 2025

    Cyber Crime / June 25, 2025

    The U.S. House banned WhatsApp on government devices due to security concerns

    Mobile / June 24, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT