Pierluigi Paganini
January 28, 2023
Executive Summary
Incident Insights
Recently, there has been a significant increase in ransomware attacks targeting companies in northern Europe. These attacks are being carried out using the LockBit locker, which is known to be in use by the homonymous criminal affiliation program. The Lockbit group has been targeting companies of all sizes and across a wide range of industries, causing significant disruptions and financial losses.
One of the most concerning aspects of these recent attacks is the way in which they are being conducted. The LockBit Locker group is known for using a combination of advanced techniques, even phishing, and also social engineering, to gain initial access to a company’s network. Once they have access, they use a variety of tools and techniques to move laterally throughout the network, compromising systems and stealing sensitive data.
One of the most recent attacks was reported by Computerland in Belgium against SMBs in the country, but according to the company they were targeted by a group of cybercriminals who appeared to be using a variant of the LockBit locker malware. However, upon further investigation, it was discovered that these attackers were not likely related to the real LockBit group, but rather “wannabes” who had obtained a leaked version of the malware.
Despite not being the true LockBit Locker group, these micro criminals were still able to cause significant damage by encrypting a large number of internal files. However, the company was able to restore its network from backups and no client workstations were affected during the intrusions.
Among the increasing popularity of extortion practices in the criminal underground, even among less sophisticated actors, this incident also highlights the dangers of outdated software and systems.
In fact, in this case, the attackers were able to exploit unpatched vulnerabilities in the company’s FortiGate firewall. Unpached FortiGate firewalls have several vulnerabilities that are currently exploited by cybercriminals according to the CISA’s Known Exploited Vulnerabilities Catalog, but in these recent cases, the exploited flaws were the infamous “Fortifuck” flaws straight back from 2018.
Those flaws have been exploited through unattended exposure through a company’s branch internet gateway. These network gateways are often less well-protected than the company’s main network and typically provide an easier entry point for attackers.
In conclusion, the recent ransomware attacks targeting North European SMBs companies are a serious concern for many reasons: despite the reduced effectiveness due to the lack of experience of the criminal operators, the targeted industries suffered important outages and data exfiltration.
Threat Actor Brief
LockBit is a well-known ransomware affiliation program started back in September 2019, where the developers use third parties to spread the ransomware by hiring unethical penetration testing teams. The gang was one of the first gangs operating double extortion practices and supporting such attacks with dedicated toolkits such as the Stealbit malware.
During his infamous career, Lockbit operators hit high-value targets such as Accenture and Royal Mail, but also a large number of small and medium businesses worldwide. Once an environment is infected, the victim is sent to the gang payment site managed by the ransomware developers who threaten to leak the victim’s data to extort further payments.
About the author: Luca Mella, Cyber Security Expert, Response & Threat Intel | Manager
In 2019, Luca was mentioned as one of the “32 Influential Malware Research Professionals”. He is a former member of the ANeSeC CTF team, one of the firsts Italian cyber wargame teams born back in 2011.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Lockbit)
