Ransomware associated with LockBit still spreading 2 days after server takedown

By | February 22, 2024
A stylized skull and crossbones made out of ones and zeroes.

Two days after an international team of authorities struck a major blow at LockBit, one of the Internet’s most prolific ransomware syndicates, researchers have detected a new round of attacks that are installing malware associated with the group.

The attacks, detected in the past 24 hours, are exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by Connectwise. According to researchers at two security firms—SophosXOps and Huntress—attackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware. It wasn’t immediately clear if the ransomware was the official LockBit version.

“We can’t publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown,” John Hammond, principal security researcher at Huntress, wrote in an email. “While we can’t attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement.”

Hammond said the ransomware is being deployed to “vet offices, health clinics, and local governments (including attacks against systems related to 911 systems).”

Muddying the attribution waters

SophosXOps and Huntress didn’t say if the ransomware being installed is the official LockBit version or a version leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated widely since then and has touched off a string of copycat attacks that aren’t part of the official operation.

“When builds are leaked, it can also muddy the waters with regards to attribution,” researchers from security firm Trend Micro said Thursday. “For example, in August 2023, we observed a group that called itself the Flamingo group using a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon, impersonating LockBit. The group used email addresses and URLs that gave victims the impression that they were dealing with LockBit.”

SophosXOps said only that it had “observed several LockBit attacks.” A company spokesperson said no other details were available. Hammond said the malware was “associated with” the ransomware group and wasn’t immediately able to confirm if the malware was the official version or a knockoff.

The attacks come two days after officials in the UK, US, and Europol announced a major disruption of LockBit. The action included seizing control of 14,000 accounts and 34 servers, arresting two suspects, and issuing five indictments and three arrest warrants. Authorities also froze 200 cryptocurrency accounts linked to the ransomware operation. The actions came after investigators hacked and took control of the LockBit infrastructure.

Authorities said LockBit has extorted more than $120 million from thousands of victims around the world, making it among the world’s most active ransomware groups. Like most other ransomware groups, LockBit operates under a ransomware-as-a-service model, in which affiliates share the revenue they generate in exchange for using the LockBit ransomware and infrastructure.

Given the sheer number of affiliates and their broad geographic and organizational distribution, it’s often not feasible for all of them to be neutralized in actions like the one announced Tuesday. It’s possible that some affiliates remain operational and want to signal that the ransomware franchise will continue in one form or another. It’s also possible that the infections SophosXOps and Huntress are seeing are the work of an unaffiliated group of actors with other motivations.

Besides installing the LockBit-associated ransomware, Hammond said, the attackers are installing several other malicious apps, including a backdoor known as Cobalt Strike, cryptocurrency miners, and SSH tunnels for remotely connecting to compromised infrastructure.

The ScreenConnect vulnerabilities are under mass exploitation and are tracked as CVE-2024-1708 and CVE-2024-1709. ConnectWise has made patches available for all vulnerable versions, including those no longer actively supported.

Source