LockBit 3.0: usurpers multiply and go upmarket

After the one who attacked the Versailles hospital center, a new usurper of the LockBit 3.0 franchise has just been spotted. He has set up a showcase to claim his misdeeds, with 6 victims already displayed.
By Valéry Rieß-Marchive, Editor-in-Chief
Posted: Dec 16 2022
A new impersonator of the LockBit 3.0 ransomware franchise has just been spotted. Like the one who attacked the André-Mignot hospital in Chesnay-Rocquencourt at the beginning of December, he does not offer a Web interface accessible via Tor for talking with his victims and, if necessary, negotiating the requested ransom: exchanges take place via Tox secure instant messaging.


But the new usurper has his differences. With him, it is also possible to communicate by e-mail. He also does not mention any amount in the misnamed ransom note dropped during encryption. Above all, he has set up a showcase to claim his victims, partially copying the visual identity of the LockBit 3.0 franchise's own showcase. 6 organizations have already been pinned on this showcase. The oldest entry dates back to October 30, 2022.

A leak that occurred in September
How can the use of LockBit Black ransomware in cyberattacks be explained when the mafia franchise is not involved? In September, a "builder" of the franchise was made public. This is the tool used to generate, for a given victim, the ransomware as well as the associated decryption tool.

This kind of leak can be an opportunity for researchers and analysts, in particular with the prospect of discovering exploitable flaws to help possible victims, but it is just as much an opportunity for cybercriminals.

Very soon, the Bl00dy group started using the LockBit Black generator that had been leaked on the Internet. A few days later, a second group got started, calling itself the "National Hazard Agency".

The LockBit 3.0 builder was reportedly leaked by a fairly upbeat former franchise developer. He told Azim Khodjibaev of Cisco's Talos teams that the franchise operators rebilled him for the $50,000 paid to a third party for discovering a flaw in the ransomware.