In a world plagued by numerous cyberattacks and their devastating aftermath, a recent incident involving the Industrial & Commercial Bank of China (ICBC) has drawn significant attention. ICBC, one of the world’s largest banks, was forced to resort to a rather unconventional method for transporting critical data due to a malicious cyberattack.

ICBC fell victim to a disruptive ransomware attack that brought its entire digital infrastructure to a standstill. The disruption impacted banking transactions and online services, paralyzing daily operations. One task could not wait, however: the bank needed to send essential settlement details for its US Treasury trades.

With online services rendered useless, ICBC’s administrative staff had to think on their feet. They opted to load the crucial data onto USB sticks and physically transport the information to the federal organization. While this may seem like a secure means of information transfer, it comes with its own set of challenges, including the allocation of additional manpower and miscellaneous expenses.

The New York-based arm of the Industrial & Commercial Bank of China suspects that the cyberattack was the handiwork of the LockBit ransomware group, believed to be operating out of Russia. ICBC’s security experts are currently gathering evidence through forensic work and exploring the possibility of negotiating a resolution with the hackers.

At the same time, ICBC is committed to handling the incident professionally. Its approach involves recovering the affected data from backups and collaborating with law enforcement agencies to prevent the illicit sale or leakage of sensitive information on the internet.

Despite the enormous financial significance of ICBC, with trading operations in financial securities centers like London, Tokyo, and New York, the bank refuses to succumb to the hackers’ ransom demands, which could reach a staggering figure in the millions. Paying these criminals not only incentivizes further criminal activity but also does not guarantee the receipt of a decryption key.

Regrettably, the LockBit group shows no signs of letting up in their malicious endeavors. Recent victims of this cybercriminal gang include notable companies such as Boeing, ION Trading UK, and the UK’s Royal Mail. As the group communicates in the language associated with Putin-led Russia, there is speculation that they may have connections to the Kremlin, a concern raised by the Pentagon.

The post Cyber Attack on US Bank forces it to transit data via USB Sticks appeared first on Cybersecurity Insiders.

The historic Municipality of Montreal, in Canada, has fallen victim to the LockBit ransomware, an event that underscores the growing menace of cyber threats. The century-old institution chose not to comply with the hackers’ ransom demands, which led the attackers to release a teaser of information pilfered from its servers. The hackers have ominously promised a more comprehensive data dump in the coming week.

Montreal, the sprawling metropolis in the province of Quebec, showed resilience by restoring the encrypted data using its carefully designed data continuity strategy. The city’s administration is evidently not inclined to negotiate with the hacking syndicate, exemplifying a firm stance against cybercriminal activity.

The gravity of the situation, however, lies in the compromised data, which originated from the IT infrastructure of the Commission Des Services Electriques de Montreal (CSEM). The organization, responsible for managing electricity distribution, confirmed that the ransomware attack occurred on August 3, 2023. When the victim failed to meet their financial demands, the perpetrators published a fraction of the stolen data as proof of their successful intrusion.

Assurances provided by CSEM indicate that the exfiltrated data holds minimal real-world threat. This is attributed to the fact that the information, originating from the engineering and management divisions, is already accessible to the public through the organization’s website. Consequently, the leaked data is deemed to pose a marginal risk to the victim.

Recent developments have highlighted the nefarious tactics employed by the LockBit gang. The Spanish National Police issued an alert regarding a surge in phishing emails originating from this group, targeting architectural firms specifically.

It’s worth noting that LockBit ransomware perpetrators demand a minimum ransom of $3 million, payable in cryptocurrencies such as BTC or Monero. LockBit, which traces its origins back to the infamous ABCD Ransomware discovered in 2019, has undergone evolution, with LockBit 3.0 emerging in 2022. This version deviates from its predecessor by appending a random nine-character file extension instead of the conventional “.lockbit” extension.

The post LockBit Ransomware targets a province in Quebec Canada appeared first on Cybersecurity Insiders.

A Russian man identified by KrebsOnSecurity in January 2022 as a prolific and vocal member of several top ransomware groups was the subject of two indictments unsealed by the Justice Department today. U.S. prosecutors say Mikhail Pavlovich Matveev, a.k.a. “Wazawaka” and “Boriselcin,” worked with three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies.

An FBI wanted poster for Matveev.

Indictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to distribute ransomware from three different strains or affiliate groups, including Babuk, Hive and LockBit.

The indictments allege that on June 25, 2020, Matveev and his LockBit co-conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Prosecutors say that on May 27, 2022, Matveev conspired with Hive to ransom a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on April 26, 2021, Matveev and his Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in Washington, D.C.

Meanwhile, the U.S. Department of the Treasury has added Matveev to its list of persons with whom it is illegal to transact financially. Also, the U.S. State Department is offering a $10 million reward for the capture and/or prosecution of Matveev, although he is unlikely to face either as long as he continues to reside in Russia.

In a January 2021 discussion on a top Russian cybercrime forum, Matveev’s alleged alter ego Wazawaka said he had no plans to leave the protection of “Mother Russia,” and that traveling abroad was not an option for him.

“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”

In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old Mikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).

A month after that story ran, a man who appeared identical to the social media photos for Matveev began posting on Twitter a series of bizarre selfie videos in which he lashed out at security journalists and researchers (including this author), while using the same Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in one of the videos. “By the way, it is my voice in the background, I just love myself a lot.”

Prosecutors allege Matveev used a dizzying stream of monikers on the cybercrime forums, including “Boriselcin,” a talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.

Previous reporting here revealed that Matveev’s alter egos included “Orange,” the founder of the RAMP ransomware forum. RAMP stands for “Ransom Anon Market Place,” and analysts at the security firm Flashpoint say the forum was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’”

As noted in last year’s investigations into Matveev, all of his alleged cybercriminal handles were driven by a uniquely communitarian view: when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder, not privately sold to the highest bidder.

In thread after thread on the crime forum XSS, Matveev’s alleged alias “Uhodiransomwar” could be seen posting download links to databases from companies that had refused to negotiate after five days.

Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces more than 20 years in prison.

Further reading:

Who is the Network Access Broker “Wazawaka?”

Wazawaka Goes Waka Waka

The New Jersey indictment against Matveev (PDF)

The indictment from the U.S. attorney’s office in Washington, D.C. (PDF)

Pendragon Group, a commercial car dealer, was reportedly hit by a ransomware attack recently, and the Lockbit group is suspected to be behind the incident. The dealer, which has over 200 dealerships, has flatly denied paying a ransom of $60 million and stated that it will restore the encrypted data through its data continuity plan.

Kim Costello, the Chief Marketing Officer (CMO), has acknowledged the incident and confirmed that the Lockbit criminal gang was behind the encryption of the company’s servers.

The UK’s NCSC received a report on the cyberattack and has passed it on to other law enforcement agencies for investigation.

Unconfirmed sources said that the cybercriminal group could have stolen about 8% of the data in the database and might have obtained more had the car dealer’s IT staff not reacted in time and contained the spread of the malware.

Interestingly, the digital attack took place when Sweden-based company Hedin Mobility Group was about to acquire Pendragon for £400 million.

NOTE: Paying a ransom to hackers does not guarantee the return of a decryption key in exchange, and there is a high probability that the criminal gang will attack the same target two or three times in a financial year. The FBI said as much in November 2019; however, the bureau has also asked victims to assess their own situation and decide whether to pay.


The post Lockbit Ransomware Attack on Pendragon Group appeared first on Cybersecurity Insiders.