
Ransomware associated with LockBit still spreading 2 days after server takedown

In the past 24 hours, researchers at two security firms, SophosXOps and Huntress, have detected new attacks exploiting two critical vulnerabilities in the ScreenConnect remote desktop application sold by Connectwise. These attacks install ransomware associated with LockBit, one of the most prolific ransomware syndicates on the internet. Attackers who successfully exploit the vulnerabilities go on to install LockBit and other post-exploit malware. The ransomware is being deployed to vet offices, health clinics, and local governments, including attacks against systems related to 911 systems. It is still being determined if the installed ransomware is the official LockBit version or a version leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated widely since then and has touched off a string of copycat attacks that aren't part of the official operation.

SophosXOps has observed several LockBit attacks. However, the company spokesperson said that no other details were available. John Hammond, principal security researcher at Huntress, wrote in an email that “we can't publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown. While we can't attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement.”

These attacks come two days after officials from the UK, US, and Europol announced a significant disruption of LockBit, which included seizing control of 14,000 accounts and 34 servers, arresting two suspects, and issuing five indictments and three arrest warrants. Authorities also froze 200 cryptocurrency accounts linked to the operation. The actions came after investigators hacked and took control of the LockBit infrastructure. LockBit has extorted over $120 million from thousands of victims worldwide, making it one of the world's most active ransomware groups.


Deitasoft © 2024. All Rights Reserved.