Ransomware most wanted — part 2
In the final instalment of our report on the biggest criminal cyber gangs of 2023, we look at the characteristics and methods used by LockBit, Clop and other emerging threat actors
Viewed as the disrupters of the ransomware world, LockBit offers several incentives to attract affiliates designed to leave rivals trailing in its wake. Rather than paying affiliates at the end of a job, for instance, it places them in charge of negotiations and payments, and in doing so establishes trust.
Mid-pandemic, the gang even put out an academic-style call for research papers, inviting submissions on topics such as obtaining shells, malware coding, viruses, bot development and monetisation — with an offer of $5k for the best paper.
The marketing-savvy gang also boasts its own logo, with reports circulating on social media a couple of years ago that it was offering $1,000 a pop to anyone willing to get themselves branded, literally, with a LockBit tattoo.
Previously, Lockbit ransomware group stated online that they would pay anyone $1,000 if they tattooed the Lockbit ransomware group logo on themselves.
People (more than 1) have done it. pic.twitter.com/PPTtt3ze6g
— vx-underground (@vxunderground) September 9, 2022
“LockBit is pretty prolific, and they will work with anybody,” says Secureworks’ head of threat research Rafe Pilling. “It has a site on the dark web, and just encourages people to contact them and become affiliates,” he notes.
“There’s probably some sort of vetting process that they go through, but I think essentially it’s a case of: if you bring us data, or compromise organisations, then we’ll work with you,” he adds.
According to Pilling, this prolific cybergang — which is thought to have claimed responsibility for just under half (44%) of all ransomware attacks last year — is also prone to badmouthing rival malware on forums.
According to US-Israeli cyber security firm Check Point, on the dark web LockBit’s malware is advertised as “the fastest encryption software all over the world”.
But, as with its rivals, most organisations, companies big and small, are fair game. The Russian-linked group targets victims globally, ranging from businesses, government agencies and healthcare institutions to individuals with valuable or sensitive data, all simply for financial gain.
Early last month one of the world’s largest defence and space contractors, Boeing, fell victim to a LockBit ransomware attack. After Boeing refused to pay the ransom by the gang’s deadline, 40GB of its data was exposed.
A similar fate befell the UK’s postal service, Royal Mail, another LockBit victim, which refused to pay the $80m ransom.
“LockBit is one of the busiest global ransomware operations in commission,” observes Keegan Keplinger, senior threat intelligence researcher with TRU, “with victims across geographic and vertical domains, ranging from small mom-and-pop businesses to large, industrial manufacturing companies.”
Like BlackCat, LockBit will use a range of techniques to gain access to a victim’s network, such as phishing attacks, exploiting vulnerabilities, and the use of purchased or stolen credentials.
As observed by TRU, stolen credentials can be purchased for as little as $10.
“LockBit ransomware attacks typically follow a three-stage process,” details Kevin Curran, senior member of IEEE and cyber security professor at Ulster University.
After gaining access, “they engage in lateral movement and privilege escalation, seeking sensitive data and systems to encrypt while trying to deactivate security measures.”
“The final stage involves deploying the ransomware to encrypt files and data, followed by a ransom demand expected in the form of crypto,” Curran adds.
While cyber security firms are hesitant to approve of paying up, it is up to the company to assess the risk: the financial cost and risk of paying may be judged a better option than allowing precious data to be leaked.
Like BlackCat, LockBit sometimes claims to take a moral stance, although one of its most destructive attacks happened when one of its many affiliates hit the city of Oakland in California.
The attack caused many of the city’s systems to go down, including several non-emergency phone lines, affecting at least six different government departments as well as its police station.
The gang also leaked a large amount of sensitive data about city employees, including social security numbers, medical data, and home addresses.
The fact that the gang appears to be at the height of its success, however, could prove to be its downfall: last June the UK’s NCSC (part of GCHQ) and its US counterpart, the cyber defence agency CISA, published a joint advisory to shine a light on LockBit and its methods.
The Clop (Cl0p) ransomware group takes its name from the Russian word for bedbugs, Klop, and the recent outbreak in Europe demonstrates just how infectious these cretins can be.
Clop’s methods are viral, with claims that it has compromised thousands of companies worldwide, thanks to its talent for exploiting file transfer solutions such as Accellion, SolarWinds, GoAnywhere, PaperCut and, most recently, MOVEit.
Earlier this year, multiple large corporations such as British Airways, the BBC and Boots saw their customers’ sensitive data stolen after the group successfully exploited a bug in MOVEit — software used by thousands of organisations to move large amounts of sensitive data over the internet.
Recent enterprise Clop victims Siemens Energy and Schneider Electric are typical of the large corporations it targets, “a strategy known as big game hunting,” says Phil Mason, CEO of security firm CyberCX.
“Under this strategy, attackers target larger corporations, essential services and critical infrastructure providers, government entities, surmising that they may be more willing and able to pay large ransoms since a disruption to their services or breach of their sensitive data is incredibly damaging,” Mason adds.
Again, Clop will offer a decryption key in exchange for a ransom, but there’s no guarantee that they will give the data back, or refrain from attacking again.
The hospitality sector in particular has been a recent focus of Cl0p ransomware attacks, something that Pilling says is common as gangs tend to target sectors with a lower level of investment in their cyber security.
Curran explains that the gang uses a diverse set of tools to remotely access information and download it without detection. “These tools allow Clop to conduct complex and multifaceted cyberattacks,” he says.
“Prior to deploying the ransomware, they often exfiltrate sensitive data, using it as leverage in ransom demands,” he adds.
Clop’s extortion techniques have resulted in huge payouts (estimated to stand at US$500m as of November 2021) but its early successes have marked it out as a target for law enforcement, resulting, two years ago, in the arrest of six people by the Ukrainian authorities.
The self-styled cyber bedbugs have proved resilient to such setbacks, however, and are constantly honing their tactics and latching onto new victims – doing away with encryption, for instance, in favour of a straightforward data grab (as was the case with MOVEit), and threatening to leak stolen information in a very short space of time if ransom demands aren’t met.
While BlackCat, LockBit, and Clop take the top three spots this year, there are many other up-and-coming gangs with various motives.
For instance, ‘hacktivist’ ransomware group MalasLocker surfaced towards the end of March 2023, and instead of requesting ransoms for financial gain, the group demands victims donate the ransom to charities and NGOs.
US-Israeli cyber security firm Check Point explains that this hacktivist Robin Hood is taking advantage of vulnerabilities in the Zimbra Collaboration Suite, a widely used enterprise cloud-hosted collaboration software and email platform, to extract email data and encrypt files.
Also on the rise is ransomware group BianLian, which mainly focuses on the financial, healthcare, manufacturing, education, entertainment and energy sectors — and which, unlike MalasLocker, appears to be financially motivated.
Its name is a reference to the Chinese art of face changing and this shape-shifting threat actor is known for its agile adaptation and a rapid evolution in its tactics. While it started as a banking trojan, it has now transformed into a fully fledged ransomware group operating on an international scale.
Check Point has recorded more than 250 victims by this gang since last year and researchers note that it typically initiates [attacks] through spear-phishing emails.
Other gangs that surface for air when the geopolitical winds start to turn include two hacker groups associated with the Russian intelligence agencies, Cozy Bear (APT29) and Fancy Bear (APT28).
Both frequently target government networks in Europe, NATO member countries, research institutes and think tanks, with a primary focus on cyber espionage and political motivations.
And early last month, a double extortion ransomware attack and data leak on the iconic British Library on Euston Road uncovered a new kid on the block: Rhysida.
Named after a type of centipede, and bearing a logo of its image, this group is also responsible for attacks on government institutions in Portugal, Chile and Kuwait. In August, it also claimed responsibility for an attack on the US healthcare player Prospect Medical Holdings.
Throughout this report we’ve referred to ‘gangs’, ‘ransomware’ and ‘malicious code’, but not to the people who create these malicious digital pyramid schemes, which are causing real damage to people’s lives and businesses.
Earlier this year the UK and US governments decided enough was enough and took the rare step of naming seven members of the Conti and TrickBot gangs, publishing their real-world names, dates of birth, email addresses and photos.
As well as naming and shaming, other sanctions taken by the UK included freezing these individuals’ assets and imposing travel bans.
The long-term effect of unmasking cyber gangs remains unclear, but as a tactic it would certainly make it harder for groups to reform under a different guise or join other gangs.
*Additional reporting by Ann-Marie Corvin
Part 1 of this report looks at the tactics and characteristics of the BlackCat ransomware gang.