LockBit is on a bit of a roll with publicity stunts.

[Figure: ALPHV and LockBit arguing on a ransomware forum]

The tiresome gossip and politics of ransomware gangs often take place on ransomware forums, and last month one of those forums hosted a public spat between ALPHV and LockBit, where the two gangs raked over the BlackMatter rebrand and LockBit's acquisition of its source code. ALPHV is a rebrand of the BlackMatter group, which was itself a somewhat botched rebrand of DarkSide, which disappeared following significant law enforcement attention after its attack on the USA's Colonial Pipeline.

Despite a veneer of professionalism, one thing RaaS gangs seem unable to resist for long is the opportunity to boast, grandstand, and fall out. The BlackMatter source code may have arrived in LockBit's hands courtesy of a developer who "defected" from the ALPHV group (also known as BlackCat), a dangerous ransomware gang that has spent most of 2022 in LockBit's long shadow.

[Figure: Encrypting and decrypting using LockBit 3.0 Black]

Anyone tempted to try their hand should be warned though: there is no honor among thieves, and we fully expect to see fake versions of LockBit's builder that infect would-be criminals running it instead of creating ransomware builds for them. (You can learn more about that in our article A first look at the builder for LockBit 3.0 Black.) On the other hand, anything that makes ransomware even easier to get hold of is likely to make things worse, not better, and we may see new criminal gangs who aren't affiliated with LockBit using it in future. On the one hand, we were happy to get our hands on it, take it for a test drive and learn everything we could. In September the builder for LockBit 3.0 was leaked by what seems to be a disgruntled developer.
[Figure: Known ransomware attacks by industry sector, September 2022]

LockBit 3.0 leak

A few months ago, the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, which was based on source code from BlackMatter ransomware. The chart of attacks by industry sector has a similarly familiar look, with "Services" being the most seriously afflicted sector in September, just as it has been all year.

[Figure: Known ransomware attacks by country, September 2022]

A large number of countries receive just a few attacks each month and small, random fluctuations are enough to see them enter and leave our "Other" category. The presence of Japan and Taiwan in the top 10 is unusual, but only represents a relatively small increase in attacks. The chart of known ransomware attacks by country for September had a familiar look, with 36 percent of known ransomware attacks happening in the USA, and major European countries featuring prominently, if some way behind.

[Figure: The share of known RaaS attacks involving LockBit]

Ransomware-as-a-Service (RaaS) has been effectively "feature complete" for several years, and innovations tend to happen in the tactics used by ransomware operators rather than in the software. It is common for mature software markets to end up with a single dominant player and there is no reason why criminal software markets should be any different. The gap between LockBit and its competitors is now huge, which makes us wonder if what we are seeing is consolidation in this criminal space. While there are a large number of ransomware variants, only a handful accounted for more than two known attacks in September, and only six were involved in more than ten attacks. LockBit was involved in almost six times as many attacks as the next most prevalent ransomware, Black Basta, and almost as many attacks as every other variant combined, accounting for 48 percent of known attacks.
[Figure: Known ransomware attacks by gang, September 2022]

LockBit was the most prevalent ransomware in September, as it has been for all of 2022. This article is also available to download as a Malwarebytes Threat Intelligence report. This information represents victims who were successfully attacked but opted not to pay a ransom. Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites.