Request a Quote

Akamai Report: LockBit, Cl0P Expand Ransomware Efforts

We Keep you Connected

Akamai Report: LockBit, Cl0P Expand Ransomware Efforts

Akamai Report: LockBit, Cl0P Expand Ransomware Efforts
Your email has been sent
Phishing is so last year: Akamai’s report finds that zero-day and one-day vulnerabilities caused a 143% increase in total ransomware victims.
Akamai’s ransomware report released at Black Hat 2023 revealed that exploitation of zero-day and one-day vulnerabilities has led to a 143% increase in total ransomware victims with data exfiltration of files at the end of the kill chain, now the primary source of extortion.
Jump to:
The report, Ransomware on the Move, looked at how exploitation techniques are evolving — including attackers’ sharpened focus on zero-day vulnerabilities. It showed how victims of multiple ransomware attacks were more than six times more likely to experience the second attack within three months of the first attack.
The authors from Akamai’s Security Intelligence Group reviewed data from the fourth quarter of 2021 to the second quarter of 2023. The authors reported that LockBit ensnared around 39% of all victim organizations tracked by Akamai, which said LockBit’s victim count is three times that of its nearest competitor, the CL0P group. Number three in volume of victims, ALPHV, aka Black Cat, focused its efforts on developing and exploiting zero-day points of entry (Figure A).
Figure A
Anthony Lauro, director of security technology and strategy at Akamai, explained that LockBit looks for high value targets with zero day vulnerabilities that companies can’t fix quickly. They tend to target and retarget these organizations and the sectors — like manufacturing and technology for example — where security operations are lagging, generally. Also, he explained, malware writers can choose tools and services from a growing dark ecosystem.
The report spotlighted two trends that speak to how large groups — with reach and breadth of products including RaaS — have a stable growth and smaller groups focus on opportunities as they arise:
“Malware writers can now split off operations, which is a change,” said Lauro. “It used to be that the attackers were a single entity or group that would be responsible for malware payload delivery, exploitation and follow up.” He added that, because of the open nature of the malware marketplace, groups like LockBit and Cl0P have been able to co-opt others to perform various tasks in the supply kill chain.
Lauro said within the tactics found more often in the second trend group, “Are the tried and true methodologies, like Windows system vulnerabilities that are not necessarily high severity because these systems aren’t usually available to outside queries. Attackers can still access them. So, there are two major trends: spreading the victim base across easy targets and tactics and ones leveraging CVE and zero days looking at big players as targets.”
ALPHV, for example, second on Akamai’s list of attackers in terms of victim volume, uses the Rust programming language to infect both Windows and Linux systems. Akamai said the group exploited vulnerabilities in Microsoft Exchange server to infiltrate targets.
According to Akamai, the group spoofed a victim’s website last year (using a typosquatted domain). The new extortion technique included publishing the stolen files and leaking them on their website in order to tighten the thumbscrews on victims and encourage ransom payment.
In Akamai’s study, 65% of targeted organizations had reported revenue of up to $50 million dollars, while those worth $500 million dollars and up constituted 12% of total victims, according to Akamai. They also reported that the ransomware data used was collected from the leak sites of approximately 90 different ransomware groups.
If you had invested in a natural gas mining operation, you might “accidentally on purpose” reach out sideways to assets under other peoples’ lawns once you’d tapped out the target. LockBit attackers are likewise reaching out to victim’s customers, informing them about the incident and employing triple extortion tactics with the inclusion of Distributed Denial-of-Service attacks.
Lauro said different stages of exploitation and delivery and execution are the first two steps. Defense is predicated on edge defense elements like visibility, but the rest of it is after the fact, moving laterally and tricking systems, or making requests that look like a “friendly” — all inside the network.
SEE: Look at your APIs! Akamai says observability tools sorely lacking (TechRepublic)
“Once you’re inside most organizations are wide open, because as then, an attacker I don’t have to download special toolkits; I can use installed tools. So there is a lack of good localized network security. We are finding more and more environments in bad shape in terms of internal visibility and over time,” he said.
CL0P, which is number three in terms of its volume of victims over the course of Akamai’s observation period, tends to abuse zero-day vulnerabilities in managed file transfer platforms. Akamai said the group exploited a legacy file transfer protocol that has been officially out of date since 2021, as well as a zero-day CVE in MOVEit Transfer to steal data from several organizations.
“It is worth noting how CL0P has a relatively low victim count until its activity spikes whenever a new zero-day vulnerability is exploited as part of its operation,” said the Akamai report authors. “And unlike LockBit, which has a semblance of consistency or pattern, CL0P’s attacks are seemingly tied to the next big zero-day vulnerability, which is hard to predict (Figure B).”
Figure B
Akamai noted that LockBit, whose website looks like a legitimate web concern, is touting new tools and even a bug bounty program in its latest 3.0 version. Just like white hats, the group is inviting security researchers and hackers to submit bug reports in their software for rewards ranging up to $1 million.
Akamai noted that while the bug bounty program is principally defensive, “It’s unclear if this will also be used to source vulnerabilities and new avenues for LockBit to exploit victims.” (Figure C).
Figure C
 
On its site, LockBit seeks ethical AND Unethical hackers. Source: Akamai via Bleeping Computer.
Of all vertical industries, manufacturing saw a 42% increase in total victims during the period Akamai investigated. LockBit was behind 41% of  overall manufacturing attacks.
The health care vertical saw a 39% increase in victims during the same  period, and was targeted primarily by the ALPHV (also known as BlackCat) and LockBit ransomware groups.
SEE: Akamai focused on fake sites in research released at RSA
Akamai’s recommendations on lessening the chance of attack and mitigating the effects of an incursion include adopting a multilayered approach to cybersecurity that includes:
Defense tactics, according to Akamai, should include:
Limit access to services that can be abused for data exfiltration by either using solutions that block known malicious url and DNS traffic, or by using solutions or controls that allow blocking access to specific domains.
Honeypots: use them. Akamai said they can help trap probing attackers, luring them into servers where their activities can be monitored
Use an intrusion detection system to do suspicious network scans. Akamai noted that attackers use identifiable tools to finger targets within an organization’s network. You can detect them.
Akamai suggests using tools for inspection of outgoing internet traffic to block known malware C2 servers. “Solutions must be able to monitor your entire DNS communications in real time and block communications to malicious domains, preventing the malware from running properly and accomplishing its goals,” the firm said.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Akamai Report: LockBit, Cl0P Expand Ransomware Efforts
Your email has been sent
Your message has been sent
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
Microsoft is also running a grant competition for ideas on using AI training in community building.
Generative AI will be a game changer in cloud security, especially in common pain points like preventing threats, reducing toil from repetitive tasks, and bridging the cybersecurity talent gap.
Does your business need a payroll provider that offers international payroll services? Use our buyer’s guide to review the best solutions, from ADP to Oyster.
Get up and running with ChatGPT with this comprehensive cheat sheet. Learn everything from how to sign up for free to enterprise use cases, and start using ChatGPT quickly and effectively.
Looking for an alternative to monday.com? Our comprehensive list covers the best monday alternatives, their key features, pricing, pros, cons and more.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
By deploying the right help desk ticket management system, successful growing businesses can document, manage and solve technical problems for employees and customers systematically and efficiently. The following guidelines from TechRepublic Premium will help you evaluate solution criteria and find, document and deploy the best solution for your business. From the guide: When choosing which …
Cybersecurity attacks are inevitable for modern businesses. Therefore, it is vital that businesses deploy countermeasures to mitigate the damage these attacks cause. This quick glossary from TechRepublic Premium explains the terminology behind the most common cybersecurity countermeasures. From the glossary: CHECKSUM Refers to a numerical value that is calculated based on the contents of the …
Properly managed, planned systems outages need not prove contentious or disruptive. With a little foresight, even scheduled service interruptions can be coordinated in ways that catch no one by surprise and minimize productivity issues. Check out the accompanying checklist from TechRepublic Premium to learn more about coordinating scheduled systems outages. From the checklist: CREATE A …
Stories of virus and malware infections, data loss, system compromises and unauthorized access dominate headlines, and your WordPress website may be contributing to the problem. WordPress is the most popular CMS in the world. According to Colorlib, WordPress is used by over 800 million websites worldwide. But unfortunately, that popularity also makes it one of …

source

 

Enterprise Guardian (EnGuard) specializes in HIPAA Compliant Email for the Healthcare Industry.
HIPAA Compliant Email, Telehealth & Cloud Made Easy.

 

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE