[Post 28 – 30 in 30]

As more and more cyber attacks occur, the threat actors behind them can sometimes get lost in the news of the attacks themselves. This is even more often the case as groups dismantle their operations, rename themselves, or regroup. In this article I will discuss three relatively new threat actors, their origins and some of the attacks they performed.
Lockbit

LockBit is a ransomware gang that has seen several evolutions since its inception, with LockBit 3.0 being its latest version as of March 2022.
Lockbit 3.0: This is currently the most active ransomware group of 2023, launching 107 out of the 352 attacks monitored in April, a 10% increase from March. Originating in September 2019, the LockBit ransomware operation has grown rapidly and has released updated versions of the ransomware, including LockBit 2.0 in mid-2021 and LockBit 3.0 in June 2022.
In its early days, LockBit was known for its attacks on various organizations. It exploited weak passwords and the absence of multi-factor authentication to gain access to an administrative account at a large unnamed organization. The group also attacked Accenture in August 2021, stealing 6 terabytes of data from the company and demanding a $50 million ransom. In some cases, it was suspected that insiders within the targeted organizations helped the ransomware gang gain access to the networks.
LockBit then evolved into LockBit 2.0, a ransomware variant that was first noticed in Russian-language cybercrime forums in January 2021. This variant relied on built-in Windows tools such as PowerShell and Server Message Block (SMB) to infect compromised devices. It also adopted the double extortion model which involved stealing sensitive and confidential information before encrypting the system. If the victims refused to pay the ransom, the stolen data would be released or sold. LockBit 2.0 also started a recruitment campaign for insiders within companies they wished to target, promising them a share of the ransom if they provided access to their systems.
As LockBit 3.0, also known as LockBit Black, the ransomware has added new features and tools. For instance, it encrypts files only when supplied with a key through the command-line argument “-pass”, without which it will not execute. It also creates multiple threads to perform numerous tasks in parallel for faster encryption. This version uses a WMI query to enumerate Volume Shadow Copies, which it then deletes, preventing attempts to restore a system after the files are encrypted. LockBit 3.0 also has a new extortion model that allows the group to sell the data stolen during attacks on its new leak site.
Interestingly, LockBit 3.0 has introduced a bug bounty program for security researchers and hackers to find flaws in their ransomware project. The bounties range from $1k to $1 million for finding and reporting various issues within the LockBit 3.0 structure. The program’s goal is to make their ransomware bug-free and more stable.
BlackCat

This group was responsible for 50 attacks in April 2023, a 67% increase from the previous month. One notable attack involved digital storage device giant Western Digital, in which the group claimed to have stolen 10 terabytes of data and demanded an 8-figure ransom. I was unable to find detailed information on their origins and specific tactics, but they are currently a significant player in the cyber threat landscape.
The BlackCat ransomware group first surfaced in mid-November 2021 and since then, the FBI revealed that the operation had infected more than 60 victims by April 2022. An incident reported by a member organization revealed that the BlackCat group is capable of gaining initial access to systems using compromised user credentials. Once in, the ransomware compromises user and admin accounts in the Active Directory and uses this access to configure malicious Group Policy Objects (GPOs) through the Windows Task Scheduler to deploy its ransomware payload. It disables security features and exfiltrates information before execution. The ransomware then uses several batch and PowerShell scripts to proceed with its infection.
The BlackCat ransomware group stands out for several reasons:
- Possible Rebranding of DarkSide: The FBI noted that BlackCat’s operators include many developers and money launderers who originated from the DarkSide Ransomware as a Service (RaaS) platform. They have experience with successfully targeting large enterprise networks and are familiar with the consequences of not being selective with their targets, a lesson learned after the notorious Colonial Pipeline Company incident in spring 2021.
- Written in Rust: The BlackCat ransomware is written in Rust, a more secure programming language that offers improved performance and reliable concurrent processing. This enables BlackCat to target a wider range of systems, including both Windows and Linux. It also makes BlackCat a complex ransomware with efficient algorithms aiding in the encryption process of breached systems. Rust also makes the ransomware harder to analyze in sandbox environments, which can be advantageous for the attackers.
By February 2023, the BlackCat ransomware group was discovered to have developed a new kernel driver, controlled through a separate user-mode client executable, that can control, pause, and kill the processes of security agents deployed on protected endpoints. This indicates a high level of sophistication and a solid understanding of Windows system operations. It also marks a disturbing escalation in the cyber threat landscape.
Akira

This is a new ransomware player believed to be independent from other well-known groups. In April, Akira made it into the top ten most active groups for the first time, targeting enterprises across a diverse range of industries, from construction through to real estate.
The Akira Ransomware Group is a relatively recent threat actor, first surfacing around March 2023. News about this group didn’t start breaking until May 7, 2023, but evidence indicates that the crew began their campaign in early to mid-April 2023. They primarily target VMware ESXi servers and Windows servers.
The group hosts a Tor hidden service blog which contains an entry for each organization they have hit. It allegedly serves the files stolen from victims that did not pay the ransom.
Since its launch in March 2023, Akira has already attacked sixteen companies across various industries, including education, finance, real estate, manufacturing, and consulting. This should not be confused with a ransomware of the same name released in 2017, as they are believed to be unrelated.
Akira ransomware, discovered by MalwareHunterTeam and shared with BleepingComputer for analysis, employs a PowerShell command to delete Windows Shadow Volume Copies, hindering data recovery. The ransomware encrypts files with a wide range of extensions, avoiding system files and directories like the Recycle Bin, System Volume Information, Boot, ProgramData, and Windows folders. Encrypted files have the .akira extension appended to their names.
To ensure successful encryption, Akira uses the Windows Restart Manager API to close processes or shut down Windows services that may interfere with the encryption process. Each compromised folder contains a ransom note named “akira_readme.txt,” which provides information on the attack, links to the Akira data leak site and negotiation site, and threats to sell or expose stolen data if the ransom is not paid.
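As an added example that is not part of the original post, and not code from any of the groups described, the following Python routine takes a defender's view of two behaviours mentioned above: the shadow-copy deletion attributed to LockBit 3.0 (WMI enumeration and deletion) and to Akira (a PowerShell command), and the file-system artifacts reported for Akira (the .akira extension and the akira_readme.txt note). The Sysmon-style event dictionaries, the file listing, the severity heuristic based on the parent process, and the pattern labels are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Command-line indicators of Volume Shadow Copy deletion (MITRE ATT&CK T1490,
# Inhibit System Recovery). Each entry: (label, regex applied to the command line).
SHADOW_COPY_DELETION_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("WMI Win32_ShadowCopy delete", re.compile(r"win32_shadowcopy.*\.delete\(", re.I | re.S)),
]

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"pid": 4201, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 5012, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},  # enumeration only; not flagged by itself
    {"pid": 5100, "image": r"C:\Program Files\BackupVendor\agent.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "agent.exe --run-job nightly"},
]

# Constructed file listing, as a file-integrity monitor or EDR file-event feed might produce.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.akira",
    r"C:\Users\alice\Documents\akira_readme.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Shares\Finance\Q1.docx.akira",
    r"C:\Shares\Finance\Q2.docx.akira",
    r"C:\Shares\Finance\akira_readme.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
]


@dataclass
class Alert:
    pid: int
    label: str
    image: str
    parent: str
    severity: str


def detect_shadow_copy_deletion(events):
    """Return one Alert per event whose command line matches a deletion indicator.
    Heuristic (an assumption, not a vendor rule): deletion launched from a normal
    administrative parent (cmd.exe, services.exe) is 'high'; from anything else,
    such as an executable in a user's temp folder, it is 'critical'."""
    alerts = []
    for ev in events:
        for label, pattern in SHADOW_COPY_DELETION_PATTERNS:
            if pattern.search(ev["cmdline"]):
                parent_name = ev["parent"].rsplit("\\", 1)[-1].lower()
                severity = "high" if parent_name in ("cmd.exe", "services.exe") else "critical"
                alerts.append(Alert(ev["pid"], label, ev["image"], ev["parent"], severity))
                break  # one alert per event is enough
    return alerts


def find_ransomware_artifacts(paths, note_name="akira_readme.txt", ext=".akira"):
    """Group paths by folder and count ransom notes and encrypted-extension files.
    Returns {folder: {"notes": n, "encrypted": n}} for folders with at least one hit,
    which is the per-folder pattern the note placement described above would leave."""
    hits = defaultdict(lambda: {"notes": 0, "encrypted": 0})
    for path in paths:
        folder, _, name = path.rpartition("\\")
        lname = name.lower()
        if lname == note_name.lower():
            hits[folder]["notes"] += 1
        elif lname.endswith(ext.lower()):
            hits[folder]["encrypted"] += 1
    return dict(hits)


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert.severity}] pid={alert.pid} {alert.label} parent={alert.parent}")
    for folder, counts in find_ransomware_artifacts(SAMPLE_FILES).items():
        print(f"{folder}: {counts['notes']} note(s), {counts['encrypted']} encrypted file(s)")
```

The command-line matching is deliberately narrow so that a routine "vssadmin list shadows" from an administrator does not fire; in a real deployment the parent-process heuristic would be replaced by the organisation's own allow-list of backup and management tooling, and the file scan would be driven by the notes and extensions reported for whichever family is being hunted.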
Akira’s negotiation site features a chat system for victims to communicate with the ransomware gang. The ransom demands range from $200,000 to millions of dollars, with potential discounts for companies only seeking to prevent data leaks rather than decrypt their files. The ransomware gang has already leaked data from four victims on their data leak site, with data sizes ranging from 5.9 GB to 259 GB.
Thanks for reading this far.
My aim with this campaign is to provide readers with valuable content, insights, and inspiration that can help in their personal and professional lives. Whether you’re looking to improve your productivity, enhance your creative strategies, or simply stay up-to-date with the latest news and ideas in cybersecurity, I’ve got something for you.
But this campaign isn’t just about sharing our knowledge and expertise with you. It’s also about building a community of like-minded IT and security focused individuals who are passionate about learning, growing, and collaborating. By subscribing to the blog and reading every day, you’ll have the opportunity to engage with other readers, share your own insights and experiences, and connect with people in the industry.
So why should you read every day and subscribe? Well, for starters, you’ll be getting access to some great content that you won’t find anywhere else. From practical tips and strategies to thought-provoking insights and analysis, the blog has something for everyone that wants to get current and topical cybersecurity information. Plus, by subscribing, you’ll never miss a post, so you can stay on top of the latest trends and ideas in the field.
But perhaps the biggest reason to join the 30-in-30 campaign is that it’s a chance to be part of something bigger than yourself. By engaging with the community, sharing your thoughts and ideas, and learning from others, you’ll be able to grow both personally and professionally. So what are you waiting for? Subscribe, and for the next 30 days and beyond, let’s learn, grow, and achieve our goals together!