Feb 20, 2024NewsroomRansomware / Data Protection

The U.K. National Crime Agency (NCA) on Tuesday confirmed that it obtained LockBit’s source code as well as intelligence pertaining to its activities and their affiliates as part of a dedicated task force called Operation Cronos.

“Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” the agency said.

It also announced the arrest of two LockBit actors in Poland and Ukraine. Over 200 cryptocurrency accounts linked to the group have been frozen. Indictments have also been unsealed in the U.S. against two other Russian nationals who are alleged to have carried out LockBit attacks.

Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) have been accused of deploying LockBit against numerous victims throughout the U.S., including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries, per the U.S. Department of Justice (DoJ).

Kondratyev has also been charged with three criminal counts arising from his use of the Sodinokibi, also known as REvil, ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

The development comes in the aftermath of an international disruption campaign targeting LockBit, which the NCA described as the “world’s most harmful cyber crime group.”

As part of the takedown efforts, the agency said it took control of LockBit’s services and infiltrated its entire criminal enterprise. This includes the administration environment used by affiliates and the public-facing leak site hosted on the dark web.

In addition, 34 servers belonging to LockBit affiliates have also been dismantled and more than 1,000 decryption keys have been retrieved from the confiscated LockBit servers.

LockBit, since its debut in late 2019, runs a ransomware-as-a-service (RaaS) scheme in which the encryptors are licensed to affiliates, who carry out the attacks in exchange for a cut of the ransom proceeds.

The attacks follow a tactic called double extortion to steal sensitive data prior to encrypting them, with the threat actors applying pressure on victims to make a payment in order to decrypt their files and prevent their data from being published.

“The ransomware group is also infamous for experimenting with new methods for pressuring their victims into paying ransoms,” Europol said.

“Triple extortion is one such method which includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates distributed denial-of-service (DDoS) attacks as an additional layer of pressure.”

The data theft is facilitated by means of a custom data exfiltration tool codenamed StealBit. The infrastructure, which was used to organize and transfer victim data, has since been seized by authorities from three countries, counting the U.S.

According to Eurojust and DoJ, LockBit attacks are believed to have affected over 2,500 victims all over the world and netted more than $120 million in illicit profits. A decryption tool has also been made available via No More Ransom to recover files encrypted by the ransomware at no cost.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” NCA Director General Graeme Biggar said.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate.”

Feb 12, 2024NewsroomVulnerability / Data Recovery

Cybersecurity researchers have uncovered an “implementation vulnerability” that has made it possible to reconstruct encryption keys and decrypt data locked by Rhysida ransomware.

The findings were published last week by a group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA).

“Through a comprehensive analysis of Rhysida Ransomware, we identified an implementation vulnerability, enabling us to regenerate the encryption key used by the malware,” the researchers said.

The development marks the first successful decryption of the ransomware strain, which first made its appearance in May 2023. A recovery tool is being distributed through KISA.

The study is also the latest to achieve data decryption by exploiting implementation vulnerabilities in ransomware, after Magniber v2, Ragnar Locker, Avaddon, and Hive.

Rhysida, which is known to share overlaps with another ransomware crew called Vice Society, leverages a tactic known as double extortion to apply pressure on victims into paying up by threatening to release their stolen data.

An advisory published by the U.S. government in November 2023 called out the threat actors for staging opportunistic attacks targeting education, manufacturing, information technology, and government sectors.

A thorough examination of the ransomware’s inner workings has revealed its use of LibTomCrypt for encryption as well as parallel processing to speed up the process. It has also been found to implement intermittent encryption (aka partial encryption) to evade detection by security solutions.

“Rhysida ransomware uses a cryptographically secure pseudo-random number generator (CSPRNG) to generate the encryption key,” the researchers said. “This generator uses a cryptographically secure algorithm to generate random numbers.”

Specifically, the CSPRNG is based on the ChaCha20 algorithm provided by the LibTomCrypt library, with the random number generated also correlated to the time at which Rhysida ransomware is running.

That’s not all. The main process of Rhysida ransomware compiles a list of files to be encrypted. This list is subsequently referenced by various threads created to simultaneously encrypt the files in a specific order.

“In the encryption process of the Rhysida ransomware, the encryption thread generates 80 bytes of random numbers when encrypting a single file,” the researchers noted. “Of these, the first 48 bytes are used as the encryption key and the [initialization vector].”

Using these observations as reference points, the researchers said they were able to retrieve the initial seed for decrypting the ransomware, determine the “randomized” order in which the files were encrypted, and ultimately recover the data without having to pay a ransom.

“Although these studies have a limited scope, it is important to acknowledge that certain ransomwares […] can be successfully decrypted,” the researchers concluded.

The U.S. Justice Department (DoJ) has officially announced the disruption of the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Court documents show that the U.S. Federal Bureau of Investigation (FBI) enlisted the help of a confidential human source (CHS) to act as an affiliate for the BlackCat group and gain access to a web panel used for managing the gang’s victims, in what’s a case of hacking the hackers.

The confiscation effort involved collaboration and assistance from multiple law enforcement agencies from the U.S., Germany, Denmark, Australia, the U.K., Spain, Switzerland, and Austria.

BlackCat, also called ALPHV, GOLD BLAZER, and Noberus, first emerged in December 2021 and has since gone on to be the second most prolific ransomware-as-a-service variant in the world after LockBit. It’s also the first Rust-language-based ransomware strain spotted in the wild.

The development puts an end to speculations of a rumored law enforcement action after its dark web leak portal went offline on December 7, only to resurface five days later with just a single victim.

The FBI said it worked with dozens of victims in the U.S. to implement the decryptor, saving them from ransom demands totaling about $68 million, and that it also gained insight into the ransomware’s computer network, allowing it to collect 946 public/private key pairs used to host the TOR sites operated by the group and dismantle them.

One important thing to note here is that creating a hidden service with the .onion URL on the TOR anonymization network generates a unique key pair comprising a private and public key (aka the identifier) that can be used to access and control the URL.

An actor who is in possession of the key pair can, therefore, broadcast a new route redirecting traffic for the .onion site to a different server under their control.

BlackCat, like several other ransomware gangs, uses a ransomware-as-a-service model involving a mix of core developers and affiliates, who rent out the payload and are responsible for identifying and attacking high-value victim institutions.

It also employs the double extortion scheme to put pressure on victims to pay up by exfiltrating sensitive data prior to encryption.

“BlackCat affiliates have gained initial access to victim networks through a number of methods, including leveraging compromised user credentials to gain initial access to the victim system,” the DoJ said.

In all, the financially motivated actor is estimated to have compromised the networks of more than 1,000 victims across the world to earn nearly $300 million in illegal revenues as of September 2023.

Image Source: Resecurity

If anything, the takedown has proven to be a blessing in disguise for rival groups like LockBit, which is already capitalizing on the situation by actively recruiting displaced affiliates, offering its data leak site to resume victim negotiations.

Speaking to malware research group vx-underground, a BlackCat spokesperson said “they have moved their servers and blogs,” claiming that the law enforcement agencies only had access to a “stupid old key” for the old blog site which was deleted by the group a long time ago and has since not been used.

The threat actor’s newest leak website remains operational as of writing. “On December 13, the group published the first victim to its new leak site,” Secureworks said. “As of December 19, five victims were posted to the new site, demonstrating the group retained some operational capacity.”

However, hours after the takedown, the BlackCat group took steps to “unseize” the main leak site using the same set of cryptographic keys necessary to host the hidden service on the TOR network and post its own seizure notice.

It has also given affiliates the green light to infiltrate critical infrastructure entities such as hospitals and nuclear power plants as well as other targets with the exception of those inside the Commonwealth of Independent States (CIS) as a retaliatory measure. The FBI has since re-seized the website.

“The threats seem like ‘now you’ve done it’ posturing but, this group has a documented history of attacking healthcare and energy infrastructure targets already, so it feels like bluster,” Secureworks Counter Threat Unit (CTU) told The Hacker News.

“Given that such activity appears more likely to bring law enforcement attention – which is why many groups explicitly avoid it – it seems unlikely that affiliates will choose to specifically target such organizations, especially as ransomware is a crime of opportunity for the most part and based on available access to victim networks.”

“That said, some less risk averse affiliates may be more willing to target energy and healthcare organizations. The flip side is that it is just as likely that the uncertainty caused by the law enforcement disruption will drive affiliates away from BlackCat into the arms of other ransomware operators, such as LockBit. Such interventions breed distrust and paranoia among ransomware group members and affiliates.”

In a conversation with vx-underground, a LockBit administrator described the situation as “unfortunate” and that security loopholes in their infrastructure are a primary threat to “my business.”

(The story was updated after publication to include additional information about the infrastructure seizure.)