YVERDON-IES-BAINS, SWITZERLAND / ACCESSWIRE / June 21, 2021 / PRODAFT, a Switzerland-based cyber-security company, has just published a report on the notorious LockBit 'ransomware' cybercrime operation. According to the firm's report, systems of more than 2100 enterprise victims were compromised and held hostage. After months of cyber-intelligence research, PRODAFT's team has not only de-anonymized the attackers, but also rescued most of the victimized systems.
Ransomware has become one of the most popular attack methods. It relies on infiltrating enterprise systems, encrypting the data and taking all valuable files hostage. While most people experience this kind of attack in a more personal and generic manner on their own personal devices, extremely organized, global-scale cyber-crime groups also use similar techniques to conduct the same operation in a more skillful, professional and dangerous manner. In addition to making the data inaccessible, most of the attackers threaten to publish the victim's data unless the ransom is paid by a certain time ("Double Extortion").
While ransomware has been in use for decades, it has gained much popularity among cyber criminals in recent years due to the level of experience required to conduct such attacks and the ease of using anonymous payment methods. Losses from ransomware attacks are expected to exceed $20 billion by 2021.
LockBit, according to researchers from PRODAFT, has been an excellent example of these advanced ransomware operations in recent years. According to Ege Balcı, PRODAFT's threat intelligence team lead, 'LockBit can automatically scan a network for useful targets, spread the infection, and encrypt all computers that are available. This ransomware is used in very unique attacks against companies and other organizations.'
Researchers from PRODAFT have stated that they came across the LockBit operation following a support request from one of their clients. After analyzing different malware samples, the experts were able to detect the command and control server, the headquarters of the global operation. After overcoming different technical challenges while analyzing the command and control server, PRODAFT's researchers were able to uncover the entire operation, acquiring details about victim telemetry, money flow analysis, infrastructure analysis and, of course, profit estimations.
Koryak UZAN, co-founder of PRODAFT, states: 'An average ransom demanded from a victimized enterprise is around 85 thousand dollars. We have been able to access detailed chat logs between victims and criminals involving price negotiations. In some cases, we even detected that IT officers inside victim organizations were negotiating a secret share for themselves, acting on behalf of the criminals.'
It has been further indicated that ransomware continues to be a top priority on the agenda of public institutions and law enforcement agencies. The 'No More Ransomware' project of EUROPOL is an important example of this. Acting as a support hub for targeted organizations, 'No More Ransomware' is an initiative that enables companies like PRODAFT to assist law enforcement and other public bodies in their fight against ransomware.
Organizations that have been targeted by LockBit and have not yet received their decryption key can go to PRODAFT's website or GitHub page to check whether their key has already been published.
Founded in 2012, PRODAFT is a Switzerland-based provider of Cyber Threat Intelligence and Cyber Security solutions. The Company primarily works with critical infrastructures including but not limited to banking institutions, payment gateways, large e-commerce vendors, insurance providers and telecommunication companies. Aside from its commercial activities, PRODAFT's public articles and case reports are recognized and praised by different SOCs, CERTs, CSIRTs and law enforcement agencies from different parts of the globe.
Note: Additional information about the case can be found in the case report:
https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
Additionally, ZDNET's coverage of this topic can be found here for reference: https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbit-ransomware-group/
Mr. Koryak UZAN
Co-Founder
[email protected]
SOURCE: PRODAFT SARL