Category | Details |
---|---|
Threat Actors | LockBit ransomware affiliates, Evil Corp (tracked as GOLD DRAKE), GOLD HERON (DoppelPaymer/Grief operators), and associated entities. |
Campaign Overview | Phase 3 of Operation Cronos continues law enforcement action against LockBit and its affiliates, with arrests, infrastructure seizures, and sanctions targeting ransomware operators globally. |
Target Regions (Victims) | LockBit victims worldwide; U.S. and UK-based victims have been consistently targeted. |
Methodology | – LockBit RaaS model enabling affiliates to execute ransomware campaigns. – Use of the Dridex botnet, SocGholish malware, and Cobalt Strike for initial access and post-compromise activity. – Affiliates transitioned to LockBit to avoid the cost of maintaining custom ransomware infrastructure. |
Product Targeted | Ransomware targets across industries; historically impacted organizations in the U.S., UK, and NATO allies. |
Malware Reference | LockBit ransomware, BitPaymer, WastedLocker, Hades, DoppelPaymer, Grief. |
Tools Used | – Dridex botnet. – SocGholish malware for initial access. – Cobalt Strike for lateral movement and post-compromise activities. – Custom ransomware payloads like DoppelDridex. |
Vulnerabilities Exploited | Likely involves phishing, stolen credentials, and exploitation of vulnerable systems for initial access. |
TTPs | – Ransomware deployment with double extortion tactics. – Masquerading as legitimate groups to evade detection. – Using ransomware-as-a-service (RaaS) for scalability and anonymity. – No deletion of victim data post-payment (exposed by law enforcement). |
Attribution | – Evil Corp (GOLD DRAKE), sanctioned since 2019, affiliated with LockBit. – GOLD HERON transitioned from DoppelPaymer/Grief to LockBit. – Russian state connections suspected but unclear in current campaigns. |
Recommendations | – Avoid paying ransoms to sanctioned entities. – Enhance defenses against ransomware (e.g., robust backups, network segmentation). – Use detection tools to identify early-stage malware like Dridex and SocGholish. – Stay updated on law enforcement actions and threat intelligence feeds. |
Source | Securelist by Kaspersky |
Read full article: https://securelist.com/malware-report-q3-2024-non-mobile-statistics/114695/
Disclaimer: The above summary has been generated by an AI language model