Kronos Corporate Group Hit by LockBit Ransomware Attack
Incident Date:
August 10, 2024
Overview
Title
Kronos Corporate Group Hit by LockBit Ransomware Attack
Victim
Kronos Corporate Group
Attacker
Lockbit3
Location
First Reported
August 10, 2024
Ransomware Attack on Kronos Corporate Group by LockBit
On August 13, 2024, Kronos Corporate Group, an international holding company dedicated to enhancing lives through meaningful connections, fell victim to a ransomware attack orchestrated by the notorious cybercriminal group LockBit. The attack targeted the company's public-facing domain, kronospublic.com, disrupting its operations and potentially compromising sensitive data.
About Kronos Corporate Group
Kronos Corporate Group is a prominent European management consulting firm specializing in procurement and supply chain solutions. Officially registered as "Kronos Corporate Group," the company operates across various offices located in Belgium, France, and Italy. Known for its commitment to value creation, Kronos Group has established itself as a leading pan-European procurement service provider through strategic partnerships with organizations such as Kloepfel Group and EPSA.
The firm has successfully supported over 60 clients across various sectors throughout Europe and beyond. Kronos Group is characterized by a flexible and agile consulting approach, allowing it to adapt quickly to the needs of its clients and deliver tailored solutions that drive business efficiency. The company's emphasis on dynamic training opportunities for its team enhances their skills and the overall value they provide to clients.
Attack Overview
The ransomware attack on Kronos Corporate Group was executed by LockBit, a highly sophisticated ransomware-as-a-service (RaaS) group. LockBit has been active since September 2019 and is responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. The attack on Kronos disrupted its operations and raised concerns about the potential compromise of sensitive data.
About LockBit
LockBit distinguishes itself through its modular ransomware that encrypts its payload until execution, hindering malware analysis and detection. It uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files. Employing "double extortion" tactics, LockBit exfiltrates sensitive data and threatens to release it publicly if the ransom is not paid. The ransomware demands payment in Bitcoin, typically ranging from several thousand to several hundred thousand dollars.
LockBit is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. Additionally, it performs a check to avoid executing on computer systems with installed languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.
Potential Vulnerabilities
The attack on Kronos Corporate Group underscores the vulnerabilities that can arise in cloud-based systems. Despite the company's business model and emphasis on value creation, the incident highlights the critical need for enhanced cybersecurity measures to protect against increasingly sophisticated ransomware attacks. The integration of modern communication platforms and data analytics in workforce management solutions, while beneficial, also presents potential entry points for cyber adversaries.
Sources
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.