LockBit Ransomware Group Targets Concord Direct: Detailed Cyberattack Analysis

Incident Date: July 19, 2024


Overview

Title: LockBit Ransomware Group Targets Concord Direct: Detailed Cyberattack Analysis
Victim: Concord Direct
Attacker: Lockbit3
Location: Concord, USA; New Hampshire, USA
First Reported: July 19, 2024

LockBit Ransomware Group Targets Concord Direct: A Detailed Analysis

Overview of Concord Direct

Concord Direct, a direct response marketing agency headquartered in Concord, New Hampshire, has been a cornerstone in the nonprofit sector since its founding in 1958. Specializing in direct response fundraising, digital marketing strategies, and custom solutions, the agency has built a reputation for delivering measurable marketing results. With a team of over 70 employees, each averaging 10 years of experience, Concord Direct serves a diverse range of nonprofit organizations, including those in health, human services, and environmental sectors. The company reported an estimated revenue of $8.5 million, reflecting its significant role in the competitive marketing landscape.

Details of the Ransomware Attack

On July 12, 2024, the ransomware group LockBit claimed responsibility for a cyberattack on Concord Direct. The attackers have reportedly published sensitive data, including names, positions, companies, locations, multiple personal and business emails, and various phone numbers. This breach highlights the vulnerabilities that even well-established organizations face in the ever-evolving landscape of cyber threats.

About LockBit Ransomware Group

LockBit, also known as LockBit Black, is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. Its ransomware is modular, with a payload that is kept encrypted and only decrypted at execution, and it encrypts victim files using a combination of RSA-2048 and AES-256. The group uses "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid. LockBit was responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023.

How LockBit Penetrated Concord Direct's Systems

LockBit is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares in order to spread quickly across a network. Before running, the ransomware checks the system language and will not execute on systems configured with languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (mutex) when it executes, the use of a distinctive icon, and the replacement of the victim's desktop wallpaper. The ransomware also accepts various command-line parameters that modify its behaviour, such as spreading laterally via Group Policy or administrative shares.
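A defender-side correlation of the tradecraft listed above, added here as an example and not taken from the page or from any vendor tooling. It assumes a constructed pipe-delimited SIEM export (timestamp|host|event_id|detail); the host names, user names and timestamps are made up, while the Windows event IDs (4624 with logon type 10 for RDP logons, 5140 for share access, Sysmon 13 for a registry value set) and the wallpaper registry path are real.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators drawn from the text above: RDP logons, admin-share access used for
# lateral spread, and the desktop wallpaper being replaced. A single indicator
# is routine; two or more on one host inside a short window is worth an alert.
WALLPAPER_KEY = r"HKCU\Control Panel\Desktop\Wallpaper"

def classify(event_id: str, detail: str):
    """Map one event to an indicator name, or None if it is not of interest."""
    if event_id == "4624" and "LogonType=10" in detail:
        return "rdp_logon"
    if event_id == "5140" and any(s in detail for s in ("ADMIN$", "C$")):
        return "admin_share"
    if event_id == "13" and WALLPAPER_KEY in detail:
        return "wallpaper_change"
    return None

def correlate(lines, window_minutes=30, min_hits=2):
    """Return {host: sorted indicator names} for every host that shows at
    least min_hits distinct indicators inside one window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for line in lines:
        ts, host, event_id, detail = line.split("|", 3)
        kind = classify(event_id, detail)
        if kind:
            per_host[host].append((datetime.fromisoformat(ts), kind))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            kinds = {k for t, k in events[i:] if t - t0 <= window}
            if len(kinds) >= min_hits:
                alerts[host] = sorted(kinds)
                break
    return alerts

# Constructed sample feed (timestamp|host|event_id|detail). WS-07 shows all
# three indicators within minutes; WS-02 has a lone RDP logon, which on its
# own is ordinary administration and must not alert.
SAMPLE_LOGS = [
    "2024-07-12T02:10:05|WS-02|4624|LogonType=10 User=helpdesk",
    "2024-07-12T02:14:11|WS-07|4624|LogonType=10 User=svc_backup",
    "2024-07-12T02:16:40|WS-07|5140|ShareName=\\\\*\\ADMIN$ User=svc_backup",
    "2024-07-12T02:21:03|WS-07|13|TargetObject=HKCU\\Control Panel\\Desktop\\Wallpaper",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS))
```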

Implications for Concord Direct

The attack on Concord Direct underscores the critical need for robust cybersecurity measures, especially for organizations handling sensitive data. Given Concord Direct's role in supporting nonprofit organizations, the breach could have far-reaching implications, affecting not only the agency but also its clients and their beneficiaries. The incident serves as a stark reminder of the importance of continuous vigilance and advanced security protocols in safeguarding against sophisticated cyber threats.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous and the most financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.