LockBit Ransomware Hits Wattle Range Council: 46,000 Files Stolen in South Australia

Incident Date: July 19, 2024

Overview

Victim: Wattle Range Council

Attacker: Lockbit3

Location: Millicent, Australia

First Reported: July 19, 2024

LockBit Ransomware Group Targets Wattle Range Council in South Australia

Overview of the Attack

The Wattle Range Council, a local government authority in South Australia, has fallen victim to a ransomware attack orchestrated by the notorious LockBit group. The attack was disclosed on LockBit's darknet leak site, where the group threatened to publish over 46,000 stolen files unless an unspecified ransom is paid by August 4th. The stolen data reportedly includes 103 gigabytes of information spread across more than 7,000 folders, featuring sensitive documents such as complaint notices, rate notices, banking applications, tax invoices, and customer details from a tourist park.

About Wattle Range Council

Wattle Range Council serves the communities of Millicent, Beachport, Penola, and surrounding areas in South Australia. The council is responsible for providing essential services, infrastructure, and community development. With a workforce of 51 to 200 employees, the council is a medium-sized organization. It stands out for its commitment to community engagement and development, organizing events, supporting local businesses, and promoting sustainable environmental practices. The council's proactive approach to involving residents in decision-making processes is a notable feature of its governance.

Vulnerabilities and Impact

The attack on Wattle Range Council highlights several vulnerabilities that may have been exploited by the LockBit group. As a local government entity, the council handles a significant amount of sensitive data, including financial information and personal details of residents and tourists. The council's extensive use of digital systems for managing community services, infrastructure, and economic development activities makes it a lucrative target for ransomware groups. The exfiltration of such a large volume of data indicates potential weaknesses in the council's cybersecurity measures, such as inadequate network segmentation, outdated software, or insufficient employee training on cybersecurity practices.

About LockBit Ransomware Group

LockBit, also known as LockBit Black, is a highly sophisticated ransomware-as-a-service (RaaS) group that has been active since September 2019. It is responsible for a significant portion of ransomware attacks globally. LockBit employs "double extortion" tactics, encrypting victims' files and threatening to release exfiltrated data publicly if the ransom is not paid. The ransomware uses advanced encryption algorithms and exploits vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across networks. LockBit's ability to avoid execution on systems with languages common to the Commonwealth of Independent States (CIS) region further distinguishes it from other ransomware groups.

Penetration Methods

LockBit likely penetrated Wattle Range Council's systems through vulnerabilities in RDP services or unsecured network shares. The ransomware's modular design and use of command-line parameters to modify its behavior enable it to spread laterally within a network, reboot into Safe Mode, and set custom wallpapers. The group's sophisticated techniques and focus on exploiting specific vulnerabilities underscore the importance of robust cybersecurity measures for organizations handling sensitive data.
