Ransomware on the Move: LockBit, Knight, BianLian, 8Base

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

‍

LockBit

‍

LockBit, a notorious ransomware group operating since 2019, has made headlines with its audacious attacks on several high-profile organizations.  

‍

Manchester Fertility, a renowned clinic specializing in reproductive medicine, and Talon International, a global supplier of apparel fasteners, both fell victim to LockBit's encryption onslaught.  

‍

The fertility clinic's plight came to light when LockBit posted details of the attack on their dark web channel, while Talon International faced potential exposure of sensitive data, including client records and financial information.

‍

But LockBit's reach extends beyond healthcare and manufacturing sectors. Maritime transport company Portline, Italian logistics company Logtainer, Brazil-based TGestiona Logística, and Barbados-based law firm Lex Caribbean also suffered attacks by LockBit.

‍

Also targeted in LockBit attacks last week were Canadian equipment company Vimar Equipment, and Stone fruit grower and distributor Prima have all suffered LockBit's ransomware assaults, though specifics regarding the extent of the damage remain undisclosed.

‍

LockBit, operating as a Ransomware-as-a-Service (RaaS) since 2019, has established itself as a formidable threat in the cybersecurity landscape. Known for its adeptness at evading security measures and rapid encryption capabilities, LockBit continues to evolve its tactics to maximize its extortion efforts.  

‍

LockBit's innovation and proliferation have propelled it to infamy within the cybercriminal community. Following the release of LockBit 3.0 in 2022, the group introduced novel tactics, including the development of a macOS ransomware variant, challenging conventional notions of operating system security.  

‍

Moreover, LockBit's modular design and advanced encryption algorithms, such as the custom Salsa20 algorithm, pose significant challenges to victims and cybersecurity experts alike.

‍

The ransomware group's preferred methods of infiltration, including exploiting vulnerabilities in remote desktop protocol (RDP) and leveraging network propagation techniques, underscore the urgency for organizations to bolster their cybersecurity defenses.  

‍

LockBit's indiscriminate targeting of enterprises, coupled with its capability to execute high-stakes ransom demands, reinforces the critical need for proactive cybersecurity measures and robust incident response strategies.

‍

Knight

‍

The ransomware group Knight, a rebrand of the Cyclops operations, has also left its mark on the cybersecurity landscape. Vietnamese software outsourcing company Dirox Digital Solutions bore the brunt of Knight's data theft, with 50GB of confidential banking data and client information compromised.  

‍

Abel Santos & Asociados, a consulting firm serving the pharmaceutical and cosmetic industries, was also targeted, though details regarding the attack are scarce.

‍

Knight is a RaaS platform that emerged in early summer of 2023 as a rebrand of the Cyclops ransomware operations that preceded it. As part of their operation, they continue to recruit affiliates through the RAMP hacking forum to enhance their ability to steal data from both Windows and Linux systems.  

‍

In addition to their regular encryptors, the Knight ransomware operation offers a 'lite' version suitable for spam, spray-and-pray, and batch distribution campaigns. The Knight ransomware gang employs an HTML attachment labeled 'TripAdvisor-Complaint-[random].PDF.htm,' which redirects users to a deceptive web browser interface impersonating TripAdvisor.  

‍

Within this simulated browser window, users are prompted to review a restaurant complaint, but it is, in fact, a ruse. When users click on the 'Read Complaint' button, an Excel file titled 'TripAdvisor_Complaint-Possible-Suspension.xll' is downloaded onto their system.  

‍

This download subsequently triggers the activation of ransomware. The Knight Lite ransomware encryptor, injected into a new explorer.exe process, is utilized to encrypt files on targeted computers.  

‍

BianLian

‍

Meanwhile, BianLian, once a typical Ransomware-as-a-Service (RaaS) provider, has pivoted to data exfiltration and extortion attacks.  

‍

Chaney-Couch-Callaway-Carter-and-Associates-Family-Dentistry and Cislo & Thomas LLP, among others, have been subjected to BianLian's data extortion tactics, resulting in the compromise of sensitive business, financial, medical, and legal information.  

‍

The group's transition to pure data extortion attacks highlights the efficacy of the double extortion strategy favored by ransomware groups.

‍

BianLian leverages open-source tooling and command-line scripts to engage in credential harvesting and data exfiltration.  

‍

It is unclear how much BianLian typically requests for a ransom amount, or if they are keen to negotiate the demand down. BianLian successfully attacked several high-profile organizations before a free decryption tool was released to help victims recover files encrypted by ransomware.  

‍

The group abandoned the RaaS model in favor of pure data extortion attacks where data is exfiltrated and ransom demand issued, but no ransomware is deployed. BianLian has been observed deploying a custom Go-based backdoor for remote access.

‍

8Base

‍

Lastly, the 8Base ransomware group, emerging in 2022, has quickly risen to prominence with a surge in cyber activity. French accounting firm CERALP and New Zealand-based chartered accountants YRW Limited are among the victims of 8Base's ransomware campaigns.  

‍

The group's sophisticated tactics, including data exfiltration and modification of security measures like Windows Defender Firewall, underscore the evolving nature of ransomware threats.

‍

The sophistication of the 8Base operation suggests they are an offshoot of experienced RaaS operators - most likely Ransomhouse, a data extortion group that first emerged in December of 2021 and was quite active in late 2022 and early 2023.  

‍

Other researchers see a connection to the leaked Babuk builder. Like most groups today, 8Base engages in data exfiltration for double extortion and employs advanced security evasion techniques including modifying Windows Defender Firewall for bypass.‍  

‍

8Base quickly ascended the ranks of active ransomware operators with a high volume of attacks in late spring and throughout the summer of 2023, making them one of the most active groups.‍ It is unclear how much 8Base typically demands for a ransom.  

‍

8Base does not appear to have its own signature ransomware strain or maintain an RaaS for recruiting affiliate participation openly, but it is assessed they may service a group of vetted affiliate attackers privately.  

‍

Like RansomHouse, they appear to use a variety of ransomware payloads and loaders in their attacks, most prevalently customized Phobos with SmokeLoader. Attacks also include wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.