Skull and crossbones

Ransomware in October 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their dark web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

As we enter the final three months of 2022, LockBit remains preeminent among the criminal gangs selling ransomware-as-a-service (RaaS).

LockBit posted just less than half as many victims on its dark web leak site in October (59) as it did in September (109). However, this apparent decline is simply a return to the level of activity typical for 2022.

Since the disappearance of Conti in the first half of the year, LockBit has been by far the most widely used form of RaaS, based on known attacks. A comparison with its nearest rivals, ALPHV and Black Basta, is instructive. Since we began monitoring ransomware leak data in March, neither has come close to matching LockBit’s activity, which has at times accounted for almost half of all RaaS activity.

In October, the USA was the country most afflicted by ransomware, by some distance.

Our analysis of the most affected industry sectors also tells a familiar story, with services the most afflicted sector, as has been the case all year.

Money laundering

In October, VX Underground published an interview it said was with the founder of the LockBit group, who it called “Lockbit administrator” (LBO). In amongst the usual adolescent self-aggrandizing, LBO provided some interesting information about the size of the LockBit organization, and how ransoms paid in cryptocurrency are laundered into hard cash.

According to LBO, LockBit has “over 10 members”, consisting of “pentesters, developers, money launderers, testers, and negotiators”. If “over 10” is close to ten, that would appear to make LockBit’s staff almost an order of magnitude smaller than Conti, which was thought to have around 100 staff before it disbanded.

The scalability of RaaS comes from the use of affiliates—partner organizations that actually carry out attacks using LockBit RaaS, and pay for it with a share of their ransoms. According to LBO, LockBit has “no more than 100 people” working as affiliates. By our numbers, those 100 people are responsible for about one third of all RaaS attacks, which hints that the number of professional criminals actively engaged in ransomware attacks is probably quite low. Given the huge sums of money that have been extorted by ransomware gangs over the past five years into relatively few hands, this suggests there must be a significant money operation.

According to LBO, it transfers ransom money “to Chinese exchangers, from there to another exchange.” The money is then transfered to cards using a variety of methods, to avoid detection. Money mules are then sent to cash out up to $7,000 at a time from ATMs.

According to the Ransomware Task Force, victims paid $350 million in ransoms in 2020. Using laundering techniques like the one described above would require a minimum of 50,000 ATM transactions, which might explain why cryptocurrency transfers and money laundering seem to have been prime targets for law enforcement efforts in the last two years.

LockBit clones

In September, the software builder for LockBit 3.0 ransomware was leaked (yes, we got a copy). At the time we predicted that we would see gangs using using it to create their own ransomware, outside of the LockBit affiliate operation.

In October that started to happen. The Bl00dy ransomware gang is thought to have used it (Bl00dy does not appear on our list this month because it did not post any leaks in October); a LockBit clone was rumoured to have been used in an attack on the Bank of Brazil; and a bitcoin address seen in ransom notes dropped by an unknown group using modified LockBit software has received about $20,000 in payments.

New gang

The only new gang added to our monitoring in October is Mallox.

Updated 2022-11-10, Continental

LockBit is making headlines in Germany, following an August cyberattack on the automotive parts giant Continental. According to a transcript of the negotiations, obtained from LockBit’s dark web site, ransom negotiations began on September 23 and progressed slowly for a month. In the transcript, Continental seeks proof that the ransomware group has the 40 terabytes of internal company data it claims to have stolen, and then asks for assurances that the group will delete the data if the ransom is paid.

The final message attributed to Continental, dated October 24, reads “Hello, we have to hold a management meeting and will come back to you tomorrow end of business day.”

It seems that the meeting did not go the way that LockBit hoped, and after several fruitless days trying to restart the negotiation, the ransomware group has made the Continental data available on its dark web site—for sale or destruction—for $50 million.

Updated 2022-11-10, LockBit arrest

The US Justice Department reports that a dual Russian and Canadian national, Mikhail Vasiliev, is in custody in Canada, awaiting extradition to the United States. Vasiliev is alleged to have “participated in the LockBit campaign”, and is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. The announcement says the arrest is the result of a two-and-a-half-years investigation into LockBit that began in March 2020, just two months after the group first appeared.

As we noted in August, being the most sucessful of the current crop of ransomware gangs isn’t necessarily good for business in the long run. Although the ransomware ecosystem has proven highly resilient, the gangs within it haven’t.