LockBit Archives | CyberScoop
https://cyberscoop.com/tag/lockbit/
Last updated: Thu, 15 Jun 2023 18:41:41 +0000

Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks
https://cyberscoop.com/lockbit-russian-national-arrested/ (Thu, 15 Jun 2023 18:41:41 +0000)
The group is one of the most prolific ransomware gangs, responsible for an estimated $91 million paid by U.S. victims.

The post Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks appeared first on CyberScoop.

Federal law enforcement officials arrested a Russian national in Arizona on charges related to his participation in multiple LockBit ransomware attacks against victims in the U.S., Asia, Europe and Africa, the Department of Justice said Thursday.

Ruslan Magomedovich Astamirov, 20, was taken into custody on Wednesday, a spokesperson for U.S. Attorney Philip Sellinger, from the District of New Jersey, told CyberScoop after the DOJ unsealed a criminal complaint in the case.

LockBit, which emerged in January 2020, was the most active ransomware variant in 2022 in terms of victims claimed on the group’s data leak site, U.S. cybersecurity officials said in a June 14 advisory. Known LockBit attacks accounted for 16% of state, local, tribal and tribunal government ransomware attacks reported in the U.S. in 2022, as well as roughly 20% of known government ransomware attacks in Australia, Canada and New Zealand, the advisory said. Since January 2020 the group has been associated with approximately $91 million in ransoms paid in the U.S., the advisory said.

Astamirov’s case will be tried out of New Jersey, which is handling the cases of two other men accused of participating in LockBit ransomware attacks: Mikhail Vasiliev, a dual Russian and Canadian national, was arrested in November, and Mikhail Pavlovich Matveev, also known as Wazawaka, was indicted in May for alleged roles in LockBit attacks along with other cyber activities. Matveev, a Russian national, remains at large.

“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended,” U.S. Attorney Sellinger said in a statement. “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

The announcement comes a day after the joint advisory from top cybersecurity officials in the U.S. and their counterparts in multiple countries detailing the threat from LockBit, which the advisory said was the most deployed ransomware variant in 2022. The variant is associated with more than 1,400 attacks in the U.S. and around the world, according to the Department of Justice.

According to the complaint filed by prosecutors, Astamirov owned and controlled email addresses, an IP address and a cloud services account associated with the deployment of LockBit attacks. Astamirov “executed” attacks on victims in Florida, Tokyo, Virginia, France and Kenya dating back to August 2020, according to the complaint. In one of the attacks, Astamirov received at least 80 percent of the ransom payment, which was made in Bitcoin, the complaint alleges.

FBI agents interviewed Astamirov in May and searched several devices, including his phone and a laptop computer, according to the complaint.

Ranking ransomware: The gangs, the malware and the ever-present risks
https://cyberscoop.com/ranking-ransomware-gangs-malware/ (Wed, 10 May 2023 14:32:28 +0000)
A newly launched ransomware quadrant offers a way for organizations to better understand the complex cybercrime ecosystem.

On March 4, a ransomware crew that calls itself Royal attacked the city of Dallas, hobbling services and triggering issues that have persisted for the past week. In February, the PLAY ransomware group took credit for attacking the city of Oakland, eventually dumping as many as 600 gigabytes of internal city files on the internet.

These are just two of the known ransomware attacks that occur daily around the world targeting small and large businesses, government organizations, nonprofits and medical facilities. Names like Royal and PLAY apply to both the strain of malware used in the attacks and the groups that create and operate the platforms behind them, but those names may signify little else to executives and other decision-makers on the frontlines of defending against ransomware.

A new effort is taking on the daunting challenge of ranking ransomware outfits to give organizations greater awareness of the criminal cyber operations they’re fighting on a daily basis. The Ransomware Malicious Quadrant, published Wednesday by ransomware-focused cybersecurity firm Halcyon and first shared with CyberScoop, takes the most consequential and effective ransomware groups of the past year, gathers the most critical data points on each, and categorizes them.

“There’s so much information out there, but there’s not a lot of consistent information,” said Anthony Freed, Halcyon’s director of threat intelligence. Various cybersecurity firms track ransomware groups, but their public products often give businesses little usable information.

“You’ll get a nice report, and the next year, they may have kind of moved on to the next shiny thing, or the data that they collect isn’t apples to apples to what they had before, or other organizations producing bits and pieces [on various groups],” Freed said.

Those interested in a given ransomware group’s history can get a detailed view of the group’s attacks, the industries it has targeted and where it is most active, giving executives and others a starting point for understanding the threats relevant to them.

Halcyon’s system is designed to give business leaders and other decision-makers a compact but thorough overview of the plethora of ransomware variants and crews operating at any moment. Data about ransomware operators and their victims is inherently limited to a subset of the full scope of activity, given that what’s known publicly is usually based on what the criminal gangs choose to share publicly.

Nevertheless, based on Halcyon’s research and information published by other firms and government sources, enough is known about the groups to sort them on a range of factors. Each group is plotted along the quadrant’s x-y axes — ability to execute and completeness of vision — and the quadrants further characterize each group as either a challenger, leader, niche player or visionary.

Written entries for each group track a range of factors, including effectiveness in disrupting targeted networks, ability to evade detection, continued development of its platform, target selection and the availability of technical support for affiliates.

LockBit, one of the most active groups at the moment based on publicly known data, is predictably ranked highest in terms of execution and vision. Royal, the group associated with the attack on Dallas, “has quickly become one of the more concerning ransomware operations,” the report notes, given its prolific attack rate since emerging in September 2022.

Freed says Halcyon is trying to determine how often to update the quadrant given the incredibly fluid nature of the ransomware space. But for now, the company hopes that it can be a resource for decision-makers who aren’t necessarily technical but need to know what’s happening.

“What’s happening in my space? Who are the threat actors that target my industry more, who’s super active? What victims that these ransomware operators hit kind of look like me? And what lessons can be learned from those attacks?” Freed said. “These organizations have to plan not just to prevent a ransomware attack, but to respond to a ransomware attack and be resilient.”

After Hive takedown, could the LockBit ransomware crew be the next to fall?
https://cyberscoop.com/lockbit-ransomware-crew-law-enforcement-hive/ (Tue, 07 Feb 2023 21:44:50 +0000)
As international law enforcement agencies turn up the heat on ransomware gangs, LockBit's high-profile cyberattacks make it a prime target.

LockBit, the notorious ransomware crew that hobbled Royal Mail’s international shipping service in the U.K. last month, posted a warning late Monday claiming that it would publish “all available data” stolen from the company if it didn’t pay up by Thursday.

It was just the latest ominous warning from the group, which is one of the most prolific and profitable ransomware operators in the world. And following the headline-grabbing takedown of the rival group Hive that involved law enforcement in the U.S. and Europe, experts say LockBit is an obvious next target as governments around the world have pledged to go on the offensive against ransomware operators.

“I think something is going to happen to LockBit in the next [six] months,” said Allan Liska, an intelligence analyst with the cybersecurity firm Recorded Future. “I don’t know if it will be law enforcement or internal strife, but something will happen. You can’t be this big for this long as a [ransomware as a service] group without attracting a lot of unwanted attention.”

As if taunting law enforcement officials, the group applauded the Hive operation last month: “Nice news. I love when FBI pwn my competitors.”

Officials in the U.S. and abroad have stepped up actions against ransomware groups in recent months. In the U.S. last year, financial institutions observed nearly $1.2 billion in costs associated with ransomware attacks, the Treasury Department said in November, a figure experts say likely represents just a fraction of the total problem. The announcement came as the White House hosted the Second International Counter Ransomware Initiative Summit, hoping to better coordinate three dozen countries’ approach to attacking cybercrime.

Active since September 2019, LockBit has grown into one of the most prolific ransomware-as-a-service operations, in which a core group of developers leases malware to “affiliates” who carry out attacks. Its ransom operations nearly doubled from 2021 to 2022, according to analysis published Tuesday by NCC Group, an international cyber consultancy based in the U.K. The group isn’t shy about talking up the strength of its technology: LockBit boasted about the speed at which its malware encrypts systems and steals data, according to an August 2021 interview with a Russian tech blog analyzed by cybersecurity firm AdvIntel.

Liska said that based on public postings “LockBit is significantly larger than Hive.” Recorded Future has observed 1,327 victims posted to LockBit’s data leak site, he said, 854 of which have been posted since January of 2022. He said there is not enough data to nail down a firm dollar figure associated with the group, but the Department of Justice alleged in November that LockBit had demanded $100 million in payments and “extracted tens of millions” from its victims in the U.S. and around the world.

The group’s targets are also getting bigger and higher profile. Last week, LockBit attacked ION, a financial trading services group that facilitates trading and settlement of exchange-traded derivatives, according to Reuters, potentially impacting activities related to “thousands of firms.”

The Royal Mail hack has also gained international attention. In an interview with Bleeping Computer, LockBit originally denied any role in the attack and claimed that someone using a leaked version of its encryption malware was responsible. Two days later, however, a group representative said they had determined which affiliate was behind the attack and that a decryption key would be provided after a ransom was paid, the news site reported.

Signaling the group may have its own internal differences, a LockBit affiliate in December attacked The Hospital for Sick Children, known as SickKids, in Toronto. The group apologized for the attack and said the action “violated our rules” and that the “partner” that carried out the attack was “no longer in our affiliate program.”

“If I was a ransomware affiliate, I wouldn’t want to work with LockBit,” said Brett Callow, a threat analyst with cybersecurity firm Emsisoft. Its recent string of high-profile attacks will have likely focused law enforcement attention on the group even more than in the past, he said. “I wouldn’t be at all surprised to discover that LockBit’s operation had been subject to a Hive-like infiltration. Law enforcement agencies are getting better and better at counter-ransomware operations and every arrest they make and every bit of intel they collect helps them take action against other groups and individuals.”

For now, however, LockBit could be benefiting from the demise of Hive, Callow noted: “They have recently listed more victims than usual, possibly as a result of Hive affiliates looking for a new home.” Those new affiliates, however, could spell trouble. “Of course, as Hive’s operation was compromised by law enforcement months ago, it’s possible that some of its affiliates were compromised too and that LockBit and its business partners could soon get a nasty surprise,” he said.

A message sent to LockBit’s support chat address Tuesday was not returned. Neither the FBI nor the Department of Justice responded to a request for comment.

The group claims on its website to be located in the Netherlands and “completely apolitical and only interested in money,” although the group communicates largely on Russian-speaking hacking forums and told the Russian tech blog that “We benefit from the hostile attitude of the West (towards Russia). It allows us to conduct such an aggressive business and operate freely within the borders of the former Soviet (CIS) countries.”

It’s impossible to know the full scope of LockBit’s activities or how it compares to other groups, Callow said, but the group is “certainly in the top 10.”

In November, when the Department of Justice unsealed charges against Mikhail Vasiliev, a dual Russian and Canadian citizen, for working with LockBit, the agency alleged the group’s malware had “been deployed against over 1,000 victims in the United States and around the world.”

LockBit ransomware suspect arrested in Canada, faces charges in US
https://cyberscoop.com/lockbit-ransomware-suspect-arrested/ (Thu, 10 Nov 2022 22:37:51 +0000)
Authorities arrested the suspect wanted for his alleged role in one of the most prolific ransomware crews in the world.

Canadian law enforcement officials in October arrested a dual Russian and Canadian national accused of participating in LockBit ransomware attacks against targets across the world that cost victims millions of dollars.

The Justice Department identified the suspect as Mikhail Vasiliev who, according to court documents unsealed Thursday, faces charges related to conspiracy to damage computers and transmitting ransom demands. Vasiliev faces up to five years in prison and is awaiting extradition to the U.S.

“This arrest is the result of over two-and-a-half years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” said Deputy Attorney General Lisa Monaco in an additional statement issued Thursday confirming the arrest. “Let this be yet another warning to ransomware actors: working with partners around the world, the Department of Justice will continue to disrupt cyber threats and hold perpetrators to account.”

Europol called Vasiliev one of its most “high-value targets due to his involvement in numerous high-profile ransomware cases,” the agency said in a statement obtained by CyberScoop.

Investigators from the French Gendarmerie, the FBI and Europol’s European Cybercrime Centre were deployed to Ontario as part of the operation, according to the Europol statement.

Police seized two firearms, eight computers and 32 external hard drives, along with roughly $405,000 in cryptocurrencies in the Oct. 26 arrest, Europol said in its statement.

The arrest follows the Sept. 28, 2021, arrest of two suspects in Ukraine who were part of an “organized crime group” accused of committing “a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards,” Europol said at the time.

LockBit is one of the most active ransomware groups, with at least 1,029 attacks since coming onto the scene in 2019, according to stats collected by The Record.

Ransomware attacks jump as new malware strains proliferate, research finds
https://cyberscoop.com/ransomware-attacks-rise-lockbit-north-korea-lazarus/ (Thu, 25 Aug 2022 13:13:21 +0000)
Ransomware cases increased 47 percent amid a rise in attacks involving new strains of malware from the LockBit cybercrime syndicate.

Ransomware cases jumped 47 percent amid a rise in attacks involving newer strains of malicious software infecting targets, according to the cybersecurity firm NCC Group.

Reported incidents increased to 198 in July from 135 in June, according to the firm, which issues semi-regular reports on ransomware activity by tracking the websites where groups post victims’ details.

Just this week, ransomware attackers associated with LockBit, which has been deploying a potent new version of its malware, hobbled a French hospital, causing some patients to have to be redirected to other facilities.

LockBit was associated with 62 incidents in July, according to NCC Group, nearly 20 percent higher than its June total of 52 known incidents. LockBit remains “the most threatening ransomware group, and with which all organisations should aim to be aware of,” the company wrote.

Hive and BlackBasta follow LockBit in the number of reported attacks. Both of those groups have connections to Conti, once the most prolific ransomware group before a fracturing of sorts in the wake of the Russian invasion of Ukraine. Ransomware groups are made up of a core group of developers working with affiliates, and some splinter outfits work with multiple groups at a time.

NCC Group’s report also noted the continued activity of North Korean cyber criminals tracked broadly under the name Lazarus Group. In April, the group was tied to a $625 million cryptocurrency theft, and in early July a trio of U.S. government agencies warned that a separate North Korean effort was behind the Maui ransomware variant that has been seen attacking healthcare and public health organizations. In June, Lazarus Group was reportedly behind a separate $100 million theft on California-based Harmony’s Horizon Bridge.

Lazarus Group has, at times, become a catch-all for a flurry of distinct and nuanced North Korean cyber activity, ranging from extortion to espionage to cybercrime, cybersecurity firm Mandiant explained in a March analysis.

Nevertheless, Lazarus is a significant, ongoing threat, said Matt Hull, the global head of threat intelligence with NCC Group.

“Lazarus Group seem to be improving their crypto-theft and ransomware operations, so it is more important than ever to monitor their activity closely,” he said in a statement issued with the July report. “Cryptocurrency organisations in the US, Japan and South Korea should remain on high alert.”

Ransomware group targets Italian tax agency
https://cyberscoop.com/lockbit-italy-tax-agency-ransomware/ (Mon, 25 Jul 2022 16:09:09 +0000)
LockBit, one of the most prolific ransomware operations, claims to have 100GB of data from the agency.

Italian authorities are investigating the reported theft of roughly 78 gigabytes of data from Italy’s tax agency, l’Agenzia delle Entrate, the Italian news agency ANSA reported Monday.

Earlier Monday, LockBit 3.0, one of the most active and prolific ransomware groups going, posted a notice to its website claiming it had stolen “100GB: company documents, scans, financial reports, contracts” from the agency, along with six screenshots purporting to show a sample of the files.

[Image: Notice posted to the LockBit 2.0 website July 25, 2022.]

A message posted to the agency’s website said that it had “immediately requested feedback and clarifications from SOGEI SPA,” the publicly owned IT company “which manages the technological infrastructures of the financial administration and is carrying out all the necessary checks,” according to a Google translation.

The agency later appended a message to the original saying that an initial analysis found no indications that a cyberattack occurred, “nor has data been stolen” from the agency, according to a Google translation. Nevertheless, the statement continued, the investigation remains ongoing.

LockBit 3.0 first emerged as a distinct ransomware-as-a-service variant in September 2019 as the ABCD ransomware and has since evolved several times. It’s grown to become perhaps the most active group in the space. As of May, the group accounted for 46 percent of all ransomware-related breach events in 2022, and had racked up more than 850 victims around the world, Palo Alto Networks’ Unit 42 reported in June.

Experts have warned that LockBit has previously made grand claims that turned out to be bogus, or has claimed that information stolen from one entity was actually data from another entity.

Update, 7/26/22: This story was updated to include the agency’s modified statement denying that an attack occurred.

Evil Corp affiliates are using off-the-shelf ransomware to evade sanctions
https://cyberscoop.com/evil-corp-lockbit-mandiant-sanctions/ (Thu, 02 Jun 2022 14:00:00 +0000)
Researchers found a number of similarities between Evil Corp and a new group of attackers.

Hackers likely affiliated with the notorious Russian cybercrime group Evil Corp are using off-the-shelf ransomware to evade U.S. sanctions, researchers at security firm Mandiant have found.

The researchers’ observations, published Thursday, are just the latest example of how cybercriminals affiliated with Evil Corp have shifted tactics after U.S. sanctions in 2019 increased scrutiny over transactions with the group.

The group, which had already started pivoting from broader financial crimes to ransomware prior to 2019, has since been tied by multiple researchers to a number of different malware strains including WASTEDLOCKER and HADES ransomware.

But as those strains became synonymous with Evil Corp, their users have had to adjust. For instance, after an October 2020 Treasury Department advisory tying WASTEDLOCKER to the group, researchers noticed a drop in activity using the malware. Researchers at Emsisoft even observed Evil Corp affiliates masquerading last year as another notorious group, REvil, to evade sanctions.

Treasury sanctioned Evil Corp in 2019 for its development and distribution of Dridex, a malware used to infiltrate hundreds of financial institutions in more than 40 countries, leading to millions of dollars in damages.

Now, affiliates whom researchers track as “UNC2165” have taken cover with LOCKBIT, a ransomware-as-a-service operation with ties to a number of different threat actors.

“The adoption of existing ransomware is a natural evolution for UNC2165 to attempt to obscure their affiliation with Evil Corp,” the Mandiant researchers write. “Both the prominence of LOCKBIT in recent years and its successful use by several different threat clusters likely made the ransomware an attractive choice.”

Also in 2019, prosecutors indicted two Russian nationals, Maksim Yakubets and Igor Turashev, in connection with Evil Corp. Yakubets was accused of providing direct assistance to the Russian government.

Despite scrutiny from the U.S. government, the notorious and prolific Russian crime group has continued to go after U.S. targets. Evil Corp was accused of launching a cyberattack against U.S. media company Sinclair Broadcast Group in October.

Russian ransomware group claims attack on Bulgarian refugee agency
https://cyberscoop.com/lockbit-ransomware-attack-bulgarian-refugee-agency/ (Wed, 04 May 2022 16:48:18 +0000)
The impact of the alleged attack is so far unclear. The country has taken in hundreds of thousands of Ukrainian refugees.

A ransomware group believed to have strong ties within Russia said Wednesday that it will release files it took from the Bulgarian government agency responsible for refugee management. Bulgaria has reportedly hosted hundreds of thousands of fleeing Ukrainians.

LockBit 2.0 posted a notice to the dark web portal it uses to identify and extort its victims saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the notice read under the group’s trademark bright red countdown clock, which has a May 9 publication date but no specific posted ransom demand.

The agency didn’t immediately return an emailed request for comment. A spokesperson at the Bulgarian embassy in Washington, D.C., told CyberScoop Wednesday he didn’t have information on the incident and would look into it.

The agency’s website remains functional, but a notice on the site’s home page says that “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable!!!” according to a Google translation.

Nearly 5.7 million Ukrainian refugees have fled their country since the Feb. 24 Russian invasion, according to data from the United Nations High Commissioner for Refugees. Nearly 230,000 of those made their way to Bulgaria, with 100,700 remaining in the country, according to the Sofia Globe, a news organization in the country’s capital.

LockBit 2.0 is the successor to LockBit, a ransomware variant first spotted in September 2019, according to cybersecurity firm Emsisoft. Originally known as ABCD ransomware — named for the file extension appended to encrypted files, with the extension later updating to “LockBit” — the crew launched its own leak site in September 2020.

By June 2021, after a string of attacks, the developers behind the malware launched “LockBit 2.0,” along with advertising material boasting of its fast encryption and data exfiltration speeds, relative to other ransomware variants. As of July 2021 Emsisoft estimated that there could have been nearly 40,000 ransomware incidents involving LockBit malware.

“This is simply the latest in a very long list of hits on organizations which provide critical services,” said Brett Callow, a threat analyst at Emsisoft. “Hospitals, [search and rescue], fire departments, and charities for the disabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the sooner we find a way to deal with the problem, the better.”

It’s also not the first cyberattack targeting officials trying to aid Ukrainian refugees.

Like other major ransomware efforts, there’s believed to be a core group behind LockBit that works with “affiliates,” who keep 70% to 80% of ransomware proceeds. In an August 2021 interview with a Russian-speaking tech blog, a representative for the group espoused a series of political positions that correlated heavily with the anti-American and anti-Western narratives promoted by Russian government officials and popular Russian media, according to an analysis by Florida-based cybersecurity firm AdvIntel.

The LockBit 2.0 representative said in the interview that the group does not attack “social services and charities,” but the AdvIntel analysis concluded that the group is like other ransomware groups where “‘moral agendas’ never go beyond such flamboyant phrases.”

In late February the group posted a notice to its site claiming neutrality with respect to the Russian invasion, Reuters reported in March. The statement claimed its “pentesters” were mostly Russians and Ukrainians, but that the group included people from around the world, SC Media reported at the time.

Ransomware group says it took files from French Ministry of Justice
https://cyberscoop.com/ransomware-group-claims-to-have-files-from-french-ministry-of-justice/ (Thu, 27 Jan 2022 19:39:23 +0000)
Hackers claim to have nearly 10,000 files from the French government agency, but skepticism is warranted.

A ransomware group claimed Thursday that it stole thousands of files from the French Ministry of Justice, threatening to post “all available data” if the ransom isn’t paid by Feb. 10.

The announcement appeared on the leak site of LockBit 2.0, a known ransomware-as-a-service operation that’s been active since at least September 2019, according to cybersecurity firm Emsisoft.

Neither the French Ministry of Justice nor the country’s main cybersecurity agency responded to a CyberScoop request for comment about the situation. A ministry spokesperson told Politico that the agency was “aware of the alert and immediately took steps to carry out the necessary checks,” but did not elaborate.

The post viewed by CyberScoop on the leak site — where victim files are publicized either to pressure payments or punish victims if ransoms aren’t paid — indicates that the group may have 9,856 files, but nothing has been posted yet.

Brett Callow, a threat analyst at Emsisoft, said Thursday that the group may not end up posting any files, “as some of their past claims have been bogus.” For example, he said, there have been cases “where information stolen from organization A included information about organization B, they claim to have hit both A and B.”

Originally known as ABCD ransomware, after the file extension it appended to the files it encrypted on a target’s system, the ransomware evolved into LockBit and then LockBit 2.0 by June 2021, racking up perhaps tens of thousands of victims globally, Emsisoft reported.

LockBit was reportedly used in the July 2021 ransomware attack on global IT consulting firm Accenture, which came with a $50 million ransom demand, CyberScoop reported at the time.

The site currently lists dozens of purported victims from around the world.

Accenture lost ‘proprietary information’ in summer ransomware attack
https://cyberscoop.com/accenture-ransomware-sec-form-10-k-lockbit/ (Mon, 18 Oct 2021 14:57:43 +0000)
The company didn't elaborate on the exact nature of the extracted data.

Accenture has acknowledged in a filing to the Securities and Exchange Commission that outsiders extracted “proprietary information” in a cyber incident this summer.

The SEC filing, submitted Friday, provides additional detail on a breach the company first discovered on July 30 and disclosed in early August. The disclosure coincided with the ransomware gang LockBit 2.0 leaking information from the consulting giant after saying Accenture had failed to pay a $50 million ransom by its deadline.

CyberScoop had previously reported other details of the intrusion.

“While the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a highly sensitive nature,” read an internal memo that CyberScoop obtained.

A spokesperson didn’t directly answer a question about what kind of “proprietary information” the attackers stole, saying that the company’s original statement covered the matter.

“Through our security controls and protocols, we identified irregular activity in one of our environments,” that statement read. “We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from backup. There was no impact on Accenture’s operations, or on our clients’ systems.”

In its SEC form 10-K, the company said there could be further fallout.

“In addition, our clients have experienced, and may in the future experience, breaches of systems and cloud-based services enabled by or provided by us,” it reads. “To date these incidents have not had a material impact on our or our clients’ operations; however, there is no assurance that such impacts will not be material in the future.”

In a summer filled with headline-making ransomware attacks, the Accenture intrusion flew relatively under the radar, despite a burst of social media attention at the time. Accenture reported $44 billion in 2020 revenue — far more than another summer victim that got more attention, Colonial Pipeline, which reported $1.3 billion in revenue.

But the impact of the Accenture breach was not as tangible as that of the Colonial Pipeline breach and others; the attack on the fuel supplier prompted the company to take its systems offline.
