Lockbit is something of a rock star among organized online extortion gangs. No other encryption Trojan, also known as ransomware, is currently being used to attack more businesses. In October 2022 alone, 160 new extortion victims surfaced on Lockbit’s dark web blog. Among them, as of Saturday, is the Swiss textile machine manufacturer Saurer from Arbon. Lockbit threatens to publish confidential corporate data of the global Saurer Group within days.
160 extortion victims in one month is extraordinary, even for the most active ransomware gang today. However, there are doubts as to whether all of the companies mentioned were actually hacked in October. It is also conceivable that criminals will try to blackmail the companies again with old data from previous hacks.
This could at least be the case with Saurer and the French arms company Thales, which has also been listed as a new victim by Lockbit since Monday. Both companies have been hacked before and neither has confirmed another attack to Watson.
Are the cyber criminals playing a faux pas?
As alleged evidence of the (recent) data theft at Saurer, the cybercriminals published excerpts from stolen company documents on their dark web blog on October 29. These include documents marked as “strictly confidential”. This is apparently meant to persuade Saurer to pay a ransom.
Saurer declined to comment on the threat posed by the cybercriminals and left Watson’s questions unanswered: “We will not comment on your information and will not answer your questions. We will not disclose information on internal business processes on principle,” the company said Monday.
Saurer was already hit by data theft in August 2021, according to research by Watson. At the time, the Karma ransomware gang was able to encrypt data and access Saurer’s IT systems in data centers in Germany.
Just bluffing?
Whether Saurer was hacked again remains unclear for now. The documents published by the cybercriminals as alleged evidence actually seem to come from Saurer. However, none of them are current documents that would indicate that the textile machine manufacturer has been hacked again. They are documents that – just like the data breach from more than a year ago – seem to mainly relate to Saurer in Germany.
So the suspicion remains that Lockbit is using the documents stolen from Saurer in Germany last year and later published on the Darknet to blackmail the company again. To what extent this promises success for cybercriminals remains to be seen.
Sources close to Saurer say that the gaps in the IT systems at the time have been closed and that this has also been assessed externally. If there was a new hack, it must be a completely new incident.
On the Lockbit blog, the countdown for Saurer ends in a few days. Then it could become clear whether the criminals are just bluffing or whether Saurer actually has some other problem.
Criminals wanted $500,000 ransom
The summer 2021 attack was carried out via stolen administrator accounts. There were outages for several days. “We have not paid any ransom,” Saurer told Watson at the time. The police had strongly advised not to respond to the messages from the blackmailers. According to the NZZ, the Karma ransomware gang demanded $500,000. As a result, the criminals released more than 10 gigabytes of company data.
The National Center for Cybersecurity (NCSC) also sheds no light on the alleged new hack: when asked, the federal cybersecurity competence center writes that they generally “don’t comment on specific cyber incidents by companies” and refers to Saurer.
The Thurgau cantonal police write that no report has been received so far, but that there is also no obligation to report. The NCSC confirms that there is still “no general obligation to report cyber incidents” in Switzerland. However, due to the increasing threat of cyber incidents to the economy and the population, the Federal Council wants to strengthen the reporting system.
The German Federal Office for Information Security (BSI) has so far left unanswered Watson’s inquiry as to whether Saurer has reported another cyber incident in Germany.
In the 1990s, Saurer developed into the largest textile machine manufacturer in the world. In 2013, Saurer was sold to the Chinese Jinsheng Group. After China, Saurer has its largest presence in Germany, although it faced major financial problems there.
Lockbit Gang: Big-mouthed but tech-savvy
French arms and space company Thales said on Monday that it has not yet received a ransom note, but that it is taking the hackers’ claim seriously and is investigating the situation. Thales said the same in January 2022. At that time, the cybercriminals carried out their threat and published data from the group. Thales confirmed the data breach, but spoke of “low sensitivity data”. This could also explain why no ransom seems to have been paid.
Cybersecurity expert Guillaume Maguet told the French newspaper Le Parisien earlier this year that the Lockbit ransomware gang overestimated their prey to get a prominent name on their victim list. Their encryption software is technically sophisticated, but the gang’s statements should be treated with caution.
Thales has so far left unanswered a question from Watson as to whether there was a link between the early 2022 ransomware attack and the new data theft alleged by Lockbit.
Blackmail Trojan Horses for Everyone
The Lockbit blackmail gang offers its eponymous encryption Trojan, Lockbit, as ransomware-as-a-service. This means that other criminals can rent the ransomware from the developers and use it against authorities or companies at their discretion. This could be an important reason why ransomware attacks have increased rapidly in recent years.
The flood of new Lockbit victims in October may also have another reason: In September, a supposedly disgruntled developer published the blueprint for the gang’s latest encryption program – Lockbit 3.0. Even people with relatively little knowledge can now launch their own ransomware attacks, further increasing the threat to businesses.
Should victims nevertheless consider paying a ransom, the NCSC strongly recommends discussing these steps with the cantonal police.
The website https://www.nomoreransom.org/ has tips for identifying the malware and the ability to download known keys. Nomoreransom.org is a joint project of the Dutch police and Europol, in which the Swiss Confederation is also involved.
Source: Watson

I am Dawid Malan, a news reporter for 24 Instant News. I specialize in celebrity and entertainment news, writing stories that capture the attention of readers from all walks of life. My work has been featured in some of the world’s leading publications and I am passionate about delivering quality content to my readers.