Cybercriminal gangs hack and blackmail companies and authorities nonstop, and some do not shy away from paralyzing hospital IT systems with encryption Trojans (ransomware).
The number one in the online extortion business is the Russian-language ransomware group Lockbit. No one hacks more companies and organizations. As of November 2022, Lockbit’s eponymous encryption Trojan had been used against more than 1,000 victims, according to the US Department of Justice.
But now a Lockbit member has apologized, writing on the extortionists’ darknet page, “I’m very ashamed.”
So what happened?
A week ago, the details of a daycare center in the US were published on the Lockbit leak page, which can be found on the darknet. Typically, hacked companies or authorities are featured on the site, otherwise known as the “wall of shame”. The online pillory aims to persuade victims to transfer the demanded ransom in cryptocurrency.
When the blackmail hackers noticed that a nonprofit daycare’s details had been published on their site, a member of the group apologized and wrote that the “partner” responsible had been blocked from accessing the encryption software.
Like other ransomware gangs, Lockbit is a service provider that provides the encryption software, while partners (“affiliates”) perform the hacks at the companies, copy data and encrypt IT systems. The service provider (Lockbit) then typically receives 20 percent of the ransom and the partners pocket 80 percent. The latter are specialized people who are good at, for example, looking for IT vulnerabilities or negotiating a ransom with the victims.
Lockbit generally tolerates partner attacks against non-profit organizations. However, in this case, the partner was apparently barred from further use of the encryption software because children were expressly affected by the data theft.
However, the response of the cyber gangsters is hardly magnanimous: the criminals forgo hardly any substantial income by backing out and providing the decryption software for free. The ransomware gang is probably more concerned about not getting further into the crosshairs of investigators.
Lockbit has been high on the FBI’s wanted list, at least since a partner partially crippled a children’s hospital in Canada with the Lockbit 3.0 encryption trojan in December 2022. This put the ransomware group, which otherwise prefers to stay under the radar, in the international spotlight.
Lockbit then also apologized, but did not make the decryption program available until about two weeks after the hack. This could have had fatal consequences.
Like businesses, the professional ransomware gang has terms of use that govern the use of their ransomware. According to these, pharmaceutical companies, dentists and plastic surgeons are legitimate targets, while the encryption of critical hospital IT systems that can lead to the death of people is prohibited.
However, Lockbit has repeatedly attacked medical facilities in the past. For example, an attack on a hospital in France meant that “surgery had to be postponed or carried out in other medical facilities,” the German tech portal golem.de reported early this year. In Switzerland, successful cyber attacks on the private hospital chain Hirslanden and the Pallas Clinic Group have become known in recent years.
Several extortion gangs have announced in recent years that facilities such as children’s hospitals should be taboo. Ethical considerations are probably of secondary importance. Rather, it is about the gangs’ own reputation, or PR. The leading ransomware gangs compete for talent just as companies do. Anyone who shows a heart for children makes themselves likeable.
The alleged action against partners who violate the code of conduct signals to the outside world that the gang has its partners under control. It is also a sign to the victims that the gang works professionally, like a normal business partner.
Ransomware gangs with their own software development department, tech support, and ransomware brokers present themselves as reputable, so they are perceived as trustworthy when negotiating ransom. A victim is more willing to pay if the perpetrators have a reputation for reliably recovering the data.
Last but not least, the code of conduct can be seen as a measure to remove one’s own criminal network from the line of fire. For law enforcement agencies, deadly ransomware gangs are the most pressing problem.
The hacked nursery is an example of how ransomware gangs and their partners generally do not target large organizations, but simply hack anything that can be easily hacked. This is regardless of whether the goal seems lucrative. The criminals cast the net and what is poorly secured is caught.
Lockbit has been active since the end of 2019. The most well-known victims include the consultancy firm Accenture, the car supplier Continental and the Royal Mail, Britain’s largest mail carrier. Hackers have also repeatedly struck in Switzerland. Even religious institutions such as the deaconess community in Riehen BS are among the victims.
The ransomware gang has so far concentrated on the Windows and Linux systems that are dominant in the business field. In April 2023, the first Lockbit trial version for macOS appeared. “The cyber gangsters’ official mouthpiece also confirmed that Lockbit for macOS is currently under active development,” German technology portal heise.de reported.
Like other leading ransomware manufacturers, Lockbit works with partners who can rent the encryption software and use it for their own attacks. So they do not have to develop the associated malware themselves. In technical jargon, this is called ransomware-as-a-service, or RaaS for short, as Lockbit provides the entire infrastructure: encryption and decryption program, website, chat system for ransom negotiations, technical support, etc.
So a modern ransomware gang works in a similar way to an internet company that makes its cloud services available to other companies or individuals on a subscription basis. The Lockbit software is considered to be very user-friendly, hence its great popularity among criminals.
Should victims nevertheless consider paying a ransom, the NCSC strongly recommends discussing these steps with the cantonal police.
The website https://www.nomoreransom.org/ provides tips on identifying the malware and the ability to download known keys. Nomoreransom.org is a joint project of the Dutch police and Europol, in which the Swiss Confederation is also involved.
Source: Watson
I’m Ella Sammie, author specializing in the Technology sector. I have been writing for 24 Instant News since 2020, and am passionate about staying up to date with the latest developments in this ever-changing industry.