Regional US Government agency under Lockbit Ransomware Attack  

Operators of the LockBit ransomware, after lurking in the network for at least five months, finally compromised a regional U.S. government agency.

According to Andrew Brandt, a principal security researcher at Sophos, two threat groups may have been involved in carrying out the attack and deploying the payload. The attack vector suggests the intrusion was started by novice attackers, and that a more mature group later took over the operation to steal data, encrypt files and deploy the ransomware.

He further explained that it was a messy attack, taking place four months after the initial breach. In the later stage the activity changed, in some cases drastically, suggesting that attackers with different skill sets collaborated in the operation.

Researchers from Sophos explained that in the initial attack, which occurred in September, the attackers exploited the Remote Desktop Protocol (RDP) port on a firewall that had been configured to provide public access to a server.

The researchers said, “Fortunately for the target, on at least a few machines, the attackers didn’t complete their mission, as we found files that had been renamed with a ransomware-related file suffix, but that had not been encrypted. Cleanup in those cases just involved renaming the files to restore their previous file suffixes.”

Organizations are advised to implement security measures such as multi-factor authentication, to set firewall rules that block remote access to RDP ports, and to stay well informed about the various tools that may have been installed on their networks for malicious purposes.

Finally, Brandt said, “If a member of the IT team hasn’t downloaded them for a specific purpose, the presence of such tools on machines on your network is a red flag for an ongoing or imminent attack. Unexpected or unusual network activity, such as a machine scanning the network, is another such indicator.”
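As an added example (not from the article or from Sophos), here are the two indicators named above, RDP reachable from outside the organization's own address space and a machine contacting many hosts in a short window, written as checks over constructed connection-log lines. The log format, the internal address ranges, the sample addresses and timestamps, and the thresholds are all assumptions made for this example.

```python
"""Added example, not code from the article or from Sophos.

Two simple detections over connection logs:
  1. inbound RDP (TCP/3389) from addresses outside the internal ranges
  2. a host reaching many distinct destinations within a short window
Log format ("timestamp src dst dport proto"), internal ranges and
thresholds are assumptions for this example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389

# Assumed internal address space (RFC 1918); adjust to the real environment.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log (not real data): an outside address reaching RDP on
# a server, an internal admin doing the same, then that server contacting
# ten neighbours on SMB within ten seconds.
SAMPLE_LOG = """\
2021-09-01T02:10:05 203.0.113.7 10.0.0.5 3389 tcp
2021-09-01T02:10:09 203.0.113.7 10.0.0.5 3389 tcp
2021-09-01T02:11:30 10.0.0.22 10.0.0.5 3389 tcp
2021-09-01T03:00:00 10.0.0.5 10.0.0.10 445 tcp
2021-09-01T03:00:01 10.0.0.5 10.0.0.11 445 tcp
2021-09-01T03:00:02 10.0.0.5 10.0.0.12 445 tcp
2021-09-01T03:00:03 10.0.0.5 10.0.0.13 445 tcp
2021-09-01T03:00:04 10.0.0.5 10.0.0.14 445 tcp
2021-09-01T03:00:05 10.0.0.5 10.0.0.15 445 tcp
2021-09-01T03:00:06 10.0.0.5 10.0.0.16 445 tcp
2021-09-01T03:00:07 10.0.0.5 10.0.0.17 445 tcp
2021-09-01T03:00:08 10.0.0.5 10.0.0.18 445 tcp
2021-09-01T03:00:09 10.0.0.5 10.0.0.19 445 tcp
"""


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
        })
    return events


def external_rdp_sources(events):
    """Sorted list of non-internal source addresses that reached TCP/3389.

    Any hit means RDP is reachable from outside, i.e. the firewall exposure
    the article describes."""
    return sorted({
        str(e["src"]) for e in events
        if e["dport"] == RDP_PORT and e["proto"] == "tcp"
        and not is_internal(e["src"])
    })


def scanning_hosts(events, window=timedelta(minutes=5), min_targets=8):
    """Map of source -> distinct (dst, port) count for hosts that reached at
    least min_targets distinct destinations inside any window-sized span.
    Thresholds are assumptions; tune them to the environment's baseline."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                targets.add((e["dst"], e["dport"]))
            if len(targets) >= min_targets:
                flagged[str(src)] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("external RDP sources:", external_rdp_sources(evs))
    print("possible scanners:", scanning_hosts(evs))
```

On the constructed log the first check reports the outside address that reached RDP, and the second flags the server that fanned out to ten SMB peers, while the two low-volume sources stay quiet. Run against real firewall or flow exports, the first list should be empty once RDP is blocked at the perimeter, and anything on the second list deserves a look at which tools are installed on that machine.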
