Sophos X-Ops discovered that multiple malicious players have been taking advantage of a leaked source code from LockBit 3.0 to launch ransomware attacks. The group uncovered a ransomware note from a group that dubbed themselves “BlackDogs 2023”.
After Sophos X-Ops investigated an unsuccessful cyber attack against a customer, they discovered that the malicious players tried exploiting an old, unsupported server. This will allow the attackers to deploy the ransomware after gaining access to the company’s Windows servers. Sophos blocked the attack while Sophos X-Ops intercepted a ransom note requesting around USD 30,000 to recover data.
Second incident
Sean Gallagher, principal threat researcher, at Sophos, said that this is the second, recent incident of threat actors attempting to use the leaked LockBit source code to create new variants of ransomware.
“The first instance involved attackers taking advantage of a vulnerability in Progress Software’s WS_FTP Server software. Now, copycats are looking to take advantage of outdated and unsupported Adobe ColdFusion servers. It’s entirely possible that other copycats will emerge, which is why it’s essential for organisations to prioritize patching and upgrading from unsupported software whenever possible. However, it’s important to note that patching only closes the hole. With things like unprotected ColdFusion servers and WS_FTP, companies need to also check to make sure none of their servers are already compromised, otherwise, they’re still at risk of these attacks,” Gallagher added.