LockBit ransomware gang lurked in a U.S. gov network for months
2022-04-12 14:15

A regional U.S. government agency compromised with LockBit ransomware had the threat actor in its network for at least five months before the payload was deployed, security researchers found.

According to researchers at cybersecurity company Sophos, the actor accessed the network through open remote desktop ports on a misconfigured firewall and then used Chrome to download the tools needed in the attack.

In the second phase of the attack, initiated five months after the initial compromise, a more sophisticated actor appears to have taken over, leading Sophos to assume that a higher-level actor was now in charge of the operation.

"The nature of the activity recovered from logs and browser history files on the compromised server gave us the impression that the threat actors who first broke into the network weren't experts, but novices, and that they may later have transferred control of their remote access to one or more different, more sophisticated groups who, eventually, delivered the ransomware payload" - Sophos.

The attackers made their presence more evident by wiping logs and performing system reboots via remote commands, alerting the system admins who took 60 servers offline and segmented the network.

Sophos joined the response effort and shut down the servers that provided remote access to the adversaries, but part of the network had already been encrypted with LockBit.
News URL

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-lurked-in-a-us-gov-network-for-months/