LockBit derivative active against targets in Spain.
By Tim Nodar, CyberWire senior staff writer
Aug 29, 2023

LockBit continues to spawn variants in the wild.

LockBit derivative active against targets in Spain.

The National Police of Spain have warned of a LockBit Locker ransomware campaign that’s targeting Spanish architecture companies, BleepingComputer reports. The attackers are sending phishing emails posing as a photography company that’s seeking a cost estimate for a facility renovation. After a brief email conversation with the architecture firm, the threat actors schedule a meeting to discuss the project, and send over an archive with documents outlining the proposed renovations. This archive contains a file that will install the ransomware.

Dror Liwer, co-founder of cybersecurity company Coro, wrote about the burgeoning LockBit infestations to draw a lesson for defenders. “This is exactly why signature-based protection simply can’t be effective in today’s quickly evolving threat landscape. What’s worse is that it creates a false sense of security that results in longer dwell time and bigger damages.”

Criminals need opsec, too (and suffer from lapses therein).

Kaspersky last week published an analysis of the leaked LockBit builder that’s been used to create numerous spinoffs of the LockBit ransomware. Colin Little, Security Engineer with threat intelligence provider Centripetal, observed that the leak can be viewed as an opsec breach in gangland. “The established actors in the threat landscape know full well the need for Operational Security (OpSec), and what we're seeing represents the fallout from an OpSec breach. Suddenly not only is the barrier to entry for the LockBit group removed, but a good deal of their weaponized techniques, tactics and procedures (TTPs) have been exposed,” Little wrote, and suggested that the authorities should be able to turn the leak to good use. “Law enforcement now has a lot of comparative data which will be used to close in around the LockBit group. This will also help cyber defenders prevent infiltration around the LockBit and affiliate TTPs.”

Little added some thoughts for defenders: “Ultimately, this latest threat serves as a stark reminder that cybersecurity is an ongoing and evolving battle. Relying solely on reactive measures is insufficient in the face of dynamic and innovative cyber threats. Instead, organizations must leverage proactive intelligence-powered strategies to not only defend against current threats but also to anticipate and mitigate those on the horizon.”

Roger Grimes, data-driven defense evangelist at KnowBe4, pointed out that criminals tend to be lazy and opportunistic, and that it's no surprise to see them take advantage of underworld leaks. “It's very common for other hackers to take advantage of ransomware and other malware programs once the toolkit or source has leaked. Most hackers are lazy and they will take the quickest, shortest route to ill-gotten gains, even if it means, as it did in this instance, sub-optimal gains. By hard-fixing the price, the ransomware gang doesn't have the opportunity to increase the ransom amount if they come across a bigger victim.” So in the criminal cost-benefit calculus, avoiding costs trumps maximizing benefits.