[TheRecord] CERT-France: Lockean ransomware group behind attacks on French companies

French cybersecurity officials have identified today for the first time a ransomware “affiliate group” that is responsible for a long list of attacks against French companies over the past two years.

Identified as Lockean, the group’s activities and modus operandi were detailed today in a comprehensive report published by France’s Computer Emergency Response Team (CERT-FR), a division of ANSSI, the country’s national cybersecurity agency.

According to French officials, the group has been active since June 2020 and “has a propensity to target French entities,” having been linked to attacks on at least seven French companies, such as transportation logistics firm Gefco, pharmaceutical groups Fareva and Pierre Fabre, and local newspaper Ouest-France.

Lockean operators used different ransomware strains

CERT-FR officials said the group would typically rent access to corporate networks that had been previously infected via Emotet phishing emails, where they would deploy the QakBot malware and later the CobaltStrike post-exploitation framework.

Lockean operators would then use tools like AdFind, BITSAdmin, and BloodHound to move laterally inside a network in order to expand their access and control over a company’s systems.

The group would then use the RClone utility to copy sensitive files from the victim network and then deploy a file-encrypting ransomware strain.
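The tool chain described above (QakBot and CobaltStrike, then AdFind, BITSAdmin and BloodHound, then RClone) lends itself to a simple hunt in process-creation logs. The following is an added example and not code from CERT-FR or The Record; the key=value log format and the sample events are constructed, and the stage labels are assumptions made for the example.

```python
"""Hunt for the Lockean-style tool chain in process-creation logs (added example)."""
import re
from collections import defaultdict

# Tools named in the article, keyed by the intrusion stage they serve (assumed labels).
STAGES = {
    "emotet": "initial-access", "qakbot": "initial-access",
    "cobaltstrike": "post-exploitation", "adfind": "discovery",
    "bloodhound": "discovery", "bitsadmin": "lateral-movement",
    "rclone": "exfiltration",
}

# Constructed log format: one event per line, key=value fields, quoted command line.
LINE_RE = re.compile(r'ts=(\S+) host=(\S+) image=(\S+) cmd="([^"]*)"')

# Constructed sample events; ws01 shows the chain out of time order, ws02 is benign.
SAMPLE_LOGS = [
    'ts=2021-03-02T02:05:00 host=ws01 image=C:\\ProgramData\\rclone.exe cmd="rclone copy D:\\Finance remote:"',
    'ts=2021-03-01T09:12:00 host=ws01 image=C:\\Users\\a\\AppData\\Local\\Temp\\adfind.exe cmd="adfind.exe -f objectcategory=computer"',
    'ts=2021-03-01T09:40:00 host=ws01 image=C:\\Windows\\System32\\bitsadmin.exe cmd="bitsadmin /transfer job"',
    'ts=2021-03-01T10:00:00 host=ws02 image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe"',
]

def classify(image, cmd):
    """Return the stage for a process, or None if neither image nor command line names a known tool."""
    text = (image + " " + cmd).lower()
    for tool, stage in STAGES.items():
        if tool in text:
            return stage
    return None

def hunt(lines):
    """Return ({host: [(ts, stage), ...] in time order}, [hosts where exfiltration followed discovery])."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, host, image, cmd = m.groups()
        stage = classify(image, cmd)
        if stage:
            seen[host].append((ts, stage))
    flagged = []
    for host, events in seen.items():
        events.sort()  # ISO timestamps sort lexically
        stages = [s for _, s in events]
        if "discovery" in stages and "exfiltration" in stages[stages.index("discovery"):]:
            flagged.append(host)  # discovery tooling followed by an exfiltration tool
    return dict(seen), flagged

if __name__ == "__main__":
    per_host, hits = hunt(SAMPLE_LOGS)
    print(per_host, hits)
```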

Image: CERT-FR

According to CERT-FR officials, who investigated several of these intrusions, the Lockean group used different ransomware strains across the years, such as DoppelPaymer, Maze, Egregor, REvil (Sodinokibi), and ProLock.

Image: CERT-FR

Second ransomware affiliate group identified

Because Lockean used different ransomware strains, officials believe the group is what security researchers call a “ransomware affiliate,” a term that refers to criminal groups who sign up on Ransomware-as-a-Service (RaaS) platforms.

Through these platforms, affiliates gain access to ready-to-deploy ransomware strains, which they deploy on hacked networks, splitting successful ransom payments with the ransomware’s creators.

If victims refused to pay, data from these companies would be published on so-called “leak sites” operated by the RaaS platforms, where victims would often be listed in order to ramp up public pressure on the hacked companies.

Lockean is now the second ransomware affiliate group that has been publicly identified by law enforcement agencies after the FBI exposed the OnePercent group in August.

The post CERT-France: Lockean ransomware group behind attacks on French companies appeared first on The Record by Recorded Future.
