Lockbit 2.0 and Conti have taken the ransomware space by storm, claiming responsibility for 59% of the total attacks reported in March 2022.
We’ve taken a closer look at how these two powerful threat groups have made a name for themselves through their latest ransomware campaigns, targeting critical refugee organisations, to Costa Rican government bodies.
What, and who, will be next?
Conti are a Ransomware-as-a-service (RaaS) operation believed to be of Russian origin and have been observed since 2020 for their notorious cyber-attacks paired with leaked documents, firing up unruly ransom payments to organisations worldwide.
As of late, Conti have fallen victim to a data leak, including chat logs back in late February and Conti ransomware source code on March 1st. This likely occurred as a direct result of the Conti group announcing its support for Russia, threatening to attack the critical infrastructure of “enemies.”
The data leak has likely had a huge impact on Conti’s ransomware activity moving forward – it wouldn’t be surprising if the reason their victim count is increasing is at least partially some form of retaliation, if the leaks were of Ukrainian origin, or even a power move to prove the extent of their capabilities and capacity to recover after a hit to their infrastructure.
However, with recent news of Conti’s infrastructure taken offline, it seems this prolific ransomware gang may have shut down. The brand is no more, but there’s nothing stopping the cyber criminals involved continuing, just without the Conti name.
On 8th May, Costa Rican President Rodrigo Chaves declared a national emergency after the disruption of Conti’s ransomware attack, which caused a leak of 97% of the 672GB of data allegedly stolen from Costa Rican government agencies.
“The attack that Costa Rica is suffering from cybercriminals is declared a national emergency,” said the President, “and we are signing this decree, precisely, to declare a state of national emergency in the entire public sector of the Costa Rican State and allow our society to respond to these attacks as criminal acts.”
Conti originally demanded a $10 million ransom from the Ministry which was declined, but they have now raised the demand to $20 million, threatening to “overthrow” the government. Whilst the Ministry of Finance suffered irrefutable damage, there is no evidence yet concerning how this affects taxpayers’ information and payment. Will the government pay up this time to prevent further harm?
In light of this ransomware attack, as well as the hit on Wind Turbine firm Nordex (amongst others), the US have now issued a $10 million reward for anyone who can share valuable information about the Conti members – an understandably huge price tag for a detrimental threat group that the government has pressure to shut down.
LockBit have been in operation since September 2019, actively targeting large organisations for ransoms worth millions of dollars/pounds. However, with the development of a new version of their Ransomware-as-a-Service platform, called Lockbit 2.0, they are continuing to cause havoc at a greater capacity, supposedly hitting the 40,000 mark for ransomware incidents occurring since July 2021.
Recently, LockBit 2.0 has been involved in a fair few major ransomware campaigns – one of these was targeting the Canadian company Top Aces that are the exclusive adversary air provider to the Canadian and German armed forces. Displayed on the leak site for all to see, Top Aces were given a deadline of May 15th before LockBit would leak 44GB of data it allegedly stole.
Security analysts have noted that attacks on companies in the defence sector are concerning because “there is no way of knowing where stolen data may end up… even if the individuals behind the attack are simply for-profit cybercriminals, they may sell the data or make it otherwise available to third parties which could potentially include hostile governments.”
Not only have LockBit 2.0 rendered critical organisations into vulnerable positions, but they’ve taken advantage of the current Russia conflict with Ukraine to post threatening notes on the dark web. Believed to be sided with Russia, LockBit has reportedly taken files from the Bulgarian government agency responsible for refugee management, in particular for hosting thousands of fleeing Ukrainians.
Their trademark bright red countdown clock goes unnoticed in this devastating attack, in the same way it holds feat in the cyberattack against one of the largest manufacturers of tires in the world – Bridgestone Americas.
Conti and LockBit are playing the ransomware game. LockBit’s attacks aren’t slowing anytime soon, and the shut down of Conti will only lead cyber criminals to execute cyber campaigns individually or elsewhere.
Security researchers have noted that “ransomware attacks are continuing to spike as the year progresses, showing just how critical it is for organisations to have the appropriate security measures in place to protect themselves… Those working within industrials should be especially vigilant, given how trends show this sector continues to be the most frequently targeted.”
Learn more about the 4 huge yet overlooked costs to ransomware in our recent blog post.
To share your experiences with ransomware, as either a victim or onlooker, join our LinkedIn group. Hear from others, share your opinion, and promote an open environment where organisations can help one another, as part of our #RansomAware campaign.
Call us directly and we’ll put you in touch with the most relevant cyber expert.
Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.
Thought-provoking cyber security discussion at Michelin-star restaurants across the UK.
