LOCKBIT claimed to have compromised IL&FS in February 2023 and began a triple-extortion leak wave, threatening data deletion if demands weren’t met. The report covers the LOCKBIT Green variant, leaked data samples, and practical cybersecurity recommendations.
Read more: https://blog.cyble.com/2023/03/01/ransomware-attack-on-ilfs/
Key points
- LOCKBIT claimed to have compromised Infrastructure Leasing & Financial Services Limited (IL&FS) on February 28, 2023.
- The group posted 12 screenshots of leaked data, including contracts, personal data, passports, and financial documents.
- The leak site indicated a March 10, 2023 deadline and threatened data deletion as part of triple-extortion.
- CRIL analyzed 12 leaked samples and identified sensitive documents such as MoUs, passport images, and tax/audit records.
- Beyond IL&FS, LOCKBIT claimed to hit other Indian conglomerates (SRF Limited, Mangala Marine Exim India) in February 2023.
MITRE Techniques
- [T1041] Exfiltration – The group posted 12 screenshots of the leaked data, and the ticker on the leak site states the deadline of March 10, 2023. After that, the LOCKBIT group threatened to delete IL&FS data from their compromised servers and subsequently leak it as part of their triple-extortion technique to extort their victims.
- [T1486] Data Encrypted for Impact – The LOCKBIT ransomware operation has recently progressed to a new version, referred to as “LOCKBIT Green”, the fourth iteration of their ransomware. It uses an encryptor that has been derived from the leaked source code of the Conti ransomware.
- [T1485] Data Destruction – After the deadline, the LOCKBIT group threatened to delete IL&FS data from their compromised servers and subsequently leak it as part of their triple-extortion technique to extort their victims.
Indicators of Compromise
- [MD5] LOCKBIT Green Binary – 730f72a73ff216d15473d2789818f00c, aacef4e2151c264dc30963823bd3bb17, and 2 more hashes
- [SHA-1] LOCKBIT Green Binary – ca94159bdb17051a6cce8a5deeee89942c9154b9, 9492c378a14e9606157145d49e35a9841383121d, and 2 more hashes
- [SHA-256] LOCKBIT Green Binary – 27b8ee04d9d59da8e07203c0ab1fc671215fb14edb35cb2e3122c1c0df83bff8, 45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315, and 2 more hashes