Key points
- Spike in activity exploiting ScreenConnect vulnerabilities associated with LockBit-related actors.
- The leaked LockBit 3.0 (Black) builder has enabled impersonators and opportunistic groups to quickly deploy ransomware.
- High-profile incidents include a December 24, 2023 attack on KHO (initially attributed to LockBit) and an AN-Security compromise with ~5TB exfiltrated.
- New ransomware families (Wing, DragonForce, Werewolves) were observed using or modifying LockBit Black code; a DragonForce sample (SHA256 listed under Indicators of Compromise) was first seen in Sept 2023.
- LockBit partially restored infrastructure after Operation Cronos, tightened affiliate access (BTC deposits or earnings requirements) and decentralized the affiliate panel across multiple servers.
- Impersonation and reuse of leaked source code complicate attribution and increase proliferation of RaaS variants.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting exposed ScreenConnect vulnerabilities (‘vulnerabilities in ScreenConnect’).
- [T1036.005] Masquerading: Match Legitimate Name or Location – Threat actors impersonated LockBit or mimicked its leak sites to mislead victims and investigators (‘impersonate LockBit ransomware’).
- [T1486] Data Encrypted for Impact – Ransomware binaries derived from LockBit Black were used to encrypt victim networks and demand ransom (‘encrypt organizations’ networks and demand ransom’).
- [T1041] Exfiltration Over C2 Channel – Stolen data was moved out of victim environments prior to extortion (example: ‘exfiltrated around 5TB of data’).
- [T1566.001] Phishing: Spearphishing Attachment – Phishing is documented as a plausible initial vector for delivering malicious files (‘The use of phishing emails to distribute malware could be an initial tactic’).
- [T1204.002] User Execution: Malicious File – Victims may be tricked into running ransomware binaries delivered via attachments or other deceptive methods (‘This occurs when users are tricked into running ransomware files’).
- [T1027] Obfuscated Files or Information – Actors modify or reuse leaked binaries and may obfuscate payloads to evade detection (‘Encrypting payloads or using obfuscated files to avoid detection’).
Indicators of Compromise
- [File Hash] DragonForce sample – 527f71e2ac55ee18f4376f213a242a20aa63f7ab501a23888b7d41ea8661802b (sample identified as built from LockBit 3.0, first seen Sept 2023).
- [Domain] Imposter leak site – lockbitblog[.]info (screenshot-captured imposter name-and-shame site mimicking LockBit’s blog).
- [Organization] Targeted victims – Katholische Hospitalvereinigung Ostwestfalen (KHO) (German hospitals, Dec 24, 2023), AN-Security (Russian security firm, ~5TB exfiltrated and 100 BTC demand).
- [Ransom-note artifact] Binary-encoded identifier in ransom note – “01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101” (decodes to “DragonForce” in the DragonForce ransom note).
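As an added example (not code from the report), a small detector that scans ransom-note text for runs of space-separated 8-bit binary groups like the one quoted above, decodes them, and matches the result against a list of known family names; the KNOWN_FAMILIES list and SAMPLE_NOTE are constructed for this illustration.

```python
import re

# Constructed list of family names to match against decoded strings;
# DragonForce is the one whose binary-encoded identifier the report documents.
KNOWN_FAMILIES = ("DragonForce", "LockBit", "Wing", "Werewolves")

# A run of two or more space-separated 8-bit binary groups, not preceded by another bit.
BINARY_RUN = re.compile(r"(?<![01])(?:[01]{8}(?:\s+|$)){2,}")


def decode_binary_run(run: str) -> str:
    """Decode a run of 8-bit binary groups to text; non-printable bytes become '?'."""
    chars = []
    for group in run.split():
        value = int(group, 2)
        chars.append(chr(value) if 32 <= value < 127 else "?")
    return "".join(chars)


def find_encoded_identifiers(note_text: str) -> list[dict]:
    """Return every binary-encoded run in the note with its decoding and any family match."""
    findings = []
    for m in BINARY_RUN.finditer(note_text):
        decoded = decode_binary_run(m.group(0))
        matched = [f for f in KNOWN_FAMILIES if f.lower() in decoded.lower()]
        findings.append({"raw": m.group(0).strip(), "decoded": decoded, "families": matched})
    return findings


# Constructed sample note containing the identifier quoted in the report.
SAMPLE_NOTE = (
    "Your files have been encrypted.\n"
    "01000100 01110010 01100001 01100111 01101111 01101110 "
    "01000110 01101111 01110010 01100011 01100101\n"
    "Contact us to recover your data.\n"
)

if __name__ == "__main__":
    for finding in find_encoded_identifiers(SAMPLE_NOTE):
        print(finding)
```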
Technical summary: Multiple actors have exploited ScreenConnect vulnerabilities to gain initial access and then deployed ransomware derived from the leaked LockBit 3.0 (Black) builder. Adversaries have either used the builder unchanged (altering only the ransom note and contact details) or modified its source to create new strains; examples include the DragonForce sample (SHA256 above) and the Wing demo analyzed on underground forums, which was identified as LockBit-based.
Observed procedures: After foothold via exposed services or delivered malicious files, actors archived and exfiltrated data (AN-Security ≈5TB), prepared ransom notes (including embedded identifiers), and executed LockBit-derived encryption routines to render data unusable. Impersonation played a dual role: some actors mimicked LockBit leak sites or branding to pressure victims, while others reused the leaked codebase to stand up separate RaaS operations (Werewolves, DragonForce, Wing).
Operational changes: Following the law-enforcement disruption (Operation Cronos), LockBit partially restored infrastructure and implemented access controls: restricting affiliate panel access, requiring BTC deposits or earning thresholds, and decentralizing affiliate panel components across multiple servers to reduce single-point compromise. These changes affect affiliate onboarding, trust models, and the tactical distribution of encryptors and decryptors.