ACH Analysis of Lockbit Attacks in Turkey
Today, we're analyzing competing hypotheses about the spread of false news about Lockbit operations in Türkiye since 6 March 2024.
Recently, it was widely claimed on social media platforms that the LockBit Ransomware group has been intensively targeting Turkish companies, urging all firms to immediately investigate these new targeting claims. Given that the LockBit ransomware group has caused billion-dollar damages to companies and gained significant attention in the threat landscape, we'll examine why these claims have remained limited to Türkiye despite their global relevance.
Following Operation Cronos [RefLink1] (19.02.2024), conducted with support from law enforcement and private firms, it's claimed that the team has made a comeback, starting their initial targeting through Türkiye. A comparative look at these concepts will yield more accurate conclusions regarding the veracity of these claims.
Claim: Lockbit Started to Attack Against Türkiye
Date: 03.06.2024
Hypotheses 1: Following the Lockbit operation, numerous ransomware attacks were observed in Türkiye.
Evidence 1: Managed Detection and Response (MDR) services detected unauthorized access and intrusions. Malware was found to be present in the system, gaining persistence for ten days.
Evidence 2: Following the malware's incubation period, Lockbit ransomware was successfully executed on the system using Mimikatz and Impacket's atexec and secretsdump tools. This achievement demonstrates the Lockbit attacker's high level of expertise and proficiency in deploying advanced hacking techniques.
Conclusion: It can be seen that Command and Control IP addresses in the shared Indicator of Compromise (IoC) data are down, and many addresses are being used as RMSRat C2 servers. The shared hashes are part of the attack arsenals currently employed by Rhysida ransomware and Impacket's secretsdump, which has also been observed in attacks by Memento ransomware and Budworm APT. It's crucial to avoid directly attributing this attack to the LockBit ransomware group, despite various companies having done so. While all files were encrypted with LockBit at the final stage of the attack, it's important to note that the builders of LockBit 3.0 were leaked in September 2022 [RefLink2] and are now being used by multiple actors. Let's exercise caution and avoid jumping to conclusions! Additionally, no company has identified any Stealbit vectors used by the LockBit team to collect system information.
Hypotheses 2: Tonight (06.03.2024), Lockbit successfully targeted numerous Turkish companies by exploiting critical vulnerabilities in Citrix and ScreenConnect.
Evidence 1: Lockbit started to exploit companies' storage and backup servers with ConnectWise's ScreenConnect
vulnerabilities (CVE-2024-1709 and CVE-2024-1708) and Citrix Bleed (CVE-2023-4966) vulnerability.
Evidence 2: After exploiting the vulnerabilities successfully, the operators behind Lockbit waited two weeks before initiating the encryption process with Lockbit 3.0.
Conclusion: After the successful OpCronos operation by law enforcement, the LockBit affiliates ceased using their LockBit panels. LockBit ransomware is often used as the final stage of an attack by various ransomware affiliates and threat groups due to its ransomware as a Service (RaaS) nature. It is important to note that exploiting the ScreenConnect and Citrix Bleed vulnerabilities to gain connections is not exclusive to the LockBit ransomware team. The use of similar vulnerabilities by various ransomware teams, such as Black Basta and Bl00dy ransomware (which uses the LockBit 3.0 builder), suggests that attacks from these teams may also be sold or distributed by initial access brokers (IABs). Different threat actors can also exploit similar attacks and even carry out false flag operations using LockBit. Following OpCronos, no activity has been observed in the scanner services of any LockBit affiliate.
Looking For A False Flag Chaos
The fact that some IT companies in Türkiye had just realized that their systems had been accessed for more than two weeks and detected LockBit 3.0 ransomware as the final stage of the attack led them to believe that LockBit was back and targeting all companies in Türkiye. After OpCronos, no incidents by any LockBit ransomware affiliate in Türkiye have been recognized, just like the activity worldwide.
Analyst Note
In cybersecurity, a false flag operation is an attack or malicious activity intentionally designed to appear as if it was executed by a different entity than the actual perpetrator. This tactic misleads investigators, attributes blame to innocent parties, or creates confusion regarding the source of the cyberattack. False flag operations take advantage of trust and verification challenges in the digital realm, making it difficult to identify and respond to cybersecurity threats accurately.
Since the builder the Lockbit ransomware group used was leaked, other ransomware groups and individual actors have been using it for false flag operations. However, it is essential to note that conclusions based solely on TTP analysis are insufficient to verify the threat and can lead to disinformation and information pollution. Sharing articles without skipping the 'verification' stage, which is crucial for standardizing and ensuring the accuracy of threat data, indicates that threat actors have achieved their goal.
References:
RefLink1: https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation
RefLink2: https://twitter.com/3xp0rtblog/status/1572510793861836802
Author: Berk Albayrak