[MART] - Daily Diary #319 - LockBit Ransomware Recruiting Employees to Breach Networks

CTAS-MAT ctas-mat at appgate.com
Wed Aug 4 23:18:30 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

08/04/2021 - Diary entry #319

In our Daily Diary #315 we covered LockBit's new version, advertised on their new deep-web site. The new version implemented many additional features that made it an even more dangerous threat.

LockBit's new version also added a new strategy to acquire "affiliates". After encrypting a device, LockBit sets the wallpaper to a ransom note, claiming responsibility for the attack and pointing to the more detailed ransom note .txt file. The wallpaper now also contains a recruitment ad, promising millions of dollars to employees who provide access to their company's systems so that the group can launch a ransomware attack. According to the ad, the access can be a valid credential or even the execution of a threat attached to an e-mail.

This strategy may seem unusual at first, but it is somewhat common for companies to be breached by employees. In our Daily Diary #105 we covered how employees can be used as an infection vector, and how a Russian citizen living in the USA was arrested after offering $1 million to a Tesla employee to deploy ransomware in Tesla's internal network.

By adopting a Zero Trust methodology, a company can limit the damage an insider can cause. By assuming that any access can be compromised and must always be validated, it becomes easier to detect malicious activity and isolate the affected perimeters in case of a breach. Zero Trust also helps restrict each employee's access to only what they need, limiting the systems an insider can damage.

Kind Regards,

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
