[MART] - Daily Diary #383 - Lockean, a Multi-RaaS Affiliate Group

CTAS-MAT ctas-mat at appgate.com
Thu Nov 4 20:53:03 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

11/04/2021 - Diary entry #383:


A new group operating in the ransomware-as-a-service (RaaS) business has recently emerged, compromising networks of at least eight French companies. Named Lockean, this group has been conducting its attacks by deploying ransomware from multiple gangs over the past year.


Lockean was first spotted in 2020, deploying the DoppelPaymer ransomware on the network of a French company in the manufacturing sector. Then, from June 2020 to March 2021, Lockean compromised more than seven companies using several well-known ransomware strains, such as Egregor, Maze, ProLock, and REvil (a.k.a. Sodinokibi), and there is further evidence showing a relationship with the Conti ransomware.


During the attacks, Lockean spread threats such as Qakbot and IcedID via spear-phishing, using different distribution services like the Emotet botnet. Those threats were used to gain initial access and deploy next-stage payloads used to move laterally (using Cobalt Strike and BITSAdmin), to exfiltrate data (using the Rclone tool), and finally to deploy the final payload containing a ransomware strain.


As we covered in some of our Daily Diaries, groups such as Egregor, REvil, Maze, and TrickBot (responsible for the Emotet botnet) had their operations shut down. However, their affiliates and remaining members are constantly rebranding. Services such as RaaS and MaaS allow groups like Lockean to hit as many organizations as possible, using well-established tools at their disposal.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
