lockbit (14)

12428093060?profile=RESIZE_400xDespite the LockBit Ransomware-as-a-Service (RaaS) gang claiming to be back after a high-profile takedown in mid-February 2024, an analysis reveals significant, ongoing disruption to the group's activities, along with ripple effects throughout the cybercrime underground, with implications for business risk.  LockBit was responsible for 25% to 33% of all ransomware attacks in 2023, according to investigators, easily making it the biggest financial threat actor group of the last year. Since it eme

12386303859?profile=RESIZE_400xAn international law enforcement operation has led to the seizure of multiple darknet domains operated by LockBit, one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns.  While the full extent of the effort, codenamed Operation Cronos, is presently unknown, visiting the group's ‘.onion’ website displays a seizure banner containing the message "The site is now under the control of law enforcement." Authorities from 11 countries, Australia, Canada, Finl

12345056663?profile=RESIZE_180x180The banking malware known as Carbanak has been observed to be used in ransomware attacks with updated tactics.  The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness.  Carbanak returned in November 2023 through new distribution chains and has been distributed through compromised websites to impersonate various business-related software.

See:  https://redskyalliance.org/Finance/never-take-malware-from-strangers

Some impersonated tools include popular

11750899660?profile=RESIZE_400xNote: this Recorded Future Ransomware Tracker is updated on the second Sunday of each month to stay current.  The number of victims posted on ransomware extortion sites increased in May, with ransomware gangs publicly claiming more than 400 attacks in a month for the second time this year. 

The uptick was fueled in large part by the Russia-linked LockBit ransomware group, which posted 74 victims to its extortion site in May.  The group has become far and away the most active ransomware gang, wit

11518839891?profile=RESIZE_400xMany people have wondered what the YKK labeled zipper on their jeans and jackets really meant.  Well, hackers sure knew what YKK stood for: lots of ransom money. Japanese zipper giant YKK confirmed that its US operations were targeted by hackers in recent weeks but said it was able to contain the threat before damage was caused.

The Tokyo-based corporation would not say if it was hit with ransomware, but a spokesperson reported that once YKK discovered that its US-based networks were targeted, t

11035554682?profile=RESIZE_400xA new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to nefarious use by the now-defunct Conti ransomware gang members, indicating collaboration between the two crews.  The malware, named Domino, is primarily designed to facilitate follow-on exploitation of compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021.

Former TrickBot/Conti syndicate me

10957305483?profile=RESIZE_400xA ransomware attack that hit ION Trading UK could take days to fix, leaving scores of brokers unable to process derivatives trades.  ION Group, the financial data firm's parent company, said in a statement on its website that the attack began last week.  "The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing," ION Group said.  Ransomware is a form of malicious software deployed by criminal gangs which works by encry

10926186286?profile=RESIZE_400xActivity Summary - Week Ending on 6 January 2023:

  • Red Sky Alliance identified 32,773 connections from new IP’s checking in with our Sinkholes
  • Amazon in Singapore hit 32x
  • Analysts identified 492 new IP addresses participating in various Botnets
  • Red Sky Dark Web Collection for 2022
  • LockBit seen twice in Top 5 Malware
  • Indian Job Seeker data stolen (IR-23-005-001)
  • The Meta Eire Fine
  • Five Guys Burgers


Red Sky Alliance Compromised (C2) IP’s 





10911305654?profile=RESIZE_400xActivity Summary - Week Ending on 16 December 2022:

  • Red Sky Alliance identified 31,927 connections from new IP’s checking in with our Sinkholes
  • Frantech[.]ca In Las Vegas hit 14x
  • Analysts identified 730 new IP addresses participating in various Botnets
  • Cuba Ransomware
  • ZeroBot
  • Heliconia Exploit
  • Sam’s Busted
  • Metropolitan Opera
  • CA Finance LockBit
  • India Fighting on many Fronts
  • e-Car Buyers

Link to full report: IR-22-350-001_weekly350.pdf

10792926686?profile=RESIZE_400xActivity Summary - Week Ending on 26 August 2022:

  • Red Sky Alliance identified 30,967 connections from new IP’s checking in with our Sinkholes
  • Microsoft hit
  • Analysts identified 2,019 new IP addresses participating in various Botnets
  • DarkyLock, Gwisin, vvyu, Kriptor
  • Cuba Ransomware
  • DiDi Chinese Ride Share
  • India hit Hard
  • Psychology and Cyber Security
  • LockBit in France
  • Center Hospital Sud Francilien & La Poste Mobile Hit

Link to full report: IR-22-238-001_weekly238.pdf

10160746052?profile=RESIZE_400xA member of the Conti ransomware group, believed to be Ukrainian of origin, has leaked the gang’s internal chats after the group’s leaders posted an aggressive pro-Russian message on their official site, on February 25th, in the aftermath of Russia’s invasion of Ukraine.  The message appears to have rubbed Conti’s Ukrainian members the wrong way, and one of them has hacked the gang’s internal Jabber/XMPP server. Internal logs were leaked earlier today via an email sent to multiple journalists an

9422771294?profile=RESIZE_400xWhat happens when your expert consultant team that has been advising your organization about what you need to do to protect your firm from cyber threats becomes “front page news?” The consultancy Accenture, which offers cybersecurity services, confirmed Wednesday it had been hit by a cyber incident. The ransomware gang LockBit took credit for the attack.  Dublin, Ireland-based Accenture declined to give details on when the incident occurred, its duration or the attack type.

See for more informat

8196171482?profile=RESIZE_400xRemember the Dark Side comics?  Well, the DarkSide criminal hacking group is no laughing matter.  The DarkSide Ransomware gang claims they are creating a distributed storage system in Iran to store and leak data stolen from victims.  DarkSide is operated as a Ransomware-as-a-Service (RaaS) where developers control programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their devices.

DarkSide is the latest ransomware criminal gang to anno

5887188088?profile=RESIZE_400xLike any profitable business model, ransomware gangs continue to innovate and increase their business.  Recently, reports have emerged of a collaboration between the Maze and Lockbit gangs, as well as the REvil, aka Sodinokibi, operators not leaking stolen data for free when victims do not pay, but instead auctioning it off to the highest bidder.

Here are some of the latest ransomware trends noted by cyber analysts: IR-20-164-002_Ransomware Trends.pdf