Even Cybercriminals Have To Patch Their Code

--

It has now been revealed that the lack of patching on the Lockbit 3.0 Website could have led to the site being compromised by law enforcement agents.

The Lockbit business model has been to set up an affiliate network for ransomware, where files exfiltrated from organisations are placed on a Web site behind an encryption lock. If the organisation pays the ransom, the encryption key is deleted, and no data is leaked. If not, the files are exposed to the world. The top targets were health care, education and government services (as they tend to have weaker levels of security). There are several ways that this can be achieved, including compromising an IIS server, then running a PowerShell script, and installing a backdoor:

Ref [here]

The data is then advertised to be exposed within a given time range:

But, last week the Lockbit ransomware service went off-line, due to a compromise from the NCA:

And where the Website contained the message of:

But, now, it has been revealed by the admin of the site what actually happened with the compromise:

We can see that the site is written in PHP, and that the version of PHP running on the site was 8.1.2, which had a known vulnerability. The message says that the NCA possibly managed to gain access through a CVE [here]:

The letter goes on to pinpoint that the hack was due to the possible leak of documents from fultoncountyga.com:

It goes on to describe that the FBI obtained the Bitlocker's data and locker stubs, but that the FBI obtained only 1,000 decryptors, whereas there are nearly 20,000 decryptors on the server which were not accessed by the FBI. The letter then becomes quite personal:

and makes a note that “FBI” means a whole range of agencies:

For this, the only honourable mention is to the person who exploited the CVE, and who is possibly from Prodaft:

It is likely that this is just a glitch in ransomware operations, and that they will continue to disrupt our digital world.

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.