In recent years, the landscape of cybercrime has drastically changed, evolving from random attacks to highly organized, human-operated campaigns. Unlike traditional ransomware attacks, which were often opportunistic, human-operated ransomware is carefully orchestrated by groups that target specific organizations, often with a high level of planning and precision.
1. Human-Operated Ransomware: A New Level of Targeted Attack
In the early days of ransomware, attackers often used “scattershot” approaches like phishing emails, aiming to infect as many victims as possible. However, some ransomware groups now conduct targeted attacks, sometimes called “human-operated ransomware.” Instead of random infections, attackers thoroughly research and choose victims, gaining access to networks and strategically deploying ransomware when it’s likely to cause the most damage.
Key Steps in a Human-Operated Ransomware Attack:
Initial Compromise: Attackers typically gain entry through straightforward means: phishing emails with malicious attachments, weak or reused credentials, or exploiting systems with internet-facing vulnerabilities (like exposed RDP).
Establishing Persistence: Once inside, attackers often use tools like Cobalt Strike (a penetration testing tool frequently used by attackers) to maintain access, or they may install “web shells” (programs that allow remote access) to give them backdoor entry whenever they need it.
Privilege Escalation: Attackers then work to gain more control over the network. They may look for saved passwords or use tools like Mimikatz to steal login credentials. Tools like BloodHound and PingCastle are often used to map out Active Directory environments and find paths to escalate privileges within them.
Reconnaissance and Data Collection: Before encrypting data, attackers often steal sensitive information. This tactic, called “double extortion,” lets attackers threaten to release the stolen data if the ransom is not paid. Cobalt Strike scripts, nslookup, and other network tools are used to locate and gather valuable data.
Lateral Movement: Attackers spread across the network to infect more devices using tools like Cobalt Strike, Metasploit, and sometimes even old exploits like EternalBlue (which was part of the WannaCry attack). They may also tunnel RDP connections using ngrok or other services.
Execution of Objectives: After gaining full control over the domain, attackers reach their final objectives:
Data Exfiltration: Using FTP, WinSCP, or cloud file hosting services, they steal sensitive data.
Ransomware Deployment: Ransomware is deployed across the network via tools like WMIC and PsExec, and sometimes manually. This strategic deployment often occurs at a time that maximizes impact, such as during off-hours or holidays.
---------------------------------------------------------------------------------------------------------
I have created a complete series on Ransomware, from Evolution to Impact. It may be that you know more than me, but who knows, you might learn something new. Kindly do check under the course tab.
--------------------------------------------------------------------------------------------------------
2. LockBit 2.0: Ransomware-as-a-Service with a Double-Extortion Twist
LockBit, first seen in 2019, resurfaced in 2021 as LockBit 2.0, introducing new strategies and enhancements to ransomware deployment. LockBit 2.0 operates as a Ransomware-as-a-Service (RaaS) model, where the developers offer the ransomware to affiliates, who carry out the actual attacks. When a ransom is paid, both the developer and the affiliate profit, making ransomware more accessible to less technically skilled criminals.
Key Tactics of LockBit 2.0:
Double Extortion: Similar to Maze, LockBit 2.0 leverages double extortion, where attackers first encrypt a victim’s files and then threaten to leak the stolen data if the ransom isn’t paid.
Affiliate Program: LockBit 2.0 actively recruits insiders within target companies to provide login credentials, like RDP access. This insider help streamlines initial entry into networks and often bypasses basic security controls.
Network-Wide Distribution via GPOs: Once the attackers gain access to the domain controller, they use Group Policy Objects (GPOs) to distribute the ransomware across the entire network. This allows them to disable security tools and push LockBit 2.0 ransomware to every connected device efficiently.
StealBit for Data Exfiltration: LockBit 2.0 includes a built-in tool called StealBit, designed to locate and exfiltrate sensitive corporate data. This feature automates data theft, ensuring maximum leverage over the victim.
Rapid Encryption Techniques: LockBit 2.0 uses advanced encryption tactics like multithreading and partial file encryption. These methods allow it to encrypt large amounts of data very quickly, making recovery more difficult for victims.
----------------------------------------------------------------------------------------------------------
Kindly note: the LockBit ransomware group has been significantly impacted by recent law enforcement actions under "Operation Cronos," involving international agencies like Europol, the FBI, and the UK's National Crime Agency (NCA). As of February 2024, several key LockBit infrastructure components have been taken down, including their Tor sites, and a series of high-profile arrests have occurred. These operations have disrupted LockBit's network, leading to a major loss of affiliates and a tarnished reputation, as the group has been forced to duplicate victim claims to maintain credibility.
Authorities have arrested multiple LockBit affiliates, including those behind large-scale ransomware attacks. Charges were filed against prominent figures associated with LockBit and affiliated groups like Evil Corp, and several LockBit members have faced sanctions in the U.S., UK, and Australia. Notably, Dimitry Yuryevich Khoroshev, allegedly the main operator of LockBit, was identified, and a reward was offered for information leading to his capture.
Despite these efforts, LockBit has continued some operations, though their activity level and visibility have diminished, with some attacks attributed to the group potentially being exaggerated to mask the true impact of the takedown.
----------------------------------------------------------------------------------------------------------
3. Crypto Mining Malware: Silent Profiteers
Unlike ransomware, which is loud and disruptive, crypto mining malware works quietly in the background. This type of malware hijacks system resources to mine cryptocurrency, potentially running for extended periods without detection. While crypto mining may seem less harmful, it can still cause major issues, draining resources, slowing down systems, and increasing power costs.
Types of Crypto Mining Malware:
Browser-Based Crypto Mining:
Typically, this type is implemented through JavaScript on a website, mining cryptocurrency while the user is on the site.
Many sites using browser-based miners are streaming sites or content portals where users stay for extended periods, maximizing the mining time.
Host-Based Crypto Mining:
This type of malware behaves more like traditional malware, arriving through phishing emails or malicious downloads.
Once installed, it often uses PowerShell scripts or other methods to persist on the system, ensuring it can continue mining even after the system restarts.
Though crypto mining may not seem as destructive as ransomware, some crypto mining malware includes additional features like worm-like spreading capabilities, password stealing, and other data theft functions. This added functionality can allow attackers to sell compromised data or escalate attacks later, making crypto mining malware a threat that goes beyond resource theft.
----------------------------------------------------------------------------------------------------------
Key Takeaways: Staying Ahead of Modern Cyber Threats
The rapid evolution of cybercrime demonstrates that organizations must adapt their security measures to meet these advanced threats. Here’s a summary of key strategies for defense:
Enhance Network Security: Segment your network to limit attackers’ lateral movement. Protect internet-facing systems with strong credentials and multi-factor authentication.
Monitor and Detect Early: Deploy endpoint detection and response (EDR) solutions to spot unusual activities like lateral movement, credential dumping, or unknown tools.
Educate Employees: Phishing is still a major entry point for attackers. Regular training can help employees recognize and avoid phishing attempts.
Limit Privilege Escalation Opportunities: Use tools like Bloodhound to identify and mitigate vulnerabilities in privilege management, and limit the number of users with administrative access.
Patch Regularly: Many ransomware attacks exploit known vulnerabilities. Keeping systems updated is one of the simplest and most effective defenses.
Back Up Data: Regular, secure backups are essential. They allow you to recover quickly without paying ransoms in case of a successful ransomware attack.
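As an added example (not part of the original post), here is a small detection pass that ties the "Monitor and Detect Early" advice back to the tradecraft in the Key Steps section: PsExec's service install (System event 7045), remote WMIC process creation used for ransomware rollout (Security event 4688), and Mimikatz-style access to lsass.exe (Sysmon event 10). Event records, field names and host names are simplified and constructed for the example; the access-mask list and the fan-out threshold are assumptions to tune for your own telemetry.

```python
import re
from collections import defaultdict
# Access masks commonly requested on lsass.exe by credential-dumping tools (Sysmon GrantedAccess).
LSASS_DUMP_MASKS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}

def detect_psexec_service(ev):
    # PsExec installs its helper service on the target; the System log records it as event 7045.
    if ev["id"] == 7045 and ev.get("ServiceName", "").upper().startswith("PSEXESVC"):
        return "psexec_service_install"
    return None

def detect_remote_wmic(ev):
    # WMIC pointed at another host (/node:) to start a process: the rollout pattern from the post.
    cmd = ev.get("CommandLine", "").lower()
    if ev["id"] == 4688 and "wmic" in cmd and "/node:" in cmd and "process call create" in cmd:
        return "remote_wmic_process_create"
    return None

def detect_lsass_access(ev):
    # Sysmon event 10: a process opening lsass.exe with a dump-style access mask.
    if ev["id"] == 10 and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        if ev.get("GrantedAccess", "").lower() in LSASS_DUMP_MASKS:
            return "lsass_credential_access"
    return None

DETECTORS = (detect_psexec_service, detect_remote_wmic, detect_lsass_access)

def run_detections(events, fanout_threshold=3):
    # Returns (host, detection) pairs; a source host driving remote WMIC execution on
    # >= fanout_threshold distinct targets is additionally flagged as mass deployment.
    hits, targets_by_source = [], defaultdict(set)
    for ev in events:
        hits.extend((ev["host"], d(ev)) for d in DETECTORS if d(ev))
        if detect_remote_wmic(ev):
            node = re.search(r"/node:\"?([\w.-]+)", ev["CommandLine"], re.I)
            if node:
                targets_by_source[ev["host"]].add(node.group(1).lower())
    for src, targets in targets_by_source.items():
        if len(targets) >= fanout_threshold:
            hits.append((src, f"mass_deployment:{len(targets)}_targets"))
    return hits

# Constructed sample events (simplified Windows/Sysmon records, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "fs01", "id": 7045, "ServiceName": "PSEXESVC"},
    {"host": "ws07", "id": 10, "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "ws07", "id": 10, "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400"},
    {"host": "dc01", "id": 4624, "LogonType": "3"},
] + [{"host": "dc01", "id": 4688, "CommandLine": f'wmic /node:{t} process call create "c:\\tmp\\x.exe"'}
     for t in ("fs01", "ws02", "ws03")]
```

Running `run_detections(SAMPLE_EVENTS)` yields one hit per PsExec install and dump-style LSASS access, one per remote WMIC launch, and a single mass-deployment flag for dc01; the benign 0x1400 LSASS access and the plain network logon produce nothing.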
----------------------------------------------------------------------------------------------------------
Akash Patel