💰💣

Secureworks Security Incident

February 19, 2024 581 days ago Resolved

Incident Overview

Situation Description

The GOLD MYSTIC threat group operated the LockBit ransomware-as-a-service scheme, leading to disruptive action by international law enforcement against its infrastructure.

Event Types

Ransomware Malware / Destructive Attack

Industry Sector

Other

Geographic Scope

Global

Response Actions

Isolated Compromised Systems Took Systems or Services Offline Shared Threat Intelligence Managed Public Narrative & Crisis Communications

Impact Analysis

Event Types (2 identified)

Ransomware Malware / Destructive Attack

Financial Impact

$0 USD

Records Affected

Data Types Compromised

PII (Personally Identifiable Information) Financial Data (Credit Cards, Bank Accounts) Intellectual Property Credentials Government Data Source Code Operational / System Data

Primary Impacts

Operational Disruption Financial Loss Reputational Damage Data Exposure

Key Decisions Made

Law enforcement took disruptive action against the infrastructure used by the LockBit RaaS operation.; Law enforcement placed a seizure notice on the leak site and its mirrors.; Law enforcement replaced the seizure notice with tiles explaining the activity.

Technical Analysis

Attack Method

Unknown

Threat Actor Attribution

GOLD MYSTIC LockBit

Vulnerability / Tool

Advanced Port Scanner Impacket LaZagne FileZilla

Additional Information

Skip to Main Content Skip to Footer Sophos completes Secureworks acquisition Threat Analysis Unpicking LockBit 22 Cases of Affiliate Tradecraft Since beginning ransomware operations in 2019, the GOLD MYSTIC threat group has grown LockBit into the most prolific ransomware-as-a service (RaaS) scheme. Counter Threat Unit Research Team February 20, 2024 Summary The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims. At approximately 4:00 pm EST on February 19, 2024, the UK's National Crime Agency ( NCA ) and U.S. Federal Bureau of Investigation ( FBI ), in conjunction with international law enforcement partners, took disruptive action against the infrastructure used by the LockBit RaaS operation. Secureworks incident responders investigated 22 compromises featuring LockBit ransomware from July 2020 through January 2024. These investigations revealed the tactics, techniques, and procedures (TTPs) that LockBit affiliates have used in their intrusions. The complexity of operations varies from manual encryption of individual hosts to automated ransomware deployments from domain controllers. In some incidents, ransomware is not deployed at all. Instead, affiliates rely on data theft alone to extort victims. LockBit's evolution includes targeting VMware ESXi hosts to encrypt virtual machines, which can have a devastating impact on organizations that rely heavily on virtualized infrastructure. As the LockBit brand has grown in stature, copycat cybercriminals have sought to exploit the name for their own ransomware operations or other extortion threats. Law enforcement action During the disruptive action, law enforcement placed a seizure notice on the leak site and its mirrors, and informed affiliates via the LockBit panel that the NCA was aware of their activities. As of...

... (truncated for display)

Quick Facts

Company:: Secureworks
Date:: February 19, 2024
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: 20/02/2024

Source Information

Original Query

FBI takedown of ALPHV/BlackCat infrastructure impact on victim recovery

View Original Source

Timeline

Information Published

20/02/2024

Incident Occurred

February 19, 2024 (581 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats