Le ransomware LockBit dispose d'un module de chiffrement spécifique pour cibler les machines sous macOS. Même si c'est en phase de tests, les utilisateurs de Mac doivent se méfier : LockBit est redoutable et cette campagne pourrait faire de nombreuses victimes.
Les chercheurs en sécurité de l'équipe Malware Hunter ont fait la découverte de cet échantillon destiné à macOS sur le site VirusTotal. Jusqu'à présent, le ransomware LockBit, dans ses différentes versions, ciblait plusieurs plateformes, dont les machines sous Windows, Linux et les hyperviseurs VMware ESXi. Désormais, les utilisateurs de macOS ne sont plus épargnés par cette menace.
Le ransomware LockBit serait capable de chiffrer les machines Apple avec une puce Apple Silicon (et probablement les modèles sous Intel). En effet, les chercheurs ont repéré un module de chiffrement nommé "locker_Apple_M1_64" (voir ici) qui cible les puces Apple.
Même si cette information est évoquée aujourd'hui, ce module de chiffrement ne semble pas nouveau. D'après le chercheur en cybersécurité Florian Roth, un module de chiffrement LockBit compatible Apple M1 a été téléchargé sur VirusTotal en décembre 2022 !
Toutefois, d'après le site BleepingComputer, dont les auteurs ont pris le temps d'analyser ce module de chiffrement pour Apple M1, il s'agit d'une phase de tests. Par exemple, il y a des exclusions sur les extensions ".exe" ou ".dll" qui sont propres au fonctionnement de Windows, et non à macOS.
Information confirmée par LockBitSupp, un porte-parole de LockBit, qui a clairement indiqué que le module de chiffrement pour Mac était "en cours de développement". Bien sûr, ces informations sont à prendre avec des pincettes, mais il est clair que la menace LockBit se rapproche de macOS.
Dans les semaines et mois à venir, il y a de fortes chances pour que LockBit fasse des ravages sur macOS si les développeurs du gang LockBit parviennent à développer un module pleinement opérationnel. Ce qui n’est surement qu'une question de temps...!
Il va être indispensable de protéger votre macOS, au même titre qu'il faut protéger une machine sous Windows.
LockBit shows mercy in a strange show of compassion to the SickKids hospital in Toronto. Source: Unsplash
After LockBit encrypted information in an attack on the Hospital for Sick Children (SickKids) in Toronto on Dec.18, it has tendered an apology and a free decryptor to the hospital. LockBit has come out against the attack, calling it a violation of its terms of service by an affiliate, and said it doesn’t target institutions where a compromise “could lead to death.” By Jan. 1, SickKids had restored 60% of its operations.
The hospital was forced to declare “System Failure” under its code “Grey”. Despite disrupting hospital phone lines and web pages, the breach didn’t affect patient care. Attempting to ease privacy concerns from such attacks, the hospital claimed the cybercriminals didn’t steal any sensitive patient information — a rarity in such cases.
The decryptor, which includes Linux/VMware ESXi, suggests that the attack could only encrypt virtual machines on the hospital’s network, and no Windows machines were compromised.
LockBit’s Ransomware-as-a-Service Model
A rare apology from LockBit isn’t proof of it mending its ways. Source: Bleeping Computer
LockBit operates a ransomware-as-a-Service (Raas) model. This enables it to lend the software to affiliates whose job is to use the software to penetrate networks and perform operations. At the same time, LockBit itself only has to maintain the encryptors, decryptors, and websites. These affiliates pocket 20-25% of the profits on each extortion.
Once the cybercriminals encrypt a server, they hold it for ransom, refusing to decrypt it unless the victims make the payment. Mostly, a payment results in server and file decryption. Cybercrime groups run on commercial principles, so they have to keep up their end of the bargain.
LockBit, under its terms, forbids encrypting medical data. Nonetheless, it delayed the release of the decryptor in this case. Yet, the same terms and conditions haven’t stopped its affiliates from breaching hospitals in the past. In August, LockBit affiliates compromised the Center Hospitalier Sud Francilien (CHSF) in France and demanded $10 million in ransom. The group leaked staff and patient data online when the hospital failed to meet its demands.
It seems as if these terms and conditions allow LockBit to keep its distance from affiliates in case its vigilante reputation is at stake. It could plead deniability and sever relations with the affiliate if the attack doesn’t go down well. By lending its ransomware, it can just stay back and lurk in the shadows.
The ransomware it has developed is automated and easy to use. Once it infects a single host on a network, the virus spreads to other hosts on autopilot. It also automatically completes post-exploitation procedures, such as the escalation of privileges.
LockBit Protection — Staying Safe in the World of Ransomware
LockBit is the most active ransomware strain in the world, according to Blackberry. Source: Unsplash
According to Blackberry, LockBit is one of the most active ransomware strains worldwide. With its ransom demands averaging at about $85,000 per victim, it’s safe to assume that the group mainly targets small to medium-sized enterprises. However, it has also compromised large federal and commercial organizations, demanding ransoms in the millions of dollars.
Blackberry research explained how LockBit works: “LockBit seeks initial access to target networks primarily through purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. Second-stage LockBit establishes control of a victim’s system, collects network information, and achieves primary goals such as stealing and encrypting data.”
Knowing these patterns, network administrators can devise their defense mechanisms. Above all, a well-rounded cybersecurity strategy that offers robust protection can thwart any cybercrime group, including LockBit. Networks need high-quality antivirus protection as well as sensitive malware detection systems. Bear in mind that not every security product is made equal — some are far better than others at detecting and preventing infections.
Better still, network administrators should encourage the use of multifactor authentication across as many services as possible. These vastly reduce the risks of network penetration. For employees, administrators should lay down clear guidelines for changing passwords. Further, they should use automatic patch management that can routinely identify and patch vulnerabilities as they arise. Lastly, reduce user privileges on the network to a functional bare minimum.
The Continual Critical Infrastructure Threat
The Port of Lisbon remains operational, but they have until Jan.18 to comply with LockBit’s demands. Source: The Bleeping Computer
As highlighted earlier, hospitals continue to be soft targets for cybercriminals. On Christmas, cyberattacks hit the administrative registrars of six counties in North Carolina. As a result of the attack, processing and access to wills, birth certificates, death certificates, marriage licenses, and other governmental procedures have slowed down or halted completely. Local governments have been reduced to using pen and paper, causing operational efficiency to nosedive.
LockBit was also busy on Christmas launching an attack on the Port of Lisbon Administration (APL). The Port of Lisbon is a key European port, serving a variety of ships from various countries arriving at its harbors. Currently, the APL website (http://portodelisboa.pt) is offline. LockBit added the APL to its ransomware website on Dec. 29. While the port is operational, the cybercrime gang claims to have accessed financial reports, audits, budgets, contracts, cargo information, ship logs, crew details, customer PII (personally identifiable information), port documentation, email correspondence, and more.
Hospitals Are an Ongoing Target for Ransomware Operations
Despite the odd compassionate turn in tendering an apology and offering decryption, LockBit and other cybercrime groups like it continue to target hospitals. Recently, a Hive ransomware attack exposed 270,000 patient records at Lake Charles Memorial Hospital.
In another incident, an attack on CommonSpirit Health — a chain of over 150 hospitals — exposed over 600,000 patients’ data. Hospitals are easy targets and contain vast repositories of patient information. From 24 healthcare exploits in 2022, cybercriminals obtained Protected Health Information (PHI) in over 71% of the cases. Poor data protection procedures coupled with sensitive data and many avenues for exploitation make healthcare systems extremely vulnerable and sensitive targets.
Connexion
