Article 6JTX1 Ransomware associated with LockBit still spreading 2 days after server takedown

by Dan Goodin
from Ars Technica - All content on (#6JTX1)

Two days after an international team of authorities struck a major blow to LockBit, one of the Internet's most prolific ransomware syndicates, researchers have detected a new round of attacks that are installing malware associated with the group.

The attacks, detected in the past 24 hours, are exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by Connectwise. According to researchers at two security firms, SophosXOps and Huntress, attackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware. It wasn't immediately clear if the ransomware was the official LockBit version.

"We can't publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown," John Hammond, principal security researcher at Huntress, wrote in an email. "While we can't attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement."
