Ransomware associated with LockBit still spreading 2 days after server takedown
Enlarge (credit: Getty Images)
Two days after an international team of authorities struck a major blow to LockBit, one of the Internet's most prolific ransomware syndicates, researchers have detected a new round of attacks that are installing malware associated with the group.
The attacks, detected in the past 24 hours, are exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by Connectwise. According to researchers at two security firms-SophosXOps and Huntress-attackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware. It wasn't immediately clear if the ransomware was the official LockBit version.
We can't publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown," John Hammond, principal security researcher at Huntress, wrote in an email. While we can't attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement."