The LockBit ransomware group was blamed last February for one of the exploits of the ConnectWise ScreenConnect vulnerability, but XDR specialist Trellix says that the actual perpetrator may have been another entity entirely.
MSPs and MSSPs were alerted in February to a severe vulnerability in ConnectWise ScreenConnect, remote access software that is part of the ConnectWise remote monitoring and management (RMM) suite of tools. Reports of exploits in the wild followed, including one attributed to the LockBit ransomware group.
Trellix, an extended detection and response (XDR) specialist, now says that LockBit itself was not behind the disruptive exploit of the ConnectWise vulnerability. Rather, an unknown imitator exploited the Russia-backed threat actor’s ransomware-as-a-service (RaaS) offering for its own gain.
Just days after the ConnectWise vulnerability was reported, U.S. law enforcement announced LockBit’s takedown, and the next we heard, LockBit resurfaced, saying it was back in business.
Trellix's Advanced Research Center concluded that exploit against the ConnectWise vulnerability was "the work of imposters, rather than the genuine article.”
Trellix offers the following evidence:
- The ransom amounts were significantly lower than what LockBit previously demanded.
- No data exfiltration occurred; data exfiltration is imperative according to the rules of LockBit’s affiliate program.
- The threat actor's tone in chat communications appeared less professional than before.
How Trellix’s Findings Impact MSSPs, MSPs
MSSP Alert connected with Trellix security researcher Jambul Tologonov, who recently co-authored a report about LockBit’s attempts to stay relevant. Here's our Q&A with Trellix's expert.
MSSP Alert: How can MSSPs and MSPs help guard against similar exploits? Where do the business opportunities lie?
Tologonov: LockBit and other ransomware gangs were targeting MSPs. With ransomware, it’s all about the money, and organizations responsible for keeping their customers secure and operational have a lot to lose.
MSPs and MSSPs can’t let this cloud their ability to mitigate an attack quickly and strategically. Having a cyber incident response plan in place and reporting to law enforcement should be table stakes.
Every organization contracting another business for services needs to ensure those they grant privileges to are transparent in their practices. MSPs and MSSPs can be great partners to their customers by ensuring this is built into their operations and engagements with customers from the beginning.
MSSP Alert: What prompted Trellix to research the supposed LockBit exploit of the ConnectWise vulnerability? Why do you feel it is important for your research team to investigate?
Tologonov: We observed LockBit ransomware activity around exploitation of ConnectWise vulnerabilities after the law enforcement actions on LockBit's infrastructure ("Operation Cronos"), which signaled that LockBit RaaS was potentially still active and/or someone else was using leaked LockBit 3.0 in ConnectWise attack campaigns. This prompted us to further investigate LockBit's activity after "Operation Cronos," as well as the emergence of their imposters/new ransomware groups leveraging LockBit's brand and their leaked source code.
MSSP Alert: Are impostors becoming more commonplace, or is this something relatively new? Why would someone want to impersonate a known group that may be on the radar of law enforcement?
Tologonov: It is not new and various threat actors may impersonate well-known RaaS groups for different reasons. In the case of LockBit, we have observed numerous threat actors attempting to capitalize on [their notoriety] by impersonating LockBit ransomware and leveraging their well-known brand for their financial gain.
Previously, we saw similar behavior with the infamous REvil gang where REvil imposters tried to leverage their name by revamping the REvil leak site and modifying an existing REvil binary. Joining the LockBit affiliate program is typically challenging, requiring individuals to prove themselves and establish a reputation before gaining access. However, the leaked LockBit 3.0 provided an opportunity for threat actors to quickly enter the scene, encrypt smaller enterprises and reap profits without meeting these stringent requirements.
On the other hand, LockBit Black also enabled LockBit's competitors to undermine their reputation by acting on LockBit's behalf and violating the LockBit RaaS rules. By leveraging LockBit's name and operating outside the established affiliate program rules, these actors sought to discredit LockBit RaaS and gain an advantage in the ransomware market. LockBit did care when someone tried to impersonate them in order to tarnish their reputation.
MSSP Alert: Do you see LockBit becoming more active or continuing to lie dormant?
Tologonov: We see that LockBit is trying to stay afloat and relevant. However, after law enforcement's takedown actions, LockBit suffered a significant reputational as well as infrastructural damage.
It remains to be seen how much information law enforcement has obtained on LockBit’s operation and affiliates. We do expect some of the LockBit affiliates to exit the RaaS program and/or disperse into other RaaS due to lack of trust/fear of law enforcement’s follow-up actions ultimately slowing down LockBit's RaaS business.
