Despite the U.S. Department of Justice's disruption of LockBit's operations on February 20, 2024, the group's acts of extortion experienced only a temporary decline before rapidly recovering. The result was a 1.74% increase in LockBit's acts of extortion by the end of Q1 2024 compared to Q4 2023.
This news comes via the Q1 2024 Cyber Threat Report from Nuspire, an MSSP specializing in managed detection and response (MDR) and managed endpoint detection and response (EDR) solutions.
The report spotlights a 3.69% rise in ransomware activities from Q4 2023, punctuating the persistent threat ransomware groups pose.
Additionally, Nuspire reports that dark web market activity saw a “staggering” 58.16% increase in listings, indicating significant growth in the trade of stolen data and illicit goods.
Here are other key findings from Nuspire’s report:
- The manufacturing sector, crucial to supply chains and rich in intellectual property, faced a jump in ransomware attacks from LockBit and CL0P. The growth in attacks highlights the vulnerabilities this industry often faces resulting from complex IT/OT systems, underinvestment in cybersecurity and the sector's historical prioritization of operational continuity over security measures.
- Listings on dark web marketplaces featuring Lumma Stealer saw a significant increase, more than doubling from Q4 2023. Lumma Stealer emerged in 2023 and quickly became a leader in infostealing malware.
Dark Web Drives Exploits
Nuspire asserts that its latest report underscores a critical evolution in the cyber threat landscape. This is marked by a notable increase in ransomware attacks and a surge in dark web marketplace activities.
“The obscurity and easy access of the dark web facilitate the exchange of exploit kits and confidential information, reducing the hurdles for would-be cybercriminals and complicating the task for cyber defense mechanisms," said Nuspire Chief Security Officer J.R. Cunningham. "Considering the secretive environment of the dark web and the difficulties in overseeing its operations, it is crucial for companies to emphasize intelligence gathering, ongoing surveillance and staff training to adeptly navigate these advancing threats."
LockBit Takedown Short Lived
On February 20, the U.S. Justice Department announced that the U.K. National Crime Agency’s (NCA) Cyber Division, working in cooperation with the Federal Bureau of Investigation (FBI) and other international law enforcement partners, seized numerous public-facing websites and servers used by LockBit administrators. MSSP Alert reported that effort dealt a major blow to LockBit threat actors’ ability to attack and encrypt networks and extort victims by threatening to publish stolen data.
On February 26, reports circulated that LockBit had restored its disrupted servers and claimed it was back in business. Case in point, LockBit is widely believed responsible for exploits against ConnectWise ScreenConnect software.
ScreenConnect is part of ConnectWise's larger suite of software for MSPs, including professional services automation (PSA) and remote monitoring and management (RMM) software. Managed security services providers (MSSPs) that operate MSP business units and use this type of software could be impacted as well.
However, Trellix, an extended detection and response (XDR) specialist, told MSSP Alert that LockBit itself was not behind the disruptive exploit of the ConnectWise vulnerability. Rather, an unknown imitator exploited the Russia-backed threat actor’s ransomware-as-a-service (RaaS) offering for its own gain.
