Fallout 3 Dlc Unlocker


Kristin Klodzinski

Aug 5, 2024, 10:15:32 AM
to tabdebincont
The RaaS group LockBit, which has been in operation since early 2020, grew to become one of the largest RaaS groups in the ransomware ecosphere and was responsible for 25% to 33% of all ransomware attacks in 2023. The group has claimed thousands of victims and was, by far, the biggest financial threat actor group in 2023.

The LockBit group operated using an affiliate model, whereby the group claimed 20% of ransom payments with the remainder going to affiliates responsible for the ransomware attacks. This report outlines how LockBit operated, and most importantly, the subsequent activity we observed following the disruption of its operations.


Another key element that sets Operation Cronos apart from traditional site seizures was the announcement that decryption keys would be made available. This offer of support also highlights that ransom payments are not the best course of action. This is further demonstrated by the fact that, contrary to what LockBit claimed in negotiations, victim data was not deleted upon ransom payment.


The stats page shows the number of viewers and which victims visited the site and/or decrypted a test file. This was probably used to forecast the likelihood of a victim paying based on their type of engagement with the leak site. It might have also been used to assess if a victim was attracting significant interest, as this is something that could be leveraged in negotiations.


The builder tab confirmed that the group used the colours black, red, and green for the generational builds, as well as a Linux or an ESXi build. The lack of a differently named build suggests the sample we analysed was definitely not yet in active use.


The admin page contains a list of affiliates along with a window showing the information gathered when registering a user. Although affiliate names were believed to be randomly generated, the presence of the username field suggests that usernames can be manually generated in some cases.


Another interesting item that can be noted in the admin page is the level. LockBit was at Level 4, while its affiliates were at Level 1. The user Kelton was listed at Level 3 even though they had far fewer active chats than some of the other affiliates. This suggests that a member at Level 3 meant that they were either a LockBit operator working directly for LockBitSupp or a very prominent threat actor who was trusted by LockBitSupp.


Another notable observation is the large number of affiliates who joined in December 2023. There were 20 affiliates registered in December, which is a significant amount when looking at the other 173 affiliates that joined over the previous 18 months. It is probably a little coincidental that this spike in registrations coincided with the ALPHV (aka AlphaV or BlackCat) outage as a result of law enforcement action. LockBitSupp actively advertised that ALPHV affiliates would be welcome to join.


The announcement of indictments against Ivan Kondratyev (Bassterlord) and Artur Sungatov further demonstrated the extent to which law enforcement had gathered information on the LockBit group. In our previous blog entry, we described how we suspected Bassterlord to be the leader of the National Hazard Agency, which is believed to be a major subgroup of LockBit. This indictment targets one of the key members affiliated with LockBit and a prominent member of the cybercrime community.


As with any major disruption to a service, there was an immediate reaction from both affiliates and other underground threat actors who were casual observers in the hours immediately following the operation.


An interesting observation when looking at the fallout from the disruption is that it sparked some self-reflection amongst other active RaaS groups. Notably, competitor RaaS groups expressed much interest in learning about how LockBit was infiltrated. A Snatch RaaS operator also pointed out on their Telegram channel that they were all at risk. This is a subtle bonus stemming from the disruption operation: the spread of paranoia in the cybercriminal ecosystem. Other groups are now taking a closer look at what they need to do to reduce the risk of infiltration. Anything that makes operating more difficult is a good thing in the fight against ransomware actors.


There was also speculation that other groups could now become the market leader, with ALPHV being touted to rise to the top. We now know following the events surrounding ALPHV that this would not be the case.


As the dust settled following the first few days, there were still a few actors who were focused on how the disruption came about and what its implications were. Some members of the criminal underground undertook their own investigation and began trawling through old posts and dissecting what was said in the past. This further demonstrates the state of paranoia that the disruption instilled.


When the countdown reached zero, a lengthy statement was released by LockBitSupp. Instead of sensitive FBI data, the new leak site showed a lengthy statement outlining the events and a declaration that it would continue to operate.


LockBitSupp also posted a shoutbox message on the ramp_v2 forum seeking out anyone selling access to .gov, .edu, and .org top-level domains (TLDs), which seemed to have signalled its intent to attack government organisations as a reprisal.


The revival of the leak site appeared to have brought more scrutiny on the LockBit operation. LockBitSupp claimed that its infrastructure had been compromised by law enforcement via a PHP vulnerability, an assertion that many threat actors discussed and echoed in forums. However, this also led to these actors pointing out that the alleged PHP vulnerability was over six months old, calling into question the ability of LockBit operators to secure their environment. This also prompted a closer inspection of the new leak site, after which some were quick to point out that it was still using PHP.


Similar to the law enforcement leak, there was a lot of interest surrounding the public statement by LockBitSupp on its new leak site. While some saw it as a sign that LockBit operators were back in action, others were a bit more sceptical, with some chat messages discussing how the new leak site is a continuation of the law enforcement operation due to the lack of anything substantial from the FBI leak.


While the disruption operation was ongoing, we continued to monitor our internal telemetry to gauge the impact it had on LockBit infections. Based on our data, there was a clear drop in the number of actual LockBit infections. We excluded threat emulation data and any infections that were a result of the leaked LockBit build. We also used the new Onion sites to track any newly posted attacks and only one small cluster was observed in the three weeks that followed the disruption.


One of the victim conversations from the LockBit chat page shows that the ransom demand was only US$2,800 which is significantly lower than what we would expect for a LockBit negotiation. This could be a minor affiliate desperate to keep some cash flow. If it is LockBitSupp operating alone in an effort to maintain a facade that everything is operating normally, the ransom amount would expectedly be higher, especially since LockBitSupp could post victim information to the leak site.


Following the disruption operation, there was much discussion about whether or not LockBit would be able to weather the storm and continue to operate. On the surface, it would appear that LockBit is operating like it had before the disruption, but an examination of the leak site victims and its results paint a very different picture. As of this writing, 95 victims were posted to the leak site after Operation Cronos.


Another interesting observation is the distribution of countries after the disruption compared to normal LockBit operations. Following the operation, LockBitSupp appears to be attempting to inflate the apparent victim count while also focusing on posting victims from countries whose law enforcement agencies participated in the disruption. This is possibly an attempt to reinforce the narrative that it would come back stronger and target those responsible for its disruption.


Further bolstering the hypothesis that the leak site is being manipulated to give an appearance of normalcy is the addition of victims in batches, which indicates one person is maintaining it. This is far from how normal affiliates would typically behave.


With Operation Cronos, we saw a new approach to combatting ransomware. Disrupting and undermining the business model seem to have had a far more cumulative effect than executing a technical takedown. And while LockBitSupp was not part of the cohort of people arrested, affiliates will likely consider all the publicly available information and opt to work for other groups; or better yet, they might reconsider if ransomware is too high-risk of a venture.


While it is true that in its inception, LockBit led the way and proved innovative compared to its peers, Operation Cronos succeeded in striking against one element of its business that was most important: its brand.


The playing field is a lot more level now, and with the stagnation of the LockBit brand last year, followed by further reputational damage caused by this operation, affiliates must be seriously asking themselves if it would be worth the risk to return to a previously compromised operation.


87% of executives now acknowledge the need to overhaul manufacturing and supply networks to increase future resilience [2]. In another survey by Gartner [3], more than half expect to be highly resilient within two to three years. As risk competitiveness and business continuity take priority, leaders in the field are increasingly seeing that advanced digital technologies are indispensable.


Manufacturers face challenges that are varied and complex. The fallout from the pandemic has made it clear that supply chains are too long and complex, often depending on a single source of supply. Manufacturers now seek to reduce complexity and to enhance the agility of their supply chains. They need to be able to move supply, production, and distribution activities around more flexibly to adapt to changing circumstances.
