Ransomware continues to be one of the primary threats, if not the primary threat, faced by organizations, particularly large corporations. On October 21, UK car dealer Pendragon released a statement to the press saying,
“We have identified suspicious activity on part of our IT systems and have confirmed we experienced an IT security incident. This has not affected our ability to operate, and we continue to service our customers and communities as normal.
Upon discovery, we took immediate steps to contain the incident. Our security specialists launched an extensive investigation to assess fully what has happened and we’ll be keeping our customers and partners updated. To add, the Pinewood Dealer Management System was and remains completely unaffected. We have reported this to The National Cyber Security Centre, the Information Commissioner’s Office, The FCA, and the police.”
The typically terse and uninformative press release was later supplemented by more details suggesting that ransomware affiliates deploying LockBit were responsible for the attack.
Pendragon Group owns CarStore, Evans Halshaw, and the luxury car retailer Stratstone, and is currently in the middle of a 400 million GBP takeover by Swedish motor company Hedin Group.
Any bad news at this time can potentially sink such a deal; however, any assumption as to the outcome of the deal is pure speculation.
More details relating to the attack were provided by the company’s chief marketing officer, Kim Costello, speaking to The Times. Costello noted that the company has been in contact with the hackers and received stolen files as proof of the breach but did not engage in negotiations.
The hackers asked for "tens of millions of dollars before a deadline" under the threat of publishing stolen data. The Times puts the ransom amount at 60 million USD and confirmed that the company has no intention of negotiating with LockBit affiliates.
According to a Bleeping Computer article, the ransomware operators only obtained 5% of the database, which they are using to try to extort the company into paying the ransom to decrypt encrypted files.
Unfortunately, the lack of details means it's difficult, if not impossible, to draw any conclusions, such as whether LockBit 2.0 or the newer LockBit 3.0 variant was used. The earlier version alone may have been responsible for 850 victims in 2022.
Over the course of LockBit’s infamous history, the ransomware’s operators claim they damaged at least 12,125 companies during LockBit 2.0’s lifespan.
LockBit 3.0 boasts a general improvement in terms of features over the previous version. According to Infosec Institute, the improvements include:
- Anti-detection mechanisms to evade AV and EDR systems
- LockBit 3.0 relies on an “access token” to be supplied as a parameter upon execution
- A command line option with possible parameters was also introduced
- The new version is more evasive and faster than the older versions, according to malware experts
- A fresh anti-debug feature added
- A mechanism for disabling Windows Defender and tampering with the Windows Event Logs is also present.
At the time of writing it is not clear if LockBit 3.0 has completely replaced 2.0 operations, but with the added feature set many operators would be looking to switch, provided it is stable.
Ukrainian Government Agencies Targeted by Ransomware Operators
In other ransomware news, the Computer Emergency Response Team of Ukraine (CERT-UA) issued an alert stating that Cuba ransomware operators are looking to target critical government networks in the country.
On October 21, officials for CERT-UA discovered an email phishing campaign with emails that impersonated the Press Service of the General Staff of the Armed Forces of Ukraine.
The email urged recipients to click on an embedded link leading to a third-party web page, supposedly to download a document named "Наказ_309.pdf".
As with so many phishing attacks seen in the past, the link is used to download an executable that masquerades as an Adobe Reader installer.
The fake installer downloads the ransomware gang's signature malware, the RomCom RAT. The malware allows the threat actors to perform file operations on the host, steal data, spawn spoofed processes, start reverse shells, and drop other malware payloads, including the ransomware module. CERT-UA stated,
“Considering the use of the RomCom backdoor, as well as other features of the related files, we believe it is possible to associate the detected activity with the activity of the group Tropical Scorpius (Unit42) aka UNC2596 (Mandiant), which is responsible for the distribution of Cuba Ransomware,”
Given the current war in Ukraine, it is easy to spin a political narrative around the attack. However, as Bleeping Computer notes, those operating or affiliated with Cuba ransomware haven’t declared any political statement in favor of either Ukraine or Russia, and appear to be purely financially motivated.