GlobalSign Blog

Was LockBit Ever Really Gone? – May NewsScam

There is a lot to cover in our latest News Scam.

The recent takedown of cybersecurity menace LockBit sadly did not seem to make much of a dent in the group’s activities. Within a month the lawless losers were already back at it. Their most recent victim is Canadian pharmacy chain London Drugs. 

The FBI was able to take down the BreachForums site this month. Hopefully, unlike LockBit, this one will stick.

World-renowned art auctioneer Christie's has been in the news regarding a recent cyber-attack. It was initially announced earlier in the month, but it wasn't until May 27th that the alleged attackers emerged from the shadows.

On the heels of the disastrous attack at Change Healthcare, another US healthcare network is the victim of a ransomware attack, and patients of a French radiological imaging company can’t get appointments due to an ongoing incident. 

Kudos to the United Kingdom for being the first country in the world to enact an IoT security law. Known as The Product Security and Telecommunications Infrastructure (PSTI), the new law is meant to protect consumers from cyber threats. 

The US government says that the Black Basta crime gang has been on a huge tear – and costing its victims tens of millions. 

At least there is some sweet justice. A member of another internet security menace, REvil, is going to spend nearly 14 years in a US prison.

Please read on for all the most impactful stories that took place this month!

Christie's Caught in Cyber Attacker's Web 

Hackers behind an incident at Christie's auction house on Monday revealed themselves to be RansomHub. The cyber crime gang has listed on its darknet extortion site what it claims are samples of data stolen from the company, the world's largest auction house by revenue. The privately-owned company took in more than $6 billion last year through sales of artworks and luxury goods. Christie's clients include some of the world’s wealthiest art collectors. Earlier in May, Christie's chief executive, Guillaume Cerutti, announced a “technology security incident” which forced the company to take its website offline. Since then, the company has confirmed a data breach and is now likely mulling a demand for ransom. I imagine the details are forthcoming.

Canadian Pharmacy Chain Gets Looped by LockBit 

Just when we thought it was safe to use the interwebs, and despite a global police takedown of LockBit not three months ago, LockBit is fully back in business. The evidence lies in the ransomware group's latest attack, this time on Canadian pharmacy chain London Drugs. The original attack took place in late April, though the details of the incident at the time were murky. Three weeks later, British Columbia-based London Drugs announced on May 25th that LockBit was indeed responsible, and that sensitive data had been stolen. Oh, and LockBit wants $25 million. In a statement published by The Register, London Drugs did admit it was attacked, but also said it refuses to pay the ransom demand.

Healthcare Systems and Providers Keep Getting Hacked 

Major U.S. healthcare network Ascension announced on May 8th it was likely the victim of a ransomware attack. The incident initially forced some ambulances to be diverted from several hospitals and also resulted in physicians and their patients being unable to view medical records. Three weeks later the healthcare network was still experiencing issues, with patients unable to access records, including in cases involving serious medical issues such as cancer.

In France, an attempted cyber-attack impacted a company providing medical radiological imaging. After an attack on May 7th, the Coradix-Magnescan medical imaging group began warning patients that their appointments could be impacted by complications resulting from a cyber-attack. The company, based in Perpignan, France, believes there is no evidence of data theft.

Given all the cyber-attack activity in healthcare, the US government unveiled a new program aimed at creating new cybersecurity tools to protect hospitals from damaging attacks. The Advanced Research Projects Agency for Health (ARPA-H), part of the Department of Health and Human Services, announced the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program on May 20. The program aims to enable hospitals to automate vulnerability management across all systems and devices used in their environments, ensuring patches are quickly deployed with minimum disruption to critical healthcare services. 

The United Kingdom is the First Country in the World to Enact an IoT Cybersecurity Law 

A new IoT cybersecurity law in the UK went into effect this month. Known as The Product Security and Telecommunications Infrastructure (PSTI), the new law is meant to protect consumers from cyber threats. PSTI requires manufacturers of IoT products meant for consumers in the UK to stop using “easily guessable” default passwords (such as “12345”) and also to have a vulnerability disclosure policy. The new law applies to all organizations manufacturing, importing or selling products for the UK market, so the applications are extremely broad: from TVs, streaming devices, speakers, game consoles, smartphones and tablets to home automation and alarm systems, wearable devices, children’s toys and more.

REvil Gang Member Goes Directly to Jail

There was vindication this month for the many organizations impacted by the REvil ransomware gang. Not only was it responsible for the attack on the Colonial Pipeline three years ago, the group was also behind the attack on global meat processing giant JBS in June 2021, as well as the massive attack a month later on IT management software maker Kaseya, which had a knock-on effect at more than 1,500 organizations. Then, in the winter of 2022, in a massive operation, Russian authorities essentially put REvil to bed. Despite this, many of the group’s affiliates are likely still active today. Fast forward to this month: 24-year-old Ukrainian national Yaroslav Vasinskyi - also known as Rabotni, who was extradited to the U.S. in March 2022 - was sentenced to nearly 14 years in jail by a judge in Texas. Vasinskyi was also ordered to pay over $16 million in restitution for his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments. One wonders how this guy will ever pay back the victims.

Notorious Cybercrime Site BreachForums Seized by US Authorities 

The infamous cybercrime site used to sell and publish stolen data, BreachForums, was seized by US authorities on May 15th. The FBI and the U.S. Department of Justice took down the site and replaced the BreachForums homepage with a seizure notice crediting international partners including the Cyber Police of Ukraine, Kantonspolizei Zürich, the Australian Federal Police, New Zealand Police, Icelandic Police and U.K. National Crime Agency. This is the second time BreachForums has been seized by authorities. The first time was last June, three months after the arrest of original BreachForums founder Conor Brian Fitzpatrick. Almost immediately after the takedown, a bad actor using the pseudonym “Baphomet” took over the platform and pledged to create a new version of it. The Telegram channel Baphomet was said to be operating was also taken down by the FBI.

Black Basta Ransomware Victim List Surpasses 500 

According to a new alert issued on May 10th by the FBI, CISA, the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Black Basta ransomware group has targeted more than 500 organizations globally. In addition, the warning says that affiliates of Black Basta are responsible for attacks against 12 out of 16 critical infrastructure sectors, including healthcare organizations. In a November 2023 report, blockchain analytics firm Elliptic estimated that Black Basta affiliates had received over $100 million in ransom payments from at least 90 victim organizations. The group’s approach to securing ransom from its victims differs from other cybercrime groups, which usually attach notes to the attack with the actual demand and payment instructions. In Black Basta’s case, the group shares unique codes and instructions with the victims, including that the group should be contacted via a .onion URL.

But wait, there’s more

Rockwell to customers: Remove public-facing ICS devices from internet – SC Magazine
EPA warns of increasing cyberattack risk of US water systems – Today 
National Records of Scotland Data Breached in NHS Cyber-Attack - Infosecurity
Boeing confirms attempted $200 million ransomware extortion attempt - Cyberscoop
Tornado Cash Developer Found Guilty of Laundering $1.2 Billion of Crypto - Wired 
Adobe Patches Critical Flaws in Reader, Acrobat - SecurityWeek
University System of Georgia Says 800,000 Impacted by MOVEit Hack - SecurityWeek 
Zscaler shuts down exposed system after rumors of a cyberattack - CSO Online 
US Post Office phishing sites get as much traffic as the real one – Bleeping Computer  
Millions of Malicious Containers Found on Docker Hub - Infosecurity
Hibernating cluster wakes up to map the entire Internet - but what could it be planning?
