The Good | Police Unmask 200 LockBit Affiliates
Following the takedown of LockBit’s operations earlier in the year, the inner workings of the gang’s affiliate infrastructure have become clearer this week as investigations continue. The UK’s National Crime Agency, with assistance from the FBI, has reportedly matched a list of pseudonyms used by the ransomware gang to suspected cybercriminals.
So far, investigators have been able to link some 200 affiliates of LockBit who were using nondescript usernames to real-world identities. The NCA’s senior officer on the case further confirmed that authorities have been able to connect specific affiliates back to particular cyberattacks. As the investigations carry on, all details collected are helping law enforcement to pursue more of the gang’s influential members, as well as any associated money launderers and malware developers.
Over the past three years, LockBit’s Ransomware-as-a-Service (RaaS) operations have left a long line of victims in their wake, with ransom demands totalling at least $120 million.
Despite a dramatic takedown in February and having a senior administrator sentenced in March, LockBit lingers on through a new blog and data leak site, though lacking its prior momentum. Still, the gang’s ringleaders remain at large and cyber defenders continue to monitor for signs of rebranding – a strategy used by Hive and predecessors of BlackCat/ALPHV. Law enforcement’s efforts in matching up outstanding LockBit usernames to known criminals are a major step in disrupting LockBit’s new and future operations.
The Bad | New Phishing Campaign Drops Multi-Stage Malware via SVG Files
Security researchers this week reported on a complex cyberattack leveraging phishing emails to spread a wide range of malware, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer.