Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data

Oct. 17, 2024, 10:20 a.m.

Description

This report discusses malicious Golang ransomware samples that abuse Amazon S3's Transfer Acceleration feature to exfiltrate victims' data and upload it to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, which allowed the researchers to track and report the malicious activity. The ransomware attempted to disguise itself as LockBit ransomware, likely to leverage that family's notoriety and pressure victims, though no connection to LockBit's operators was found.

Date

  • Created: Oct. 17, 2024, 9:43 a.m.
  • Published: Oct. 17, 2024, 9:43 a.m.
  • Modified: Oct. 17, 2024, 10:20 a.m.

Indicators


Attack Patterns

  • T1565
  • T1490
  • T1608
  • T1185
  • T1583
  • T1136
  • T1491
  • T1489
  • T1486
  • T1055
  • T1098
  • T1499
  • T1204
  • T1132
  • T1053
  • T1090