Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data
Oct. 17, 2024, 10:20 a.m.
Description
This report discusses malicious Golang ransomware samples that abuse Amazon S3's Transfer Acceleration feature to exfiltrate victims' data to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, which allowed the researchers to track and report the malicious activity. The ransomware attempted to disguise itself as LockBit, likely to trade on that family's notoriety and pressure victims into paying, though no connection to LockBit's operators was found.
Tags
Date
- Created: Oct. 17, 2024, 9:43 a.m.
- Published: Oct. 17, 2024, 9:43 a.m.
- Modified: Oct. 17, 2024, 10:20 a.m.
Indicators
- f0ab7baa3e734451716ab374109453c1c159533023966d9db384f91da7c16f7f
- f09f05fdd4dbe9a7b321f0aa4d56ae662e41a63385fd1a1e7f446d4af19a10d4
- e4c59a0b4d209e898572e4fdd6153e6510e92fc16384b71a11f2b68210dd8174
- e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
- dbcfa51d8924096c9df053f9f8e8bfcb9f512d6067e8310e8a4743c55f016593
- d7b9db3f4ed6992d352248122cbc286a32a3555648b33115f6fe8672aa7bc8fe
- cded5f02f06bc64e3aa909f021a35b00740832f5eaf9ffec8ca7be73e74c1152
- cdb2a7767779e0d0efaecfdc1fce41bf51d3677194205d486e8c5a0c4815ee65
- c55fe2e800701ca55a3ec1bac9a42931e30dc3a01bbb431508e7ba21e672e64e
- bc73cc463ea4f6c0e8d65e28c5a72c474e73176a2dabb18776cb471eb209457e
- b32f634f34465b056090fe136ddad42365748e84eed4dd37ce5d145f0377794e
- aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec
- a28af0684456c26da769a2e0d29c5a726e86388901370ddf15bd3b355597d564
- 9fd4ffc73d7de7fa881fd4de477f74c49b73e2aa117e7f3fb800ef5bf6cf73b8
- 9e792606d9060f0988c9615aa785685f8474b50e00ce58c559821066b842b515
- 967375af79a5745a9bc97e0d6513d30b797fe834b0f700f48512e3c89cf35328
- 90c429ebe6c41470f921debcb1b8c3a536b213f7c56d4adccb19a01e471fba04
- 8e404487edabbc46d92f8c63b90ac9f661698a5a96691e255ff576e246bca86c
- 88237de0db05a0bc5b9de9eb77a4e43595de6b8652affc51b9d20ad22012c136
- 7dbb35453d362309618159b5a796e86a95299dd259be033671705663f378691d
- 7bfa19a76ae96c1eb630f56c2d4e38f9df62c04cae29755aebf08f71832b7b84
- 7a018c849aa2cadf29c498771b9dfcf478029b61a11b6241cda0ebafff6d8f30
- 744aaf3751291085848beb170cafacc45dfab7daa725037917307b54cc1337cd
- 573400d5f8a9d85d7205c1f6cf68f395bbb780aa81cd680dcec7b1904025f4d5
- 3c45b5be997e9250d44ea3d3cfa85a2e341f9b5017eac694ee1d569134fdd4da
- 39d144c97b53eb4ea0b6b76af9e2b5062730c8d134f38e017bd474e5e7af0ab1
- 390edcbca4679129932fdeabc71b3181e1ae545d655abc06460ee838d9a11ac9
- 371b772a5c3ac6407d77e6fc3fabb6dbb72ebddfb2ceae77147dfeee63168390
- 35299f1f6bb224e9260a10f72087ba2193316e73eea7b0361ea9ae9b946a5fac
- 2e62c9850f331799f1e4893698295d0b069ab04529a6db1bfc4f193fe6aded2c
- 1a56110c5a9b11380fe8cf145ec051ac5728eb0776b0448ff8b5e6ba8d44a4e1
- 1827bc29f0d1d1a9de9978a7852fd05a415e83d120feda6856bfd987ed2e6622
- 17b7e5ac105cfafca07691b97689c97a9c4e2b0e11e22cb1c70d85d0cd37678c
- 1350b1dce81952d9cca595eab8c77ea29ba46f7aa4df28f066110b14895a630c
- 0ce98929d8a49d43476263be704aaff40b02968ca423bc4f0da89e738e9da9da
- 06fbf383637bd94226b8257dfbd88576a1a9dca1dac8b900a20d96f39cd1475f
- 023aff64a9ecdc012621966e1c1e5bd5957c0afcd8394bc9b2be4d77adc934db
- 14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
- 0c54e79e8317e73714f6e88df01bda2c569ec84893a7a33bb6e8e4cf96980430
Attack Patterns
- T1565
- T1490
- T1608
- T1185
- T1583
- T1136
- T1491
- T1489
- T1486
- T1055
- T1098
- T1499
- T1204
- T1132
- T1053
- T1090