French firms hit by Lockean, a multi-ransomware affiliate group

November 29, 2021
CERT-FR France ANSSI Europe Gefco Lockean Ransomware Malware

France’s Computer Emergency Response Team (CERT-FR) has released a report detailing the tools and tactics of a ransomware affiliate group now tracked as Lockean. Since mid-2020 the group has compromised the networks of at least eight French companies, stealing confidential data and deploying malware from several different ransomware-as-a-service (RaaS) operations.

Lockean’s earliest recorded activity dates to 2020, when the group attacked a French manufacturing company and deployed the DoppelPaymer ransomware on its network. Between June 2020 and March 2021, Lockean went on to hit at least seven more French companies with a variety of ransomware strains, including REvil, Egregor, Maze, and ProLock.

Among the named French victims are the newspaper Ouest-France, the transport company Gefco, and the pharmaceutical companies Fareva and Pierre Fabre.

Four further French victims were reported to France’s national cybersecurity agency ANSSI but are not named in the CERT-FR report. Two additional incidents attributed to the group have also been documented by the security firm Intrinsec and by The DFIR Report.

The report describes how Lockean obtained initial access to victim networks through Qbot/QakBot, a former banking trojan that has shifted to acting as a loader for other malware and has been used to deliver ransomware strains such as Egregor, ProLock, and DoppelPaymer.

Qbot reached the victims through spam emails sent by the now-dismantled Emotet botnet and through a well-known malware distribution operation tracked as TA551, also known as Gold Cabin, Shathak, and UNC2420.

In one incident, the group instead gained access to an organisation’s network through the IcedID malware distribution service. Once inside, Lockean relied on the Cobalt Strike post-exploitation framework, the BloodHound Active Directory attack-path mapping tool, and the AdFind LDAP query tool for reconnaissance and lateral movement.


According to CERT-FR, Lockean’s average cut of the ransoms paid by its French victims was 70%, with the remaining 30% going to the operators of the RaaS platform used in each attack.


To increase its leverage, Lockean adopted the double-extortion model: before encrypting devices it exfiltrated victim data with the Rclone file-synchronisation tool, so that victims face the threat of a data leak on top of losing access to their systems and are therefore more likely to pay.
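The tooling described above (AdFind and BloodHound for Active Directory reconnaissance, Rclone for exfiltration ahead of encryption) leaves process-creation telemetry that a SOC can hunt on. The following is an added detection example written for this page, not code from the CERT-FR report or from the group’s playbook; the Sysmon-style process-creation events, host names, user names and command lines are all constructed, and the rules assume the tool binaries keep their usual names. The Rclone rule distinguishes a configured remote (`name:path`, the syntax Rclone uses for cloud storage) from a Windows drive letter so that a legitimate local or UNC backup job is not flagged.

```python
"""Hunt for AdFind/BloodHound enumeration and Rclone exfiltration in
process-creation telemetry.  Illustrative code added for this article;
the sample events below are constructed, not real incident data."""
import ntpath
import re
from typing import Dict, List

# Constructed Sysmon-style (Event ID 1) process-creation records.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "dc01", "user": r"CORP\admin",
     "image": r"C:\Temp\adfind.exe",
     "cmdline": 'adfind.exe -f "(objectcategory=person)" -csv'},
    {"host": "ws02", "user": r"CORP\svc_backup",
     "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r'rclone.exe copy "D:\Finance" mega:exfil --transfers 16 -P'},
    {"host": "ws03", "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\Downloads\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All"},
    # Legitimate backup job: rclone syncing to a UNC share, no cloud remote.
    {"host": "srv01", "user": r"CORP\backupadm",
     "image": r"C:\Program Files\Backup\rclone.exe",
     "cmdline": r"rclone.exe sync D:\Backups \\nas01\backups"},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_RCLONE_XFER = {"copy", "sync", "move", "copyto", "moveto"}
# Rclone addresses remotes as "<name>:<path>" or ":<backend>:<path>"; a
# Windows drive letter ("D:\...") also contains a colon and must be excluded.
_REMOTE = re.compile(r"^(:?[A-Za-z0-9_][A-Za-z0-9_.-]*):")
_DRIVE = re.compile(r"^[A-Za-z]:([\\/]|$)")


def tokenize(cmdline: str) -> List[str]:
    """Split a command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def is_rclone_remote(token: str) -> bool:
    """True if the argument names an rclone remote rather than a local path."""
    return bool(_REMOTE.match(token)) and not _DRIVE.match(token)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the hunting rules matched by one event."""
    exe = ntpath.basename(event["image"]).lower()
    args = tokenize(event["cmdline"])
    lowered = [a.lower() for a in args]
    hits: List[str] = []

    # Rclone copying/syncing/moving data to a configured remote.
    if (exe == "rclone.exe"
            and any(a in _RCLONE_XFER for a in lowered)
            and any(is_rclone_remote(a) for a in args[1:])):
        hits.append("rclone_transfer_to_remote")

    # AdFind LDAP enumeration; objectcategory filters are typical even when
    # the binary has been renamed.
    if exe == "adfind.exe" or (
            "-f" in lowered and any("objectcategory=" in a for a in lowered)):
        hits.append("adfind_enumeration")

    # SharpHound (the BloodHound collector) run with its collection switch.
    if (exe.startswith("sharphound")
            or "--collectionmethods" in lowered
            or ("-c" in lowered and "all" in lowered)):
        hits.append("bloodhound_collection")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over the events and return the matches in order."""
    findings: List[Dict[str, object]] = []
    for event in events:
        rules = classify(event)
        if rules:
            findings.append({"host": event["host"], "user": event["user"],
                             "image": event["image"], "rules": rules})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f'{finding["host"]:6} {finding["user"]:18} '
              f'{", ".join(finding["rules"])}')
```

Run against the constructed events, the script flags the AdFind run on dc01, the Rclone upload to the `mega:` remote on ws02 and the SharpHound collection on ws03, while the backup job on srv01 that syncs to a UNC path is left alone. In production the same rules would be fed from an EDR or SIEM export rather than an inline list, and the Rclone rule is worth pairing with a baseline of hosts that legitimately run it.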

CERT-FR also cautions that the group is likely more active than the eight confirmed incidents against French companies suggest.
