This blog is the latest in a series that delves into the deep research conducted daily by the Trustwave SpiderLabs team on major threat actor groups currently operating globally.
Retailer databases are chock-full of information that makes them highly attractive targets for ransomware gangs, as highlighted by Trustwave SpiderLabs in its recent 2024 Trustwave Risk Radar Report: Retail Sector.
Trustwave SpiderLabs’ research revealed that LockBit and Play ransomware were the top two ransomware groups targeting this sector. However, LockBit, which has been the leading variant in this category, is losing ground to Play and other ransomware types and gangs. The report noted that in 2023, LockBit was responsible for 34% of all attacks, while Play was responsible for 9%. In 2024, the duo accounts for 30% of all attacks, with 15% each.
LockBit and its variants have been top-tier ransomware threats since 2020, while Play is a relative newcomer, actively in use since 2022.
With the holidays approaching and retailers concerned about all manner of theft, let’s take a look at how Trustwave SpiderLabs and CISA break down Play and LockBit, including how each operates and the defensive steps that can be taken.
According to CISA and the FBI, Play (aka Playcrypt) has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.
The Play ransomware group is believed to operate as a closed entity, ensuring the confidentiality of its operations, as stated on its data leak website. They use a double-extortion tactic, encrypting systems after stealing data. Instead of specifying a ransom amount or payment instructions in their notes, they direct victims to reach out via email.
The FBI and CISA recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
Some recommendations include:
LockBit is a formidable ransomware-as-a-service provider and among the most active in the world, measured by the number of victims claimed on its Dark Web site. The FBI has recorded about 1,700 attacks, netting around $91 million from its victims.
Trustwave SpiderLabs research noted that the ransomware is continuously upgraded and that it is an opportunistic attacker, using double extortion (data theft followed by encryption) to pressure victims into paying. It does, however, follow a language check: before encrypting, the malware inspects the system language and will not attack machines set to Russian, Belarusian, Tajik, Armenian, or the languages of other former Soviet republics.
LockBit 3.0, aka LockBit Black, is the version now in mainstream use. It is more modular and evasive than earlier versions and, according to CISA, shares similarities with BlackMatter and BlackCat ransomware.
Some of the methods LockBit uses to successfully attract affiliates include, but are not limited to:
Citing secondary sources, CISA noted that affiliates exploit older vulnerabilities such as CVE-2021-22986 (the F5 iControl REST unauthenticated remote code execution flaw) as well as newer ones. LockBit affiliates have been documented exploiting numerous CVEs, including:
When LockBit affiliates attack an organization that manages other companies' networks, CERT NZ (which partnered with CISA on its LockBit report) observed them attempt secondary ransomware extortion after deploying the LockBit variant on the primary target. Following the initial attack, LockBit affiliates proceed to extort the primary organization’s customers by deploying secondary ransomware to disrupt the services these customers rely on. Additionally, these affiliates may further pressure the primary target’s customers by threatening to release sensitive customer data.
CISA noted in its advisory that implementing multiple mitigations with a defense-in-depth approach can help protect against ransomware.
To stop LockBit from gaining initial access, security teams should consider implementing sandboxed browsers to protect systems from malware originating from web browsing, implementing strong password protection guidelines, using an email security solution to filter malicious emails, and installing a web application firewall.
If access is gained, CISA noted organizations can still limit what an intruder is able to execute by developing and regularly updating comprehensive network diagrams, controlling and restricting network connections, enabling enhanced PowerShell logging (script block and module logging), and configuring the Windows Registry to require User Account Control (UAC) approval for any PsExec operations that need administrator privileges, which reduces the risk of PsExec being used for lateral movement.
Privilege escalation can be limited or eliminated by disabling command-line and scripting activities and permissions for users who do not need them, enabling Credential Guard so that cached domain credentials cannot be dumped from LSASS, and implementing a local administrator password solution (such as Windows LAPS) where possible so that a single stolen local admin password does not open every host.
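The host-side mitigations just listed (enhanced PowerShell logging, UAC approval for PsExec-style remote administration, and Credential Guard) can be audited and, where they are plain registry policies, enforced with a short script. The following is an added example written for this page; it is not code from Trustwave SpiderLabs or CISA. The registry paths are the standard Windows policy locations. Reading the PsExec recommendation as "keep UAC remote restrictions on for local accounts, i.e. LocalAccountTokenFilterPolicy = 0" is my assumption about what the advisory intends, since that is the setting that strips the full administrator token from local accounts used over the network. LAPS is an Active Directory deployment rather than a per-host registry value and is not checked here.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Trustwave/CISA text. Audit-only by default; -Enforce writes
# the registry values. Credential Guard is reported but not switched on, because enabling
# it is a virtualization-based security change that belongs in Group Policy or Intune.
[CmdletBinding()]
param([switch]$Enforce)

# Each entry: policy location, the value the mitigation implies, and whether a missing value
# already counts as compliant (LocalAccountTokenFilterPolicy defaults to 0 when absent,
# which is the restrictive setting; the logging keys default to "off" when absent).
$settings = @(
    @{ Name = 'UAC remote restrictions for local accounts (limits PsExec-style admin access)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Key  = 'LocalAccountTokenFilterPolicy'; Want = 0; AbsentOk = $true },
    @{ Name = 'PowerShell script block logging (Event ID 4104)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Key  = 'EnableScriptBlockLogging'; Want = 1; AbsentOk = $false },
    @{ Name = 'PowerShell module logging (Event ID 4103)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Key  = 'EnableModuleLogging'; Want = 1; AbsentOk = $false }
)

function Get-RegValue {
    param([string]$Path, [string]$Key)
    $item = Get-ItemProperty -Path $Path -Name $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Key
}

$results = foreach ($s in $settings) {
    $current = Get-RegValue -Path $s.Path -Key $s.Key
    $ok = if ($null -eq $current) { $s.AbsentOk } else { $current -eq $s.Want }
    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Key -Value $s.Want -PropertyType DWord -Force | Out-Null
        $ok = $true; $current = $s.Want
    }
    [pscustomobject]@{ Setting = $s.Name; Current = $current; Wanted = $s.Want; Compliant = $ok }
}

# Module logging records nothing until module names are listed; '*' covers every module.
if ($Enforce) {
    $names = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
    if (-not (Test-Path $names)) { New-Item -Path $names -Force | Out-Null }
    New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

# Credential Guard status comes from the DeviceGuard WMI class: a 1 in SecurityServicesRunning
# means Credential Guard is active (2 would be hypervisor-enforced code integrity).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
$results += [pscustomobject]@{ Setting = 'Credential Guard running'; Current = $cgRunning; Wanted = $true; Compliant = $cgRunning }

$results | Format-Table -AutoSize
```

Run it once without arguments to see which hosts drift from the advisory's baseline, and feed the table into whatever compliance reporting you already have; the `-Enforce` switch is there for one-off remediation, but on a domain these values should ultimately come from Group Policy so they cannot be quietly reverted by an attacker with local admin.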
Exfiltration of data can be interrupted by blocking connections to known malicious systems using a Transport Layer Security (TLS) Proxy. Malware often uses TLS to communicate with threat actors' infrastructure. By using feeds for known malicious systems, the establishment of a connection to a C2 server can be prevented. Additionally, CISA recommends using web filtering or a Cloud Access Security Broker (CASB) to restrict or monitor access to public file-sharing services that may be used to exfiltrate data from a network.
The final point made by CISA is to exercise, test, and validate your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in its advisory.