Affiliates Unlocked: Gangs Switch Between Different Ransomware Families

The shutdown of the Leafroller ransomware gang (aka Sodinokibi/REvil) has resulted in a surge in LockBit activity, as some ex-Sodinokibi affiliates move to that ransomware. Meanwhile, there is also more evidence that some attackers are affiliated to more than one ransomware group and are switching between ransomware families mid-attack if the initial ransomware they attempt to deploy fails to execute.

These are just the latest developments Symantec, part of Broadcom Software, has seen as ransomware actors continue to evolve their tactics to make their attacks more dangerous and effective.

Sodinokibi shutdown leads to LockBit surge

Attacks involving the LockBit ransomware have increased markedly over the past month, with some indications that the group behind it is attempting to fill the gap left by the Sodinokibi ransomware.

Sodinokibi’s infrastructure and websites disappeared on July 12, 2021, shortly after the group had carried out a major ransomware attack in which it encrypted approximately 60 managed service providers (MSPs) and more than 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software. It’s unclear why exactly the gang’s operations shut down, but it has been speculated that the gang shuttered their activity following either pressure or action by law enforcement.

Symantec researchers have seen evidence that at least one former Sodinokibi affiliate is now using LockBit. Symantec has observed an attacker using consistent tactics, tools, and procedures (TTPs) attempting to deliver Sodinokibi to victims until July of 2021, when the payload switched to LockBit.

LockBit (aka Syrphid) was first seen in September 2019, and launched its ransomware-as-a-service (RaaS) offering in January 2020, however, there was a marked increase in its activity in the last month as it seemingly attempted to recruit former Sodinokibi affiliates.

This recent attack began with a file named mimi.exe, which is an installer that drops a number of password-dumping tools. Immediately prior to the ransomware being launched, a large number of commands were executed to disable various services, block access to remote desktop protocol (RDP), and delete shadow copies. This is activity we typically see before ransomware is deployed on a system. The actor behind this attack consistently named their ransomware payload as svhost.exe and this practice was maintained following their transition to LockBit.

The actors behind recent LockBit campaigns were seen using a variety of different TTPs before deploying the ransomware payload, including:

• DefenderControl.exe – disables Windows Defender
• NetworkShare – scans infected network
• Nsudo-dropper – file dropper
• Credential Stealing – collecting credentials from infected machines
• Mimikatz – credential dumper, used for lateral movement across networks
• Defoff.bat 
• DelSvc.bat 
• Netscan – retrieves information about services running on infected machines
• PasswordRevealer – shows obfuscated passwords

The numerous password-dumping tools used by these attackers indicates that harvesting credentials is a key part of their attack chain.

Splitting allegiances

In another ransomware attack that occurred in June 2021, it appears that attackers who usually encrypt networks using the Conti ransomware switched payloads and used the Sodinokibi ransomware instead.

Initial activity in this attack followed the attackers’ usual playbook, deploying Cobalt Strike, an off-the-shelf remote access tool commonly seen used in ransomware attacks. This would usually be followed by them delivering Conti. Conti first appeared in December 2019 and has been seen used in some high-profile recent ransomware attacks, many targeting healthcare providers, including a May 2021 ransomware attack that crippled Ireland’s public health service provider, the HSE.

However, in this recent attack, instead of deploying Conti, the attackers switched payloads and deployed Sodinokibi to encrypt several hundred machines on the network. Before Sodinokibi was deployed we saw the attackers use BitsAdmin when moving across the victim network, while they also carried out some other preliminary activity before deploying the ransomware, including disabling Microsoft Defender, disabling RealTime Monitoring, and deleting shadow copies.

The attackers maintained a presence on the victim network for approximately three weeks before the Sodinokibi ransomware was deployed.

While not common up to now, this isn’t the first time we have seen evidence of affiliates appearing to have access to more than one ransomware family at the same time. In the attack we talked about in our blog Ransomware: Growing Number of Attackers Using Virtual Machines, there was evidence the attacker had access to both the Mount Locker and Conti ransomware, and may have attempted to run one payload on a virtual machine and, when that didn’t work, ran Mount Locker on the host computer instead.

Impact

Affiliates switching between different ransomware families like this is yet another attempt by ransomware actors to increase the chances of their attacks succeeding, and it will be interesting to see whether or not this is a tactic we start to increasingly observe during ransomware attacks.

Having access to multiple ransomware families increases the likelihood of affiliates being able to encrypt machines, increasing the dangers posed by these already dangerous attacks. This is just the latest development we have seen from ransomware actors, who are constantly refining their tactics in order to maximise their profits. The use of virtual machines was another example of attackers tweaking their approach in order to carry out a ransomware attack, while the emergence of double-extortion ransomware attacks last year, where attackers steal data and threaten to release it while also encrypting machines in ransomware attacks, led to one of the biggest shifts we saw in the ransomware landscape in recent times.

The surge in LockBit activity that we have seen also shows that while some big ransomware names have shut down their operations in recent times, there are many other ransomware operators waiting to fill the space that has been left.

Ransomware actors continue to change and refine their tactics in an effort to evade the security steps taken by organizations to stop these types of attacks, which is why ransomware remains one of the biggest threats on the cyber crime landscape in 2021.   

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise (IoCs)