Ransomware Group Apparently Uses Leaked LockBit Builder Code to Mount Attacks
A ransomware group that uses locker malware based on the leaked LockBit 3.0 ransomware builder compromised New Zealand’s leading fitness equipment retailer.
The DragonForce ransomware group, first observed in November 2023, said on Tuesday on its leak site that it stole 5.31 gigabytes of data from Elite Fitness.
The Dunedin-based retailer acknowledged the ransomware attack and the subsequent data leak. “Elite Fitness detected unusual activity from an unauthorized third party on one of its systems on the night of Wednesday, 26th June,” a company spokesperson told Cyberdaily.au. “The information leaked unfortunately affects a small list of customers and some staff.”
The fitness equipment retailer did not respond to Information Security Media Group’s request for comment.
The hacking incident occurred not long after the ransomware group victimized Yakult Australia and allegedly stole 95GB of data from the company’s Australian and New Zealand IT systems. The group also claimed it stole more than 400GB of data from Coca-Cola Singapore.
DragonForce’s largest reported heist was a successful attack on Ohio Lottery in December 2023 when it stole more than 1.5 million employee and customer records amounting to 90GB of data. Ohio Lottery said the attack impacted approximately 538,000 individuals.
According to cybersecurity company Cyble, DragonForce's attacks use a ransomware binary based on LockBit Black, also tracked as LockBit 3.0. A LockBit affiliate leaked the LockBit Black builder code in September 2022 following a fallout with the group's owners, and several cybercrime groups have since used the builder to customize their own ransomware tooling and mount attacks (see: Free Ransomware: LockBit Knockoffs and Imposters Proliferate).
Cyble said in April that DragonForce’s locker malware shares “striking similarities” in code structures and functions with the leaked LockBit ransomware builder.
After infecting a system, the locker renames files to random strings and appends the .AoVOpni2N extension to each encrypted file. It also drops a ransom note named AoVOpni2N.README.txt in each directory it accesses.
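The two file-system artifacts above (the appended extension and the per-directory ransom note) are the kind of indicator an incident responder would sweep a share for during triage. The script below is an added example written for this article, not code from the article, Cyble or any vendor; it scans a directory tree for those two indicators and also flags directories that hold encrypted files but no note, which is worth a second look because the locker may have been interrupted or the note removed. The sample tree it builds is constructed test data, and the random-looking file names are invented to mimic the renaming behaviour described above.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the extension appended to encrypted
# files and the ransom note dropped into each directory the locker touches.
ENCRYPTED_EXT = ".AoVOpni2N"
RANSOM_NOTE = "AoVOpni2N.README.txt"


def scan_tree(root):
    """Walk `root` and collect DragonForce-style artifacts.

    Returns a dict with the encrypted files found, the directories that
    contain the ransom note, and the directories that hold encrypted files
    but no note (a gap that deserves manual review).
    """
    encrypted = []
    note_dirs = set()
    dirs_with_encrypted = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:          # exact, case-sensitive match
                note_dirs.add(dirpath)
            elif name.endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
                dirs_with_encrypted.add(dirpath)
    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "encrypted_without_note": sorted(dirs_with_encrypted - note_dirs),
    }


def build_sample_tree(root):
    """Constructed sample data, not from a real incident.

    'finance' looks fully processed (two encrypted files plus the note),
    'hr' has an encrypted file but no note, and 'public' is untouched.
    """
    root = Path(root)
    finance = root / "finance"
    finance.mkdir()
    (finance / "Q3Xy7pLm.AoVOpni2N").write_bytes(b"\x00" * 16)
    (finance / "aB9kZ2Qw.AoVOpni2N").write_bytes(b"\x00" * 16)
    (finance / RANSOM_NOTE).write_text("constructed placeholder note\n")
    hr = root / "hr"
    hr.mkdir()
    (hr / "zz91PqRs.AoVOpni2N").write_bytes(b"\x00" * 16)
    public = root / "public"
    public.mkdir()
    (public / "readme.txt").write_text("not encrypted\n")


def demo():
    """Run the scan over the constructed tree and summarise the counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_tree(tmp)
        return {
            "n_encrypted": len(result["encrypted_files"]),
            "n_note_dirs": len(result["note_dirs"]),
            "n_encrypted_without_note": len(result["encrypted_without_note"]),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted copy of a suspect share rather than the live system, and treat the extension and note name as indicators for this particular campaign only: operators who build from the leaked LockBit 3.0 builder can change both strings per victim, so a clean scan does not rule out a LockBit-derived locker.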
DragonForce shares its name with a Malaysian hacktivist group that calls itself DragonForce Malaysia. The pro-Palestinian group has frequently targeted Israeli organizations to voice its opposition to Israel's war on Hamas, and it targeted several Indian organizations in 2022 after a ruling party spokesperson made anti-Muslim remarks (see: India-Based Grab Denies Cyberattack Claim by Malaysia's DragonForce).
DragonForce Malaysia in 2023 announced plans to create a ransomware operation, but cybersecurity researchers say there is little evidence to attribute the ransomware attacks to the Malaysian group.
“The similar names should not, of course, be considered proof of a connection – and it’s always possible that the name of DragonForce has been chosen intentionally by the ransomware gang to lead investigators off the scent, or as a piece of mischief-making,” said cybersecurity company Tripwire.