LockBit ransomware now poaching BlackCat, NoEscape affiliates



The LockBit ransomware operation is now recruiting affiliates and developers from BlackCat/ALPHV and NoEscape after recent disruptions and exit scams.

Last week, the NoEscape and the BlackCat/ALPHV ransomware operation's Tor websites abruptly became inaccessible without warning.

Affiliates associated with NoEscape claimed that the ransomware operators pulled an exit scam, stealing millions of dollars in ransom payments and shutting off the operation's web panels and data leak sites.


NoEscape is believed to be a rebrand of the Avaddon ransomware operation, which shut down in June 201 and released their decryption keys to BleepingComputer. We hope that NoEscape will once again release the decryption keys for their victims now that they have shut down their operation.

The BlackCat/ALPHV ransomware operation also suffered a 5-day disruption last week, with all their infrastructure going offline, including their data leak and negotiation sites.

On Monday, the ALPHV data leak site returned, but with all data removed. While some negotiation URLs are working, many are not, effectively halting negotiations for those victims.

Empty BlackCat data leak site
Source: BleepingComputer

The ALPHV admin claimed that their outage was caused by hardware failure. However, BleepingComputer heard from multiple sources that a law enforcement operation was related to the outage.

The FBI declined to comment when we contacted them about the disruptions.

Are you an ALPHV or NoEscape affiliate or someone with information about the outages? If you want to share the information, you can contact us securely on Signal at +1 (646) 961-3731, via email at tips@bleepingcomputer.com, or by using our tips form.

LockBit recruits affiliates from distressed gangs

As first reported by LeMagIT, LockBitSupp, the LockBit operation's manager, has begun to recruit affiliates from the BlackCat and NoEscape ransomware operations.

In posts to a Russian-speaking hacking forum, LockBitSupp told affiliates that if they have backups of the stolen data, they could use his data leak site and negotiation panel to continue to extort victims.

In addition to affiliates, LockBitSupp is trying to recruit the coder for the ALPHV encryptor.

While it is unclear if any of the BlackCat/NoEscape affiliates have moved over to LockBit, one BlackCat victim has already been spotted on LockBit's data leak site.

"LockBit ransomware group has added German Energy Agency dena (http://dena.de) to their victim list, which was previously a victim of ALPHV ransomware group," reads a tweet from FalconFeeds.

BlackCat/ALPHV is a rebrand of the DarkSide and BlackMatter ransomware operations. After BlackMatter's shutdown in November 2021, its affiliates transitioned to LockBit.

BlackMatter affiliate transferring a victim to LockBit site
Source: BleepingComputer

With LockBit being the largest ransomware operation at this time, LockBitSupp told BleepingComputer that he viewed the BlackCat outages as a "Christmas Gift."

It is too soon to tell whether affiliates and penetration testers have lost trust in BlackCat or NoEscape and are moving to other operations. However, it would not be surprising if we soon see another rebrand.