Details about the tactics, techniques, and procedures (TTPs) used by a ransomware affiliate group known as Lockean have been released by the French Computer Emergency Response Team (CERT). According to the French CERT, the group is responsible for at least eight attacks in the past year and a half that targeted French companies, stealing data and deploying malware from ransomware-as-a-service (RaaS) operations. The group was seen deploying several ransomware families, including Maze, Egregor, ProLock, and REvil. According to researchers, in most of the attacks the group gained initial access using the Qbot/QakBot banking trojan. Qbot was spread through emails sent by the Emotet botnet (which has since been taken down) and by other malware distribution platforms.
It is not uncommon for some groups to use multiple RaaS platforms to infect companies. In most cases, groups that use RaaS keep a portion of the profit for themselves and give the rest to the RaaS operator. In other cases, threat actors can buy access to use the ransomware. Generally, threat actors that use RaaS are not as technically advanced as the group that develops the malware, but with the use of open-source tools, they can be just as dangerous. Companies should use monitoring to help protect themselves from ransomware attacks. Binary Defense’s Managed Detection and Response is a great asset to better protect organizations from ransomware attacks. Companies should also use email filtering as a first step in stopping malicious emails from entering their organization.