Sophos X-Ops has uncovered a new ransomware threat group called “BlackDogs 2023” attempting to exploit the leaked source code from LockBit 3.0 for ransomware attacks. These copycat attackers targeted outdated and unsupported Adobe ColdFusion servers. This discovery underscores the importance of organizations prioritizing software patching and upgrading from unsupported versions.
23 October 2023 – Sophos X-Ops, a prominent cybersecurity research team, has been monitoring the activities of multiple threat groups seeking to exploit the leaked source code from LockBit 3.0 for launching ransomware attacks. During an investigation into a thwarted ransomware attack against a client, Sophos X-Ops uncovered a ransomware note from an unfamiliar group that goes by the name “BlackDogs 2023.”
The attackers aimed to exploit an outdated and unsupported version of Adobe’s ColdFusion server to gain access to the company’s Windows servers, subsequently deploying the ransomware. While the attack was effectively blocked by Sophos’ endpoint behavioral detections, Sophos X-Ops managed to intercept the ransom note, which demanded a ransom of 205 Monero, approximately equivalent to $30,000, in exchange for the recovery of the purportedly “stolen and encrypted” data.
This incident marks the second instance in recent weeks where Sophos X-Ops has identified a group attempting to replicate the tactics used by the LockBit ransomware operators, capitalizing on the leaked source code. In a prior instance, attackers leveraged a vulnerability in Progress Software’s WS_FTP Server software. Now, copycat threat actors are targeting outdated and unsupported Adobe ColdFusion servers. These findings raise concerns about the potential emergence of additional copycat groups in the future, underlining the critical importance for organizations to prioritize patching and upgrading their software from unsupported versions.
Sean Gallagher, Principal Threat Researcher at Sophos, commented on the situation, stating, “This is the second, recent incident of threat actors attempting to take advantage of leaked LockBit source code to spin new variants of ransomware that we’ve uncovered in recent weeks. The first instance involved attackers taking advantage of a vulnerability in Progress Software’s WS_FTP Server software. Now, there are copycats looking to take advantage of outdated and unsupported Adobe ColdFusion servers. It’s entirely possible that other copycats will emerge, which is why it’s essential for organizations to prioritize patching and upgrading from unsupported software whenever possible. However, it’s important to note that patching only closes the hole. With things like unprotected ColdFusion servers and WS_FTP, companies need to also check to make sure none of their servers are already compromised, otherwise, they’re still at risk of these attacks.”