A former Googler knocks the company for going ‘too big too soon’ with AI


“We are teaching machines how to think.” That’s a quote from Joe Toscano, a former Google consultant, in a recent video posted on Fox Business. In it, Toscano talked about how Google went “too big too soon” with AI, a sentiment that we all share.

Now, Google is dealing with a bit of a mess with its AI products, and it’s been that way ever since the launch of Bard. While Gemini and other Google AI products are useful and functional, there is a deeper issue.

A former Google consultant says that the company went “too big too soon” with AI

In the two-and-a-half-minute-long video, Toscano stated that a lot of the historical inaccuracies produced by chatbots are a product of Google and other companies simply feeding the models information without explaining what is correct and what is not. That is one reason why they are liable to give you inaccurate details. It’s “likely that [Google] fed it a bunch of data and, in the modern machine learning environment we’re in, they expect that the machine will learn on their own and that the outcome will be, more or less, bulletproof.”

Toscano also explained why Google is struggling with Gemini: the company is playing corporate catch-up. Google Bard was not launched as a product; it was launched as a response. When ChatGPT launched, it threatened Google immensely, so the company had to rush something to market in order to keep investors happy.

Google, like other companies, is trying to build a be-all-end-all artificially intelligent system that is as smart as a human being. However, the circumstances just aren’t conducive to that in Google’s case. Google is a major profit-driven corporation that needs to justify every cent it spends on AI development. So, aside from developing AI, the company also has to worry about profits and investors, which means keeping up with the times and launching new AI products to compete with companies such as OpenAI, xAI, Anthropic, etc.

Corporate catch-up

Because of this, Google has had to rush products onto the market without proper testing. The most recent example is Gemini’s image generator producing people with historically inaccurate skin tones, ethnicities, and genders. Another example is how half-assed Gemini is as an assistant.

It seems that all of Google’s AI products are just being thrown onto the market, and this creates a bad track record. In the video, Toscano states that this is what happens when companies play corporate catch-up. Companies don’t properly test their products because their profits and stock prices are at stake. They put it on the market and hope that it sticks.

If ChatGPT did not launch when it did, and Google had the time to properly flesh out its AI products, then things would be different. However, it has to compete with ever-evolving competition. For example, OpenAI is testing Sora. Well, we can bet that Google is also testing its own video creator. However, since it’s already behind the times, we can bet that it won’t be as polished.

This is why Apple’s AI might be better

News and rumors are already ramping up about Apple’s upcoming AI product. While Apple is new to the game in terms of AI, we can comfortably assume that, when Apple does release it, it’ll be much more refined and better integrated than Google’s ecosystem of AI products.

The thing about Apple is that the company doesn’t typically launch products until they pretty much work perfectly. Apple may be able to integrate its AI flawlessly with iOS, iPadOS, and macOS. We can trust that it’s going to take the proper time to refine the experience because it’s not at risk of losing ad revenue like Google is, and the vast majority of its income comes from hardware. So, there’s not much reason to rush this product to the market.



New Vcurms Malware Targets Popular Browsers for Data Theft


Cybersecurity researchers at Fortinet’s FortiGuard Labs have discovered a new threat called Vcurms, malware that targets popular browsers and apps for login and data theft. They urge security updates and caution with emails.

Fortinet’s FortiGuard Labs recently uncovered a new cybersecurity threat: malware dubbed “Vcurms.” The attackers behind Vcurms have employed sophisticated tactics, using email as their command and control channel and leveraging public services such as AWS and GitHub to store the malicious software. Additionally, they have employed a commercial protector to evade detection, indicating a concerted effort to maximize the malware’s impact.

Targeting Java Platforms

This campaign primarily targets platforms with Java installed, posing a risk to any organization utilizing such systems. The severity of the threat should not be understated, as successful infiltration grants attackers full control over compromised systems.

Tactics and Techniques: Spreading Vcurms

The modus operandi of the attackers involves luring users to download a malicious Java downloader, which serves as a vector for spreading Vcurms and STRRAT, a trojan previously found posing as a fake ransomware infection to steal data. These malicious emails typically masquerade as legitimate requests, urging recipients to verify payment information and download harmful files hosted on AWS.


Phishing Traits

Once downloaded, the malware exhibits classic phishing traits, employing spoofed names and obfuscated strings to disguise its nefarious nature. Notably, it utilizes a class named “DownloadAndExecuteJarFiles.class” to facilitate the downloading and execution of additional JAR files, further expanding the attacker’s foothold.

The Remote Access Trojan (RAT) component of Vcurms communicates with its command and control center via email, demonstrating a concerning level of sophistication. It establishes persistence by replicating itself into the Startup folder and employs various techniques to identify and monitor victims, including keylogging and password recovery functionalities.

Furthermore, the malware employs advanced obfuscation techniques, such as the Branchlock obfuscator, to evade detection and analysis. Despite these challenges, cybersecurity researchers continue to develop methods for deobfuscating and understanding the inner workings of Vcurms.

Vcurms also exhibits notable similarities with the Rude Stealer malware but distinguishes itself through its unique transmission methods and targeted data acquisition. It prioritizes stealing sensitive information from popular browsers like Chrome, Brave, Edge, Vivaldi, Opera, OperaGX, Firefox, etc., and from applications including Discord and Steam.


In response to this threat, FortiGuard Labs, in their blog post, recommend proactive measures, including the deployment of updated security solutions and network segmentation. Additionally, maintaining sound password practices and exercising caution when handling email attachments are crucial steps in mitigating the risk of Vcurms infection.

Commenting on this, Jason Soroko, Senior Vice President of Product at Sectigo, emphasizes the importance of authentication methods in combating malware attacks.

“Malware writers are benefiting from the cloud and that shouldn’t surprise anyone. RAT malware typically harvests whatever it can, and the new VCURMS and STRRAT remote access trojans seem to have one or more keyloggers,” Jason warned. “This technique has been around for quite some time and is yet another example of why stronger authentication methods than simply a username and password are necessary.”



Apple will allow web distribution of apps in the EU, with a catch


Apple today introduced the Web Distribution of iOS apps, set to become available with a software update later this spring. It will enable authorized developers to distribute their iOS apps directly to EU users from their own websites. This move is significant as it allows developers to bypass the traditional route of distributing apps through the App Store or other third-party stores. An advantage of this is the possibility of avoiding the fees that some third-party app stores require. However, it comes with tight restrictions and requirements set by Apple. The company says these are implemented to ensure user safety and privacy.

Apple will still have significant control over the app distribution

“Apple will provide access to APIs that facilitate the distribution of developers’ apps from the web, integrate with system functionality, back up and restore users’ apps, and more,” notes the company. Additionally, developers must ensure that apps offered through Web Distribution meet Notarization requirements to protect platform integrity. Apple will only allow developers to use a domain registered in App Store Connect to host their app.

Users will also need to approve the developer to install apps in their iPhone settings before installing an app. Then a system sheet will display information provided by developers to Apple for review, such as app name, developer name, description, screenshots, and age rating.

To be eligible for Web Distribution, developers must be enrolled in the Apple Developer Program as an organization incorporated, domiciled, or registered in the EU. Additionally, developers must be members of “good standing” in the Apple Developer Program for two continuous years or more and have an app with more than one million first annual installs on iOS in the EU in the prior calendar year. Developers must agree to various commitments, including being responsive to communications from Apple, publishing transparent data collection policies, and following applicable laws.

Web Distribution of apps will also include Apple’s “Core Technology Fee”

There are also financial considerations for developers using Web Distribution. Apple will charge a Core Technology Fee (CTF) for apps distributed through Web Distribution, the same as for third-party marketplaces in the EU. Membership in the Apple Developer Program includes one million first annual installs per year for free, and developers will pay a CTF of €0.50 for each first annual install over one million in the past 12 months. Additionally, developers are responsible for collecting, reporting, and remitting any required taxes for transactions that occur using Web Distribution.

Nonetheless, for developers willing to host their apps directly and comply with Apple’s requirements, Web Distribution provides an alternative pathway to reach iPhone users in the EU starting this spring.



Meta Ray-Bans will now describe the landmarks you see


Meta’s sunglasses, made by Ray-Ban, have now integrated AI-powered vision to identify surrounding landmarks and provide information about them. The option was unveiled recently as a highlight feature of the latest beta version. Meta CTO Andrew Bosworth made the update official in a Threads post, suggesting its potential use as a tour guide for travelers.

Meta Ray-Bans get smart and now ID Landmarks in front of your eyes

The new feature can recognize landmarks from various places through AI systems. Bosworth demonstrated this with sample images that the AI correctly identified as the Golden Gate Bridge and the Painted Ladies of San Francisco. Descriptions displayed as text below the pictures help users learn more about the landmarks.

He also showcased these features in other videos taken in Montana, where the glasses explain via audio what different landmarks are, such as Big Sky Mountain or Roosevelt Arch. Not only do they give you the latest weather updates, but they also explain weather phenomena like snow formation with an easy-to-understand guide.

At the Connect event last year, Meta previewed this feature as part of its “multimodal” portfolio, allowing users to interact with their environment through real-time information. Engadget affirms the new landmark ID is an extension of the previous feature that now allows Meta’s smart glasses to access real-time info.

Environment awareness on Meta Ray-Bans is mostly similar to Google Lens

Meta’s landmark identification is an additional functionality on top of its present Google Lens-esque tool that allows users to search and ask questions about what they see in their environment. PhoneArena suggests that the Lens-like capability is free for users during the beta phase, but it is exclusive to members of the early access program.

Meta sunglasses have undergone yet another transformation with the addition of a landmark identification feature, making them even better tools for experiencing augmented reality through glasses. Enhanced capabilities for travel and exploration make them a versatile tool.



FakeBat delivered via several active malvertising campaigns


February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection.

One malware family we have been tracking on this blog is FakeBat. It is unique in that the threat actor uses MSI installers packaged with heavily obfuscated PowerShell code. For weeks, the malvertiser helping to distribute this malware was abusing the same URL shortener services, which may have made the attack somewhat predictable. We saw them experimenting with new redirectors and, in particular, leveraging legitimate websites to bypass security checks.

Another interesting aspect is the diversity of the latest campaigns. For a while, we saw the same software brands (Parsec, Freecad) being impersonated over and over again. With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.

All the incidents described in this blog have been reported to Google.

New redirection chain

During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs. As observed in other malvertising campaigns, they were abusing URL/analytics shorteners which are ideal for cloaking. That practice enables a threat actor to use a ‘good’ or ‘bad’ destination URL based on their own defined parameters (time of day, IP address, user-agent, etc.).

The other type of redirect used subdomains of expired .com domains that had been reassigned for malicious purposes. This is a common trick to give the illusion of credibility. However, in the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised.

It’s worth noting that the few examples we found were all Argentinian-based (.ar TLD):

Victims click on the ad which sends a request to those hacked sites. Because the request contains the Google referer, the threat actor is able to serve a conditional redirect to their own malicious site:

The full infection chain can be summarized in the web traffic image seen below:

Several active brand impersonations

There are currently several campaigns running including OneNote, Epic Games, Ginger and even the Braavos smart wallet application.

Each downloaded file is an MSIX installer signed with a valid digital certificate (Consoneai Ltd).

Once extracted, each installer contains more or less the same files with a particular PowerShell script:

When the installer is run, this PowerShell script executes and connects to the attacker’s command and control server. Victims of interest will be cataloged for further use.
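The redirection chain above (Google referer, conditional redirect from a compromised site, decoy site, MSIX download from a third domain) is the kind of pattern that can be spotted in web-proxy logs. The following is an added detection example, not code from the original post or from Malwarebytes; the log format, every hostname and the crude registrable-domain helper are constructed assumptions for illustration.

```python
"""Flag a FakeBat-style malvertising chain in web-proxy logs.

Constructed example: the log layout and all hostnames below are invented.
The pattern looked for is the one the post describes: an ad click carrying a
Google referer, a compromised site answering with a redirect to another domain,
and that decoy domain handing out an .msix installer hosted on a third domain.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: time client method url status referer location
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET https://example-hacked.com.ar/promo 302 https://www.google.com/ https://example-decoy.cc/
10:00:02 10.0.0.5 GET https://example-decoy.cc/ 200 https://example-hacked.com.ar/promo -
10:00:09 10.0.0.5 GET https://example-cdn.com/Example-Setup.msix 200 https://example-decoy.cc/ -
10:01:00 10.0.0.7 GET https://example-hacked.com.ar/promo 200 - -
10:02:00 10.0.0.9 GET https://legit-site.org/login 302 https://www.google.com/ https://legit-site.org/home
"""

LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+) (?P<location>\S+)$"
)


def registrable_domain(url):
    """Rough eTLD+1 for the demo: last two labels, or three when the second-level
    label is a short suffix such as 'com.ar'. Assumption: adequate here; real
    code should consult a public-suffix list."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-2]) <= 3 and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_log(text):
    """Turn the constructed log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def is_google_referer(referer):
    host = urlparse(referer).hostname or ""
    return host == "google.com" or host.endswith(".google.com")


def conditional_redirects(events):
    """Hop 1: a request with a Google referer answered by a 3xx whose Location is
    on a different registrable domain. A compromised site that only redirects
    visitors arriving from a Google ad shows up exactly like this. A same-domain
    redirect (login -> home) is normal and is not flagged."""
    hits = []
    for ev in events:
        if not (300 <= ev["status"] < 400) or ev["location"] == "-":
            continue
        if not is_google_referer(ev["referer"]):
            continue
        if registrable_domain(ev["url"]) != registrable_domain(ev["location"]):
            hits.append(ev)
    return hits


def reconstruct_chains(events):
    """Follow each flagged redirect per client: if the same client later fetches
    an .msix file while referred by the decoy domain, the chain is complete and
    the severity is raised from medium to high."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)
    chains = []
    for hop1 in conditional_redirects(events):
        decoy = registrable_domain(hop1["location"])
        chain = {"client": hop1["client"],
                 "hacked_site": registrable_domain(hop1["url"]),
                 "decoy_site": decoy, "msix_download": None, "severity": "medium"}
        for ev in by_client[hop1["client"]]:
            if ev["time"] <= hop1["time"]:  # HH:MM:SS strings compare in order
                continue
            path = urlparse(ev["url"]).path.lower()
            if path.endswith(".msix") and registrable_domain(ev["referer"]) == decoy:
                chain["msix_download"] = ev["url"]
                chain["severity"] = "high"
                break
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in reconstruct_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```

On the constructed log the script reports one chain for client 10.0.0.5 at high severity and leaves the ordinary same-domain redirect alone.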

Conclusion

FakeBat continues to be a threat to businesses via malicious ads for popular software downloads. The malware distributors are able to bypass Google’s security checks and redirect victims to deceiving websites.

It is as important to defend against the supporting infrastructure as against the malware payloads. However, that is not always easy since legitimate websites may be used to defeat domain blocklists. As always, blocking ads at the source via system policies such as ThreatDown DNS Filter remains one of the most effective ways to stop malvertising attacks in their tracks.

Indicators of Compromise

Hacked sites

cecar[.]com[.]ar
estiloplus[.]tur[.]ar



Google announced native PC games during Google for Gaming Summit


Over the years, companies have been working on bridging the gap between mobile gaming and PC gaming. For instance, Microsoft announced integration with the Amazon Android App Store in Windows 11. However, that is going away. Well, during Google’s annual Google for Games Developer Summit, the company announced native PC games.

Right now, we are going to hear about more interesting changes coming to Android and other Google services because the company is hosting its annual Developer Summit. During this event, Google announced its plans for the future of Android gaming.

Google announced native PC games

This seems like a bit of an odd announcement, seeing as you can already access Android games via Google Play Games on Windows. Back in 2022, Google started testing this. So, if you download the launcher, you will be able to play certain Android games natively on your Windows computer. However, it appears Google wants to push this even further.

The company announced during the Google for Games Developer Summit that it will be launching several native PC games. So, rather than depending on a launcher, these games will be downloaded directly to your computer. As for the games that will be available for this change, Google mentioned Lineage2M, Genshin Impact, Odin: Rising, and Dragonair: Silent Gods.

It appears that the company is testing the waters with a limited number of games rather than launching the entire initiative. So, we are just going to have to see how the player base responds to this. In any case, if you are curious about trying Google Play for PC, you can go to the official website.

You will have to make sure that you are signed in to your Google account on the computer you want to install the games on. This acts as a launcher, so you will need the application to run the games. It is free to download and free to use. Also, these games have mouse and keyboard support along with controller support, so it will feel just as though you’re playing games meant for PC.



OpenAI continues to strike back against Elon Musk in lawsuit


Right now, OpenAI is tangled in a lawsuit from billionaire Elon Musk. While Musk has made some statements against the company regarding how it operates, OpenAI has released its own statements. Now, in a new response, OpenAI claims that Musk’s statements are convoluted and “often incoherent.”

In case you have been following, Elon Musk issued a lawsuit against OpenAI, claiming that the company does not live up to its promise of providing AI technology for everyone. Rather, it has become a de facto subsidiary of Microsoft, one of the biggest companies in the world. So, Elon Musk feels that OpenAI has basically become a closed-off for-profit company rather than an open and nonprofit company dedicated to AI research.

Soon after Musk filed the lawsuit, OpenAI reacted by releasing emails sent from Elon Musk to the company back in the early days. The emails basically point to Elon Musk originally wanting OpenAI to do exactly what he’s suing it for. According to the emails, he wanted OpenAI to be a subsidiary of Tesla, another major corporation. Also, he agreed that OpenAI should not be open source.

However, Elon Musk did not respond to these claims. Rather, he struck back at OpenAI by announcing that the model powering Grok will be moved to open source soon.

OpenAI says that Elon Musk’s claims are “incoherent”

According to a new report, OpenAI just responded again to Elon Musk’s lawsuit, claiming that his claims are based on “convoluted – often incoherent – factual premises.” In all honesty, this lawsuit came out of left field. It’s obvious that ChatGPT is much more seasoned and a much larger chatbot than Grok. It seems odd that Elon Musk would attack the company out of nowhere. There are other companies with their models’ source code behind closed doors as well. So it’s strange that Elon Musk has chosen OpenAI to target.

In a statement, OpenAI said that “Musk purports to bring this suit for humanity, when the truth — evident even from the face of Musk’s contradictory pleading — is that he brings it to advance his own commercial interests.” With regards to the emails, the company also said that Elon Musk wants to “…lay unearned claim to the fruits of an enterprise he initially supported, then abandoned, then watched succeed without him.”

At this point, this case is still heating up, so we’re not quite sure what the outcome will be. One thing we do know is that, if Elon Musk does win, OpenAI needs to detach itself from Microsoft and make ChatGPT’s source code open source.



Galaxy S23’s March 2024 update goes global, more join the party


Samsung’s Galaxy S23 phones are receiving the March 2024 update globally. The rollout began in the US a few days back and has now reached international markets. The latest security patch is also available for a budget handset, the Galaxy A52 (4G).

March update globally rolling out for the Galaxy S23 series

Last week, Samsung started updating the Galaxy S23 series to the March 2024 security patch. The devices first received the update in the US, albeit in limited capacity. A full-fledged rollout began recently. Almost coinciding with that, the company has released the new SMR (Security Maintenance Release) for the 2023 flagships globally. It is available in Europe, Asia, Australia, and Africa.

The March update for the international versions of the Galaxy S23, Galaxy S23+, and Galaxy S23 Ultra bears the firmware build number S91*BXXS3BXBD. It is the same build (BXBD) that Samsung pushed in the US. The update only brings this month’s security fixes and nothing more. This isn’t surprising as the phones are expected to soon receive One UI 6.1 with new features from the Galaxy S24 series.

As far as security fixes are concerned, Samsung’s March 2024 SMR for Android-powered Galaxy smartphones and tablets contains patches for 46 vulnerabilities. This is a combined total of vulnerabilities found across the Galaxy family. 37 of these are Android OS issues, detected and patched by Google. The remaining nine vulnerabilities are exclusive to Galaxy devices and patched by Samsung.

These security fixes are also available for Samsung’s Galaxy A14 5G in some regions. X user @Urban_el_soul_2 confirmed the rollout in India where the device is getting the March update with the build number A146BXXS3CXC2. The OTA (over-the-air) package weighs about 210MB. Like the Galaxy S23 series, this budget device also isn’t picking up anything more than the latest security fixes.

More devices will get this update in the coming days

Samsung makes the highest number of smartphones every year and offers the best update support in the Android space. It often beats all other Android OEMs in releasing the latest security patches. The company released the March 2024 SMR on the first day of the month. The Galaxy S24 series picked up the update. Since then, it has expanded the rollout to many other models, including recent foldables.

The Korean firm will continue to push this month’s security patch to eligible devices in the coming days. The likes of the Galaxy S22, Galaxy Z Fold 5, Galaxy Z Flip 5, Galaxy Z Fold 4, and Galaxy Z Flip 4 have only received the update in the US. A global rollout should follow soon. As always, we at Android Headlines will keep you on top of all these updates, so stay tuned.



Microsoft will end support for Windows 10 Enterprise soon


Are you a Windows 10 user? If so, you may have heard that Windows 10 Enterprise (version 21H2) will reach the end of updates on June 11, 2024. This means that after this date, Microsoft will no longer provide any security updates, bug fixes, or other updates for this particular version of Windows 10.

This news may bring up some questions and concerns for users who rely on this operating system. In this article, we will discuss what this means for users and what steps you can take to ensure the security and smooth functioning of your system.

What does “end of updates” mean?

When a software version reaches the end of updates, it signifies that the developers will no longer be releasing any new updates or patches for that particular version. This is typically done to encourage users to upgrade to a newer version of the software, which will have the latest features, security updates, and bug fixes. In the case of Windows 10, version 21H2, users will no longer receive any updates from June 11, 2024, onwards.

What are the risks of using an outdated version of Windows 10?

Using an outdated version of Windows 10 can pose various risks to your system. Since security updates and bug fixes will no longer be provided, your system will be vulnerable to cyberattacks, malware, and other security threats. This can result in data breaches, system crashes, and other serious issues that can compromise the security and stability of your system. Therefore, it is crucial to take action before the end of updates to ensure the safety of your device.

Understanding the end of updates

First and foremost, let’s break down what the end of updates for Windows 10, version 21H2 means. When Microsoft ends updates for a specific version of Windows, it signifies the end of support and security updates for that version. This means that users will no longer receive new features, bug fixes, or security patches for their operating system.

What to expect after June 11, 2024

After the end of updates for Windows 10, version 21H2, your operating system will continue to function as normal. However, without regular updates and security patches, your system may become more vulnerable to cyber threats and malware. It is essential to be aware of this risk and take necessary precautions to protect your data and personal information.

Things to consider before the end of updates

As the end of updates approaches, there are several steps you can take to ensure a smooth transition. Here are some tips to help you prepare.

Upgrade to a newer version: Consider upgrading to a newer version of Windows, such as Windows 11, to continue receiving updates and support from Microsoft.

Back up your data: Before making any changes to your operating system, make sure to back up all your important files and data to prevent any loss during the transition.

Update your software: Make sure all your software and applications are up to date to reduce the risk of compatibility issues with newer versions of Windows.

Consider security software: Invest in reputable security software to enhance the protection of your system against potential cyber threats.

In conclusion, the end of updates for Windows 10, version 21H2 is approaching, and it is essential to be prepared for this change. By understanding what this means for you as a user and taking the necessary steps to protect your system, you can ensure a seamless transition to a newer version of Windows. Stay informed, back up your data, update your software, and consider security measures to safeguard your system after June 11, 2024. Windows 10 users should be proactive in addressing this update.

Remember, your cybersecurity is in your hands – take the necessary precautions to protect your system and data. Whether you choose to upgrade to Windows 11 or explore other options, being proactive is key to maintaining a secure and efficient operating system. Prepare yourself for the end of updates for Windows 10, version 21H2, and keep your system safe and secure in the ever-evolving digital landscape.



Ransomware review: January 2024


This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In February, there were 376 ransomware victims, marking an unusually active month for a historically subdued time period. February brought not just unprecedented numbers but unprecedented developments as well: law enforcement shut down LockBit, the largest ransomware gang, while ALPHV, the second-largest, appeared to fake its demise and abscond with its own affiliates’ funds.

Before we dive into the two biggest stories of the month, however, let’s start with a quick overview of other significant ransomware developments, including a new Coveware report revealing a record low of 29% of victims paying ransoms in the last quarter of 2023.

A few years ago, paying ransomware attackers was almost a given—85% of hit organizations in early 2019 felt they had no choice. But fast forward to 2024, and Coveware data suggests that that trend has completely reversed—not only have the number of victims paying dropped but so have the dollar amounts of actual ransom payments. In other words, we’re seeing fewer and smaller ransomware payouts than ever before. 

At first glance, the trend appears counterintuitive: with global ransomware attacks hitting record highs annually, one might expect a proportional increase in the number of victims choosing to pay a ransom. But as it turns out, all the attention on ransomware is effectively shooting attackers in the foot: the more these attacks make headlines, the more businesses understand ransomware as a prime threat, leading to improved security measures that can allow victims to recover from an attack without paying a ransom. Also discouraging payments are increasing doubts about cybercriminals’ reliability and stricter anti-ransom laws.

But all of this begs the question: with fewer payments, will ransomware gangs adapt their strategies to remain a threat, or will the decrease in successful ransoms lead to a decline in attacks as they seek more lucrative avenues? Will ransomware attacks always remain profitable, albeit less so over time? The report raises just about as many questions as it answers. 

Our prediction? Ransomware gangs aren’t backing down any time soon; in fact, they’ll likely continue getting more inventive in pressuring companies to pay up. Our coverage on “big game ransomware” showed ransomware gangs aren’t just hiking up demands when companies resist paying, they’re also turning to more aggressive tactics. “Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics gangs can make use of” to force reluctant businesses to pay, writes former Malwarebytes Labs author Christopher Boyd.

In other words, despite fewer companies paying up, we foresee ransomware attackers compensating with higher ransom demands and more sophisticated, aggressive negotiation tactics.

Known ransomware attacks by gang, February 2024
Known ransomware attacks by country, February 2024
Known ransomware attacks by industry sector, February 2024

In other February news, new reports highlighted ALPHV’s surge of targeted attacks against the healthcare sector. Coincidentally, a day after these reports were published, there was news of ALPHV’s severe attack on Change Healthcare, one of the largest healthcare technology companies in the US.

The report indicated that since mid-December 2023, the healthcare sector has been ALPHV's most frequent target, accounting for the largest share of nearly 70 victims posted to its leak site. This appears to be a direct response to the ALPHV/BlackCat administrator's call for affiliates to target hospitals after law enforcement moved against the group and its infrastructure in early December 2023.

The Roman historian Tacitus once said, "Crime, once exposed, has no refuge but in audacity." The exposure of ALPHV's crimes has seemingly emboldened the gang further, pushing it to undertake even more brazen acts of revenge against the very institutions aiming to curb its activities. At the end of the day, ALPHV's actions are unsurprisingly petty and pointless, and they endanger human lives, but they at least hint at a group making its last desperate grasps for relevance.

On the vulnerability front, ransomware gangs including Black Basta, Bl00dy, and LockBit were seen exploiting vulnerabilities in ConnectWise ScreenConnect last month that gave attackers control of exposed servers. It seems that almost every other month our ransomware reviews uncover a new vulnerability being exploited with great success, whether it was MOVEit in the summer of 2023 or Citrix Bleed at the end of 2023. The ScreenConnect vulnerabilities are part of the broader trend we've noticed of ransomware gangs finding ever-new points of entry, and doing so more quickly and more widely than in previous years. The practical lesson is the same each time: internet-facing remote access and file transfer software needs to be inventoried, patched within days of a vendor advisory, and monitored for post-exploitation activity rather than treated as trusted infrastructure.

LockBit down, ALPHV out

February 2024 is likely to be remembered for years as the month when two of the most dangerous ransomware gangs in the world suffered some serious turbulence.

LockBit has been the preeminent ransomware menace since the demise of Conti in spring 2022, but for the first time there are serious reasons to doubt its status and longevity. On February 19, the ransomware gang’s dark web site announced “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

What followed was something quite unique in the annals of ransomware takedowns. Alongside the usual dry press releases, the law enforcement agencies responsible used the site they had seized to showcase the details of what they had done.

The LockBit dark web site was subverted by law enforcement

It was an act of exquisite trolling that looked designed to damage the LockBit brand by humiliating it in the eyes of its peers and affiliates.

There was substance to the disruption too—some arrests, “a vast amount of intelligence” gathered, infrastructure seized, cryptocurrency accounts frozen, decryption keys captured, and the revelation that LockBit administrator LockBitSupp “has engaged with law enforcement.”

LockBit quickly established a new site and insisted everything was fine in exactly the way that people do when things aren't fine, by releasing a stream-of-consciousness 3,000-word essay that explained precisely how fine things were, thanks. It remains to be seen whether LockBit's rebound will last. When ransomware gangs start to feel the hot breath of law enforcement on their necks, a rebrand normally follows.

LockBit's main rival, ALPHV, used February to demonstrate an alternative ending. It decided to leave the ransomware world behind by ripping off its own customers (who are really just its affiliates in crime) in a sloppily executed exit scam. ALPHV had suffered its own brush with law enforcement in December and, like LockBit, had appeared to recover.

Perhaps it was spooked by its brush with the feds, or perhaps the $22 million ransom an affiliate extracted from its devastating attack on Change Healthcare was just too hard to resist. Whatever the reason, ALPHV cut and ran, taking the cash and leaving its criminal affiliates high and dry. A half-hearted attempt to pin the blame for its disappearance on the FBI fooled no one.

The ALPHV gang faked a law enforcement seizure of its website

Preventing Ransomware

Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great, but it's not enough.

Ransomware attackers go for the easiest entry point first. A typical progression is: phishing emails to steal credentials or drop malware; if that fails, brute-forcing RDP ports exposed to the internet; and if those are locked down, exploiting unpatched vulnerabilities in internet-facing software such as the ScreenConnect flaws mentioned above. Multi-layered security is about making each of those steps progressively harder and detecting the attackers who do get through.

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses that reduce the likelihood of a breach.

The key point, though, is to assume that a motivated gang will eventually breach those defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing intruders before encryption and data theft occur, and the signals that matter (repeated failed logons followed by a success, new remote access tools, unusual credential use) are generated long before the ransom note. And if a breach does happen, ransomware rollback tools can undo the changes.
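One of the "detect those who do get through" signals called out above, RDP brute-forcing that ends in a successful logon, is simple enough to illustrate end to end. The following is an added example, not ThreatDown or Malwarebytes code: it runs a small detector over a constructed set of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). The line format, field order, threshold and window are assumptions chosen for the example.

```python
"""Flag a source IP that fails RDP logons repeatedly and then succeeds.

Added example, not code from the original article or from ThreatDown.
Events are simplified to "timestamp event_id logon_type source_ip user";
the format, the 5-failure threshold and the 10-minute window are
assumptions for illustration, not a product rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5          # failures within WINDOW that make a later success suspicious
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = 10         # RemoteInteractive
EVENT_FAILED = 4625
EVENT_SUCCESS = 4624

# Constructed sample events (not real log data). Deliberately unsorted.
SAMPLE_EVENTS = [
    "2024-02-19T03:10:00 4625 10 203.0.113.7 administrator",
    "2024-02-19T03:10:05 4625 10 203.0.113.7 admin",
    "2024-02-19T03:10:09 4625 10 203.0.113.7 backup",
    "2024-02-19T03:10:14 4625 10 203.0.113.7 sysadmin",
    "2024-02-19T03:10:20 4625 10 203.0.113.7 svc_rdp",
    "2024-02-19T03:10:27 4625 10 203.0.113.7 backup",
    "2024-02-19T03:11:02 4624 10 203.0.113.7 backup",     # success after 6 failures: flag
    "2024-02-19T03:12:00 4625 10 198.51.100.9 jsmith",
    "2024-02-19T03:12:30 4624 10 198.51.100.9 jsmith",    # one typo then success: benign
    "2024-02-19T02:00:00 4625 10 192.0.2.44 administrator",
    "2024-02-19T02:00:03 4625 10 192.0.2.44 administrator",
    "2024-02-19T02:00:06 4625 10 192.0.2.44 administrator",
    "2024-02-19T02:00:09 4625 10 192.0.2.44 administrator",
    "2024-02-19T02:00:12 4625 10 192.0.2.44 administrator",  # 5 failures, never succeeds
    "2024-02-19T03:13:00 4625 2 203.0.113.7 administrator",  # console logon type: ignored
]


def parse_event(line):
    """Split one sample line into a dict with typed fields."""
    ts, event_id, logon_type, src_ip, user = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "id": int(event_id),
        "type": int(logon_type),
        "ip": src_ip,
        "user": user,
    }


def detect_rdp_bruteforce(lines, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one finding per RDP success preceded by >= fail_threshold
    failures from the same source IP inside `window`."""
    failures = defaultdict(list)   # src_ip -> timestamps of recent RDP failures
    findings = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        if ev["type"] != RDP_LOGON_TYPE:
            continue                                   # only remote-interactive logons
        # Drop failures that have aged out of the window before counting.
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if ev["id"] == EVENT_FAILED:
            recent.append(ev["ts"])
            failures[ev["ip"]] = recent
        elif ev["id"] == EVENT_SUCCESS:
            if len(recent) >= fail_threshold:
                findings.append({
                    "ip": ev["ip"],
                    "user": ev["user"],
                    "failures": len(recent),
                    "ts": ev["ts"].isoformat(),
                })
            failures[ev["ip"]] = []                    # a success resets the counter
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP brute-force then success: {f['ip']} as {f['user']} "
              f"after {f['failures']} failures at {f['ts']}")
```

On the constructed data only 203.0.113.7 is reported: 192.0.2.44 never succeeds (that is a brute-force attempt, but a different alert), the one-typo logon from 198.51.100.9 stays below the threshold, and the console logon is ignored because it is not RDP. In a real pipeline the same logic keys on the SubjectIpAddress/LogonType fields of the Security event log, and the threshold should be tuned per environment so that legitimate users with password-manager mistakes do not page the on-call analyst.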

How ThreatDown Addresses Ransomware

ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:


ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
