“Velociraptor played a major role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware,” Talos researchers added. “The addition of this tool to the ransomware playbook is consistent with findings from Talos’ ‘2024 Year in Review,’ which highlights that threat actors are using an increasing number of commercial and open-source products.”
Attribution and the ransomware cocktail
Talos links the campaign to Storm-2603, a suspected China-based threat actor, citing matching TTPs such as the use of ‘cmd.exe’, disabling Defender protections, creating scheduled tasks, and manipulating Group Policy Objects. The use of multiple ransomware strains in a single operation – Warlock, LockBit, and Babuk – also bolstered confidence in this attribution.
“Talos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension ‘xlockxlock’,” the researchers added. “There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with ‘.babyk’.”
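The two file extensions quoted above are the most concrete indicators on this page, and a responder's first question after a multi-strain event is usually "which hosts were hit, by what, and how completely". The script below is an added example written for this article; it is not Talos' code and not part of the original report. It assumes the extensions are appended to the original file name (so `report.xlsx` becomes `report.xlsx.xlockxlock`), and it runs over a small constructed file inventory rather than real incident data. It maps each extension to the strain Talos associated with it, then reports per host which strains are present and what fraction of the inventoried files were encrypted, flagging partial encryption like the ESXi case described above.

```python
"""Triage a post-incident file inventory for the ransomware extensions Talos reported.

Added example for this article, not code from Talos. The inventory below is
constructed for illustration; replace it with a real listing (e.g. output of a
Velociraptor file-finder hunt) to use it in practice.
"""
from collections import defaultdict

# Extension -> strain, taken from the Talos observations quoted in the article.
# Note the caveat in the text: EDR flagged the Windows binaries as LockBit while
# the files carried the Warlock extension, so the extension tells you what was
# written to disk, not necessarily which encryptor family the EDR will name.
EXTENSION_TO_STRAIN = {
    ".xlockxlock": "Warlock",
    ".babyk": "Babuk",
}

# Constructed sample inventory of (host, path) pairs; not real incident data.
SAMPLE_INVENTORY = [
    ("WIN-FS01", r"C:\Shares\Finance\Q3.xlsx.xlockxlock"),
    ("WIN-FS01", r"C:\Shares\Finance\Q4.xlsx.xlockxlock"),
    ("WIN-FS01", r"C:\Windows\System32\kernel32.dll"),
    ("ESXI-01", "/vmfs/volumes/ds1/vm1/vm1-flat.vmdk.babyk"),
    ("ESXI-01", "/vmfs/volumes/ds1/vm2/vm2-flat.vmdk"),
    ("ESXI-01", "/vmfs/volumes/ds1/vm3/vm3-flat.vmdk"),
    ("WIN-DC01", r"C:\Users\admin\readme.txt"),
]


def classify_path(path):
    """Return the strain name whose extension the path ends with, or None.

    Matching is case-insensitive because Windows file systems are, and a
    hypothetical sample could carry the extension in any case.
    """
    lower = path.lower()
    for ext, strain in EXTENSION_TO_STRAIN.items():
        if lower.endswith(ext):
            return strain
    return None


def triage(inventory):
    """Summarise an inventory of (host, path) pairs per host.

    For each host the result holds the sorted list of strains seen, the ratio
    of encrypted files to inventoried files (rounded to two decimals), and a
    'partial' flag that is True when some but not all files were encrypted,
    which is the situation the article describes for the ESXi Babuk binary.
    """
    per_host = defaultdict(lambda: {"total": 0, "encrypted": 0, "strains": set()})
    for host, path in inventory:
        rec = per_host[host]
        rec["total"] += 1
        strain = classify_path(path)
        if strain is not None:
            rec["encrypted"] += 1
            rec["strains"].add(strain)

    report = {}
    for host, rec in per_host.items():
        ratio = rec["encrypted"] / rec["total"] if rec["total"] else 0.0
        report[host] = {
            "strains": sorted(rec["strains"]),
            "encrypted_ratio": round(ratio, 2),
            "partial": 0.0 < ratio < 1.0,
        }
    return report


if __name__ == "__main__":
    for host, summary in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, summary)
```

The per-host ratio is only as good as the inventory you feed in, so scope the listing to the data volumes that matter (file shares, VMFS datastores) rather than whole system drives, or the denominator will be dominated by untouched OS files. A host with a non-zero but sub-one ratio is a candidate for recovering the unencrypted remainder before any restore is attempted.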