Date: 2025-06-10
Ransomware, Threat Intelligence

LockBit 3.0 leveraged in novel DarkGaboon attacks against Russia

Multiple Russian companies across different industries have been compromised with LockBit 3.0 ransomware by newly identified hacking operation DarkGaboon during an attack campaign this spring, reports The Record, a news site by cybersecurity firm Recorded Future.

DarkGaboon has used malicious Russian-language emails with attachments spoofing financial documents to lure targets, most of whom are financial department employees, into downloading decoy files that facilitate network compromise and enable the subsequent distribution of LockBit 3.0 ransomware for file encryption, according to an analysis from Positive Technologies. No additional evidence of data theft was identified, but the group's ransom notes contained email addresses tied to LockBit-based attacks against Russia over two years ago, said Positive Technologies researchers, who also disclosed DarkGaboon's use of XWorm, RevengeRAT, and other open-source tools to conceal malicious activity. The findings come months after a major southern Siberian dairy processing plant was reported to have been targeted in an attack involving a LockBit ransomware variant.

