Coalition has discovered that a ransomware variant associated with the notorious LockBit gang was used in multiple instances to exploit critical vulnerabilities in ConnectWise ScreenConnect. The FBI has called LockBit one of the “most active ransomware groups in the world,” amassing over 2,000 victims and receiving over $120 million in ransom payments.

ScreenConnect is a popular remote desktop tool that provides self-hosted and cloud solutions. One of the vulnerabilities (CVE-2024-1709) enables authentication bypass, while the other (CVE-2024-1708) allows threat actors to execute malicious code remotely.

Coalition Incident Response (CIR), an affiliate of Coalition, Inc., handled eight ransomware cases in February where attackers exploited the ScreenConnect vulnerabilities. After analyzing the indicators of compromise (IOCs) in these cases, CIR determined five were associated with a version of LockBit 3.0, the ransomware binary associated with LockBit, and three were pre-encryption.

CIR’s discovery followed soon after the Federal Bureau of Investigation (FBI) announced on February 20 that it had disrupted LockBit. 

Unfortunately, these ScreenConnect exploitations and the fact that LockBit resumed operations and was officially back online less than a week later (February 26) demonstrate that while government takedowns are helpful in disrupting threat actor activity, they are often only a temporary solution. 

CIR determined five of the eight ransomware cases in February involving ScreenConnect were associated with a version of LockBit 3.0.

Connecting the dots between LockBit and ScreenConnect

The IOCs observed in the pre-encryption cases appear to match the activity in the encryption cases. However, without the presence of an encryptor, CIR cannot confirm all are from the same attackers. Notably, all impacted businesses in the pre-encryption cases had endpoint detection and response (EDR) deployed, which may have helped prevent a more severe attack.

Although CIR cannot determine if these circumstances indicate a rebrand of the LockBit gang, an affiliate organization, or something else, the eight ransomware attacks were likely perpetrated by the same threat actors. 

The fact that LockBit was able to recover and resume operations within days shows that the government interruption and compromise of their infrastructure, while insightful to law enforcement and beneficial to some victims, was not as comprehensive as hoped.

Because ransomware-as-a-service (RaaS) is so lucrative, the marketplace is very diverse. If most of the threat actors are not actually physically arrested, many of them will likely join other groups or affiliates and continue carrying out attacks because the financial incentive remains strong. 

That’s part of what makes attribution so difficult; there’s no way to confirm with 100% certainty that groups reform with the same members or the same infrastructure. As long as the leaders of these ransomware groups remain outside the jurisdiction of the law enforcement agencies pursuing them, this will remain a game of Whack-a-Mole.

The fact that LockBit was able to recover and resume operations within days shows that the government interruption and compromise of their infrastructure was not as comprehensive as hoped.

Continued monitoring of the ConnectWise vulnerabilities

Following this uptick in ransomware activity among policyholders, Coalition is actively following the ScreenConnect vulnerabilities and tracking other related LockBit activity. Coalition will continue monitoring LockBit’s leak site for information on the impacted companies, which would further confirm the connection between LockBit and the ransomware cases leveraging the ScreenConnect vulnerabilities.

In the meantime, ConnectWise has confirmed in its public disclosure that cloud users of ScreenConnect are remediated against both vulnerabilities. However, on-premises users must update their servers to protect against the vulnerability.

While ConnectWise provided patched versions for releases 22.4 through 23.9.7, Coalition strongly recommends upgrading directly to version 23.9.8 for the most comprehensive protection. To download the patch, visit screenconnect.connectwise.com.

As mentioned above, businesses in the pre-encryption cases had EDR deployed. Implementing a detection and response technology could enhance organizations’ security postures and help prevent vulnerability exploitation and ransomware attacks. Coalition offers Managed Detection and Response (MDR) provided by CIR that helps businesses with continuous monitoring without the cost associated with setting up a 24/7 security operations center (SOC). Learn more about Coalition MDR.

This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.