Thai Meteorological Department Cyber Attack, LockBit Sets Deadline


The Thai Meteorological Department (TMD) cyber attack was claimed by the LockBit ransomware group in a recent post on its website.

While the Thai Meteorological Department cyber attack has not been confirmed by the government agency yet, LockBit has set a deadline of June 26 for releasing all the exfiltrated files from the target’s system.

Details of the alleged Thai Meteorological Department cyber attack

The LockBit ransomware group posted samples of stolen data allegedly from the targeted portal after the TMD cyber attack. The Thai portal handles weather forecasts and is a part of the Digital Economy and Society.

Screenshot of the Thai Meteorological Department Portal

The website was accessible at the time of writing this report. The Cyber Express is yet to get a response from the company confirming the TMD cyber attack.

Thai Meteorological Department cyber attack
Screenshot of LockBit’s dark web portal (Photo: Fusion Intelligence Center/ Twitter)

Fusion Intelligence Center, a Threat Intelligence firm tweeted about the TMD cyber attack. “LockBit ransomware gang has announced Thai Meteorological Department (TMD) on the victim list,” read the post.

Through LockBit’s website post, it could be determined that the alleged Thai Meteorological Department cyber attack was conducted before June 6.

According to the image shared above, seven pages of sample data from the TMD cyber attack was posted on the dark web as proof.

However, it is not clear how much data has been exfiltrated or if any ransom has been demanded by the LockBit ransomware group.

Hackers usually post the name of a targeted website and the deadline for ransom negotiation and payment after they leave a ransom note on their systems. Most cyber attacks have proven that hackers breach a system through a vulnerability or a phishing email weeks before posting it on their dark web portal.

They move laterally after gaining unauthorized access to a system, maintain persistence, steal all the system data and credentials they need to access other systems, and then log out.

They also stop their unauthorized access to systems, when companies detect suspicious activities and take affected systems offline.

Details about the LockBit ransomware group

Thai Meteorological Department cyber attack
Ransom note of LockBit group (Photo: Cyble Blog)

LockBit claims to be the fastest ransomware since 2019, according to its ransom note. The present LockBit ransomware version 3.0 was released in 2022. The group highlighted the revised ransomware in a post as shown below:

Thai Meteorological Department cyber attack
LockBit ransomware 3.0 capabilities. Image: CRIL

The version has the capability of automatically decrypting files without needing a key. The version was is capable of evading detection by stopping Windows Defender. It can work in Safe Mode to evade detection by antivirus software.

The version LockBit 3.0 which has been used in several cyber attacks this year, is also called LockBit Black, a Cyble blog read.

Thai Meteorological Department cyber attack
Image: CRIL

The ransomware group has targeted the banking, financial services, and insurance (BFSI) the most in 2022 which amounted to 33.3%.

The group also carries bug bounty programs that likely pay black hat hackers who help the group members with zero-day vulnerabilities and unpatched systems to target.

Thai Meteorological Department cyber attack
. LockBit ransomware website with Twitter icon. Image: CRIL

The group also expanded its social media accessibility by placing a Twitter icon on its leak site.

Mitigation techniques to prevent ransomware attacks

Researchers highlight that precautionary steps can help in the early detection of incoming cyber attacks.

Using reputed anti-virus tools, and maintaining regular access management throughout the enterprise can help find instances of both unauthorized access and unsuccessful attempts.

Creating regular backups and keeping offline backups can help continue work despite systems going offline. Moreover, opting for automatic software updates and looking for insider threats can help find users who pose a threat to security.

The presence of an insider threat who is at a senior level must not be neglected despite their experience as it can open the window to hackers who bribe their way into the network of larger companies.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.





Source link