Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets of September 2024

Note

This trend report on the deep web and dark web for September 2024 is divided into three sections: Ransomware, Forums & Black Markets, and Threat Actor. Please note that some of the content has not yet been confirmed to be true.

 

Major Issues 

 

1)  Ransomware

 

(1) LockBit

In September 2024, a major tire manufacturing company in Korea became the target of the notorious ransomware gang LockBit. The company is a large-scale global manufacturer that represents the Korean tire industry and exports products to over 180 countries worldwide.

The attack became known when the name of the victim company was posted on the dedicated leak site (DLS) operated by the LockBit gang on September 25, 2024. According to LockBit's claims, the victim company's data recovery progress was still 0% about three weeks after the attack.

The LockBit gang appears to have encrypted the victim company's main data and is threatening to leak data from a wide range of areas, including finance, payroll, legal, email, IT, and internal chats. This suggests that both the company's critical operational information and its employees' personal information are at risk. The incident is a reminder that even global companies are not immune to cyber attacks, and it demonstrates the importance of strengthening corporate cybersecurity.


Figure 1. Company listed as a victim on LockBit’s DLS 

 

In February 2024, Operation Cronos, led by the United Kingdom’s National Crime Agency (NCA), dealt a critical blow to LockBit. Through this operation:

  • LockBit’s dark web site was seized.
  • Key affiliates were identified or arrested.
  • Over 200 cryptocurrency accounts were frozen.

 

This large-scale law enforcement operation significantly disrupted LockBit's operational capabilities, and many affiliates left the gang as a result. The decline in activity shown in the following trends confirms this. Note that the number of LockBit DLS victim postings in Figure 2 and Figure 3 may vary slightly depending on the timing and method of aggregation.
 


Figure 2. Number of LockBit DLS victim postings (2023-11 to 2024-06) 

 

For reference, Azim Khodjibaev, a cybersecurity researcher at Cisco Talos, evaluated the surge in May as follows: 

 “This appears to be a false attempt to show that Operation Cronos did not affect LockBit.” “It is interpreted as a show of force for new affiliates and those considering joining LockBit.”  

Operation Cronos dealt a continuous and serious blow to LockBit’s operations. However, LockBit continues its activities, demonstrating resilience. Despite the temporary (false) rebound attempt in May, its disappearance from the major ransomware gang rankings after June suggests that the gang’s operations have been significantly curtailed.

 


Figure 3. Number of LockBit DLS victim postings (2023-09 vs 2024-09)