September 2022

Cyber threats of the past 30 days as seen by Gatewatcher's CTI analysts

Identified Indicators of Compromise (IOCs)


Identified compromise reports


Highlight of the month

This month we focus on Lockbit one of the most dangerous ransomwares.

Known worldwide for its fast attacks, Lockbit has a unique ability that allows it to self-propagate in a computer system. This self-propagating ability is coupled with the fact that it can perform different stages of the attack at the same time.

Lockbit is a Ransomware-as-a-Service (or RaaS), which means that it can be bought or rented on the dark web. Profits from a successful attack are shared between the developers and affiliates. Ransomware is usually the final phase of a cyberattack, once the hacker has compromised the system and gained a foothold in the company. Lockbit entered the scene in September 2019 under the initial name ABCD, as it encrypted files and renamed the extension to “.abcd”. It then changed the extension to “.lockbit” which is now generated at runtime.

It is also an example of “dual threat” ransomware, which means that not only does it threaten to delete confidential files if the victim does not pay the ransom, but it also threatens to publish the files online on the dark web. LockBit is now demanding a ransom of about $40,000 per organization on average. It has targeted leading companies around the world, in the US, Europe, India and China but, interestingly, never in Russia.

In March 2022, less than a year after LockBit 2.0 emerged, researchers and threat hunters observed waves of a new variant they called LockBit 3.0, aka “LockBit Black.” Researchers noted that parts of LockBit 3.0’s code appear to be borrowed from the BlackMatter ransomware, hence the LockBit Black nickname.The ransomware was back in the news at the end of June this year, as its authors launched a “bug bounty” program with rewards ranging from $1,000 to $1 million (USD) for detecting flaws and weaknesses in its portfolio. This new iteration puts LockBit at the forefront of the ransomware landscape and also speaks to the growing use and increased sophistication of the ransomware-as-a-service (RaaS) model.


common vulnerabilities & exposures


malware families

Definition of the month

Macros, are a tool to automate actions in Microsoft Office. When used for malicious purposes, they hide in Microsoft Office files and are usually distributed via email attachments or ZIP files. Macros have several uses; for persistence via Normal.dotm, storing executables or commands in hidden columns of Excel files, executing code without user permissions via Excel Workbook. Malicious actors regularly use macros to deploy malware and ransomware. Recently, Microsoft changed the default behavior of Office applications to block macros in files from the Internet. With this change, attackers now have to convince victims to enable macros so that the malicious payload can run. You can protect yourself from this by disabling them and enabling (on Windows 10) Attack Surface Reduction (ASR) rules, to prevent Office apps from creating child processes.


targeted sectors


threats categories

About the cyber threats barometer

Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks…It’s no secret that knowledge of one’s adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by LastInfoSec, Gatewatcher’s Cyber Threat Intelligence (CTI) platform.

LastInfoSec’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.