
“VelociRaptor played a critical role in this campaign, ensuring that actors secretly maintained continuous access while deploying the Lockbit and Babuk ransomware,” Talos researchers said. “The inclusion of this tool in the ransomware playbook is consistent with Talos’ findings in its ‘2024 year in review,’ which highlights that threat actors are using an increasing variety of commercial and open-source products.”
Attribution and ransomware cocktail
Talos linked the campaign to Storm-2603, a suspected China-based threat actor, citing matching TTPs such as use of ‘cmd.exe’, disabling Defender protection, creating scheduled tasks, and manipulating Group Policy objects. The use of multiple ransomware strains – Warlock, Lockbit, and Babuk – in the same operation also adds credence to this attribution.
“Talos observed ransomware executables on Windows machines that were identified as Lockbit by EDR solutions, and there were files encrypted with the Warlock extension ‘xlockxlock’,” the researchers said. “There was also a Linux binary on the ESXi server marked as Babyk Encryptor, which achieved only partial encryption and appended files with ‘.babyk’.”

