“Velociraptor played a significant role in this campaign, ensuring the actors maintained stealthy persistent access while deploying LockBit and Babuk ransomware,” Talos researchers added. “The addition of this tool in the ransomware playbook is in line with findings from Talos’ ‘2024 Year in Review,’ which highlights that threat actors are utilizing an increasing variety of commercial and open-source products.”
Attribution and the ransomware cocktail
Talos links the campaign to Storm-2603, a suspected China-based threat actor, citing overlapping tactics, techniques, and procedures (TTPs) such as the use of ‘cmd.exe’, disabling Defender protections, creating scheduled tasks, and manipulating Group Policy Objects. The use of multiple ransomware strains in a single operation – Warlock, LockBit, and Babuk – also bolstered confidence in this attribution.
“Talos observed ransomware executables on Windows machines that were identified by EDR solutions as LockBit, and encrypted files with the Warlock extension ‘xlockxlock’,” the researchers added. “There was also a Linux binary on ESXi servers flagged as the Babuk encryptor, which achieved only partial encryption and appended files with ‘.babyk’.”