[Weekend Briefing] Researchers find newest version of LockBit ransomware in Korea

By Kuksung Nam, Dain Oh, and Sojun Ryu, The Readable
Aug. 5, 2022 7:00PM KST Updated Aug. 11, 2022 5:04PM KST

Hello, this is Kuksung Nam, Dain Oh, and Sojun Ryu in South Korea. We have picked five news stories for you. Have a great weekend!

1. Researchers Find Newest Version of LockBit Ransomware in Korea

Researchers at a cybersecurity firm based in South Korea said in a report on Tuesday that they had identified the spread of LockBit 3.0, the newest version of LockBit ransomware, within the country. Although the ransomware group released the latest version early in July, the older version was being distributed in South Korea, according to the ESTsecurity Security Response Center (ESRC) researchers. ESRC added in the report that the VenusLocker group, or a hacking group that mimics VenusLocker, appears to be behind the attack. The report stated that LockBit 3.0 is distributed through phishing emails disguised as a cover letter in a Hangul Word Processor (HWP) file, a widely used word processor in South Korea. LockBit has become a major threat to cybersecurity, dominating 34.3% of the entire ransomware scene. It has made phenomenal progress in just three years.

2. Korean Crypto Exchanges Suspend Solana Withdrawals

South Korea based cryptocurrency exchanges have temporarily suspended the deposit and withdrawal services for Solana’s sol token. Bithumb, one of the largest cryptocurrency exchanges in the country, wrote in a statement to its users on Wednesday that “as soon as the [Solana Foundation] network is stable, we will resume deposit and withdrawal services.” Other cryptocurrency exchanges such as Upbit, Coinone, and Korbit also suspended their services on Wednesday morning. The statement came after there was a hacking attack on the ecosystem which has affected thousands of wallets linked to the Solana cryptocurrency network. The Solana Status, a twitter account run by the Solana Foundation, confirmed the attack on the August 3, stating that “an exploit allowed a malicious actor to drain funds from a number of wallets on Solana.”

3. 129 Sextortion and Phishing Scammers Were Arrested in Korea

Three phishing gangs behind sextortion and messenger scams which caused 538 victims to suffer were taken into custody by South Korean law enforcement. Gyeonggi Nambu Police Agency, a police agency which oversees the southern province of Gyeonggi-do, announced Tuesday that a total of 129 suspects were arrested for blackmailing the victims and extorting 4.45 billion won ($3.43 million) collectively.

CCTV footage provided by Gyeonggi Nambu Police Agency. As part of money laundering, a suspect is making a phishing victim transfer money directly to a gold shop. Source: Gyeonggi Nambu Police Agency, South Korea

According to a press release by the police, the gangs organized their crime from March 2021, communicating through foreign social networks to avoid detection. The gangs reached out to the victims via social media and made them use video chat to conduct sextortion. Once the victims installed malicious software on their mobile phones, the gangs stole contact information from their devices and threatened to release the victims’ recorded videos if not paid. As part of money laundering, the gangs coerced some of the victims into transferring money directly to a gold shop.

The police put 35 suspects in jail, while requesting that Interpol issue a red notice on a gang leader who is believed to be in China. In addition, the police seized 190 million won in cash, 238 debit cards, and 76 mobile phones and USIM cards from the suspects. “The scammers conducted their crime, divided in the two countries of Korea and China, and the police were able to catch one leader in Korea,” Seong-taek Kim, chief of investigation at the cybercrime investigation unit of the police agency told The Readable. “We are continuing our analysis to apprehend the rest of the criminals,” said Kim.

4. Korea Teens Under Investigation for Hacking Exam Answers

South Korean law enforcement is investigating two high school students in the school district of Gwangju, a city in southwestern South Korea, for allegedly breaking into their teachers’ office and hacking the teachers’ laptop computers to gain access to the first semester examination papers and answers. According to the police, the students successively stole the examination papers and answers of seven subjects before the midterm test and nine subjects before the final test. To read the full story, click here.

Design by Areum Hwang

5. Collaboration Between Magnus and NoCry. And Their Feedback

The Readable recently published an article about the Magnus and NoCry ransomware groups, which are active on Telegram. An analyst at S2W, a cybersecurity firm, first discovered that the two groups were cooperating. With the data provided by the analyst, The Readable analyzed the related contents more deeply. After the article was published, Magnus responded to The Readable, claiming that “Mr Clancy” was no longer working with them and had stopped developing ransomware. Magnus also added that Mr Clancy was a former developer of NoCry. Although the group introduced themselves as “Magnus Administration” in the first email they sent us, it seems clear that the two groups are working together, sharing information about Mr Clancy, who was a member of NoCry. To read The Readable’s original story, click here.

Design by Areum Hwang

hello@thereadable.co

The cover image of this article was designed by Sangseon Kim.


Kuksung Nam is a cybersecurity journalist for The Readable. She covers cybersecurity issues in South Korea, including the public and private sectors. Prior to joining The Readable, she worked as a political reporter for one of the top-five local newspapers in South Korea, The Kyeongin Ilbo, where she reported several exclusive stories regarding the misconduct of local government officials. She is currently focused on issues related to anti-fraud, as well as threats and crimes in cyberspace. She is a Korean native who is fluent in English and French, and she is interested in delivering the news to a global audience.

Dain Oh is an award-winning cybersecurity journalist based in South Korea and the founding editor-in-chief of The Readable by S2W. Before joining S2W, she worked as a reporter for The Electronic Times, the top IT newspaper in Korea, covering the cybersecurity industry on an in-depth level. She reported numerous exclusive stories, and her work related to the National Intelligence Service led to her being honored with the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology in a unanimous decision. She was also the first journalist to report on the hacking of vulnerable wallpads in South Korean apartments, which later became a nation-wide issue.

Sojun Ryu is a cybersecurity researcher for The Readable. He graduated from the “Best of the Best” next-generation security expert training program (BoB) at the Korea Information Technology Research Institute (KITRI) in 2013, and holds a master’s degree in information security from Sungkyunkwan University in Korea. He worked at KrCERT/CC for seven years, analyzing malware and responding to incidents. He is also one of the authors of "Operation Bookcodes," published by KrCERT/CC in 2020. Recently, Ryu has been focusing on threat intelligence, cybercrime, and advanced persistent threats (APT) by expanding into the deep, dark web with TALON, the Cyber Threat Intelligence group at S2W.