Ransomware-as-a-Service gang LockBit 3.0 has posted UK-based car dealership Pendragon onto its dark web blog. The gang has demanded $60m for the return of two terabytes of data, it claims. Pendragon is refusing to cooperate, announcing the leak themselves on Friday. The cybercrime group may be rebranding to 4.0 as its builder was leaked in September triggering odd behaviour, say analysts.
Pendragon posted on LockBit 3.0 blog
The gang claims to have lifted more than two million files “of all categories”. LockBit 3.0 is refraining from announcing the reason for publishing the data of the victim, but clarifies that “all available data” will be published, promising an update on the ransom on 28 October.
Pendragon, however, publicised the cyberattack on Friday. The company’s chief marketing officer Kim Costello told The Times in an interview that it was under a “live cyberattack and is being held to ransom by a gang connected to a sophisticated group known as LockBit 3.0.”
The same day, Pendragon contacted its major clients, including Porsche and Mercedes, as well as its 4,000 members of staff.
Pendragon has more than 200 dealerships in the UK, including retailers CarStore, Evans Halshaw and Stratone.
The attack began one month ago. The gang has been in daily communication since. Pendragon has refused to engage with LockBit 3.0’s demands, despite having been shown proof that the data is genuine. “We refuse to be held hostage by this group and we will not be paying a ransom demand,” says Costello.
The company is currently undergoing an investigation into the attack. It has so far found that its servers were hacked but that the attackers had stolen only 5% of its database. Security experts have since protected the rest of its systems.
According to security updates on the company’s website, Pendragon is continuing to service its customers and communities “as normal”.
LockBit 3.0 continues its crime spree
LockBit 3.0 has been on a crime rampage over the past few months. Last week the gang hit UK-based insurer Kingfisher, claiming to have lifted 1.4 terabytes of data from the company, which has until 28 November to negotiate with the gang’s demands.
In October, LockBit was revealed as the cybercrime group that perpetrated the attack on the NHS
Over the summer, reducing staff to using pen and paper during the attack. According to security company NCC group, the gang was responsible for 40% of all ransomware attacks in August, making it the most prolific ransomware that month.
However, the gang is not without its own issues. LockBit itself was hacked in August as well. A DDoS attack was launched on LockBit’s dark web server, which hosts leaks from companies the gang has ransomed. In September, the LockBit 3.0 builder was leaked.
From this point, the behaviour of the gang has become increasingly erratic. “LockBit has been noticeably different since their builder was leaked a few weeks ago. They haven’t been posting at their normal pace as they were way behind weekly affiliate standards,” explains threat researcher Dominic Alvieri.
At least ten ‘new’ ransomware variants of LockBit have been spotted in the wild since the leak, explains Allan Liska, security lead at Recorded Future.
This activity is leading to rumours of the gang rebranding as LockBit 4.0. “Nothing has been confirmed as of yet but the feeling is that a tweak in the ransomware code or a new leak site is in the works,” continues Alvieri.
LockBit 4.0 is rumoured to be online by November.
Read more: LockBit 3.0 used in ransomware attack on Advanced that knocked out NHS 111 services
