Hackers Exploit ConnectWise Bugs to Deploy LockBit Ransomware
2024-02-23 22:49:39 Author: securityboulevard.com

Cyberattacks exploiting critical vulnerabilities in ConnectWise’s remote monitoring and management (RMM) tool, revealed this week, have snowballed, and some bad actors are using the flaws to deploy LockBit ransomware, the target of a recent international law enforcement operation.

The information shows the merging of two of the more significant news stories in the cybersecurity field this week.

Researchers with cybersecurity vendors Sophos and Huntress said that since the two flaws in ConnectWise’s ScreenConnect remote desktop access tool were publicized, with proof-of-concept (PoC) code posted on GitHub showing how the bugs can be exploited and further write-ups from security pros, cybercriminals have ramped up efforts to find unpatched ScreenConnect servers.

In a report, Andrew Brandt, principal researcher with the Sophos X-Ops threat intelligence unit, and Angela Gunn, a senior threat researcher, wrote that the number of security events involving ScreenConnect has more than doubled since February 21, two days after ConnectWise published an alert about the vulnerabilities.

ScreenConnect is used by IT technical pros to remotely address support issues in desktops and mobile devices.

“Many companies and managed service providers use ScreenConnect, and not all behavior we observed came as a direct result of the vulnerability being exploited, but Sophos believes a significant number of the current wave of telemetry events were captured as a direct result of the increased threat actor attention to ScreenConnect,” Brandt and Gunn wrote.

Attackers Targeting ScreenConnect

In their initial statement, ConnectWise officials said they hadn’t seen instances of hackers exploiting the flaws, but a day later reported that its incident response team had investigated and confirmed “notifications of suspicious activity” and published three IP addresses used by attackers.

The two ScreenConnect vulnerabilities are an authentication bypass, CVE-2024-1709, which carries the highest possible severity rating of 10 and can give attackers access to systems or confidential information, and a path-traversal flaw, CVE-2024-1708, rated 8.4 out of 10, that can let bad actors execute code remotely or directly impact confidential data or critical systems.
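A triage helper for the situation the two paragraphs above describe (attackers hunting unpatched ScreenConnect servers, and ConnectWise publishing attacker IP addresses), added here as an example; it is not code from ConnectWise, Sophos or Huntress. It assumes 23.9.8 as the fixed release, which is the version ConnectWise's advisory names and which this article does not state. The inventory, access-log lines and watchlist are constructed sample data; the watchlist uses RFC 5737 documentation addresses as stand-ins for the three published IPs, which this page does not list.

```python
"""Triage helper for the ScreenConnect exposure the article describes.

Added example; not code from ConnectWise, Sophos or Huntress. Assumptions:
  * FIXED_VERSION = "23.9.8" is the release ConnectWise's advisory names as
    carrying the fix for CVE-2024-1709 / CVE-2024-1708. The article does not
    state a version number; it is taken from the vendor advisory.
  * The inventory, access-log lines and watchlist below are constructed sample
    data. The watchlist uses RFC 5737 documentation addresses as stand-ins for
    the three attacker IPs ConnectWise published, which are not reproduced here.
"""
import ipaddress
import re

FIXED_VERSION = "23.9.8"


def parse_version(text):
    """'23.9.7.8817' -> (23, 9, 7, 8817). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in parts)


def is_unpatched(version, fixed=FIXED_VERSION):
    """Tuple comparison, not string comparison: '23.9.10' must rank above '23.9.8'."""
    return parse_version(version) < parse_version(fixed)


def unpatched_hosts(inventory):
    """inventory: iterable of (hostname, version) pairs -> hostnames still below the fix."""
    return [host for host, version in inventory if is_unpatched(version)]


# Combined-log format: client IP, identd, user, [timestamp], "request" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def watchlist_hits(log_lines, watchlist):
    """Return (ip, timestamp, request) for each line whose client IP is on the watchlist."""
    wanted = {ipaddress.ip_address(ip) for ip in watchlist}
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in combined-log format; skip rather than guess
        try:
            client = ipaddress.ip_address(match["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        if client in wanted:
            hits.append((str(client), match["ts"], match["req"]))
    return hits


# ---- constructed sample data ----
SAMPLE_INVENTORY = [
    ("sc-prod-01", "23.9.7.8817"),     # below the fix
    ("sc-prod-02", "23.9.8.8811"),     # patched build
    ("sc-lab-01", "22.4.10032.8371"),  # old branch, below the fix
    ("sc-dr-01", "23.9.10.1"),         # above the fix; a string compare would get this wrong
]
SAMPLE_WATCHLIST = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]  # stand-in IPs
SAMPLE_LOG = [
    '10.0.0.4 - - [22/Feb/2024:03:14:07 +0000] "GET /Login HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/Feb/2024:03:14:09 +0000] "GET / HTTP/1.1" 200 7788',
    'not a log line at all',
    '198.51.100.7 - - [22/Feb/2024:03:15:40 +0000] "POST /Login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("unpatched:", unpatched_hosts(SAMPLE_INVENTORY))
    for ip, ts, req in watchlist_hits(SAMPLE_LOG, SAMPLE_WATCHLIST):
        print(f"watchlist hit {ip} at {ts}: {req}")
```

The version check compares integer tuples on purpose: a plain string comparison ranks "23.9.10" below "23.9.8" and would report a patched server as vulnerable, or worse, the reverse once the fixed build is the shorter string.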

Given the interest hackers have in such RMM tools – which allow them to attack a single company and get access to multiple customers – it’s not surprising the ScreenConnect vulnerabilities are getting such attention. The group REvil in 2021 showed what can be accomplished when it targeted Kaseya’s Virtual System Administrator (VSA) RMM software in an attack that caused downtime issues for more than 1,000 managed service providers (MSPs) and customers.

Enter LockBit

Hackers are now coming at ScreenConnect with LockBit. Sophos said at least one bad actor is deploying a ransomware executable whose payload is identical to one found in more than 30 of its customer networks starting February 22, a “distribution pattern [that] is strongly indicative of the threat actor pushing the payload from a compromised server.”
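The distribution pattern Sophos describes, one identical executable appearing across many customer networks within about a day, is the kind of signal a detection rule can be written for. The following is an added example, not Sophos code: it groups file-write events by SHA-256 and flags any hash that reaches a threshold of distinct tenants inside a sliding time window. The thresholds, the DropEvent layout and the sample telemetry (with placeholder hashes) are assumptions constructed for illustration.

```python
"""Spot one payload landing across many customer networks in a short window.

Added example; not Sophos code. The 'distribution pattern' Sophos describes
(one identical executable in 30+ customer networks within about a day) is
approximated here as: the same SHA-256 written to disk in at least
min_tenants distinct tenants within `window`. Thresholds are assumptions;
the telemetry below is constructed sample data with placeholder hashes.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class DropEvent(NamedTuple):
    ts: datetime
    tenant: str   # customer network the endpoint belongs to
    host: str
    path: str
    sha256: str


def mass_drop_candidates(events, min_tenants=3, window=timedelta(hours=24)):
    """One finding per hash that reaches min_tenants distinct tenants inside a sliding window.

    Events are sorted per hash and a [lo, hi] window slides over them, so the
    distinct-tenant count is exact and the work is linear per hash.
    """
    by_hash = defaultdict(list)
    for event in events:
        by_hash[event.sha256].append(event)

    findings = []
    for sha256, evs in by_hash.items():
        evs.sort(key=lambda e: e.ts)
        tenants_in_window = Counter()
        lo = 0
        best = None
        for hi, event in enumerate(evs):
            tenants_in_window[event.tenant] += 1
            # evict events that have fallen out of the window
            while event.ts - evs[lo].ts > window:
                old = evs[lo].tenant
                tenants_in_window[old] -= 1
                if tenants_in_window[old] == 0:
                    del tenants_in_window[old]
                lo += 1
            n_tenants = len(tenants_in_window)
            if n_tenants >= min_tenants and (best is None or n_tenants > best["tenants"]):
                best = {
                    "sha256": sha256,
                    "tenants": n_tenants,
                    "hosts": sorted({e.host for e in evs[lo:hi + 1]}),
                    "first_seen": evs[lo].ts,
                    "last_seen": event.ts,
                }
        if best:
            findings.append(best)
    findings.sort(key=lambda f: f["tenants"], reverse=True)
    return findings


# ---- constructed sample telemetry (placeholder hashes) ----
RANSOM = "a" * 64    # same binary pushed to several tenants within hours
UPDATER = "b" * 64   # legitimate updater: many hosts, but a single tenant
SLOW = "c" * 64      # three tenants, but spread over days

T = datetime(2024, 2, 22)
SAMPLE_EVENTS = [
    DropEvent(T + timedelta(hours=1), "tenant-A", "ws-01", r"C:\Temp\svc.exe", RANSOM),
    DropEvent(T + timedelta(hours=1, minutes=20), "tenant-B", "ws-07", r"C:\Temp\svc.exe", RANSOM),
    DropEvent(T + timedelta(hours=2, minutes=5), "tenant-C", "srv-02", r"C:\Temp\svc.exe", RANSOM),
    DropEvent(T + timedelta(hours=2, minutes=10), "tenant-A", "ws-03", r"C:\Temp\svc.exe", RANSOM),
    DropEvent(T + timedelta(hours=3, minutes=30), "tenant-D", "ws-11", r"C:\Temp\svc.exe", RANSOM),
] + [
    DropEvent(T + timedelta(minutes=10 * i), "tenant-A", f"ws-{i:02d}",
              r"C:\Program Files\Vendor\update.exe", UPDATER)
    for i in range(6)
] + [
    DropEvent(T - timedelta(days=2), "tenant-A", "ws-01", r"C:\Users\Public\x.exe", SLOW),
    DropEvent(T, "tenant-B", "ws-09", r"C:\Users\Public\x.exe", SLOW),
    DropEvent(T + timedelta(days=2), "tenant-C", "ws-04", r"C:\Users\Public\x.exe", SLOW),
]

if __name__ == "__main__":
    for finding in mass_drop_candidates(SAMPLE_EVENTS):
        print(finding)
```

Counting distinct tenants rather than hosts is what separates a pushed payload from a legitimate fleet-wide update: the updater in the sample hits six hosts but only one customer network, so it never trips the rule. Widening the window to several days makes the slow-spreading hash qualify as well, which is the usual tuning trade-off between catching staged deployments and drowning in software rollouts.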

The attackers used the LockBit 3 ransomware builder tool to build the executable for the attacks this week, Brandt and Gunn wrote. The LockBit 3 tool was leaked in 2022, so this latest sample may not have come from the original LockBit developers and could be a copycat build.

“However, the ransomware did not call itself LockBit,” they wrote, adding that the ransom note used refers to “buhtiRansom” and Sophos refers to this as the buhtiRansom LockBit variant.

A different attacker dropped a different payload, which included a ransom note and changed the desktop background that referred to “LockBit Black.”

Other attacks dropped such malware as the AsyncRAT remote access trojan and the Vidar/Redline information stealer.

Huntress officials also told media outlets that their analysts detected LockBit ransomware being deployed on customer systems in a range of industries, including health clinics and local governments.

Law Enforcement vs. LockBit

The deployment of LockBit ransomware leveraging the ConnectWise vulnerabilities comes after law enforcement agencies from the United States, UK, and other countries seized public-facing web pages and infrastructure used by the prolific ransomware-as-a-service (RaaS) group, which the U.S. Justice Department said has run more than 2,000 attacks in the United States and around the world since January 2020, collecting more than $144 million in ransom payments.

The authorities also collected and developed decryption keys to enable some victims to regain access to their encrypted data and arrested two Russian nationals for allegedly deploying the LockBit ransomware against companies in such sectors as manufacturing and semiconductors.

Ransomware Group’s Ongoing Problems

In its own research this week, cybersecurity firm Trend Micro wrote that while LockBit has been a dominant ransomware variant, the group behind the malware had been running into a range of “logistical, technical, and reputational problems,” and this was before the law enforcement operation against it.

These have included the leak of the builder code in 2022, which allowed other groups to roll out their own LockBit-based variants. That the leak came from a disgruntled developer showed cracks in the group’s operations, the Trend Micro analysts wrote, adding that it also was a security failure, a blow to its brand, and a hit on its technical advantage.

Other problems eroded confidence in the group, and its overall share of ransomware impact has declined over the past two years, though it remained the intrusion set with the largest number of attacks. Its numbers have been helped occasionally by law enforcement actions against rivals, like Hive and BlackCat, also known as ALPHV.

The problems have “forced LockBit to take action by working on a new much-awaited version of their malware,” the researchers wrote. “However, with the seeming delay in the ability to get a robust version of LockBit to the market, compounded with continued technical issues — it remains to be seen how long this group will retain their ability to attract top affiliates and hold its position. … It is our hope that LockBit is the next major group to disprove the notion of an organization being too big to fail.”

Source: https://securityboulevard.com/2024/02/hackers-exploit-connectwise-bugs-to-deploy-lockbit-ransomware/