LockBit 3.0 Claims Responsibility for Ransomware Attack on Hidalgo County

More than a week after the Hidalgo County Adult Probation Center was infected with ransomware, LockBit 3.0 has claimed responsibility for the attack. 

Hidalgo County is in the US state of Texas. Republicans John Cornyn and Ted Cruz are the current Senators from Texas. 

The attack was noticed over the February 3-5 weekend. The ransom note indicates that a payment was not made.

In a ransom note posted on 14 February, the ransomware gang has listed 6 March as the deadline for payment.

Hidalgo County prison and ransomware attack 

The ransomware news attack on Hidalgo County Adult Probation Center came out after Monday, 6 February. The attack resulted in the facility going offline over the weekend. 

The facility’s personnel were unable to access emails, and the county is reportedly still working on recovering any affected files. 

Hidalgo County IT Director Daniel Salinas said that they are in the process of retrieving everything, but hesitated to divulge the steps being taken, citing the technicality and lengthiness of the process, reported 5News. 

Hidalgo County Judge Richard F. Cortez confirmed that the incident occurred on Saturday, 4 February, and was resolved on Monday, reported myRGV.  

Cortez mentioned that the office was able to retrieve the information without giving in to the ransom demand, said the report. 

Only the Adult Probation Office was affected by the attack, according to Cortez, who also mentioned that the probation office operates under a different security system than other county offices.  

Lockbit 3.0: Modus Operandi

LockBit ransomware gang operates by encrypting and stealing files from targeted devices and then demands a ransom for their recovery.  

The strain LockBit 3.0, discovered in 2019, focuses on organizations with the capacity to pay a large ransom, has self-propagating capabilities, and introduces new features that make it harder to analyze. 

To launch the malware, a 32-character password is necessary, and the typical attack process includes infecting, encrypting, deleting, and altering.

If the ransom is not paid, the data may be sold on the dark web, and the gang leverages Windows Defender to deploy Cobalt Strike. 

According to a threat analysis report by VMware, analyzing LockBit 3.0 is challenging for security researchers because a unique password is required for every instance of the malware.  

Furthermore, the malware has extensive protection against analysis and employs several undocumented kernel-level Windows functions. 

The LockBit group follows a Ransomware-as-a-Service model that collaborates with affiliates who may lack the resources to carry out an attack.

As per a report by the U.S. Department of Health & Human Services, the affiliated hacker receives a percentage of the ransom payment.