Kronos Corporate Group Hit by LockBit Ransomware Attack
Ransomware Attack on Kronos Corporate Group by LockBit
On August 13, 2024, Kronos Corporate Group, an international holding company dedicated to enhancing lives through meaningful connections, fell victim to a ransomware attack orchestrated by the notorious cybercriminal group LockBit. The attack targeted the company's public-facing domain, kronospublic.com, disrupting its operations and potentially compromising sensitive data.
About Kronos Corporate Group
Kronos Corporate Group is a prominent European management consulting firm specializing in procurement and supply chain solutions. Officially registered as "Kronos Corporate Group," the company operates across various offices located in Belgium, France, and Italy. Known for its commitment to value creation, Kronos Group has established itself as a leading pan-European procurement service provider through strategic partnerships with organizations such as Kloepfel Group and EPSA.
The firm has successfully supported over 60 clients across various sectors throughout Europe and beyond. Kronos Group is characterized by a flexible and agile consulting approach, allowing it to adapt quickly to the needs of its clients and deliver tailored solutions that drive business efficiency. The company's emphasis on dynamic training opportunities for its team enhances their skills and the overall value they provide to clients.
Attack Overview
The ransomware attack on Kronos Corporate Group was executed by LockBit, a highly sophisticated ransomware-as-a-service (RaaS) group. LockBit has been active since September 2019 and was responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. The attack on Kronos disrupted its operations and raised concerns about the potential compromise of sensitive data.
About LockBit
LockBit distinguishes itself through modular ransomware that keeps its payload encrypted until execution, which hinders malware analysis and detection. It uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files. Employing "double extortion" tactics, LockBit exfiltrates sensitive data and threatens to release it publicly if the ransom is not paid. The ransomware demands payment in Bitcoin, typically ranging from several thousand to several hundred thousand dollars.
LockBit is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. Additionally, it performs a check to avoid executing on computer systems with installed languages common to the Commonwealth of Independent States (CIS) region. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.
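As an added example (not from the original article or from Halcyon), the sketch below shows how a defender might hunt for two of the behaviors described above: RDP logons fanning out from one source to many hosts, and a wallpaper change made by an unexpected process. The events are constructed and simplified, the thresholds and the allow-list are assumptions, and the checks are generic heuristics rather than LockBit-specific signatures.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified events (not real telemetry). Fields mirror Windows
# Security Event 4624 (logon) and Sysmon Event 13 (registry value set).
HKCU = r"HKU\S-1-5-21-0-0-0-1001"  # constructed SID
EVENTS = [
    {"ts": "2024-01-01T02:00:05", "id": 4624, "host": "FS01", "LogonType": 10, "IpAddress": "10.0.0.50"},
    {"ts": "2024-01-01T02:03:10", "id": 4624, "host": "APP02", "LogonType": 10, "IpAddress": "10.0.0.50"},
    {"ts": "2024-01-01T02:06:40", "id": 4624, "host": "DB03", "LogonType": 10, "IpAddress": "10.0.0.50"},
    {"ts": "2024-01-01T02:07:00", "id": 4624, "host": "WS10", "LogonType": 3, "IpAddress": "10.0.0.50"},
    {"ts": "2024-01-01T09:15:00", "id": 4624, "host": "WS09", "LogonType": 10, "IpAddress": "10.0.0.77"},
    {"ts": "2024-01-01T02:20:00", "id": 13, "host": "APP02", "Image": r"C:\Users\Public\sample.exe",
     "TargetObject": HKCU + r"\Control Panel\Desktop\Wallpaper"},
    {"ts": "2024-01-01T09:20:00", "id": 13, "host": "WS09", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HKCU + r"\Control Panel\Desktop\Wallpaper"},
]
WALLPAPER_VALUE = r"\control panel\desktop\wallpaper"
TRUSTED_WRITERS = {"explorer.exe", "systemsettings.exe"}  # assumption: tune per environment

def rdp_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Source IPs with RDP logons (type 10) to >= min_hosts distinct hosts within window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("LogonType") == 10:
            by_src[e["IpAddress"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    flagged = {}
    for src, logons in by_src.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged

def wallpaper_changes(events):
    """(host, image) for wallpaper writes by processes outside the allow-list."""
    return [(e["host"], e["Image"]) for e in events
            if e["id"] == 13 and e["TargetObject"].lower().endswith(WALLPAPER_VALUE)
            and e["Image"].rsplit("\\", 1)[-1].lower() not in TRUSTED_WRITERS]

def correlate(events):
    """Hosts that both received a fan-out RDP logon and had their wallpaper changed."""
    fan_hosts = {h for hosts in rdp_fanout(events).values() for h in hosts}
    return sorted({h for h, _ in wallpaper_changes(events) if h in fan_hosts})
```

Either signal alone is noisy (administrators use RDP, users change wallpapers); the correlation in `correlate` is what narrows the result to hosts worth triaging first.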
Potential Vulnerabilities
The attack on Kronos Corporate Group underscores the vulnerabilities that can arise in cloud-based systems. Despite the company's business model and emphasis on value creation, the incident highlights the critical need for enhanced cybersecurity measures to protect against increasingly sophisticated ransomware attacks. The integration of modern communication platforms and data analytics in workforce management solutions, while beneficial, also presents potential entry points for cyber adversaries.