
Summary
- Palo Alto Networks' Unit 42 has identified a new activity cluster, CL-CRI-1040, which it associates with a toolset named Project AK47.
- According to Unit 42, Project AK47 comprises a DNS-based backdoor, an HTTP-based backdoor, loaders, and a new ransomware family, AK47/X2ANYLOCK.
- One AK47 ransomware sample contains a Tox ID that matches the negotiation ID published on the leak site of the Warlock ransomware group.
- This overlap suggests the two groups are the same or closely related.
- Furthermore, the investigation shows that the CL-CRI-1040 activity group previously deployed LockBit 3.0 and Warlock ransomware.
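The pivot that links AK47 to Warlock above is a Tox ID found in a sample. The following is an added example (not code from Unit 42 or the article) of how an analyst can harvest candidate Tox IDs from a binary's strings, validate them with the Tox checksum so that random 76-character hex runs are discarded, and correlate the survivors with IDs already collected from a leak site. The public keys, nospam values and the sample bytes are all constructed for the demonstration; none of them are real Warlock or AK47 indicators.

```python
import re

# A Tox ID is 38 bytes rendered as 76 hex characters:
#   32-byte public key || 4-byte nospam || 2-byte checksum
TOX_ID_RE = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")


def tox_checksum(pubkey_and_nospam: bytes) -> bytes:
    """Tox checksum: XOR the 36 leading bytes, folded into 2 bytes."""
    cs = bytearray(2)
    for i, b in enumerate(pubkey_and_nospam):
        cs[i % 2] ^= b
    return bytes(cs)


def is_valid_tox_id(hex_id: str) -> bool:
    """True only if the trailing 2 bytes match the checksum of the first 36."""
    if len(hex_id) != 76:
        return False
    try:
        raw = bytes.fromhex(hex_id)
    except ValueError:
        return False
    return tox_checksum(raw[:36]) == raw[36:]


def make_tox_id(pubkey: bytes, nospam: bytes) -> str:
    """Build a well-formed Tox ID (used here only to construct test data)."""
    body = pubkey + nospam
    return (body + tox_checksum(body)).hex().upper()


def extract_tox_ids(data: bytes) -> list[str]:
    """Return every checksum-valid Tox ID found in a blob of sample bytes."""
    found = []
    for m in TOX_ID_RE.finditer(data):
        cand = m.group(0).decode("ascii").upper()
        if is_valid_tox_id(cand) and cand not in found:
            found.append(cand)
    return found


def correlate(sample_ids: list[str], leak_site_ids: set[str]) -> set[str]:
    """Tox IDs present both in the sample and on a known leak site."""
    return {i for i in sample_ids if i in leak_site_ids}


# --- constructed demonstration data (hypothetical, not real indicators) ---
LEAK_SITE_ID = make_tox_id(bytes(range(32)), b"\x01\x02\x03\x04")
OTHER_ID = make_tox_id(bytes(range(32, 64)), b"\xaa\xbb\xcc\xdd")

# A fake "strings" dump: one real match, one unrelated valid ID, and a 76-char
# hex run whose checksum does not verify (should be dropped by the validator).
SAMPLE_BLOB = (
    b"\x00\x00contact us on tox: " + LEAK_SITE_ID.encode() + b"\x00"
    b"key material " + OTHER_ID.lower().encode() + b"\x00"
    b"decoy " + b"A" * 76 + b"\x00"
)


def run_demo() -> set[str]:
    ids = extract_tox_ids(SAMPLE_BLOB)
    return correlate(ids, {LEAK_SITE_ID})


if __name__ == "__main__":
    for hit in run_demo():
        print("match with leak-site negotiation ID:", hit)
```

The checksum step matters in practice: strings output from a packed binary is full of long hex runs (hashes, keys, encoded blobs), and only those that verify as Tox IDs are worth pivoting on.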
By Hiroaki Hara and Mark Lim