In recent months, a new ransomware operation called Losttrust has emerged. It is believed to be a rebranding of the previously known Metaencryptor, based on similarities between their data leak sites and their encryptors.
Losttrust's attacks on organizations started in March 2023, but the gang only gained widespread attention in September, when it began using a data leak site for public extortion. Currently, 53 victims around the world are listed on the Losttrust leak site, some of whom had their stolen data published after refusing to pay a ransom.
Metaencryptor, on the other hand, was launched in August 2022 and had 12 victims listed on its data leakage site until July 2023. In September, Losttrust launched a new data leakage website.
Stefano Favarato, a cybersecurity researcher, noticed that the new Losttrust site uses the same template and biography as the Metaencryptor data leakage site. Both sites claim to be the work of a group of experienced network security specialists.
Analysts from BleepingComputer found that the Losttrust and Metaencryptor encryptors are almost identical, differing only slightly in the ransom notes, the embedded public keys, and the names/extensions of encrypted files. Another cybersecurity researcher, Malwarehunterteam, found that Losttrust and Metaencryptor are both based on the same SFile2 encryptor.
Further analysis of a Losttrust encryptor sample revealed that it can be launched with additional command-line arguments to target specific paths or network resources. During execution, Losttrust also disables and stops various Windows services so that every file can be encrypted, including services related to Firebird, Mssql, SQL, Exchange, and more.
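The service-stopping behaviour described above leaves a recognisable trace in the Windows System log: several database and mail services stopped or set to disabled within seconds of each other. The following detector is an added example (not from the article or from any vendor tooling); the event lines are constructed in the style of Event ID 7036 (service state change) and 7040 (start type change), and the service-name pattern is an assumption based on the products the article names.

```python
"""Flag a burst of stop/disable events against database and mail services."""
import re
from datetime import datetime, timedelta

# Assumption: service names containing these tokens are the ones worth watching,
# based on the product families named in the article.
WATCHED = re.compile(r"firebird|mssql|sql|exchange", re.IGNORECASE)

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\d+) (?P<msg>.*)$")
STOP_RE = re.compile(r"The (?P<svc>.+?) service entered the stopped state")        # 7036
DISABLE_RE = re.compile(r"The start type of the (?P<svc>.+?) service was changed from .+ to disabled")  # 7040

# Constructed sample log: one benign stop, then a burst, then an isolated stop hours later.
SAMPLE_LOG = [
    "2023-09-20 02:14:05 7036 The Windows Update service entered the stopped state.",
    "2023-09-20 02:14:07 7040 The start type of the MSSQLSERVER service was changed from auto start to disabled.",
    "2023-09-20 02:14:07 7036 The MSSQLSERVER service entered the stopped state.",
    "2023-09-20 02:14:08 7036 The FirebirdServerDefaultInstance service entered the stopped state.",
    "2023-09-20 02:14:09 7036 The MSExchangeIS service entered the stopped state.",
    "2023-09-20 02:14:10 7036 The SQLWriter service entered the stopped state.",
    "2023-09-20 09:30:00 7036 The MSSQLSERVER service entered the stopped state.",
]

def parse_event(line):
    """Return (timestamp, service) for a stop/disable event on a watched service, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = STOP_RE.match(m["msg"]) or DISABLE_RE.match(m["msg"])
    if not body or not WATCHED.search(body["svc"]):
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), body["svc"]

def detect_service_kill_burst(lines, window=timedelta(seconds=120), min_services=3):
    """Group watched events into time windows; alert on any window that touches
    at least `min_services` distinct services. Returns [(window_start, [services])]."""
    events = sorted(e for e in map(parse_event, lines) if e)
    alerts, i = [], 0
    while i < len(events):
        start = events[i][0]
        group = [e for e in events[i:] if e[0] - start <= window]
        services = sorted({svc for _, svc in group})
        if len(services) >= min_services:
            alerts.append((start, services))
        i += len(group)  # a single isolated stop never reaches the threshold
    return alerts

if __name__ == "__main__":
    for start, services in detect_service_kill_burst(SAMPLE_LOG):
        print(f"{start}: {len(services)} data services stopped/disabled: {', '.join(services)}")
```

Tune `window` and `min_services` to the host's normal maintenance patterns; a scheduled restart of one SQL instance should not trip the rule, while a sweep across every database and mail service within two minutes should.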
Unlike other ransomware groups, Losttrust presents itself as former white-hat hackers who turned to cybercrime because they were poorly paid for their services. Its ransom notes describe what happened to the company's files and include a unique link to a negotiation site on the Tor network. Ransom demands range from $100,000 to millions of dollars.
The data leak site is used to pressure victims by threatening to publish the stolen data if the ransom is not paid. It remains unknown whether paying the ransom actually results in the data being deleted and a working decryptor being provided.