Boeing confirmed that the LockBit ransomware gang attack in October 2023, which impacted certain parts and distribution operations of the company, carried a staggering $200 million cyber extortion demand from the cybercriminals, to not publish leaked data. Boeing on Wednesday acknowledged that it is the unnamed “multinational aeronautical and defense corporation headquartered in Virginia,” which is referenced in an unsealed indictment from the U.S. Department of Justice that unmasked the LockBitSupp administrator. Boeing did not provide an immediate response to The Cyber Express' inquiry seeking confirmation of this news, which was initially reported by Cyberscoop. The indictment in question singled out Dmitry Yuryevich Khoroshev as the principal administrator and developer behind the LockBit ransomware operation, as part of a coordinated international effort that included sanctions from the U.S., the U.K., and Australia. Boeing has not provided confirmation on the negotiations and if the company paid any ransom in exchange of the massive $200 million cyber extortion demand.

Boeing Cyber Extortion Saga

LockBit first listed Boeing as its victim on October 27 and set a ransom payment deadline for November 2. Boeing had chosen not to provide any comments or statements regarding the incident, at that time, leaving the LockBit claims unverified. Three days later LockBit took down Boeing’s name from the victims’ list fueling further speculations that it was a hoax or the company likely paid ransom. Following this incident, Boeing eventually confirmed falling victim to LockBit’s cyberattack. But as ransom negotiations reportedly failed, LockBit re-listed Boeing on its leak site and threatened to publish 4 gigabytes of sample data as proof of the Boeing data breach. The post also warned that, “All available data will be published!” in coming days. Following on the threat, LockBit published more than 40GB of data on November 10, as the company likely did not agree to pay the ransom demand. Boeing is yet to address the stolen data publicly.

Ransom Demands Getting Exorbitant

The indictment's reference to the unnamed company highlights the exorbitant ransom demands made by Khoroshev and his cohorts, totaling over $500 million in ransoms extorted from victims since late 2019. Of this, he got nearly $100 million from a 20% share on the ransom payments, which was further “used to continue funding the LockBit operation and its infrastructure.” Ransomware analysts are now calling the Boeing cyber extortion as one of the largest ransom demands from a ransomware gang till date. Researchers suspects LockBit likely made an inflated demand, without realistic expectations of receiving the full amount, merely to test the waters. Between September 2019 and February 2024, Khoroshev grew LockBit into a massive global criminal operation in which along with his affiliates he attacked approximately 2,500 victims, which included nearly 1,800 in the U.S. alone, the indictment said. Apart from Boeing LockBit’s victim list also contains law enforcement agencies, security firms, municipalities, schools, financial institutions and even multinational fast-food chains.

Who is LockBit Ransomware Gang?

The LockBit ransomware gang emerged in 2019, primarily targeting thousands of global companies, with a focus on those headquartered in the United States. Linked to Russian entities, LockBit has amassed tens of millions of dollars in ransom payments since its inception. According to the Cybersecurity and Infrastructure Security Agency (CISA), LockBit has executed over 1700 attacks in the United States, often by compromising and threatening to release sensitive data for financial gain. The recent Boeing data breach highlights the persistent threat posed by cyberattacks to major corporations. LockBit's aggressive tactics and specific targeting of Boeing, a key player in aerospace and defense, highlight the urgent need for robust cybersecurity measures. The ransomware group's imposed deadline heightens the urgency, highlighting the severe consequences of data breaches and the critical importance of safeguarding sensitive information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Over a million Australians who frequented pubs and clubs have likely had their critical information exposed in Outabox data breach, a third-party content management and data storage provider for the hospitality and gaming sectors in the New South Wales and the Australian Capital Territory. According to the Outabox official website, the company founded in 2017 provides several services to clients in the gaming and entertainment industry across Australia, Asia and the US. Outabox confirmed the breach and said it likely took place “from a sign in system used by our clients.” It did not respond to any further requests for details on what type of data was likely impacted. The company has a facial recognition kiosk called TriAgem, which is deployed at entry points of clubs to scan patrons’ temperatures (used in post-covid days) and verify their membership on entry. Outabox did not confirm if this data was also impacted in the data breach incident.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation. We will provide further details as soon as we are able to,” Outabox said.

Australia’s National Cyber Security Coordinator said the government is coordinating a response in the Outabox data breach incident with local authorities in the NSW and ACT. “I know this will be distressing for those who have been impacted and we are working as quickly as we can, alongside Outabox, to ascertain the full scale of the breach,” said Lieutenant General Michelle McGuinness, who recently took over the role of the National Cyber Security Coordinator. The NSW government acknowledged that it was aware of the incident and was “concerned” of the potential impact on individuals. “We encourage clubs and hospitality venues to notify patrons whose information is affected,” it said.

NSW’s West Tradies Sends Breach Notifications

One such club, West Tradies, has issued a breach notification to its customers saying its external IT provider was “a target of a cyber extortion campaign.” It added that, “At this stage, we do not know if all patrons, or only some patrons, have been affected.”

“On the evening of 29 April 2024, we were formally notified by the external IT provider that it has been the target of a “cyber extortion campaign” and that an overseas third party is threatening to release personal information unless their demands are complied with,” West Tradies Club said.

All registered clubs in New South Wales are required to keep certain information about members and guests under the Registered Clubs Act. Clubs are also required to keep certain information to comply with their responsible gambling and Anti-Money Laundering and Counter-Terrorism Financing obligations. To comply with these norms, West Tradies, used an external IT provider that would assist in keeping these records and operate its systems, it clarified.

More than 1 million Impacted in Outabox Data Breach?

A website that claims to allow people to search their names in the leaked database appeared on the open internet recently. The domain haveibeenoutaboxed[.]com, appears to be similar to a service provided by another Australian data leak search provider but it does not claim any links to it. The information posted on this website claims that facial recognition biometric, driver license scans, signature, club membership data, address, birthday, phone number, club visit timestamps, and slot machine usage is included in this data set. There are allegedly 1,050,169 records in the leaked data set and a simple name search shows redacted details of the patrons of different clubs. Majority of personally identifiable information has been removed at this stage.

Unpaid Overseas Developers the Cyber Extortionists?

The data leak search website is allegedly controlled by an offshore development team in the Philippines. Outabox hired offshore developers from the Philippines to create software systems that are installed at casinos and nightclubs across several countries. However, after a year and a half of work, the developers were abruptly cut off and left unpaid by Outabox, the owner of the leak site claimed. “While this outsourcing strategy is common in the industry, what followed was far from standard practice. The developers were granted unrestricted access to the back-end systems of gaming venues, including access to raw data,“ the leak site stated. Douglas Kirkham, the chief executive officer of West Tradies said “the Club was unaware that any data held by the Club had been disclosed to any third parties or that it had been disclosed overseas. If the allegations are true, those actions were taken without the Club’s knowledge or consent.”

“The Club did not authorise, permit, or know that the external IT provider had provided any information obtained from the Club to third parties.”

The Office of the Australian Information Commissioner has advised it has been notified by some impacted entities and is expecting to receive further notifications. Nearly 20 clubs have been listed on the leak site. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.

We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes, this is an extortion!!!!

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”

The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.

CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.

Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.

The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.

Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.

The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said Brett Johnson, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.

“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”