A report has been released regarding the tools and tactics used by Lockean, which is believed to have ties with several RaaS including DoppelPaymer, Maze, Sodinokibi, Prolock, and Egregor.

About Lockean

The group first appeared last year when it targeted a French company and deployed the DoppelPaymer ransomware.
  • In the last one and half years, the ransomware group attacked the networks of eight French companies and stole data before spreading malware to various victims.
  • Some of the targeted businesses included Gefco (a transport company), the Ouest-France (a newspaper), and Fareva and Pierre Fabre (pharmaceutical).
  • Four additional unnamed companies were identified as victims by ANSSI, France’s national cybersecurity agency, and two incidents were noted by Intrinsec and the DFIR Report.
  • Lockean’s average cut of paid ransoms stands at 70% while the rest goes to RaaS maintainers.

Attack tactics

According to the report from France CERT the group had targeted seven companies from June 2020 to March 2021 to deploy ransomware strains such as Maze, Egregor, ProLock, and REvil.
  • In most of the attacks, attackers gained initial access to the victim network via the Qbot banking trojan, which distributed multiple ransomware strains.
  • In one instance, the group used IcedID to get access to the network. For lateral movement, the attackers used Cobalt Strike and Adfind, BloodHound, and BITSadmin tools.
  • Looking at the IoCs, several IP addresses related to Conti ransomware have been found, implying Lockean’s connection with other RaaS operations focused in different regions. Furthermore, to increase profits, the gang used double extortion and stole data from the victim using the Rclone tool.


The report suggests that several ransomware gangs, as well as independent groups, are now working together using the affiliate model. The report is expected to help organizations defend themselves by using the insight and IoCs provided by the experts from CERT. Moreover, to stay protected from such threats, organizations are suggested to take regular backups of sensitive data and use reliable anti-malware defenses.

Cyware Publisher