World’s Largest Infostealer Malware Operation Suffers Major Blow With Law Enforcement Raid

May 28, 2025

History suggests it cannot be written off yet, but the world’s biggest infostealer malware service has been dealt a severe blow by an international law enforcement raid. That means at least some added inconvenience and disruption for its clients, some of whom are among the world’s most active data theft and ransomware gangs.

The Lumma group lost its control panel to the DOJ, which severs it from its clients and from its central marketplace for stolen data, along with some 2,300 domains tied to the operation; its malware has infected over 394,000 Windows computers globally. Because the operators are believed to be based in Russia, beyond the reach of the agencies involved, there is some chance they will regroup and remain a substantial threat, but the development is still a very positive one for the cybersecurity landscape.

“Innovative” infostealer malware gang disrupted

Lumma is the world’s most-used infostealer malware service, thanks to the broad range of compromise methods it offers clients and the constant maintenance its team provides. One of its biggest clients is Scattered Spider, the group that went on a ransomware rampage in 2023 and recently re-emerged to cause havoc at some major UK retailers.

Lumma cannot be discounted as a threat at this point, as it would be far from the first time a major cybercrime group took a few months to regroup after a law enforcement raid and came back strong. Scattered Spider itself is an example, as are Emotet, LockBit and the Bumblebee loader, among many others. But the group will likely be struggling for some time given the scope of the raid, which involved both public agencies and private cybersecurity partners from the United States, Europe and Japan.

Lumma threat limited, but vigilance still required

Subscribers to Lumma’s infostealer malware service paid a relative premium for the “top of the line” in credential theft, with subscription tiers ranging from $250 to $1,000. That bought automated harvesting of credentials from a broad variety of apps, browsers and crypto wallets once the malware was on a target system, along with a variety of templates to assist with the initial intrusions.

The raid disrupts not only that service but also one of the world’s largest underground markets for stolen personal information. Lumma also ran its own forum for buying and selling the personal and financial data its tools harvested. Losing the control panel means the group will at minimum have to regroup and stand up another forum, though there are indications it has already shifted this business to Telegram.

The group was also in an expansion phase when disrupted, standing up an average of about 74 new attack domains per week. Well over half of its total domain inventory was seized in the raid. The FBI and CISA nevertheless advise continued vigilance against attacks using the group’s infostealer malware, which has been delivered through everything from seemingly legitimate GitHub project updates to “malvertising” served by legitimate sites.
