{
	"id": "d95a10ea-795a-4c50-b08b-601d56ca056b",
	"created_at": "2026-04-06T00:18:08.356046Z",
	"updated_at": "2026-04-10T13:11:50.332411Z",
	"deleted_at": null,
	"sha1_hash": "2969c66f5163bbcdab5dbeb2b4c55a34ccbd9013",
	"title": "Russian ransomware group claims attack on Bulgarian refugee agency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45826,
	"plain_text": "Russian ransomware group claims attack on Bulgarian refugee\r\nagency\r\nBy AJ Vicens\r\nPublished: 2022-05-04 · Archived: 2026-04-05 16:57:18 UTC\r\nA ransomware group believed to have strong ties within Russia said Wednesday that it will release files it took\r\nfrom the government agency responsible for refugee management in Bulgaria, a nation that has reportedly hosted\r\nhundreds of thousands of fleeing Ukrainians.\r\nLockBit 2.0 posted a notice to the dark web portal it uses to identify and extort its victims saying it had files from\r\nthe Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!”\r\nthe notice read under the group’s trademark bright red countdown clock, which has a May 9 publication date but\r\nno specific posted ransom demand.\r\nThe agency didn’t immediately return an emailed request for comment. A spokesperson at the Bulgarian embassy\r\nin Washington, D.C., told CyberScoop Wednesday he didn’t have information on the incident and would look into\r\nit.\r\nThe agency’s website remains functional, but the site’s home page includes a notice that “due to\r\nnetwork problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily\r\nunavailable!!!” according to a Google translation.\r\nNearly 5.7 million Ukrainian refugees have fled their country since the Feb. 24 Russian invasion, according to\r\ndata from the United Nations High Commissioner for Refugees. Nearly 230,000 of those made their way to\r\nBulgaria, with 100,700 remaining in the country, according to the Sofia Globe, a news organization in the\r\ncountry’s capital.\r\nLockBit 2.0 is the successor to LockBit, a ransomware variant first spotted in September 2019, according to\r\ncybersecurity firm Emsisoft. 
Originally known as ABCD ransomware — named for the file extension appended to\r\nencrypted files, with the extension later updating to “LockBit” — the crew launched its own leak site in\r\nSeptember 2020.\r\nBy June 2021, after a string of attacks, the developers behind the malware launched “LockBit 2.0,” along with\r\nadvertising material boasting of its fast encryption and data exfiltration speeds, relative to other ransomware\r\nvariants. As of July 2021 Emsisoft estimated that there could have been nearly 40,000 ransomware incidents\r\ninvolving LockBit malware.\r\n“This is simply the latest in a very long list of hits on organizations which provide critical services,” said Brett\r\nCallow, a threat analyst at Emsisoft. “Hospitals, [search and rescue], fire departments, and charities for the\r\ndisabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the\r\nsooner we find a way to deal with the problem, the better.”\r\nIt’s also not the first cyberattack targeting officials trying to aid Ukrainian refugees.\r\nLike other major ransomware efforts, there’s believed to be a core group behind LockBit that works with\r\n“affiliates,” who keep 70% to 80% of ransomware proceeds. 
In an August 2021 interview with a Russian-speaking\r\ntech blog, a representative for the group espoused a series of political positions that correlated heavily with the\r\nanti-American and anti-Western narratives promoted by Russian government officials and popular Russian media,\r\naccording to an analysis by Florida-based cybersecurity firm AdvIntel.\r\nThe LockBit 2.0 representative said in the interview that the group does not attack “social services and charities,”\r\nbut the AdvIntel analysis concluded that the group is like other ransomware groups where “‘moral agendas’ never\r\ngo beyond such flamboyant phrases.”\r\nIn late February the group posted a notice to its site claiming neutrality with respect to the Russian invasion,\r\nReuters reported in March. The statement claimed its “pentesters” were mostly Russians and Ukrainians, but that\r\nthe group included people from around the world, SC Media reported at the time.\r\nSource: https://www.cyberscoop.com/lockbit-ransomware-attack-bulgarian-refugee-agency/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyberscoop.com/lockbit-ransomware-attack-bulgarian-refugee-agency/"
	],
	"report_names": [
		"lockbit-ransomware-attack-bulgarian-refugee-agency"
	],
	"threat_actors": [],
	"ts_created_at": 1775434688,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2969c66f5163bbcdab5dbeb2b4c55a34ccbd9013.pdf",
		"text": "https://archive.orkl.eu/2969c66f5163bbcdab5dbeb2b4c55a34ccbd9013.txt",
		"img": "https://archive.orkl.eu/2969c66f5163bbcdab5dbeb2b4c55a34ccbd9013.jpg"
	}
}