Article Details

Deja blues... LockBit boasts once again of ransoming IRS-authorized eFile.com. Add 'ransomware' to the list of certainties in life?. Notorious ransomware gang LockBit claims once again to have compromised eFile.com, which offers online services for electronically filing tax returns with the US Internal Revenue Service (IRS). To be clear: eFile.com is not owned nor operated by the IRS, nor is it part of the agency's e-file program, though it is an IRS-authorized e-file provider. The Register has not verified the crooks' latest claims, and neither the dot-com nor the IRS immediately responded to The Register's inquiries about the alleged breach. We will update this story as we receive additional information. If the criminals' boasts on its dark-web blog about the extortion do turn out to be true, it puts a lot of people's personal and financial data potentially at risk — so it's a good idea to keep an eye out for any suspicious banking activity. The website is said to have 14 days to cough up the demanded ransom. That all said, LockBit previously claimed to have extorted eFile.com in 2022. The gang may well just be re-posting on its blog its previous hit on the dot-com for clout or chaos. We're checking that out. Repeated target We recall that in March 2023, eFile.com's website was compromised and used it to deliver malware. That intrusion — about a month before America's tax day — was spotted by Reddit users who noted that when visiting eFile.com, they were taken to a phony browser update page with a link to download and run a .exe file. It turned out the redirection was caused by JavaScript maliciously added to the dot-com site, as confirmed by SANS Internet Storm Center founder Johannes Ullrich, which led to people being tricked into running the downloaded executable and backdooring their Windows PCs. eFile.com later removed the malicious code from its website. This latest talk of an alleged compromise hits right as late tax filers, who were granted an extension by the IRS in April, scramble to submit their documents prior to the October 15 deadline. And, of course, these claims come despite LockBit's ransomware operations being largely disrupted by global law enforcement earlier this year. While many of the gang's affiliates have moved on to greener pastures — or at least ones without as big of a targeted painted on them — LockBit ransomware refuses to die. According to Check Point's most recent monthly ransomware stats, LockBit3 ransomware was responsible for 8 percent of all infections in August, putting this particular strain in the No. 3 position behind RansomHub (15 percent) and Meow (9 percent).