The FBI has published indicators of compromise (IoCs) and information on the tactics, techniques, and procedures (TTPs) associated with Lockbit 2.0 ransomware.
The Lockbit ransomware-as-a-service (RaaS) operation has been active since September 2019. In summer 2021 a new version, Lockbit 2.0, was released. It has more sophisticated capabilities, including the ability to automatically encrypt data files across Windows domains through Active Directory group policies, and a Linux-based variant was also developed that may exploit vulnerabilities in VMware ESXi virtual machines.
The affiliates working for the ransomware operation use a wide collection of TTPs in their attacks, which makes prevention, detection, and mitigation difficult for security teams. Initial access is obtained by exploiting unpatched vulnerabilities, using zero-day exploits, and buying access to business networks from initial access brokers (IABs). Immediately after the relaunch of the RaaS, the threat actor began advertising on hacking forums for insiders who could provide network access in exchange for a percentage of any ransom payment.
Once access to a network has been obtained, the threat actors use a variety of publicly available tools for lateral movement, privilege escalation, and exfiltration of sensitive data. Stolen information is used as leverage to pressure victims into paying the ransom. If victims refuse to pay, the stolen files are posted on the Lockbit 2.0 data leak site.
The infection process deletes log files and volume shadow copies, and enumerates system data such as hostname, host configuration, domain details, local drive layout, remote shares, and mounted external storage devices. Affiliates can specify in the admin panel which file types to exfiltrate, and those files are uploaded to an attacker-controlled server over HTTP. Some affiliates use other means to the same end, such as rclone, MEGAsync, and publicly accessible file-sharing platforms. After exfiltration, the ransomware encrypts files on local and remote devices while leaving core system files intact. The ransomware then deletes itself from disk and establishes persistence at startup. Lockbit 2.0 does not infect systems on which it detects Russian or any other language of the former Soviet republics.
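The pre-encryption behaviours described above (shadow copy deletion, log clearing, and exfiltration tooling such as rclone or MEGAsync) are visible in process-creation telemetry. The following is an added example, not code from the FBI alert or this article, showing how a defender might flag them; the Sysmon-style event records, hostnames, and user names are constructed sample data, and the command-line patterns are assumed from the tools' documented usage.

```python
import re

# Constructed Sysmon-style process-creation records (hypothetical sample
# telemetry, not logs from any real incident).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "cmd": "wevtutil.exe cl Security"},
    {"host": "fs02", "user": "CORP\\svc_backup",
     "cmd": "rclone.exe copy D:\\Finance remote:dump --transfers 8"},
    {"host": "ws03", "user": "CORP\\asmith",
     "cmd": "C:\\Windows\\System32\\notepad.exe report.txt"},
]

# Each rule maps a behaviour named in the alert to a command-line pattern
# a defender would expect to see for it (assumed patterns).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
        r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "event_log_clearing": re.compile(
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "exfil_tooling": re.compile(r"\b(rclone|megasync)(\.exe)?\b", re.I),
}

def match_rules(cmdline):
    """Return the names of all rules whose pattern hits this command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def scan(events):
    """Return (host, user, rule) triples for every matching event."""
    hits = []
    for ev in events:
        for rule in match_rules(ev["cmd"]):
            hits.append((ev["host"], ev["user"], rule))
    return hits

def hosts_with_chain(events, needed=("shadow_copy_deletion",
                                     "event_log_clearing")):
    """Hosts on which every behaviour in `needed` was seen. Seeing both
    together is a stronger signal than either single hit, since both
    precede encryption in the described infection process."""
    seen = {}
    for host, _user, rule in scan(events):
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if set(needed) <= rules)

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    print("hosts with deletion chain:", hosts_with_chain(SAMPLE_EVENTS))
```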
Like many other RaaS operations, the group claims it will not conduct ransomware attacks on healthcare providers; however, other groups have made similar statements and still attacked the medical sector. The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) has advised all organizations in the HPH sector to read and act on the information in the FBI's TLP: White Flash Alert and to reduce their attack surface as far as possible.
Recommended steps include using strong, unique passwords for all accounts, enabling multi-factor authentication, keeping software and operating systems up to date, removing unnecessary access to administrative shares, segmenting networks, and deploying a host-based firewall and a robust data backup system.