The Federal Bureau of Investigation (FBI) has provided indicators of compromise (IoCs) as well as facts of the tactics, techniques, and procedures (TTPs) connected with Lockbit 2.0 ransomware.
The Lockbit ransomware-as-a-service (RaaS) operation has been around since September 2019. In summer 2021, there’s a new ransomware version launched, Lockbit 2.0. It possessed more superior functions, such as the capacity to automatically encrypt data across Windows domains by means of Active Directory group policies, and a Linux-based malware was likewise created that can take advantage of vulnerabilities present in VMware ESXi virtual machines.
The affiliates employed by the ransomware operation utilize a selection of TTPs for their attacks, which makes prohibition, discovery, and mitigation a problem for security groups. The first access is acquired by taking advantage of unpatched vulnerabilities, utilizing zero-day exploits, and paying for access to business networks through initial access brokers (IABs). Soon after the re-introduction of the RaaS, the attacker commenced promoting on hacking forums seeking to hire insiders who could offer network access in return for a slice of any ransom payment that is gained.
When access to a system has been obtained, the attackers employ a selection of publicly available tools for lateral movement, privilege upgrade, and exfiltrating sensitive information. Stolen files are employed as leverage to force victims into paying the ransom. When victims decline to give the ransom, stolen files are released on the Lockbit 2.0 data leak website.
The infection process brings about the removal of log files and shadow volume copies, and system details are listed including hostname, host setup, domain data, local drive settings, remote shares, and mounted external storage units. Affiliates can indicate the file types to copy from the administrator panel and transfer those files to an attacker-operated server using HTTP. Many affiliates make use of other tactics to realize the same goal, for instance, rclone and MEGAsync, and also publicly accessible file-sharing tools. After information exfiltration, the ransomware encrypts files on remote and local devices and keeps core system files unchanged. The ransomware then removes itself from the disk and makes persistence during startup. Lockbit 2.0 will leave without infection in case it finds Russian or any languages of the old Soviet republics.
Similar to a number of other RaaS operations, the group states it will not do ransomware attacks on healthcare companies; nevertheless, other groups have made the same promises but have still attacked the medical field. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has cautioned all institutions in the HPH market to read and use the facts included in the FBI’s TLP: White Flash Alert
and take the appropriate steps to lessen their attack surface to the highest level achievable.
Action that must be taken includes setting up strong, unique passwords in all accounts, employing multi-factor authentication, always keeping software and OS updated, taking away unnecessary access to administrative accounts, segmenting sites, and using a host-based firewall and powerful data backup software.