The FBI published last week a flash alert consisting of LockBit 2.0 technical details and attack indicators, and a list of recommendations to help organizations fend off threats.
The FBI also asked cyberattack victims to report incidents to their local FBI Cyber Squad as quickly as possible to help them track malicious actors and prevent future intrusions.
The flash alert describes the tactics, techniques and procedures (TTPs) used by LockBit 2.0 operators, technical details of the ransomware strain, indicators of compromise (IOCs), the information the FBI requests from victims to help it identify attackers and hold them accountable, and recommended mitigations.
LockBit 2.0 ransomware breaches networks through techniques such as exploiting unpatched vulnerabilities, purchased access, zero-day exploits and insider involvement. Once in the network, threat actors escalate their privileges through publicly available tools, such as Mimikatz.
They then use a mix of public and custom tools to exfiltrate harvested data before encrypting the files on the compromised device with the LockBit malware and leaving a ransom note.
The LockBit ransomware gang’s activity has surged since its launch as a ransomware-as-a-service (RaaS) operation in September 2019, when it extensively promoted the operation, recruited affiliates to breach networks, and provided support to its customers on Russian hacking forums.
A couple of years later, the malware gang announced LockBit 2.0 on their leak website after ransomware threat actors were banned from promoting their services on hacking forums. LockBit 2.0 saw a new website design as well as improved and advanced features within the product, including the ability to encrypt devices automatically across Windows domains by exploiting Active Directory group policies.
The FBI’s flash alert includes a series of recommendations to help network administrators fend off LockBit 2.0 ransomware attacks. Namely:
- Implement new password policies to enforce the use of strong, unique passwords for all accounts
- Make multi-factor authentication (MFA) mandatory for all services
- Restrict access to administrative shares (especially ADMIN$ and C$)
- Enable protected files (Windows OS) to restrict unauthorized modifications to important files
- Use a host-based firewall to allow Server Message Block (SMB) connections exclusively from a restricted set of administrator devices
- Perform network segmentation to curb ransomware spreading
- Use an endpoint detection and response (EDR) tool to identify, detect and investigate abnormal activity on the network
- Keep offline backups of data and perform regular maintenance on backups
- Encrypt all backup data and make sure it’s immutable (non-alterable, non-removable)
- Restrict or disable scripting and command-line activities and permissions
- Implement time-based access for admin accounts (and higher)
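The following PowerShell script is an added example of how three of the host-level recommendations above (scoped SMB firewall rules, restricted administrative shares, and protected files) can be applied on a single Windows machine. It is not code from the FBI alert. It assumes the built-in Windows Defender Firewall and Microsoft Defender Antivirus are in use, interprets "protected files" as Defender's Controlled Folder Access, and uses placeholder IP addresses (`10.0.0.10`, `10.0.0.11`) for the dedicated administrator workstations; replace them with your own.

```powershell
# Added example (not part of the FBI alert). Run from an elevated PowerShell session.
# Assumption: the two addresses below are dedicated admin workstations / jump hosts.
$AdminHosts = @('10.0.0.10', '10.0.0.11')

# 1. Host-based firewall: accept inbound SMB (TCP/445) only from the admin hosts.
#    In Windows Defender Firewall a matching Block rule always wins over an Allow
#    rule, so instead of adding a broad block we (a) make the profile default for
#    inbound traffic "Block", (b) disable the stock File and Printer Sharing rules,
#    which allow SMB from any source, and (c) add one narrowly scoped Allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'SMB-In: admin hosts only' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AdminHosts -Action Allow -Profile Any

# Verify the rule is scoped as intended (the address filter should list only $AdminHosts).
Get-NetFirewallRule -DisplayName 'SMB-In: admin hosts only' | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 2. Restrict administrative shares (ADMIN$, C$). Removing them takes effect now;
#    the registry values stop the Server service from recreating them at next start.
#    Caveat: some management tooling relies on ADMIN$ (remote agent push, PsExec-style
#    tools), so test this on a pilot group before rolling it out widely.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $LanmanParams -Name 'AutoShareWks'    -Value 0 -Type DWord   # workstations
Set-ItemProperty -Path $LanmanParams -Name 'AutoShareServer' -Value 0 -Type DWord   # servers
foreach ($share in (Get-SmbShare | Where-Object { $_.Name -in @('ADMIN$', 'C$') })) {
    Remove-SmbShare -Name $share.Name -Force
}
# Confirm only IPC$ (needed for named-pipe authentication) and deliberate shares remain.
Get-SmbShare | Select-Object Name, Path

# 3. Protected files: enable Controlled Folder Access so that untrusted processes cannot
#    modify files in protected folders (user profile folders by default). Start in
#    AuditMode to collect Defender event log hits without blocking, then switch to Enabled
#    once legitimate applications have been allow-listed.
Set-MpPreference -EnableControlledFolderAccess AuditMode
# After review of audit events:
# Set-MpPreference -EnableControlledFolderAccess Enabled
# Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\FinanceData'   # example extra folder
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Backup\agent.exe'

# Report the resulting state so the change can be recorded in the change ticket.
Get-MpPreference | Select-Object EnableControlledFolderAccess
```

The script is deliberately host-scoped; in a domain the same settings are better delivered through Group Policy so that every machine converges on the same configuration and a single misconfigured host does not remain an SMB pivot point. The audit-first step for Controlled Folder Access matters because line-of-business applications that write into user document folders will otherwise be blocked silently, which tends to get the control switched off again rather than tuned.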