FBI releases technical details and defenses for LockBit ransomware: a hidden SHIFT + F1 keyboard shortcut command exists


The Federal Bureau of Investigation (FBI) has released technical details and indicators of compromise related to the LockBit ransomware attack.

https://www.ic3.gov/Media/News/2022/220204.pdf

LockBit 2.0 is a highly obfuscated ransomware: it uses bitwise operations to decrypt its strings and load the modules it needs at runtime, which helps it evade detection.

The advisory also provides guidance on how to stop a network intrusion.

The LockBit ransomware has been very active since September 2019, when it was launched as a Ransomware-as-a-Service (RaaS), recruiting affiliates on Russian-language hacking forums to break into networks and encrypt them for ransom.

In June 2021, after ransomware groups were banned from posting on cybercrime forums, LockBit announced “LockBit 2.0 RaaS” on its data leak site.

This group has redesigned the Tor site and added more advanced features such as hiding malware and automatically encrypting devices across a Windows domain via Active Directory Group Policy.

They also seek to eliminate middlemen by recruiting insiders to provide access to corporate networks via virtual private networks (VPNs) and remote desktop protocols (RDPs).

In January, we learned that LockBit had also added a Linux encryptor to its toolkit that targets VMware ESXi servers.

The FBI also revealed technical details about the LockBit ransomware’s behavior, including that the malware comes with a hidden debug window that can be launched using the SHIFT + F1 keyboard shortcut during the infection process.

When this window appears, you can view real-time information about the encryption process and track the status of user data destruction.

This advisory follows an alert issued by the Australian cybersecurity agency in August 2021, warning of a rapid escalation in LockBit ransomware attacks.

LockBit threatened to leak data it had stolen from the network of Accenture, a Fortune 500 company and one of the world’s largest IT services and consulting firms, and demanded a ransom of $50 million.

The FBI did not say what prompted the release of the report, but it urged administrators and cybersecurity experts to share information about LockBit attacks targeting corporate networks.

The FBI is seeking any and all information that can be shared, including perimeter logs showing communications with foreign IP addresses, sample ransom notes, communications with threat actors, bitcoin wallet information, decrypted files, and samples of encrypted files.

The FBI encourages anyone receiving this document to report any information about suspicious or criminal activity to their local FBI field office.

By reporting relevant information to the FBI Cyber Squad, you help the FBI share information to track down malicious actors and work with the private sector and the U.S. government to prevent future intrusions and attacks.

How to defend your network

The FBI presents measures to protect your network from LockBit ransomware attacks.

  • Mandate that all accounts that log in with a password (e.g., service accounts, admin accounts, domain admin accounts) have a strong, unique password.
  • To the extent possible, require multi-factor authentication for all services.
  • Keep all operating systems and software up to date.
  • Eliminate unnecessary access to administrative shares.
  • Use host-based firewalls to allow connections to administrative shares via SMB (Server Message Block) only from a limited set of administrator machines.
  • Enable protected files in the Windows operating system to prevent unauthorized changes to critical files.
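As an added, defender-side example that is not part of the FBI advisory or this article, the following PowerShell implements the SMB scoping recommendation above with the Windows Defender Firewall cmdlets (Windows Server 2012 R2 or later, run elevated). The administrator host addresses and the rule name are assumed placeholders.

```powershell
# Added example (not from the FBI advisory): expose SMB (TCP 445) on a host only to a
# short list of administrator machines, using Windows Defender Firewall cmdlets.
# The address list is a constructed placeholder for your own admin jump hosts.
$AdminHosts = @('10.0.10.5', '10.0.10.6')   # assumed: dedicated administrator machines
$RuleName   = 'SMB inbound from admin hosts only'   # assumed rule name

# Windows Firewall evaluates Block rules before Allow rules, so "block everything,
# then allow a few" does not work. Instead: make the profile default Block and keep
# exactly one scoped Allow rule for port 445.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Disable every other inbound Allow rule for TCP 445 (for example the built-in
# "File and Printer Sharing (SMB-In)" rules) so nothing widens access again.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
    Disable-NetFirewallRule

# Create the single scoped rule, or refresh its address list if it already exists.
# The Public profile is deliberately left out.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $AdminHosts -Enabled True
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $AdminHosts -Action Allow -Profile Domain, Private
}

# Verify that the remote-address scope actually applied to the rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Deploying this through Group Policy rather than per host keeps the scope consistent across the domain, which matters because LockBit 2.0 is described above as spreading to domain members via Group Policy and administrative shares.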

Administrators can also hinder the network discovery activities of ransomware operators by taking the following measures.

  • Segment your network to prevent the spread of ransomware.
  • Use network monitoring tools to identify, detect, and investigate unusual activity and possible ransomware intrusion.
  • Set up time-based access for accounts at the administrator level and higher.
  • Disable command-line and scripting activities and permissions.
  • Maintain offline backups of data, and regularly test backup and restoration.
  • Ensure all backup data is encrypted, immutable, and covers the organization’s entire data infrastructure.
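As an added example of the time-based access recommendation above (not from the FBI advisory or this article), the following PowerShell grants a privileged group membership that Active Directory removes automatically when it expires, using the Privileged Access Management optional feature (Windows Server 2016 forest functional level or later). The forest name, group and operator account are assumed placeholders.

```powershell
# Added example (not from the FBI advisory): grant Domain Admins membership for a fixed
# window instead of permanently, using AD's Privileged Access Management (PAM) feature.
# Forest, group and operator names below are constructed placeholders.
Import-Module ActiveDirectory

$Forest   = 'corp.example.com'        # assumed forest
$Group    = 'Domain Admins'
$Operator = 'jdoe'                    # assumed operator account
$Window   = New-TimeSpan -Hours 4     # membership lapses after 4 hours

# One-time, irreversible forest-wide change: enables expiring links (TTL on membership).
$Pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $Pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# Add the operator with a time-to-live; no manual cleanup step is needed later.
Add-ADGroupMember -Identity $Group -Members $Operator -MemberTimeToLive $Window

# Verify: members with a TTL are listed with their remaining seconds.
Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Enabling the PAM feature cannot be undone, so do it in a test forest first; once enabled, any standing membership in tier-0 groups can be replaced with requests that carry a TTL like the one above.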

The FBI also does not recommend paying the ransom, as paying it will not necessarily protect you from future attacks or data breaches.

In addition, complying with the demands of ransomware groups gives them an incentive to further fund their activities and target more victims. It also gives other cybercrime groups an incentive to join them in their illegal activities.

But the FBI acknowledges that the impact of ransomware attacks may force companies to consider paying ransoms to protect their shareholders, customers and employees.

Even after the ransom has been paid, the FBI encourages people to report ransomware incidents promptly because it can provide critical information to prevent future attacks by tracking ransomware attackers and holding them accountable for their actions.
