FBI shares technical details of Lockbit ransomware and defense tips
The Federal Bureau of Investigation (FBI) released technical details and indicators of compromise associated with the LockBit ransomware attacks in a new flash alert issued this Friday.
He also provided information to help organizations block attempts by this adversary to breach their networks and asked victims to urgently report such incidents to their local FBI Cyber Squad.
The LockBit ransomware gang has been very active since September 2019, when it was launched as ransomware-as-a-service (RaaS), with gang representatives promoting the operation, providing support on Russian-language hacking forums and recruiting threat actors to breach and encrypt networks.
Two years later, in June 2021, LockBit announced RaaS LockBit 2.0 on their data leak site after ransomware actors were banned from posting on cybercrime forums [1, 2].
With the relaunch, the ransomware gang redesigned Tor sites and overhauled malware, adding more advanced features including automatic device encryption on Windows domains via Active Directory group policies.
The gang is now also trying to cut out the middlemen by recruiting insiders to provide them with access to corporate networks via virtual private network (VPN) and remote desktop protocol (RDP).
In January, it was discovered that LockBit had also added a Linux encryptor targeting VMware ESXi servers to its toolkit.
Among the technical details of how LockBit ransomware works, the FBI also revealed that the malware comes with a hidden debug window that can be activated during the infection process using the SHIFT + F1 hotkey.
Once it appears, it can be used to display real-time information about the encryption process and track the status of user data destruction.
This week’s advisory follows an alert issued by the Australian Cybersecurity Agency in August 2021 warning of rapidly escalating LockBit ransomware attacks.
Days later, Accenture, a Fortune 500 company and one of the world’s largest IT services and consulting firms, confirmed to BleepingComputer that it had been hacked after LockBit threatened to leak stolen data from its network and demanded a ransom of $50 million.
Two months later, Accenture also disclosed a data breach in documents filed with the SEC in October after “extracting proprietary information” in the August attack.
Companies urged to report LockBit ransomware attacks
Although the FBI did not specify what triggered the flash alert, it did ask administrators and cybersecurity professionals to share information about LockBit attacks targeting their companies’ networks.
“The FBI is looking for any information that can be shared, [including] delimitation logs showing communications to and from foreign IP addresses, a sample ransom note, communications with threat actors, bitcoin wallet information, decryption file, and/or a benign sample of a encrypted file,” the federal agency said.
“The FBI encourages recipients of this document to report information regarding suspicious or criminal activity to their local FBI office.
“By reporting any related information to the FBI’s Cyber Squads, you are helping to share information that enables the FBI to track malicious actors and coordinate with private industry and the United States government to prevent future intrusions and attacks.”
How to defend your network
The FBI also provides mitigations that would help defenders protect their networks from attempted LockBit ransomware attacks:
- Require all accounts with password logins (for example, service account, administrator accounts, and domain administrator accounts) to have strong, unique passwords
- Require multi-factor authentication for all services where possible
- Keep all operating systems and software up to date
- Remove unnecessary access to administrative shares
- Use a host-based firewall to only allow connections to administrative shares via Server Message Block (SMB) from a limited set of administrative machines
- Enable protected files in Windows operating system to prevent unauthorized modification of critical files.
Administrators can also hinder network discovery efforts of ransomware operators by taking these steps:
- Segment networks to prevent the spread of ransomware
- Identify, detect and investigate anomalous activity and potential traversal of indicated ransomware with a network monitoring tool
- Implement time-based access for accounts defined at admin level and above
- Disable command line and script activities and permissions
- Maintain offline backups of data and regularly maintain backup and restore
- Ensure all backup data is encrypted, immutable, and spans the organization’s entire data infrastructure
Paying ransoms is frowned upon, but…
The FBI also added that it does not encourage ransom payments and advises companies against it because there is no guarantee that paying will protect them from future attacks or data leaks.
Additionally, giving in to ransomware gangs’ demands further funds their operations and motivates them to target more victims. It also attracts other cyber criminal groups to join them in carrying out illegal activities.
Despite this, the FBI has acknowledged that the fallout from a ransomware attack could force companies to consider paying ransoms to protect shareholders, customers or employees. Law enforcement strongly recommends reporting such incidents to a local FBI office.
Even after paying a ransom, the FBI still urges timely reporting of ransomware incidents as it will provide critical information that would enable law enforcement to prevent future attacks by tracking ransomware attackers and holding them accountable. their actions.