The FBI has issued a flash report [PDF] that details indicators of compromise (IOC) linked to LockBit 2.0 ransomware. An IOC is a piece of evidence found during digital forensics that indicates a network or computer may be been breached.
LockBit 2.0 Ransomware
LockBit 2.0 is an example of Ransomware-as-a-Service (RaaS). The FBI says this malware-for-hire uses a wide variety of tactics, techniques, and procedures to attack systems. Examples of how it infiltrates networks include unpatched vulnerabilities, zero-day exploits, bribing an employee, or an employee themself that deploys the ransomware.
Once inside a network it uses publicly available tools to escalate its system privileges. The attacks then use other tools to steal data followed by encryption of the system. A ransom note is left within each affected directory with instructions to receive the deception key. These techniques are standard for ransomware and not unique to LockBit 2.0.
In July 2021, LockBit 2.0 released an update which featured the automatic encryption of devices across windows domains by abusing Active Directory group policies. In August 2021, LockBit 2.0 began to advertise for insiders to establish initial access into potential victim networks, while promising a portion of the proceeds from a successful attack. LockBit 2.0 also developed a Linux-based malware which takes advantage of vulnerabilities within VMWare ESXi virtual machines.
The ransomware was programmed to avoid certain systems. It determines the system and user language settings and only targets those not matching a set list of languages that are Eastern European. If an Eastern European language is detected, the program exits without infection.
The report shares mitigations to reduce the risk of compromise against LockBit 2.0. These include:
- Using strong, unique passwords
- Requiring multi-factor authentication
- Keep operating systems and software up to date
- Remove unnecessary access to administrative network shares
- Use a host-based firewall
- Enable protected files for computers using Windows
The FBI report does not disclose any specific entity affected by LockBit 2.0. The agency says it is seeking any information that can be shared, including: boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the attackers, Bitcoin wallet information, the decryption key, and/or a benign sample of an encrypted file. The FBI recommends against paying the ransom.