The Federal Bureau of Investigation (FBI) issued a flash alert on the technical information and indicators of compromise (IOC) associated with LockBit ransomware attacks. The alert provides information to help companies block attempts by the threat operators to breach their networks and asks victims to report any incidents to their local FBI Cyber Squad. Since launching as a ransomware-as-a-service (RaaS) in September 2019, the LockBit ransomware group has been actively promoting its operation, providing support on Russian-language hacking forums, and recruiting threat actors to breach and encrypt networks. After ransomware actors were banned from posting on cybercrime forums, LockBit announced the LockBit 2.0 RaaS on their leak website.
The ransomware group redesigned their Tor sites and overhauled the ransomware by adding advanced features, including automatically encrypting devices across Windows domains through Active Directory group policies. Additionally, the group is recruiting insiders in an attempt to eliminate intermediaries and gain access to corporate networks through Virtual Private Network (VPN) and Remote Desktop Protocol (RDP). The FBI discovered that LockBit added a Linux encryptor targeting VMware ESXi servers to its toolkit. Additionally, the FBI revealed the ransomware includes a hidden debug window that can be activated during the infection process using the ‘SHIFT + F1’ keyboard shortcut. Once the window appears, it can be used to view real-time information on the encryption process and track the user data destruction status.
The FBI advisory follows an alert by Australia’s cybersecurity agency warning of the rapid escalation of LockBit ransomware attacks. Accenture, a Fortune 500 company and one of the world’s largest IT services and consulting firms, confirmed a breach after LockBit extracted proprietary information, threatened to leak data stolen from its network, and demanded a $50 million ransom. Even though the FBI didn’t explain what prompted the alert, it asked admins and cybersecurity professionals to share information about LockBit ransomware attacks targeting company networks.
The FBI is looking for additional specific information, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the threat actors, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.
The FBI provided several mitigation measures to help defenders guard their networks against LockBit ransomware attacks:
- Require all accounts, including service accounts, admin accounts, and domain admin accounts, to have strong, unique password logins.
- Require all services to have multi-factor authentication.
- Update all operating systems and software.
- Remove unnecessary access to administrative shares.
- Use a host-based firewall that allows connections to administrative shares over Server Message Block (SMB) only from a limited set of administrator machines.
- Prevent unauthorized changes to critical files by enabling protected files in the Windows operating system.
Admins can prevent ransomware operators’ network discovery efforts by implementing these measures:
- Segment networks to prevent the ransomware from spreading.
- Use a network monitoring tool to identify, detect, and investigate suspicious activity and potential lateral movement of the ransomware.
- Implement time-based access for admin-level and higher accounts.
- Disable command-line and scripting activities and permissions.
- Maintain offline data backups, and perform backups and restoration tests regularly.
- Ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.
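As an added example (not from the FBI alert or from SpearTip), the host-based SMB restriction recommended above can be applied on a Windows member server or workstation with the built-in NetSecurity cmdlets; the two administrator IP addresses are constructed placeholders.

```powershell
# Added example: limit inbound SMB (TCP 445) on a member server or workstation to a
# small set of administrator machines. The IPs below are constructed placeholders.
# Do not apply as-is to domain controllers or file servers, which must serve SMB broadly.
$AdminHosts = @("10.0.10.5", "10.0.10.6")

# Weak state: the built-in "File and Printer Sharing" rule group accepts SMB from any
# remote address, which is what lets an intruder with credentials reach ADMIN$ / C$
# on every host. This shows the current remote-address scope of those rules.
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled True |
    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique

# Hardened state:
# 1. Make inbound-deny the default on every profile so nothing reaches 445 unless a rule allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable the permissive built-in rules rather than deleting them, so the change is easy to revert.
Disable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

# 3. Allow SMB only from the administrator hosts, and only on the domain profile.
New-NetFirewallRule -DisplayName "SMB-In from admin hosts only" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AdminHosts -Action Allow -Profile Domain -Enabled True

# 4. Verify: every enabled inbound rule for port 445 should now carry the admin-host scope.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        "{0}: {1} remote={2}" -f $_.DisplayName, $_.Action, $addr
    }
```

Roll the same rule set out through Group Policy so a local administrator (or malware running as one) cannot simply re-enable the built-in rules on a single host.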
Companies are urged not to pay ransoms because doing so does not guarantee protection against future attacks or data leaks. Additionally, giving in to the ransomware groups’ demands motivates them to target more victims, finances their operations, and encourages other groups to join them in launching illegal activities. The FBI realizes that the fallout from a ransomware attack can force companies into paying a ransom to protect shareholders, customers, or employees; law enforcement agencies recommend that companies report any incident to a local FBI field office.
Ransomware groups like LockBit are looking for creative ways to breach companies’ networks. Understanding the technical details and indicators of compromise can be difficult; however, taking the proper steps to protect your organization and improve its security posture removes much of the need for such understanding.
At SpearTip, our certified engineers investigate any suspicious activity and provide you with answers to properly assess the situation. Our Security Operations Centers provide companies with 24/7 protection against threats as our engineers constantly watch your network, whether the concern is a breach originating from within the company or strengthening security measures against external threats. Detecting threats and being proactive is vital for quick response. Our engineers work in tandem with ShadowSpear, our endpoint detection and response platform, a proactive tool for blocking threats like LockBit before they harm companies. ShadowSpear offers direct communication with our engineers as well as a customized dashboard to track threats in real time.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.