LockBit 2.0 Ransomware affiliates targeting Renowned Organizations
THREAT LEVEL: Red.
Since September 2021, LockBit 2.0 has targeted 500+ organizations in vital sectors globally. Recent attacks have hit the well-known tire producer Bridgestone, software giant Accenture, and the French Ministry of Justice. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. Some of the known vulnerabilities exploited are CVE-2021-22986, affecting BIG-IP products, and CVE-2018-13379, affecting FortiOS.
The ransomware first checks the system and user language settings and only proceeds on hosts whose language does not match a predefined list of Eastern European languages. As soon as the infection begins, it erases system logs and the shadow copies on disk. It also collects system data such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. It then attempts to encrypt all data stored on any local or remote device, skipping files required for critical system operations. After encryption, the ransomware deletes itself from disk and establishes persistence so that it runs again at startup.
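Detection logic for the behaviours described above (shadow-copy deletion, event-log clearing, and Run-key persistence, which map to T1490, T1070.001 and T1547.001 in ATT&CK), as an added example that is not part of the original advisory. The Sysmon-style JSON records, file paths and registry values below are constructed for illustration and are not IoCs from this advisory.

```python
import json
import re

# Constructed Sysmon-like records (Event ID 1 = process creation, 13 = registry value set).
# Values are made up for the example and are not indicators from the advisory.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl Security"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\notes.txt"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", "Details": "C:\\Users\\Public\\x.exe"}
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Policies\\Example", "Details": "1"}
"""

# Process-creation rules: (ATT&CK id, description, command-line pattern).
PROC_RULES = [
    ("T1490", "Inhibit System Recovery: shadow copy / recovery tampering",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("T1070.001", "Indicator Removal: Windows event log cleared",
     re.compile(r"wevtutil(\.exe)?\s+cl\s|Clear-EventLog", re.I)),
]

# Registry rule: any value written under a CurrentVersion\Run or RunOnce key.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def scan(log_text):
    """Return a list of (technique_id, description, offending_value) for each matching event."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            for tid, desc, rx in PROC_RULES:
                if rx.search(cmd):
                    findings.append((tid, desc, cmd))
        elif ev.get("EventID") == 13:
            key = ev.get("TargetObject", "")
            if RUN_KEY.search(key):
                findings.append(("T1547.001", "Persistence: Registry Run key set", key))
    return findings


if __name__ == "__main__":
    for tid, desc, value in scan(SAMPLE_LOG):
        print(f"[{tid}] {desc}: {value}")
```

A single Run-key write is common for legitimate software; in practice the T1547.001 hit is most useful when correlated with the T1490 or T1070.001 hits from the same host within a short window.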
LockBit 2.0 affiliates typically use the Stealbit tool, obtained directly from the LockBit panel, to exfiltrate selected file types before encryption. The affiliate can adjust the targeted file types to tailor the attack to the victim. They also frequently use publicly accessible file-sharing services such as privatlab.net, anonfiles.com, sendspace.com, fex.net, transfer.sh, and send.exploit.in. While some of these tools and services have legitimate uses, they are readily abused by threat actors.
Organizations can mitigate the risk by following these recommendations:
• Use multi-factor authentication.
• Keep all operating systems and software up to date.
• Remove unnecessary access to administrative shares.
• Maintain offline backups of data and ensure all backup data is encrypted and immutable.
• Enable protected files in the Windows Operating System for critical files.
The MITRE ATT&CK TTPs commonly used by LockBit 2.0 are:
TA0040 – Impact
TA0042 – Resource Development
TA0001 – Initial Access
TA0002 – Execution
TA0003 – Persistence
TA0005 – Defense Evasion
TA0006 – Credential Access
TA0007 – Discovery
TA0008 – Lateral Movement
TA0009 – Collection
TA0011 – Command and Control
TA0010 – Exfiltration
T1190: Exploit Public-Facing Application
T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
T1059.003: Windows Command Shell
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1055: Process Injection
T1070.004: Indicator Removal on Host: File Deletion
T1112: Modify Registry
T1497: Virtualization/Sandbox Evasion
T1110: Brute Force
T1056.004: Credential API Hooking
T1012: Query Registry
T1018: Remote System Discovery
T1057: Process Discovery
T1021: Remote Services
T1021.001: Remote Services: Remote Desktop Protocol
T1021.002: Remote Services: SMB/Windows Admin Shares
T1090.003: Proxy: Multi-hop Proxy
T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery
Vulnerability Details

Indicators of Compromise (IoCs)

Recent Breaches
bridgestoneamericas.com
accenture.com
justice.fr
Patch Link
https://www.fortiguard.com/psirt/FG-IR-18-384
https://support.f5.com/csp/article/K03009991
References
https://www.ic3.gov/Media/News/2022/220204.pdf
https://threatpost.com/accenture-lockbit-ransomware-attack/168594/