Like other ransomware-as-a-service (RaaS) operations, LockBit 2.0 looks for affiliates to perform the intrusion and exfiltration on targets.
The gang went on a hiring spree in the wake of DarkSide and REvil both shutting down operations, putting up wallpaper on compromised systems that includes text inviting insiders to help compromise systems, and promising payouts of millions of dollars.
LockBit 2.0 shows influences of and similarities to Ryuk and Egregor, particularly certain notable behaviors.
Ransomware Threat Landscape:
- Recently, Bangkok Airways has revealed it was the victim of a cyberattack from ransomware group LockBit, resulting in the publishing of stolen data. LockBit mostly targets organizations like enterprises and governments that will be disrupted enough by ransomware that paying up is the easy way out.
- Earlier this month the gang hit outsourcing and accounting firm Accenture. The company reported revenues of $44.33 billion in 2020 and had 569,000 employees across 50 countries. Rumors swirled that the cybercriminals demanded $50 million in cryptocurrency from the consulting multinational. The deadline was repeatedly extended until Accenture concluded the stolen data was not significant.
- Another LockBit target was UK train operator Merseyrail, which fell victim in April 2021. Trains continued to run on time, but the criminals got bragging rights after reportedly compromising a company director's Office 365 account and using it to email employees and journalists about their achievement.
Indicators of Compromise
File Hashes
URLs
hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion
hxxp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did[.]onion
hxxp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid[.]onion
TTPs
T1070.001: Indicator Removal on Host: Clear Windows Event Logs
T1041: Exfiltration Over C2 Channel
T1486: Data Encrypted for Impact
T1489: Service Stop
T1490: Inhibit System Recovery
Details of the Operations:
On August 23, 2021, the Russian-language tech YouTube channel “Russian OSINT” published an interview with representatives of LockBit that uncovered details of their operations.
The LockBit 2.0 representative claims their ransomware has the most advanced technical features, allowing it to stand out among its competitors. Stated features include:
- 1) The fastest encryption speed and data exfiltration
- 2) An automated process of distribution and encryption
- 3) Immediate data exfiltration
The representative also stated that they do not attack healthcare and educational institutions, social services, or charities: anything that contributes to the development of human beings and their safety remains untouched.
Metmox's Recommendations and Best practices:
Given LockBit 2.0's current capabilities, its ongoing development, and its active recruitment of affiliates and insiders, organizations should expect further upgrades to the operation. Below are a few of Metmox’s recommendations that can help organizations prevent and mitigate the impact of attacks.
- LockBit 2.0 is known for actively exploiting public-facing applications, so monitoring externally exposed endpoints should be the first mitigation strategy. The group specifically prefers the following infrastructure endpoints:
- Corporate VPN, especially Citrix and Fortinet
- Externally exposed RDP
- As a top-tier ransomware group, LockBit likely follows recently published CVEs, including ProxyLogon and other Microsoft Exchange exposures. Monitoring exposed endpoints and applying the patches that address these CVEs is required.
- Perform periodic vulnerability assessments, and conduct regular patching or virtual patching for operating systems and applications. Ensure that all installed software and applications are updated to their latest versions.
- Perform security skills assessment and training for all personnel regularly, and conduct red-team exercises and penetration tests.
- LockBit prioritizes network discovery and lateral movement, which enables it to locate and steal sensitive data. Disrupting that movement through network segmentation, a clear access hierarchy, and additional protection for Active Directory, domain admin accounts, and local domains can significantly complicate their operations.
- Multifactor authentication is required so that account credentials obtained by actors cannot be used to escalate privileges and move laterally within the network.
- It is suggested to perform daily backups and keep them offline to avoid data loss.
- Audit and monitor all event and incident logs to identify unusual patterns and behaviors.
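As an added example (not part of Metmox's advisory), the following Python maps constructed Windows event records to three of the TTPs listed above (T1070.001, T1489, T1490) and flags hosts on which more than one technique appears, which is the kind of log auditing the last recommendation calls for. Event IDs 1102/104 and the command-line patterns are standard Windows signals; the host names and sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): each record carries the
# Windows event ID and, for process-creation events (4688), the command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4688, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "event_id": 4688, "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "ws01", "event_id": 1102, "cmd": ""},   # Security log cleared
    {"host": "srv02", "event_id": 4688, "cmd": "net stop SQLWriter"},
    {"host": "srv02", "event_id": 4688, "cmd": "notepad.exe report.txt"},
    {"host": "srv02", "event_id": 104, "cmd": ""},   # System log cleared
    {"host": "ws03", "event_id": 4688, "cmd": "net stop Spooler"},  # benign-looking on its own
]

# Detection rules keyed by the ATT&CK technique IDs from the TTP section above.
RULES = {
    "T1070.001": {  # Clear Windows Event Logs: audit-log-cleared events or wevtutil cl
        "ids": {1102, 104},
        "cmd": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    },
    "T1490": {  # Inhibit System Recovery: shadow copy deletion, recovery disabled
        "ids": set(),
        "cmd": re.compile(
            r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
            r"|bcdedit(\.exe)?.*recoveryenabled\s+no)", re.I),
    },
    "T1489": {  # Service Stop via net/sc
        "ids": set(),
        "cmd": re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I),
    },
}

def classify(event):
    """Return the technique IDs whose rule this single event matches."""
    hits = []
    for tid, rule in RULES.items():
        if event["event_id"] in rule["ids"] or rule["cmd"].search(event.get("cmd", "")):
            hits.append(tid)
    return hits

def detect(events, threshold=2):
    """Group matches per host and return hosts with at least `threshold` distinct
    techniques: several precursors on one host is a far stronger ransomware
    signal than any single command, which may be legitimate administration."""
    per_host = defaultdict(set)
    for ev in events:
        for tid in classify(ev):
            per_host[ev["host"]].add(tid)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}
```

Running `detect(SAMPLE_EVENTS)` flags ws01 and srv02 but not ws03, whose lone service stop only surfaces at `threshold=1`.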