LockBit Ransomware Extorted $91 Million in 1,700 U.S. Attacks

In a joint advisory, U.S. and international cybersecurity authorities have revealed that the LockBit ransomware gang has extorted approximately $91 million from U.S. organizations through around 1,700 attacks since 2020. LockBit, a Ransomware-as-a-Service (RaaS) operation, emerged as the leading global ransomware threat in 2022, with the highest number of victims reported on its data leak site. The advisory warns that LockBit continues to be prolific in 2023 and has targeted organizations across critical infrastructure sectors worldwide. The advisory includes a list of tools, detailed attack techniques, and mitigation measures to help organizations defend against LockBit. High-profile victims of LockBit include Continental, the Italian Internal Revenue Service, the UK Royal Mail, and the City of Oakland. The advisory is available in PDF format here: https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf

Security Officer Comments:
The LockBit ransomware group has achieved success through its Ransomware-as-a-Service (RaaS) model, technical sophistication, exploitation of vulnerabilities, and effective extortion tactics. Operating as a RaaS allows LockBit to expand its reach and enable other cybercriminals to carry out attacks, amplifying its impact. The group continually evolves its ransomware variants to stay ahead of security measures. LockBit's ability to exploit weaknesses in critical infrastructure sectors enables it to target a wide range of organizations worldwide. By encrypting data and threatening to leak sensitive information online, LockBit creates a strong incentive for victims to pay. These factors have contributed to LockBit's significant success as a ransomware group. Additionally, the group has used various "off-the-shelf" tools such as AnyDesk, TeamViewer, LaZagne, PsExec, WinSCP, PuTTY, and PC Hunter to support its attacks.

MITRE ATT&CK:
Initial Access:
Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid accounts [T1078], and exploitation of public-facing applications [T1190].

Execution and Infection Process:
During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges [TA0004]. LockBit 3.0 performs functions such as:

- Enumerating system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices [T1082]
- Terminating processes and services [T1489]
- Launching commands [TA0002]
- Enabling automatic logon for persistence and privilege escalation [T1547]
- Deleting log files, files in the recycle bin folder, and shadow copies residing on disk [T1485], [T1490]

LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [T1078]. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips files associated with core system functions. After files are encrypted, LockBit 3.0 drops a ransom note with the new filename .README.txt and changes the host's wallpaper and icons to LockBit 3.0 branding [T1491.001]. If needed, LockBit 3.0 will send encrypted host and bot information to a command and control (C2) server [T1027]. Once completed, LockBit 3.0 may delete itself from the disk [T1070.004] as well as any Group Policy updates that were made, depending on which options were set at compilation time.

Exfiltration:
LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. While rclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration.

Suggested Correction(s):
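The behaviours described in the infection and exfiltration sections above (shadow copy deletion, log clearing, the .README.txt ransom note, rclone pushing data to a cloud remote) are exactly the kind of host telemetry a SOC can alert on. The following detection logic is an added example, not part of the advisory or this bulletin; the log records are constructed, simplified Sysmon-style events, and the command-line patterns are assumptions about how those techniques commonly surface, not indicators published by the advisory.

```python
import re

# Constructed sample telemetry (simplified Sysmon-style process and file events).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws01", "cmdline": "wevtutil.exe cl Security"},
    {"type": "process", "host": "srv02", "cmdline": "rclone.exe copy D:\\Finance mega:archive"},
    {"type": "process", "host": "ws03", "cmdline": "notepad.exe C:\\Users\\bob\\notes.txt"},
    {"type": "file", "host": "ws01", "path": "C:\\Users\\alice\\Documents\\.README.txt"},
    {"type": "file", "host": "ws01", "path": "C:\\Shares\\HR\\.README.txt"},
    {"type": "file", "host": "ws03", "path": "C:\\Users\\bob\\README.txt"},  # benign, no leading dot
]

# Assumed command-line signatures for the ATT&CK techniques named in the advisory.
PROCESS_RULES = [
    ("T1490 shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1070 event log clearing", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1567.002 rclone copy to cloud remote", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\bmega:", re.I)),
]
# LockBit 3.0 ransom note filename from the advisory; the leading dot distinguishes it from ordinary README.txt.
RANSOM_NOTE = re.compile(r"[\\/]\.README\.txt$", re.I)


def detect(events):
    """Return (rule, host, evidence) tuples for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for name, pattern in PROCESS_RULES:
                if pattern.search(ev["cmdline"]):
                    hits.append((name, ev["host"], ev["cmdline"]))
        elif ev["type"] == "file" and RANSOM_NOTE.search(ev["path"]):
            hits.append(("T1486 ransom note .README.txt dropped", ev["host"], ev["path"]))
    return hits


def hosts_with_ransomware_indicators(events, min_distinct=2):
    """Hosts on which at least min_distinct different rules fired: a much stronger
    signal than a single hit, since backup admins legitimately delete shadow copies."""
    by_host = {}
    for name, host, _ in detect(events):
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if len(names) >= min_distinct)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("escalate:", hosts_with_ransomware_indicators(SAMPLE_EVENTS))
```

On the constructed sample this flags five events and escalates only ws01, where shadow copy deletion, log clearing and ransom notes coincide; srv02's single rclone hit would be reviewed rather than escalated.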
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: Nothing shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated, that you carefully filter and limit internet access to operational networks, and that you identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.bleepingcomputer.com/
https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf