Cyber Crime

FBI issued a flash alert on Lockbit ransomware operation

The FBI released a flash alert containing technical details associated with the LockBit ransomware operation.

The Federal Bureau of Investigation (FBI) has issued a flash alert containing technical details and indicators of compromise associated with LockBit ransomware operations.

The LockBit ransomware gang has been active since September 2019, in June 2021 the group announced the LockBit 2.0 RaaS. Like other ransomware gangs, Lockbit 2.0 determines the system and
user language settings and only targets those not matching a set list of languages that are
Eastern European.

After ransomware ads were banned on hacking forum, the LockBit operators set up their own leak site promoting the latest variant and advertising the LockBit 2.0 affiliate program. 

“As infection begins, Lockbit 2.0 deletes log files and shadow copies residing on disk. Lockbit 2.0 enumerates system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Lockbit 2.0 attempts to encrypt any data saved to any local or remote device but skips files associated with core system functions.” reads the flash alert. “Once completed, Lockbit 2.0 deletes itself from disk and creates persistence at startup. Prior to encryption, Lockbit affiliates primarily use the Stealbit application obtained directly from the Lockbit panel to exfiltrate specific file types.”

The group is very active in this period, the list of victims is very long and includes Riviana, Accenture, Wormington & Bollinger, Anasia Group, Bangkok Airways, Italian energy company ERG, Vlastuin Group, E.M.I.T. Aviation Consulting, SCIS Air Security, Peabody Properties, DATA SPEED SRL, Island independent buying group, Ministry of Justice of France, Day Lewis, Buffington Law Firm and tens of other companies worldwide.

Ransomware operators have continuously improved the ransomware across the years by implementing new features, such as the support for Linux and VMware ESXi systems and the capability to abuse of group policies to encrypt Windows domains.

The flash alert details a Hidden debug / Status Window which can be activated by pressing Shift + F1 during the initial infection and provides real-time information on the process, status of user data destruction and encryption.

The FBI recommends victims avoid paying ransoms. The FBI is seeking any information about Lockbit operations that can be shared, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the threat actors, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.

“The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office.” concludes the alert. “By reporting any related information to FBI Cyber Squads, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.”

The FBI flash alert also includes mitigations to prevent LockBit ransomware infections:

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords
  • Require multi-factor authentication for all services to the extent possible
  • Keep all operating systems and software up to date
  • Remove unnecessary access to administrative shares
  • Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
  • Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.

To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions:

  • Segment networks to prevent the spread of ransomware
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool
  • Implement time-based access for accounts set at the admin level and higher
  • Disable command-line and scripting activities and permissions
  • Maintain offline backups of data, and regularly maintain backup and restoration
  • Ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure

In August, the Australian Cyber Security Centre (ACSC) warned of an escalation in LockBit 2.0 ransomware attacks against Australian organizations in multiple industry sectors starting July 2021. The Australian agency also published 2021-006: ACSC Ransomware Profile – Lockbit 2.0 which includes info related to the activity of the gang, such as initial access, threat activity and mitigations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Crooks use a fake antivirus site to spread Venom RAT and a mix of malware

Researchers found a fake Bitdefender site spreading the Venom RAT by tricking users into downloading…

1 hour ago

Iranian Man pleaded guilty to role in Robbinhood Ransomware attacks<gwmw style="display:none;"></gwmw>

Iranian man pleads guilty to role in Baltimore ransomware attack tied to Robbinhood, admitting to…

2 hours ago

DragonForce operator chained SimpleHelp flaws to target an MSP and its customers

Sophos warns that a DragonForce ransomware operator chained three vulnerabilities in SimpleHelp to target a…

13 hours ago

Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack

A new Russia-linked APT group, tracked as Laundry Bear, has been linked to a Dutch…

20 hours ago

Nova Scotia Power confirms it was hit by ransomware attack but hasn’t paid the ransom

Nova Scotia Power confirms it was hit by a ransomware attack but hasn't paid the…

1 day ago

Crooks stole over $200 million from crypto exchange Cetus Protocol

Cetus Protocol reported a $223 million crypto theft and is offering to drop legal action…

1 day ago