Pierluigi Paganini
March 18, 2023
The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory that provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.
“The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023.” reads the advisory published by US agencies. “LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit.”
The Lockbit gang has been active since at least 2019 and today it is one of the most active ransomware groups offering a Ransomware-as-a-Service (RaaS) model.
The LockBit 3.0 ransomware (aka LockBit Black) was launched in June 2022 and is a continuation of previous versions of the ransomware, LockBit 2.0 (released in mid-2021), and LockBit.
The LockBit 3.0 ransomware is a modular malware that is more evasive than its previous versions, its shared similarities with Blackmatter and Blackcat ransomware.
“LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise).” reads the joint alert.
“If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware.”
By protecting the code with encryption, the latest LockBit version can avoid the detection of signature-based anti-malware solutions.
The ransomware doesn’t infect machines whose language settings are included in an exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia).
Initial attack vectors used by affiliates deploying LockBit 3.0 ransomware include remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.
Upon execution in the target network, the ransomware attempts to escalate privileges if they are not sufficient, terminate processes and services, delete logs, files in the recycle bin folder, and shadow copies residing on disk.
LockBit 3.0 attempts to perform lateral movement by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges.
Operators can also compile LockBit 3.0 for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol.
The affiliates have been observed using various freeware and open-source tools furing their attacks.
“These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts
are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.” continues the report.
The alert states that LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via elevated Component Object Model (COM) Interface. It also supports a Safe Mode feature to bypass endpoint antivirus and detection.
The alert also provides mitigations and security controls to prevent and reduce the impact of the threat.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RaaS)
