The FBI recently posted a flash alert asking that any suspicious activity linked to LockBit ransomware be reported immediately to its Cyber Squad. The LockBit ransomware gang, which emerged in September 2019, announced LockBit 2.0 Ransomware-as-a-Service (RaaS) in June 2021.
The impact
Once the LockBit infection spreads, it can delete log files and any shadow copies on the disk. LockBit 2.0 collects system information including hostname, host configuration, domain information, local drive configuration, remote shares and mounted external storage devices. Like many other ransomware operations, LockBit 2.0 attempts to encrypt data saved on local or remote devices; however, it skips files tied to core system functions. After the damage has been done, LockBit removes itself from the disk and creates persistence at startup. Prior to encryption, LockBit affiliates primarily use the Stealbit application, obtained directly from the LockBit panel, to remove defined file types.
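The shadow-copy and log deletion described above is one of the few behaviours a defender can catch before encryption starts. The following PowerShell is an added example, not code from the article or the FBI alert: it scans process-creation records (the objects it expects carry TimeCreated, ComputerName, User and CommandLine, which is an assumed shape, not a documented schema) for command lines that delete volume shadow copies or clear event logs. The patterns and the sample records are constructed for illustration; they are not indicators taken from the page.

```powershell
# Added example (not from the Security Affairs article or the FBI alert).
# Flags process-creation records whose command lines match common shadow-copy
# deletion and event-log clearing commands. The pattern list is an assumption
# about how this behaviour typically appears, not a list taken from the page.
$SuspiciousPatterns = @(
    @{ Name = 'ShadowCopyDelete-vssadmin';   Regex = '(?i)\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b' },
    @{ Name = 'ShadowCopyDelete-wmic';       Regex = '(?i)\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b' },
    @{ Name = 'BackupCatalogDelete-wbadmin'; Regex = '(?i)\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b' },
    @{ Name = 'EventLogClear-wevtutil';      Regex = '(?i)\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b' }
)

function Find-ShadowCopyTampering {
    param(
        # Objects with TimeCreated, ComputerName, User and CommandLine properties
        # (assumed shape; map your own log source's fields onto it).
        [Parameter(Mandatory)] [object[]] $ProcessEvents
    )
    foreach ($evt in $ProcessEvents) {
        foreach ($p in $SuspiciousPatterns) {
            if ($evt.CommandLine -match $p.Regex) {
                [pscustomobject]@{
                    TimeCreated  = $evt.TimeCreated
                    ComputerName = $evt.ComputerName
                    User         = $evt.User
                    Rule         = $p.Name
                    CommandLine  = $evt.CommandLine
                }
                break   # one alert per event is enough
            }
        }
    }
}

# Constructed sample records standing in for Sysmon Event ID 1 / Security 4688 data.
# Only the three records in the 09:12:07-09:12:09 burst should be flagged; the
# "list shadows" query and the ordinary application start are benign.
$sample = @(
    [pscustomobject]@{ TimeCreated='2022-02-04T09:12:01'; ComputerName='WS01'; User='CORP\jdoe';   CommandLine='"C:\Program Files\App\app.exe" --update' },
    [pscustomobject]@{ TimeCreated='2022-02-04T09:12:07'; ComputerName='WS01'; User='CORP\jdoe';   CommandLine='vssadmin.exe Delete Shadows /All /Quiet' },
    [pscustomobject]@{ TimeCreated='2022-02-04T09:12:08'; ComputerName='WS01'; User='CORP\jdoe';   CommandLine='wmic shadowcopy delete' },
    [pscustomobject]@{ TimeCreated='2022-02-04T09:12:09'; ComputerName='WS01'; User='CORP\jdoe';   CommandLine='wevtutil cl Security' },
    [pscustomobject]@{ TimeCreated='2022-02-04T09:15:00'; ComputerName='FS02'; User='CORP\backup'; CommandLine='vssadmin list shadows' }
)

Find-ShadowCopyTampering -ProcessEvents $sample | Format-Table -AutoSize
```

The useful signal is not any single match but several of these commands from one user on one host within seconds, which is why the function emits one object per event rather than a boolean: downstream you can group by ComputerName and User and alert on the burst. To run it against live data, pull events with Get-WinEvent (for example Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) and project the relevant fields onto the assumed shape before piping them in.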
The remediation
The flash alert highlights that a debug window can be activated by pressing Shift+F1 immediately at the start of the attack. The window then pops up displaying status and information on the process, including the status of encryption and deletion of data.
Mitigation includes:
- Ensure accounts with password logins, such as admin accounts, domain admin accounts and service accounts, have robust passwords
- Enforce multi-factor authentication for
- Update operating systems and software — as soon as updates are available
- Remove any unnecessary admin access
- Use host-based firewalls that only allow connections to admins via server message block (SMB) from a limited set of administrator machines
- Enable protected files in the Windows OS to stop unauthorised changes to critical files
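The host-firewall recommendation above (allow SMB only from a limited set of administrator machines) is the one in the list that is easy to get subtly wrong. The following PowerShell is an added example, not code from the article or the FBI alert: it shows the weak default state, replaces it with an allow rule scoped to named admin hosts, and verifies the result. The IP addresses are constructed placeholders; substitute your own admin workstations or jump hosts. It must run in an elevated session on the host being protected.

```powershell
# Added example (not from the article or the FBI alert). Restricts inbound SMB
# (TCP 445) so only a named set of administrator machines can reach this host.
$AdminHosts = @('10.20.30.11', '10.20.30.12')   # constructed placeholder addresses

# Weak state this replaces: the built-in "File and Printer Sharing (SMB-In)"
# rules allow TCP 445 from any address in the profile, so a single compromised
# workstation can reach every other host over SMB. Disable those broad rules.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SMB-In*' } |
    Disable-NetFirewallRule

# Corrected state: one inbound allow rule for 445, scoped to the admin hosts only.
# No explicit block rule is added: in Windows Firewall an explicit block rule wins
# over an allow rule, so a "block 445 from Any" rule would also block the admins.
# Everything not matched by an allow rule is dropped by the profile default instead.
New-NetFirewallRule -DisplayName 'SMB-In allow from admin hosts' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AdminHosts -Action Allow -Profile Domain,Private

# Check 1: the profile default for inbound traffic must be Block, or the scoped
# allow rule changes nothing.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Check 2: list every enabled rule that touches local port 445 together with its
# remote-address scope; only the admin-host rule should remain with Action Allow.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; RemoteAddress = $addr }
    } | Format-Table -AutoSize
```

This shape suits workstations and most member servers, where no ordinary user needs to open an SMB session to the machine. A file server whose users legitimately mount shares needs a different scope (a user subnet rather than admin hosts), but the same two checks apply: confirm the profile default is Block, and confirm that no leftover rule still allows 445 from Any.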
Source: Security Affairs