LockBit 2.0 Ransomware affiliates targeting Renowned Organizations
THREAT LEVEL: Red.
Since September 2021, LockBit 2.0 has targeted 500+ organizations in vital sectors globally. The most recent attacks targeted the well-known tire producer Bridgestone, the software behemoth Accenture, and the French Ministry of Justice. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. Some of the known vulnerabilities exploited are CVE-2021-22986, affecting BIG-IP products, and CVE-2018-13379, impacting FortiOS.
The ransomware first checks the system and user language settings and only targets hosts whose settings do not match a predefined list of Eastern European languages. It then erases system logs and shadow copies on disk as soon as the infection begins. In addition, it collects system data such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. It then tries to encrypt all data stored on any local or remote device, skipping files linked with critical system operations. After encryption, the ransomware deletes itself from disk and establishes persistence at startup.
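The log clearing and shadow copy deletion described above (T1490 and T1070 in the TTP list) are the earliest host-level signals a defender can alert on. The following detection logic is an added example, not part of the advisory or of any vendor product; it assumes a simplified key=value process-creation log format and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not from the advisory), one per line.
SAMPLE_LOGS = [
    'host=ws01 user=CORP\\alice image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe report.txt"',
    'host=ws01 user=CORP\\alice image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    'host=srv02 user=CORP\\svc image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    'host=srv02 user=CORP\\svc image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil cl Security"',
    'host=srv02 user=CORP\\svc image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil qe System /c:5"',
]

# Each rule: ATT&CK technique ID, description, case-insensitive pattern over the command line.
RULES = [
    ("T1490", "Shadow copy deletion (vssadmin)", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "Shadow copy deletion (WMI)", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1070.001", "Windows event log cleared (wevtutil cl)", re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(lines):
    """Return one finding per matching event: (host, user, technique_id, description)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for tid, desc, pat in RULES:
            if pat.search(cmd):
                findings.append((ev.get("host", "?"), ev.get("user", "?"), tid, desc))
    return findings


def hosts_with_both(findings):
    """Hosts showing both shadow copy deletion and log clearing: the combination the
    advisory describes at the start of infection, worth escalating above a single hit."""
    seen = defaultdict(set)
    for host, _user, tid, _desc in findings:
        seen[host].add(tid)
    return sorted(h for h, tids in seen.items() if {"T1490", "T1070.001"} <= tids)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for hit in hits:
        print(hit)
    print("hosts with pre-encryption pattern:", hosts_with_both(hits))
```

Legitimate backup or maintenance jobs also run these commands, so the per-host correlation in `hosts_with_both` is what separates the advisory's pattern from routine noise.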
LockBit 2.0 affiliates typically use the Stealbit tool, obtained directly from the LockBit panel, to exfiltrate selected file types prior to encryption. The affiliate can adjust the targeted file types to adapt the attack to the victim. Additionally, they frequently use publicly accessible file-sharing services such as privatlab.net, anonfiles.com, sendspace.com, fex.net, transfer.sh, and send.exploit.in. While some of these tools and services serve legitimate purposes, they can also be abused by threat actors.
Organizations can mitigate the risk by following these recommendations:
• Use multi-factor authentication.
• Keep all operating systems and software up to date.
• Remove unnecessary access to administrative shares.
• Maintain offline backups of data and ensure all backup data is encrypted and immutable.
• Enable protected files in the Windows Operating System for critical files.
The MITRE ATT&CK tactics commonly used by LockBit 2.0 are:
TA0042 – Resource Development
TA0001 – Initial Access
TA0002 – Execution
TA0003 – Persistence
TA0005 – Defense Evasion
TA0006 – Credential Access
TA0007 – Discovery
TA0008 – Lateral Movement
TA0009 – Collection
TA0011 – Command and Control
TA0010 – Exfiltration
TA0040 – Impact
The associated techniques are:
T1190: Exploit Public-Facing Application
T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
T1059.003: Windows Command Shell
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1055: Process Injection
T1070.004: Indicator Removal on Host: File Deletion
T1112: Modify Registry
T1497: Virtualization/Sandbox Evasion
T1110: Brute Force
T1056.004: Credential API Hooking
T1012: Query Registry
T1018: Remote System Discovery
T1057: Process Discovery
T1021: Remote Services
T1021.001: Remote Services: Remote Desktop Protocol
T1021.002: Remote Services: SMB/Windows Admin Shares
T1090.003: Proxy: Multi-hop Proxy
T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery
Vulnerability Details
Indicators of Compromise (IoCs)
Recent Breaches
bridgestoneamericas.com
accenture.com
justice.fr
Patch Link
https://www.fortiguard.com/psirt/FG-IR-18-384
https://support.f5.com/csp/article/K03009991
References
https://www.ic3.gov/Media/News/2022/220204.pdf
https://threatpost.com/accenture-lockbit-ransomware-attack/168594/