US cyber authorities share IoCs, TTPs associated with LockBit 3.0 ransomware

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint security advisory detailing the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the LockBit 3.0 ransomware operation.

Since January 2020, LockBit, also referred to as LockBit Black, has operated under the ransomware-as-a-service (RaaS) model, targeting a wide array of businesses and critical infrastructure entities.

LockBit 3.0, the successor to LockBit 2.0 and the original LockBit, is more modular and evasive than its predecessors and shares similarities with the BlackMatter and BlackCat ransomware families.

“LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected, LockBit 3.0 will stop execution without infecting the system,” the advisory says.

To gain initial access to target networks, LockBit operators use various techniques, including remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

Once it has infected a system, the malware takes steps to establish persistence, escalate privileges, and move laterally, and it deletes log files, files in the Recycle Bin, and volume shadow copies before starting the encryption routine.
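The pre-encryption clean-up described above (log deletion and removal of shadow copies) is one of the few points in a ransomware intrusion where a defender still has time to react. The following triage script is an added example and is not part of the article or of the FBI/CISA/MS-ISAC advisory: it parses a few constructed process-creation log lines and flags shadow-copy deletion and event-log clearing. The specific command lines it matches (vssadmin, wmic shadowcopy, wevtutil cl) and the log format are assumptions about how this behaviour appears in endpoint telemetry, not indicators taken from the page.

```python
"""Added example, not code from the article or the advisory.

Flags the pre-encryption clean-up the article describes: deletion of
volume shadow copies (MITRE ATT&CK T1490, Inhibit System Recovery) and
clearing of Windows event logs (T1070.001, Clear Windows Event Logs).
The log format and the command-line patterns are assumptions made for
this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    command: str


# Rule name and a regex evaluated against the lower-cased command line.
# Patterns are assumptions about typical command lines, not page IoCs.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b")),
]

# Assumed log format: "<timestamp> host=<host> user=<user> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Constructed sample telemetry; hosts, users and commands are made up.
SAMPLE_LOG = [
    "2025-05-09T10:00:01Z host=WS01 user=corp\\alice cmd=vssadmin list shadows",
    "2025-05-09T10:00:05Z host=WS01 user=corp\\alice cmd=vssadmin.exe delete shadows /all /quiet",
    "2025-05-09T10:00:09Z host=WS01 user=corp\\alice cmd=wevtutil.exe cl Security",
    "2025-05-09T10:01:00Z host=SRV02 user=corp\\svc-backup cmd=notepad.exe C:\\notes.txt",
    "2025-05-09T10:01:30Z host=SRV02 user=corp\\svc-backup cmd=wmic shadowcopy delete",
    "this line is not in the expected format and is skipped",
]


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return one Finding per log line that matches a rule (first rule wins)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = rec["cmd"].lower()
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(rec["host"], name, rec["cmd"]))
                break
    return findings


def summarize(findings):
    """Count findings per host so the noisiest endpoint surfaces first."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host}: {f.rule}: {f.command}")
    print(summarize(hits))
```

Listing "vssadmin list shadows" as benign is deliberate: the rule keys on the destructive verb, not on the tool name, which keeps backup administrators out of the alert queue. In a real deployment the same logic would sit on top of Sysmon Event ID 1 or Windows Security 4688 records rather than the constructed format used here.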

“LockBit affiliates have been observed using various freeware and open source tools during their intrusions,” the advisory notes. “These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration.”

LockBit 3.0 operators use StealBit, a custom exfiltration tool previously seen with LockBit 2.0, together with an open-source command-line cloud storage manager and publicly available file-sharing services such as MEGA, to exfiltrate sensitive company data prior to encryption.

To reduce the risk of a LockBit 3.0 infection, organizations are advised to implement security protections, including creating and maintaining a recovery plan, using strong passwords for all accounts, implementing phishing-resistant multi-factor authentication, keeping all systems and software updated, implementing network segmentation, enabling real-time detection in antivirus software, creating backups of all data, disabling unused ports and services, and auditing user accounts.
