FBI urges organizations to use strong passwords and multi-factor authentication.
The Federal Bureau of Investigation (FBI) has issued a new warning about LockBit 2.0, recommending that companies enable multi-factor authentication (MFA) and use strong, unique passwords for all administrator and high-value accounts. LockBit 2.0 is run by one of the most active ransomware crews operating today.
MFA is crucial for protecting against compromised user and admin passwords, yet Microsoft has found that 78% of organizations use Azure Active Directory without enabling it.
LockBit 2.0 targets Windows PCs and now Linux servers as well, through a Linux variant that goes after VMware ESXi hosts and the virtual machines they run. Victims have included Accenture and the French Ministry of Justice.
LockBit’s operators use whatever gets them into a network, as long as it works. As the FBI report notes, that includes buying access to already-compromised networks from “access brokers,” exploiting unpatched software bugs, paying insiders for access, and using exploits for previously unknown zero-day vulnerabilities.
The group has refined its techniques over the years. The FBI says LockBit’s operators have begun advertising for insiders at target companies to help them get into the network, promising a share of the profits if the attack succeeds. A month earlier, the gang had started abusing Active Directory group policy to push the encryptor automatically to every Windows device in a domain rather than running it host by host.
Before encrypting files, LockBit uses penetration-testing tools such as Mimikatz to escalate privileges, and a range of tools to exfiltrate data so that victims who refuse to pay can be threatened with a leak. LockBit always leaves a ransom note with instructions for obtaining the decryption key.
Like other ransomware operations linked to Russia, LockBit 2.0 checks the user’s and the system’s language settings and refuses to run if either matches one of 13 Eastern European languages. As of February 2022, the FBI lists the Windows language codes that prevent LockBit 2.0 from activating, such as 2092 for Azeri (Cyrillic) and 1067 for Armenian.
“If an Eastern European language is detected, the software exits without infection,” the FBI notes.
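The following PowerShell models the language kill-switch the FBI describes. It is an added example, not code from the FBI flash, the article, or LockBit itself. Windows language IDs (LANGIDs) pack a 10-bit primary language and a 6-bit sublanguage, which is why Azeri (Cyrillic, 2092) and Azeri (Latin, 1068) differ only in the upper bits and both have to be listed. Only 2092 and 1067 are quoted in the article; the other entries in the table are transcribed from the FBI flash and should be verified against it. Reading the locale through .NET `CultureInfo` is an approximation of the Win32 calls the malware would use.

```powershell
# Added example: models the LANGID check the FBI describes; not the malware's code.
# LANGID = (sublanguage << 10) | primary language, 16 bits in total.
# 2092 and 1067 are the codes quoted in the article; the rest are transcribed
# from the FBI flash's table (verify against the original before relying on it).
$ExcludedLangIds = @{
    1049 = 'Russian'
    1058 = 'Ukrainian'
    1059 = 'Belarusian'
    1064 = 'Tajik'
    1067 = 'Armenian'
    1068 = 'Azeri (Latin)'
    1079 = 'Georgian'
    1087 = 'Kazakh'
    1088 = 'Kyrgyz'
    1090 = 'Turkmen'
    1091 = 'Uzbek (Latin)'
    2092 = 'Azeri (Cyrillic)'
    2115 = 'Uzbek (Cyrillic)'
}

function Split-LangId {
    # Decode a LANGID into its primary-language and sublanguage fields.
    param([int]$LangId)
    $LangId = $LangId -band 0xFFFF                 # LCID -> LANGID (drop sort bits)
    [pscustomobject]@{
        LangId      = $LangId
        Hex         = ('0x{0:X4}' -f $LangId)
        PrimaryLang = $LangId -band 0x3FF           # low 10 bits
        SubLang     = ($LangId -shr 10) -band 0x3F  # next 6 bits
    }
}

function Test-LockBitLanguageExclusion {
    # Mirrors the FBI description: both the system default UI language and the
    # current user's UI language are checked; a hit on either means "exit".
    param(
        [int]$SystemLangId = [System.Globalization.CultureInfo]::InstalledUICulture.LCID,
        [int]$UserLangId   = [System.Globalization.CultureInfo]::CurrentUICulture.LCID
    )
    foreach ($id in @($SystemLangId, $UserLangId)) {
        $d = Split-LangId $id
        if ($ExcludedLangIds.ContainsKey($d.LangId)) {
            return [pscustomobject]@{
                WouldExit = $true
                Match     = $ExcludedLangIds[$d.LangId]
                LangId    = $d.Hex
                Primary   = $d.PrimaryLang
                SubLang   = $d.SubLang
            }
        }
    }
    [pscustomobject]@{ WouldExit = $false; Match = $null }
}

# Constructed inputs: a US-English system (1033 = 0x0409) whose logged-on user
# has an Azeri (Cyrillic) UI language. The user setting alone trips the check.
Test-LockBitLanguageExclusion -SystemLangId 1033 -UserLangId 2092

# Same primary language (0x2C), different sublanguage field (2 vs 1):
Split-LangId 2092
Split-LangId 1068

# Live check against this host's own settings:
Test-LockBitLanguageExclusion
```

Run as-is, the first call reports `WouldExit = True` with `Match = Azeri (Cyrillic)`; the two `Split-LangId` calls show why both Azeri codes appear in the FBI's table.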
A LockBit 2.0 infection collects information from the infected device, including its hostname, configuration, domain, local drive configuration, remote shares, and mounted external storage devices.
According to the FBI, it then tries to encrypt data stored locally and on remote shares, skipping files needed for core system functions so that the machine still boots and the ransom note can be read. It then deletes its own executable from disk and establishes persistence so that it runs again at startup.
The FBI suggests requiring strong, unique passwords and multi-factor authentication (MFA) for webmail, VPNs, and accounts on critical systems; keeping operating systems and software patched; and removing unnecessary access to administrative shares. It also recommends a host-based firewall and enabling “protected files” in Windows, which refers to Microsoft Defender’s controlled folder access.
The report further recommends that companies segment their networks, investigate any abnormal activity, implement time-based access for accounts with administrator rights and above, disable command-line and scripting activities and permissions where they are not needed, and, of course, keep an offline backup of their data.
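The host-level items in that list can be checked on a single Windows machine. The script below is an added example, not part of the FBI flash or the article, and audits controlled folder access, the host firewall, administrative shares, patch age, local Administrators membership, and scripting controls. Identity controls (MFA, password policy, time-bound admin access), network segmentation and offline backups cannot be verified from one endpoint and are left out. The 30-day patch window, the three-member admin threshold, and the use of execution policy plus script block logging as proxies for "disable command-line and scripting activities" are this example's assumptions, not the FBI's numbers.

```powershell
# Added example: audits one Windows host against the host-level FBI recommendations.
# Not from the FBI flash or the article. Thresholds below are assumptions.
# Needs Defender (Get-MpPreference) and the NetSecurity/SmbShare modules
# shipped with Windows 8 / Server 2012 and later. Run elevated.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. "Protected files" = controlled folder access. 0 = off, 1 = on, 2 = audit only.
$cfa = (Get-MpPreference).EnableControlledFolderAccess
Add-Finding 'Controlled folder access on' ($cfa -eq 1) "EnableControlledFolderAccess=$cfa"

# 2. Host-based firewall enabled on every profile (Domain, Private, Public).
$off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' } | ForEach-Object Name)
Add-Finding 'Host firewall (all profiles)' ($off.Count -eq 0) ("Disabled profiles: " + ($off -join ', '))

# 3. Administrative shares. ADMIN$ and C$ are the usual lateral-movement path;
#    IPC$ is needed for ordinary SMB operation, so it is reported but not failed.
$special = @(Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' })
Add-Finding 'Admin shares removed' ($special.Count -eq 0) ("Present: " + ($special.Name -join ', '))

# 4. Patching: days since the most recent hotfix with a recorded install date.
#    30 days is an assumed window.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
Add-Finding 'Updates within 30 days' ($null -ne $age -and $age -le 30) "Latest: $($latest.HotFixID) ($age days ago)"

# 5. Local Administrators membership: more than the built-in account plus the
#    domain admin groups deserves review (threshold of 3 is an assumption).
$admins = @(Get-LocalGroupMember -Group 'Administrators')
Add-Finding 'Local admins <= 3' ($admins.Count -le 3) ("Members: " + ($admins.Name -join ', '))

# 6. Scripting controls, as a minimum proxy for "disable command-line and scripting":
#    a restrictive machine-wide execution policy and script block logging turned on.
$policy = Get-ExecutionPolicy -Scope LocalMachine
$sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
Add-Finding 'Execution policy restrictive' ($policy -in 'AllSigned', 'Restricted') "LocalMachine policy: $policy"
Add-Finding 'Script block logging on' ($sbl.EnableScriptBlockLogging -eq 1) "EnableScriptBlockLogging=$($sbl.EnableScriptBlockLogging)"

$findings | Format-Table -AutoSize
# Non-zero exit so fleet tooling (RMM, CI, config management) can flag the host.
if ($findings | Where-Object { -not $_.Pass }) { exit 1 }
```

Each row is a pass/fail with the raw value behind it, so a failing host shows exactly which recommendation it misses; remediation (for example `Set-MpPreference -EnableControlledFolderAccess Enabled`) is deliberately kept out of an audit script.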