The joint advisory details tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) that the FBI has found to be correlated with a ransomware variant from that group, including examples seen as recently as this month. It also outlines steps organizations can take to better defend themselves.
LockBit has claimed credit for high-profile attacks, such as those against the U.K.’s Royal Mail and a Canadian hospital (it reportedly apologized for the latter). It is also allegedly behind attacks on U.S. local and state government agencies, with recent instances including two agencies in Pierce County, Wash., California’s Department of Finance and the Housing Authority of the City of Los Angeles.
Since January 2020, LockBit has been used by affiliates, per the advisory. Affiliates are malicious actors who deploy ransomware against victims but who did not themselves develop it. According to WIRED, LockBit affiliates collect extortion from victims, then pay a fee to the core developer team.
“Affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging,” per the joint advisory.
The advisory focuses specifically on LockBit 3.0, or LockBit Black, which it describes as “more modular and evasive than ... previous versions” of the ransomware. LockBit 3.0 shares “similarities with BlackMatter and BlackCat ransomware.”
RECOMMENDATIONS
Backups
- Maintain multiple copies of important data and servers in physically separate, segmented, secure locations to enable recovery and maintain offline backups
- Ensure backup data is encrypted and immutable
- Practice restoring from backups
Account and Access Control
- Follow strong password practices and management
- Require phishing-resistant MFA on as many services as possible, and at least on those accounts and services that access critical systems
- Audit accounts with admin privileges and adopt a “principle of least privilege” approach to access control
- Check for unrecognized or new accounts in domain controllers, servers, workstations and active directories
- Make higher-level access privileges time-based, so that access is only granted for the time needed to complete a specific task
Defenses
- Regularly and promptly patch firmware, operating systems and software
- Prioritize mitigating known exploited vulnerabilities
- Segment networks, to impede ransomware’s spread
- “Disable command-line and scripting activities and permissions” to reduce ransomware actors’ abilities to move laterally and escalate their privileges
Catch Attempts & Reduce Attack Surfaces
- Use a network monitoring tool to “identify, detect and investigate abnormal activity” and potential lateral movement of ransomware actors
- Use — and regularly update — antivirus software, and turn on real-time detection features
- Disable unused ports
- “Disable hyperlinks in received emails” and consider adding banners to emails that alert recipients if they were sent from outside the organization.
Validate Security
- Test your organization’s security controls against the MITRE ATT&CK techniques associated with LockBit 3.0
Find more detailed advice and explanations in the joint advisory here.
