The Federal Bureau of Investigations (FBI) has published a fresh warning about LockBit 2.0. recommending that companies enable multi-factor authentication (MFA) and use strong, unique passwords for all admin and high-value accounts to thwart the strain of ransomware that is used by one of the busiest attack groups on the internet today.
MFA is vital to protecting against compromised user and admin passwords, but Microsoft has found that 78% of organizations using Azure Active Directory don't enable MFA.
LockBit 2.0 targets Windows PCs and now Linux servers too via bugs in VMWare's ESXi virtual machines, and has hit tech consulting and services giant Accenture and France's Ministry of Justice among others.
SEE: Cybersecurity: Let's get tactical (ZDNet special report)
LockBit's operators use any method available to compromise a network, as long as it works. These include, but are not limited to, buying access to an already compromised network from "access brokers", exploiting unpatched software bugs, and even paying for insider access, as well as using exploits for previously unknown zero-day flaws, according to the FBI's report.
The group's techniques continue to evolve. The FBI says LockBit's operators have started advertising for insiders at a target company to help them establish initial access into the network. Insiders were promised a cut of the proceeds from a successful attack. A month earlier it began automatically encrypting devices across Windows domains by abusing group policies in Active Directory.
After compromising a network, LockBit uses penetration-testing tools like Mimikatz to escalate privileges and use multiple tools to exfiltrate data (to threaten victims with a leak if they don't pay) before encrypting files. LockBit always leaves a ransom note with instructions for how to obtain the decryption key.
Like other Russia-based ransomware operations, LockBit 2.0 determines the system and user language settings and excludes an organisation from attack if the languages are one of 13 Eastern European languages. The FBI lists the language codes in LockBit 2.0 as at February 2022 – such as 2092 for Azeri/Cyrillic and 1067 for Armenian – that cause it not to activate.
"If an Eastern European language is detected, the program exits without infection," the FBI notes.
Lockbit 2.0 identifies and collects an infected device's hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices.
It then attempts to encrypt data saved to any local or remote device but skips files associated with core system functions, according to the FBI. After this, it deletes itself from the disk and creates persistence at startup.
Besides requiring strong, unique passwords and MFA for webmail, VPNs and accounts for critical systems, the FBI also recommends a series of mitigations, including keeping operating systems and software up to date and removing unnecessary access to administrative shares. It also recommends using a host-based firewall and enabling "protected files" in Windows, referring to Microsoft's controlled folder access.
It also recommends that companies segment their networks, investigate any abnormal activity, implement time-based access for accounts set at the admin level and higher, disable command-line and scripting activities and permissions, and – of course maintain – offline backups of data.