LockBit is a highly active ransomware group that mostly targets large companies and encrypts their data. Once encryption completes, the group contacts the victim to negotiate a price for the decryption key. The Federal Bureau of Investigation (FBI) has published a flash alert with technical details and mitigation advice.
Ransomware-as-a-service
In June 2021 the group announced LockBit 2.0, a Ransomware-as-a-Service (RaaS) offering with enhanced capabilities, and began recruiting new affiliates. LockBit 2.0 can automatically encrypt devices across a Windows domain by abusing Active Directory group policies. The group also advertises payments of millions to insiders who hand over VPN and RDP access credentials.
The FBI has also shared a detail about the malware itself: the encryptor has a hidden debug window that can be opened by pressing Shift + F1 on the keyboard of an infected machine. It shows real-time information about the encryption process.
The agency asks victims to share any relevant information, such as logs, a sample ransom note, communications with the threat actors, Bitcoin wallet information, and any decryptor provided. The FBI has also published guidance for protecting against LockBit ransomware attacks.
How to defend against LockBit ransomware?
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.
- Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Keep all operating systems and software up to date. Prioritize patching known exploited vulnerabilities.
- Remove unnecessary access to administrative shares, especially ADMIN$ and C$.
- Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
- Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.
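The last three of these steps can be scripted on a single Windows host. The following PowerShell is an added example written for this article, not code from the FBI alert. It assumes the host is a workstation or application server that does not serve files to ordinary users (it closes inbound SMB to everyone except the listed admin hosts); the admin workstation addresses and the protected folder are hypothetical placeholders, and the alert's "protected files" is implemented here with Microsoft Defender's Controlled Folder Access, which is an interpretation rather than something the alert names.

```powershell
# Added example, not from the FBI alert: apply three host-level mitigations
# (administrative shares, SMB allow-list, protected folders) on one Windows host.
# Run in an elevated PowerShell session.
$AdminHosts      = @('10.0.10.10', '10.0.10.11')   # hypothetical admin workstations
$ProtectedFolder = 'D:\Finance'                    # hypothetical critical data path

# --- 1. Administrative shares (ADMIN$, C$, ...) -------------------------------
# Remove-SmbShare alone is not enough: the Server service recreates the default
# shares on restart. AutoShareWks (workstation) / AutoShareServer (server) = 0
# stops that. IPC$ is left in place because many management tools rely on it.
# Caveat: remote tools that push through ADMIN$ (PsExec, some patch agents)
# stop working on this host; if you need them, keep the shares and rely on
# the firewall allow-list in step 2 instead.
$lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$isWks   = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 1   # 1 = workstation
$autoKey = if ($isWks) { 'AutoShareWks' } else { 'AutoShareServer' }
Set-ItemProperty -Path $lanman -Name $autoKey -Value 0 -Type DWord
Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
    Remove-SmbShare -Force

# --- 2. Host firewall: SMB (TCP 445) only from the admin hosts ----------------
# Windows Defender Firewall lets a Block rule win over an Allow rule when both
# match, so a broad "block 445" rule would also cut off the admin hosts.
# Instead: keep the profile default of dropping unsolicited inbound traffic,
# disable every enabled inbound rule that opens port 445 (the built-in
# "File and Printer Sharing (SMB-In)" rules), and add one Allow rule that
# only matches the admin hosts.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    Disable-NetFirewallRule
Remove-NetFirewallRule -DisplayName 'SMB-In from admin hosts only' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'SMB-In from admin hosts only' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AdminHosts -Action Allow `
    -Profile Domain,Private

# --- 3. Protected files ---------------------------------------------------------
# Assumption: implemented with Controlled Folder Access, which blocks processes
# Defender does not trust from modifying files in the protected folders (user
# profile folders such as Documents are protected by default). Requires Defender
# real-time protection to be on; consider AuditMode first on hosts with
# unusual line-of-business software.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder

# --- Verify ---------------------------------------------------------------------
Get-ItemProperty -Path $lanman -Name $autoKey
Get-SmbShare | Select-Object Name, Path, Special
Get-NetFirewallRule -DisplayName 'SMB-In from admin hosts only' | Get-NetFirewallAddressFilter
(Get-MpPreference).EnableControlledFolderAccess   # 1 = Enabled
```

Roll this out through Group Policy or your endpoint management tool rather than by hand; the point of step 2 is that the allow-list of admin hosts is the same on every machine, so lateral movement over SMB from a compromised user workstation has nowhere to go.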
The following additional steps make LockBit attacks harder to carry out:
- Segment networks to prevent the spread of ransomware.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
- Implement time-based access for accounts set at the admin level and higher.
- Disable command-line and scripting activities and permissions.
- Maintain offline backups of data, and regularly test backup and restoration.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
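Time-based access for admin-level accounts can be enforced by Active Directory itself rather than by a clean-up job someone has to remember. The following PowerShell is an added example for this article, not code from the FBI alert; it uses the Privileged Access Management optional feature (Windows Server 2016 forest functional level or later) and assumes a hypothetical forest corp.example.com, operator account jdoe, and a four-hour window.

```powershell
# Added example, not from the FBI alert: time-bound Domain Admins membership.
# Run on a domain controller, or on a host with RSAT, as an enterprise admin.
Import-Module ActiveDirectory

$Forest = 'corp.example.com'        # hypothetical forest
$Group  = 'Domain Admins'
$User   = 'jdoe'                    # hypothetical operator account
$Ttl    = New-TimeSpan -Hours 4     # hypothetical maintenance window

# 1. The PAM optional feature is forest-wide and cannot be disabled once
#    enabled, so check before enabling it. It requires forest functional
#    level 2016 or higher.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# 2. Grant membership with a TTL. AD removes the member when the TTL expires,
#    and Kerberos tickets issued to the account are capped at the remaining
#    TTL, so the elevated access really ends instead of lingering in a
#    long-lived ticket.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Ttl

# 3. Review current members. Time-bound entries are shown as
#    <TTL=<seconds remaining>,CN=...>; entries without a TTL are permanent.
$members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
$members

# 4. Audit: every permanent Domain Admin is a standing target for credential
#    theft and should be justified or converted to a time-bound grant.
$permanent = $members | Where-Object { $_ -notmatch '^<TTL=' }
if ($permanent) {
    Write-Warning ("Permanent members of {0}:`n{1}" -f $Group, ($permanent -join "`n"))
}
```

The same pattern applies to any other privileged group (Enterprise Admins, Schema Admins, local admin groups managed through AD). Pair it with a separate, unprivileged daily account for the same operator so that "admin level" is something a person steps into for a window, not something their everyday session carries.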
The FBI does not advise paying the ransom: payment funds the threat actors and motivates them to target more victims. The full technical details are in the alert linked below.
Click here to read FBI’s documentation for LockBit ransomware