On March 16, CISA issued a joint Cybersecurity Advisory on the ransomware variant LockBit 3.0, a continuation of the earlier LockBit and LockBit 2.0 variants. The variant has been operational since January 2020. LockBit 3.0 can modify its own behavior within its environment, which can make it harder to detect.
LockBit 3.0 employs several evasion methods. One is encrypting the ransomware payload itself so that it is harder to detect; the payload is decrypted only when needed, immediately before execution.
The group gains initial access through credential abuse, RDP (Remote Desktop Protocol), exploitation of website vulnerabilities, phishing campaigns, and abuse of compromised accounts. During execution the variant launches commands, attempts to escalate privileges, and attempts to exfiltrate data before encryption.
LockBit 3.0 leaves behind a ransom note, itself an Indicator of Compromise (IoC), threatening that the victim's stolen and encrypted data will be shared for purchase on TOR darknet sites unless the ransom is paid.
Additional important IoCs include:
- LockBit 3.0 Black Icon
- LockBit 3.0 Wallpaper that contains the link for the ransomware note
- LockBit Command Line Parameters
- Mutual Exclusion Object (Mutex) Created
- UAC Bypass via Elevated COM Interface
- Volume Shadow Copy Deletion
For more information on IoCs, the list of publicly available file-sharing services used by LockBit 3.0 to exfiltrate data, and more technical details, see CISA’s original advisory on LockBit 3.0.
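The "Volume Shadow Copy Deletion" IoC above is one of the more reliably detectable ones, because it shows up in process-creation logs. The following Python script is an added example (not from the SecuLore post or the CISA advisory) of how a defender might flag it: it parses constructed process-creation records (hosts, users and timestamps are made up) and matches the commonly known vssadmin, wmic and WMI forms of shadow copy deletion. A real deployment would feed it Windows Security 4688 or Sysmon Event ID 1 records mapped into the same fields.

```python
"""Flag Volume Shadow Copy deletion in process-creation logs (added example)."""
import re
from typing import Dict, Iterable, List, Optional

# Command-line patterns associated with shadow copy deletion (case-insensitive).
# A plain "vssadmin list shadows" is administrative and must NOT match.
SHADOW_COPY_DELETION = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmi_win32_shadowcopy_delete", re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I)),
]

# key=value tokens; quoted values may contain spaces.
FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample records (hosts, users, timestamps are invented).
SAMPLE_LOG = r'''
ts=2024-03-20T09:14:02Z host=WS042 user=CORP\alice image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe C:\Users\alice\notes.txt"
ts=2024-03-20T09:14:10Z host=WS042 user=CORP\alice image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe list shadows"
ts=2024-03-20T09:15:31Z host=WS042 user="NT AUTHORITY\SYSTEM" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe delete shadows /all /quiet"
ts=2024-03-20T09:15:33Z host=WS042 user="NT AUTHORITY\SYSTEM" image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic shadowcopy delete"
ts=2024-03-20T09:15:40Z host=FS01 user=CORP\svc_backup image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
'''


def parse_record(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict; quoted values keep their spaces."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in FIELD.finditer(line)
    }


def classify_cmdline(cmdline: str) -> Optional[str]:
    """Return the label of the first matching deletion pattern, or None if benign."""
    for label, rx in SHADOW_COPY_DELETION:
        if rx.search(cmdline):
            return label
    return None


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan records and return one finding per shadow-copy-deletion command line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_record(line)
        label = classify_cmdline(rec.get("cmdline", ""))
        if label:
            findings.append({
                "ts": rec.get("ts", ""),
                "host": rec.get("host", ""),
                "user": rec.get("user", ""),
                "rule": label,
                "cmdline": rec.get("cmdline", ""),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"[{f['rule']}] {f['ts']} {f['host']} {f['user']}: {f['cmdline']}")
```

Run against the sample, the script reports three findings (the vssadmin delete, the wmic delete and the PowerShell WMI delete) and ignores the benign `vssadmin list shadows`. In practice a hit on a workstation, or under a service account that has no backup-management role, is a strong signal that encryption is about to begin and should trigger the incident response plan immediately.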
Actionable recommendations to mitigate these threats include:
- Remediate known exploited vulnerabilities
- Provide phishing awareness training
- Enable phishing-resistant multi-factor authentication (MFA)
- Implement incident response and recovery plans
- Enforce strong password policies
- Segment networks
- Maintain offline backups of your data and be sure to test them
- Use network monitoring to identify, detect and investigate abnormal activity
Incident response and recovery plans are an important part of your cyber posture. Developing an incident response plan, and training with it before an incident happens, allows a swifter and more effective response to a real-life incident. Having a well-documented cyber incident response plan is a must. SecuLore's Incident Response Drills help you develop a documented plan and provide the knowledge to test it and ensure it meets your needs.
SecuLore™ OverWatch provides continuous network monitoring through our patented Paladin™ technology to detect vulnerabilities in your network and anomalous behavior. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center and processed via a unique behavioral analysis that is constantly reviewed by our team of Certified Ethical Hackers (CEH).
SecuLore Support Team