LockBit 2.0 Emerges: The Next Generation Ransomware Unveiled

Similar to other ransomware-as-a-service (RaaS) operations, LockBit 2.0 has begun recruiting affiliates to carry out intrusions and exfiltration on targeted systems.

In the aftermath of DarkSide and REvil shutting down their operations, the LockBit gang has embarked on a hiring spree, enticing insiders to aid in compromising systems by plastering wallpapers on compromised systems and offering multimillion-dollar payouts.

LockBit 2.0 exhibits characteristics and behaviors reminiscent of Ryuk and Egregor, showcasing the influence of these notorious ransomware strains.

The Evolving Ransomware Threat Landscape

Recently, Bangkok Airways fell victim to a cyberattack orchestrated by the LockBit ransomware group, resulting in the exposure of stolen data. LockBit typically targets enterprises and government entities, exploiting their vulnerabilities to coerce them into paying ransoms to restore normalcy.

Accenture, a prominent outsourcing and accounting firm, also faced a LockBit attack earlier this month. With revenues of $44.33 billion in 2020 and a global workforce of 569,000 employees spanning 50 countries, Accenture allegedly received a $50 million cryptocurrency ransom demand from the cybercriminals. The deadline was repeatedly extended until Accenture concluded that the stolen data held little significance.

In yet another high-profile incident, UK train operator Merseyrail fell victim to LockBit in April 2021. Despite the trains running on schedule, the cybercriminals managed to compromise a company director's Office 365 account, exploiting it to boast about their achievement by sending emails to employees and journalists.

Indicators of Compromise

File Hashes:

• Sha256 – 0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049

URLs:

• hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion
• hxxp://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did[.]onion
• hxxp://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid[.]onion

Tactics, Techniques, and Procedures (TTPs):

• 001: Impair defenses: disable or modify tools
• 001: Indicator removal on host: clear Windows Event Logs
• T1041: Exfiltration Over C2 Channel
• T1486: Data encrypted for impact
• T1489: Service stop
• T1490: Inhibit System Recovery

Insights into the Operations

On August 23, 2021, a Russian-speaking tech blog YouTube channel called "Russian OSINT" published an interview with representatives of LockBit, unveiling crucial details about their operations. The LockBit 2.0 representative boasted about their ransomware's advanced technical features, enabling it to outperform competitors. Notable features include:

1. The fastest encryption speed and data exfiltration capabilities
2. Automated distribution and encryption processes
3. Immediate data exfiltration capabilities

It is worth noting that LockBit refrains from targeting healthcare and educational institutions, social services, and charities, as they prioritize the development and safety of human beings.

UltraViolet Cyber's Recommendations & Best Practices

Considering LockBit 2.0's capabilities, ongoing developments, and recruitment efforts, organizations must proactively prepare for future upgrades and heightened threats. Here are some recommendations to help prevent and mitigate the impact of LockBit attacks:

• Monitor endpoints: LockBit actively exploits public-facing applications, particularly targeting corporate VPNs (especially Citrix/FortiNET) and externally exposed Remote Desktop Protocols (RDPs). Regular monitoring of these endpoints is crucial.
• Patch management: LockBit frequently explores recent Common Vulnerabilities and Exposures (CVEs), including vulnerabilities such as ProxyLogon and Microsoft Exchange. It is imperative to apply patches promptly and conduct regular vulnerability assessments.
• Security training and assessments: Conduct periodic security skills assessments and provide regular training to all personnel. Engage in red-team exercises and penetration tests to identify and rectify weaknesses.
• Network segmentation: LockBit prioritizes network reconnaissance to steal sensitive data. Implementing segregated network segments, access hierarchies, and additional security measures for active directory, domain admin, and local domains can significantly impede their operations.
• Multifactor authentication (MFA): Protect employee accounts by implementing MFA to prevent actors from obtaining account credentials, which can be used to escalate privileges and move laterally within the network.
• Regular backups: Perform daily backups and store them offline to avoid data loss in case of an attack.
• Log auditing and monitoring: Regularly audit and monitor all event and incident logs to identify unusual patterns or behaviors that could indicate a compromise.

By adhering to these recommendations and best practices, organizations can fortify their defenses, mitigate the risk of LockBit attacks, and maintain robust data security and regulatory compliance. UltraViolet Cyber stands ready to support organizations in their security endeavors and safeguard their valuable assets.

Frequently Asked Questions