Organizations Get Warned About LockBit 3.0 Ransom Attacks By The US Government

Rithika Biswas, March 19, 2023
Updated 2023/03/19 at 4:35 PM

We are no strangers to cybercrime, especially as it has risen steadily over the past few years. Scams are now a daily nuisance rather than a once-in-a-blue-moon occurrence. Corporate companies, however, face a different kind of scam, one purely after their money, their customer details, or sometimes both, on a much larger scale. This week the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory addressing the LockBit 3.0 ransomware operation.

LockBit has thrived on the ransomware-as-a-service (RaaS) model since January 2020, targeting a wide range of corporations and critical infrastructure institutions and employing a variety of tactics, techniques, and procedures (TTPs). LockBit 3.0, also known as LockBit Black, has a more modular architecture than prior variants and accepts a multitude of arguments that vary its behaviour after deployment.

LockBit 3.0 installers are encrypted and can only be activated if a password is supplied, according to the joint advisory from the FBI, CISA, and MS-ISAC. The malware also accepts arguments that control lateral movement, can reboot systems into Safe Mode, and performs a language check at runtime to avoid infecting systems with specific language settings, such as Arabic (Syria), Romanian (Moldova), Tatar (Russia), and others.

In LockBit 3.0 attacks, initial access is gained through remote desktop protocol (RDP) exploitation, drive-by compromise, phishing, compromised credentials, and the exploitation of vulnerabilities in public-facing applications. Once inside, the malware attempts to escalate privileges, collects system information, terminates certain processes and services, executes commands, enables automatic logon for persistence, and deletes log files, files in the recycle bin, and volume shadow copies.


The ransomware moves laterally across the network using a hardcoded set of credentials, and it can also spread using Group Policy Objects and PsExec over the Server Message Block (SMB) protocol. LockBit 3.0 then encrypts files on both local and remote devices, drops a ransom note, and changes the desktop wallpaper and icons to match its branding. Once the operation is complete, the malware may delete itself from the host.
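As an added illustration (not from the advisory or the article) of how a defender might spot the post-access behaviours described above, here is a small detector run over constructed process-creation events. The Windows command lines in the sample (vssadmin, wevtutil, reg add to Winlogon, PsExec) are the usual built-ins for shadow copy deletion, log clearing, autologon persistence and SMB lateral movement; the advisory summarised here names the behaviours, not the exact commands, so those patterns are assumptions.

```python
import re

# Constructed process-creation events (not real telemetry), shaped like a
# minimal Sysmon Event ID 1 / Windows 4688 export: host, image, command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe cl Security"},
    {"host": "ws01", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" '
            r"/v AutoAdminLogon /t REG_SZ /d 1 /f"},
    {"host": "ws01", "image": r"C:\Tools\PsExec.exe",
     "cmd": r"PsExec.exe \\fs01 -u CORP\svc_backup -p ******** -s cmd.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe report.txt"},
]

# Each rule maps one behaviour from the advisory to an assumed command-line pattern.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
    "autologon_persistence": re.compile(r"Winlogon.*AutoAdminLogon", re.I),
    "psexec_lateral_movement": re.compile(r"psexec(\.exe)?\s+\\\\", re.I),
}


def match_rules(event):
    """Return the names of every rule whose pattern hits this event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmd"])]


def score_hosts(events):
    """Collect the distinct suspicious behaviours seen per host."""
    hits = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def flag_hosts(events, min_behaviours=2):
    """Flag hosts showing several distinct behaviours; any single one alone is
    often legitimate admin activity, the combination is the ransomware signal."""
    return sorted(h for h, names in score_hosts(events).items()
                  if len(names) >= min_behaviours)


if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```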

As part of the reported attacks, the operators of LockBit 3.0 used a bespoke tool called Stealbit, an open-source command-line cloud storage manager, and public file-sharing platforms to exfiltrate confidential data. Numerous freeware and open-source tools for network reconnaissance, remote access, information theft, and credential dumping may also be used in attacks. PowerShell and batch scripts, as well as Metasploit and Cobalt Strike implants, have been observed.

Multinationals are advised to adopt best-practice security measures to reduce the risks associated with ransomware, such as maintaining a management plan, using strong passwords for all credentials, enforcing phishing-resistant multi-factor authentication, keeping all software and hardware updated, implementing network segmentation, monitoring their networks for suspicious behaviour, creating backups of all data, disabling unneeded ports and services, auditing user accounts, and so on.
