CISA #StopRansomware Advisory: LockBit 3.0
Category: Ransomware News | Industry: Global | Level: Tactical | Source: CISA
LockBit has established itself as one of the most prolific Ransomware-as-a-Service (RaaS) operations, and LockBit 3.0 is the latest iteration of its encryptor. The group has recently surpassed 1500 total victims across a wide range of industries, including critical infrastructure organizations. In response, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have released a joint cybersecurity advisory (AA23-075A) detailing the tactics, techniques, and procedures (TTPs) used by LockBit 3.0 and its affiliates, so that defenders can prioritize detections and hardening against them.
For initial access, LockBit affiliates cover the full gamut of options: exploitation of public-facing applications, valid accounts (including exposed Remote Desktop Protocol (RDP) services), drive-by compromise, and phishing campaigns. Once inside, affiliates rely on commodity tooling for network reconnaissance, remote access, credential dumping, and file exfiltration, and on PowerShell and Batch scripts for system discovery, password and credential hunting, and privilege escalation. Open-source and freeware tools observed include FileZilla, WinSCP, Rclone, and MegaSync (exfiltration), Mimikatz (credential dumping), PsExec (remote execution and lateral movement), Ngrok and Plink (tunneling), among others. Because every one of these is legitimate software that administrators also use, detection depends on the context of execution (the user, the host, the path the binary runs from, and the command line) rather than on the tool name alone.
During execution, LockBit 3.0 enumerates system and network configuration, terminates security processes and services that could interfere with encryption, establishes persistence under the compromised account, escalates privileges where the payload needs them, and deletes event logs and volume shadow copies to inhibit system recovery. A language check prevents the ransomware from encrypting hosts whose system language is on an exclusion list, such as "Romanian (Moldova), Arabic (Syria), and Tatar (Russia)." Much of LockBit 3.0's behavior is fixed at build time by configuration options chosen by the affiliate when the payload is compiled; at run time, command-line arguments further modify it (for example, builds that were not compiled as passwordless require a password argument before the payload will run, and additional arguments control lateral movement and rebooting into Safe Mode).
Anvilogic Use Cases:
- AVL_UC5373 - Ngrok Download Files
- AVL_UC6357 - Rclone Execution
- AVL_UC6358 - WinSCP Execution
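The three use cases above are tool-execution detections; the following is an added example (not Anvilogic's or CISA's code) of how such detections are typically expressed, run over a handful of constructed process-creation events shaped like Sysmon Event ID 1 or Security 4688 records. It covers the affiliate tooling listed earlier (Rclone, Ngrok/Plink, WinSCP/FileZilla/MegaSync, PsExec, Mimikatz) together with the recovery-inhibition and log-clearing behavior of the payload itself. Host names, users, paths, and command lines in the sample are made up; the ATT&CK technique IDs are the standard ones for each behavior. One event deliberately runs a renamed Ngrok binary, so the tunneling rule matches on argument shape rather than image name.

```python
"""Illustrative detection rules for LockBit-affiliate tooling and LockBit 3.0
recovery-inhibition behaviour (example code, not from the advisory or Anvilogic)."""
import re
from dataclasses import dataclass

# Constructed sample telemetry: process-creation events reduced to the fields the rules use.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe cl Security"},
    {"host": "WS17", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmd": "rclone.exe copy D:\\Finance mega:dump --transfers 32 --no-check-certificate"},
    # Renamed ngrok: the image name tells you nothing, the argument shape still does.
    {"host": "WS17", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\Downloads\svchost.exe",
     "cmd": "svchost.exe tcp 3389"},
    {"host": "WS22", "user": "CORP\\asmith", "image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "cmd": "WinSCP.exe"},
    {"host": "WS22", "user": "CORP\\asmith", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe report.txt"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # MITRE ATT&CK technique ID the behaviour maps to
    pattern: re.Pattern  # searched in "<image> <cmd>" so either field can trigger


RULES = [
    Rule("Shadow copy deletion", "T1490",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("Recovery disabled (bcdedit/wbadmin)", "T1490",
         re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    Rule("Windows event log cleared", "T1070.001",
         re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    Rule("Rclone transfer to remote", "T1567",
         re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    # Matches the tool by name OR by the classic "expose RDP" argument shape used with ngrok.
    Rule("Ngrok/Plink tunnel", "T1572",
         re.compile(r"\b(ngrok|plink)(\.exe)?\b|\b(tcp|http)\s+3389\b", re.I)),
    Rule("File transfer client", "T1048",
         re.compile(r"\b(winscp|filezilla|megasync)(\.exe)?\b", re.I)),
    Rule("Remote service execution (PsExec)", "T1569.002",
         re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    Rule("Credential dumping tool", "T1003",
         re.compile(r"\bmimikatz\b|sekurlsa::", re.I)),
]


def detect(events):
    """Return one alert per (event, rule) match, preserving event order."""
    alerts = []
    for ev in events:
        haystack = f"{ev['image']} {ev['cmd']}"
        for rule in RULES:
            if rule.pattern.search(haystack):
                alerts.append({"host": ev["host"], "user": ev["user"], "rule": rule.name,
                               "technique": rule.technique, "cmd": ev["cmd"]})
    return alerts


def hosts_with_recovery_inhibition(alerts):
    """Hosts where backups or logs were tampered with. This is the signal to act on first:
    it usually fires minutes before encryption starts, so it is the last cheap stop."""
    return sorted({a["host"] for a in alerts if a["technique"] in ("T1490", "T1070.001")})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:5} {a['user']:16} {a['technique']:9} {a['rule']}: {a['cmd']}")
    print("escalate first:", hosts_with_recovery_inhibition(found))
```

Treat every hit as a lead, not a verdict: WinSCP on a sysadmin's workstation is routine, while the same binary launched from a user's Temp directory by a service account is not, which is why the alerts carry host, user, and command line rather than only the rule name. The shadow-copy and event-log rules are the exception; outside a change window they warrant immediate isolation of the host.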