FBI Flash Report for LockBit 2.0

Industry: N/A | Level: Tactical | Source: IC3

The FBI released details associated with Ransomware-as-a-Service (RaaS) LockBit 2.0 that's been active since September 2019. The threat groups initial access vectors leverage paid access, exploiting vulnerabilities, insider threat, and zero-day exploits. The group has a large arsenal of private and public tools, with the usage of public tool Mimikatz to escalate privileges. Upon execution of the LockBit 2.0 ransomware, the malware conducts a system language check to ensure the target is not "Eastern European" if the system is, then the malware will exit the infection routine. The infection routine as documented begins with "Lockbit 2.0 deletes log files and shadow copies residing on disk. Lockbit 2.0 enumerates system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Lockbit 2.0 attempts to encrypt any data saved to any local or remote device, but skips files associated with core system functions. Once completed, Lockbit 2.0 deletes itself from disk and creates persistence at startup." For data exfiltration there are a variety of publicly available tools like Rclone, MEGAsync as well as public file-sharing services.

• Anvilogic Use Cases:
• Mimikatz
• New AutoRun Registry Key
• Rclone Execution