Lockbit Ransomware Attacked Industrial and Retail Organizations

Industries: Industrial, Retail | Level: Tactical | Source: Cybereason

Cybereason investigated two Lockbit ransomware attacks: one against an industrial organization in the fourth quarter of 2021, and one against a retail organization in the second quarter of 2022. Both attacks demonstrated the TTPs of Lockbit operators; however, only the attack against the retail organization provided details of a potential timeline spanning over a week. In the attack against the retail organization, the threat actors were quick to establish persistence in the environment, adding a new user account, creating a tunnel with Ngrok, and gathering credentials by dumping lsass.exe. The campaign then slowed as the actors conducted system reconnaissance and exfiltrated files with Rclone, MegaSync, and FileZilla. Lockbit ransomware was deployed once security products were disabled and system recovery was inhibited. The attack against the industrial organization followed a slightly different attack path, as the operators gathered system information and credentials immediately after obtaining a foothold in the environment. That attack uniquely exploited the SpoolFool vulnerability (CVE-2022-21999) for privilege escalation. However, as in the retail campaign, the attackers launched ransomware on the industrial organization once security defenses were hindered. Additional commonalities observed in both campaigns were the use of Mimikatz and Task Manager to dump credentials, the clearing of Windows event logs, and the use of PsExec for execution and lateral movement.

Anvilogic Scenario:

  • Lockbit - Attack Life Cycle - v1
  • Lockbit - Attack Life Cycle - v2

Anvilogic Use Cases:

  • Mimikatz
  • Task Manager lsass Dump
  • Remote Admin Tools
  • MSTSC Execution
  • Rare dll called by Spoolsv.exe
  • Clear Windows Event Logs
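
As an added example (not code from the Cybereason report or from the Anvilogic platform), the following Python sketch turns the TTPs described in the summary above and the use cases listed here into detection logic that runs over simplified Sysmon and Windows Security-log records. Field names follow the Sysmon (Event IDs 1, 7, 10) and Security-log (4720, 1102) schemas; the lsass allow-list, the spoolsv.exe DLL baseline, the tool-name list, and every sample record are assumptions constructed for the demonstration, not data from the investigated incidents.

```python
"""
Detection rules for the Lockbit TTPs in the summary above: credential dumping
from lsass.exe (Task Manager, Mimikatz), a rare DLL loaded by spoolsv.exe,
Windows event log clearing, remote-admin/exfiltration tooling (Ngrok, Rclone,
MegaSync, FileZilla, PsExec, MSTSC) and new local accounts. Records are
simplified Sysmon / Security-log events constructed for this example.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumed allow-list of processes that legitimately open lsass.exe; tune per estate.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "lsm.exe", "svchost.exe", "msmpeng.exe"}

# Assumed baseline of DLLs normally loaded by spoolsv.exe; anything else is "rare".
SPOOLSV_BASELINE_DLLS = {"localspl.dll", "spoolss.dll", "winspool.drv", "printui.dll"}

# Tooling named in the summary (tunnelling, exfiltration, remote execution/admin).
REMOTE_ADMIN_TOOLS = {"ngrok.exe", "rclone.exe", "megasync.exe", "filezilla.exe",
                      "psexec.exe", "psexesvc.exe", "mstsc.exe", "mimikatz.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def detect(event: dict) -> list:
    """Return the rule names the event triggers (empty list when benign)."""
    hits = []
    eid = event.get("EventID")
    src = _basename(event.get("Image", event.get("SourceImage", "")))

    # Sysmon 10: a handle to lsass.exe from a process outside the allow-list
    # (catches Task Manager dumps and renamed Mimikatz alike).
    if eid == 10 and _basename(event.get("TargetImage", "")) == "lsass.exe" \
            and src not in LSASS_ALLOWED_SOURCES:
        hits.append("lsass_access:" + src)

    # Sysmon 7: spoolsv.exe loading a DLL that is not in its baseline
    # (the "rare DLL called by spoolsv.exe" use case, relevant to SpoolFool abuse).
    if eid == 7 and src == "spoolsv.exe":
        dll = _basename(event.get("ImageLoaded", ""))
        if dll not in SPOOLSV_BASELINE_DLLS:
            hits.append("spoolsv_rare_dll:" + dll)

    # Security 1102 / System 104 record a cleared log; Sysmon 1 catches "wevtutil cl".
    if eid in (1102, 104):
        hits.append("event_log_cleared")
    if eid == 1 and src == "wevtutil.exe" and \
            re.search(r"\b(cl|clear-log)\b", event.get("CommandLine", ""), re.I):
        hits.append("event_log_cleared")

    # Sysmon 1: process creation of a tool named in the summary (name match only,
    # so treat it as a floor; the lsass rule above does not depend on the name).
    if eid == 1 and src in REMOTE_ADMIN_TOOLS:
        hits.append("remote_admin_tool:" + src)

    # Security 4720: a new local account (the persistence step seen in the retail case).
    if eid == 4720:
        hits.append("new_user_account:" + event.get("TargetUserName", "?"))
    return hits


def scan(events: list) -> list:
    """Run every rule over every event; return (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


def summarize(alerts: list) -> dict:
    """Count alerts per rule family (the part of the rule name before ':')."""
    return dict(Counter(rule.split(":", 1)[0] for _, rule in alerts))


# Constructed sample records (not from the investigated incidents).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\unknown.dll"},
    {"EventID": 1, "Image": r"C:\Users\Public\ngrok.exe", "CommandLine": "ngrok.exe start --all"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"EventID": 1102, "Channel": "Security"},
    {"EventID": 4720, "TargetUserName": "svc_backup"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The lsass and spoolsv rules are baseline-driven rather than name-driven, which is what makes them useful against renamed tooling and unfamiliar DLLs; the tool-name rule is the cheapest signal and should be paired with the behavioural ones rather than relied on alone. In production the allow-list and the spoolsv baseline would be learned from the estate's own telemetry rather than hard-coded.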
