2022-07-13

Lockbit Ransomware Attacked Industrial and Retail Organizations

Level: 
Tactical
  |  Source: 
Cybereason
Retail
Share:
Lockbit Ransomware Attacked Industrial and Retail Organizations

Cybereason investigated two Lockbit ransomware attacks against an industrial organization in the fourth quarter of 2021, and a retail organization in the second quarter of 2022. The two attacks demonstrated TTPs Lockbit operators, however only the attack against the retail organization provided details of a potential timeline spanning over a week. In the attack against the retail organization, the threat actors were quick to establish persistence in the environment, adding a new user account, creating a tunnel with Ngrok, and gathering credentials by dumping lsass.exe. The campaign then slowed to conduct system reconnaissance, and exfiltrate files with Rclone, MegaSync, and Filezilla. Lockbit ransomware deployed once security products were disabled, and system recovery was inhibited. The attack against the industrial organization saw a slightly different attack path, as the operators gathered system information and credentials immediately after obtaining a foothold in the environment. The attack uniquely exploited the SpoolFool vulnerability (CVE-2022-21999) for privilege escalation. However, as with the retail attack campaign, the attackers launched ransomware on the industrial organization once security defenses were hindered. Additional commonalities observed in both campaigns were the use of Mimikatz, and Task Manager to dump credentials, clearing windows event logs, and the use of PsExec for execution and lateral movement.

     

Get trending threats published weekly by the Anvilogic team.

Sign Up Now