2022-06-07

Mandiant Tracks Ransomware Group LockBit

Level: Tactical | Source: Mandiant | Cybersecurity

Mandiant's tracking of the activity cluster UNC2165 has identified the group as having Evil Corp origins and, in an effort to evade sanctions, as having become affiliated with LockBit ransomware. The sanctions were imposed by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) in December 2019. Without the need to maintain Evil Corp's Hades ransomware, the cybercrime group could save on code maintenance costs and dedicate the time previously spent on development to ransomware operations. The UNC1543 threat group is observed to "almost exclusively" provide UNC2165 with initial access. UNC1543's campaign, designated "FakeUpdates," lures victims with malicious browser updates to deliver malware such as Dridex. Post-compromise TTPs include the use of Mimikatz and Kerberoasting attacks to obtain credentials, as well as credential extraction from the registry. Native Windows utilities and open-source tools such as Advanced Port Scanner are used for reconnaissance. Lateral movement is conducted with SSH, RDP and PsExec. Persistence is achieved with a scheduled task and the creation of a user account. System defenses are tampered with by disabling Windows Defender, clearing system logs, stopping services, and modifying registry values to facilitate ransomware deployment.
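Detection logic for the persistence and defense-evasion behaviours listed above, as an added example that is not part of the Anvilogic post or Mandiant's report: it classifies constructed Windows Security, System and Sysmon event records by the TTP they correspond to and flags any host that shows both a persistence action and a defense-evasion action. The event IDs are standard Windows and Sysmon values; the host names, account name, task name and the Defender policy registry path used in the sample are assumptions.

```python
"""Correlate Windows event records against the UNC2165 post-compromise TTPs:
scheduled-task and account persistence, Defender tampering via the registry,
service stopping and log clearing. Sample records below are constructed."""
from collections import defaultdict

# Assumed registry value name that disables Defender when set via policy.
DEFENDER_KEY = r"\Microsoft\Windows Defender\DisableAntiSpyware"

def classify(ev):
    """Return a 'tactic:technique' label for one event record, or None."""
    eid, ch = ev["EventID"], ev["Channel"]
    if ch == "Security" and eid == 4720:   # a user account was created
        return "persistence:new-account"
    if ch == "Security" and eid == 4698:   # a scheduled task was created
        return "persistence:scheduled-task"
    if ch == "Security" and eid == 1102:   # the audit log was cleared
        return "defense-evasion:log-cleared"
    if ch == "System" and eid == 7036 and ev.get("State") == "stopped":
        return "defense-evasion:service-stopped"   # SCM: service entered stopped state
    if ch == "Sysmon" and eid == 13 and DEFENDER_KEY in ev.get("TargetObject", ""):
        return "defense-evasion:defender-registry"  # Sysmon RegistryEvent (value set)
    return None

def correlate(events):
    """Group hits per host; alert when persistence AND defense evasion both appear."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["Host"]].add(label)
    alerts = {}
    for host, labels in hits.items():
        tactics = {label.split(":")[0] for label in labels}
        if {"persistence", "defense-evasion"} <= tactics:
            alerts[host] = sorted(labels)
    return alerts

# Constructed sample: ws01 shows the full chain, ws02 only routine activity.
SAMPLE = [
    {"Host": "ws01", "Channel": "Security", "EventID": 4720, "TargetUserName": "svc_backup2"},
    {"Host": "ws01", "Channel": "Security", "EventID": 4698, "TaskName": "\\Updater"},
    {"Host": "ws01", "Channel": "Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"Host": "ws01", "Channel": "System", "EventID": 7036, "Service": "WinDefend", "State": "stopped"},
    {"Host": "ws01", "Channel": "Security", "EventID": 1102},
    {"Host": "ws02", "Channel": "System", "EventID": 7036, "Service": "Spooler", "State": "stopped"},
    {"Host": "ws02", "Channel": "Security", "EventID": 4624},
]

if __name__ == "__main__":
    for host, labels in correlate(SAMPLE).items():
        print(host, labels)
```

A single stopped service on ws02 produces no alert, which is the point of requiring two tactics before escalating.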
