Mandiant's Tracks Ransomware Group Lockbit

Industry: N/A | Level: Tactical | Source: Mandiant

Mandiant's tracking of activity cluster UNC2165, has identified the group having Evil Corp origins, and in efforts to evade sanctions has become affiliated with Lockbit ransomware. The sanction was imposed by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) in December 2019. Without the need to maintain the Evil Corp's Hades ransomware, the cybercrime group could save on code maintenance costs and dedicate the time spent on development for ransomware operations. It is observed the UNC1543 threat group, "almost exclusively" provides UNC2165 with initial access. UNC1543's campaign designated as "FakeUpdates," lures victims with malicious browser updates to deliver malware such as Dridex. The post-compromise TTPs have identified the use of Mimikatz and Kerberoasting attacks to obtain credentials from the registry. Native windows utilities and open-source tools such as Advanced Port Scanner have been used to initiate reconnaissance. Lateral movement is conducted with SSH, RDP and PsExec. Persistence is achieved with a scheduled task and the creation of a user account. System defenses are tampered through disabling Windows Defender, cleaning systems logs, stopping services, and modifying registry values to help facilitate ransomware deployment.

Anvilogic Use Cases:

• Mimikatz
• Credentials in Registry
• Suspicious Executable by CMD.exe
• Invoke-Expression Command
• Common Reconnaissance Commands
• Create/Add Local/Domain User
• Cobalt Strike Beacon
• RDP Connection
• RDP Logon/Logoff Event
• Executable Create Script Process
• Rclone Execution
• Modify Windows Defender
• WinRM Tools
• Registry key added with reg.exe
• Remote Admin Tools
• Service Stop Commands
• Clear Windows Event Logs