Asking the relevant personnel to share any further details that could aid understanding, the FBI reiterated that it never encourages paying ransoms and asked every victim to report the incident to their nearest FBI cyber crime department.
Technical Details of LockBit Ransomware
Starting in 2019, LockBit has grown into one of the most notorious ransomware operations in the criminal underworld. It began as a Ransomware-as-a-Service operation, recruiting affiliate hackers to hit targets and sharing the ransom proceeds with them. After it was banned from advertising on cybercrime forums, the group released LockBit 2.0 in June 2021, adding capabilities such as the automatic encryption of devices across Windows domains via Active Directory group policies. It also redesigned its Tor sites and began cutting out the middlemen (hired hackers) by recruiting insiders at target companies directly, who can provide access through Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) connections. Now that the group has added one more major capability, a Linux encryptor targeting VMware ESXi servers, last month, the FBI has released a report detailing the ransomware's indicators of compromise (IOCs), detection guidance, and tips on how to safeguard against LockBit attacks. Here they are:
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.
Require multi-factor authentication for all services to the extent possible.
Keep all operating systems and software up to date.
Remove unnecessary access to administrative shares.
Use a host-based firewall to only allow connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines.
Enable protected files in the Windows operating system to prevent unauthorized changes to critical files.
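The two host-level items above, restricting SMB access to administrative shares and protecting critical files, can be applied on a single Windows host with Windows Defender Firewall and Microsoft Defender cmdlets. The following is an added example, not code from the FBI advisory or from this article; the administrator workstation addresses and the protected folder path are constructed placeholders, and mapping "protected files" to Controlled Folder Access is an assumption.

```powershell
# Added example (not from the advisory or the article). Run in an elevated
# PowerShell session on the host whose administrative shares (C$, ADMIN$)
# should only be reachable from a small set of administrator machines.

# ASSUMPTION: constructed addresses of the administrator workstations.
$AdminHosts = @('10.10.50.10', '10.10.50.11')

# Block rules win over allow rules in Windows Defender Firewall, so instead of
# adding a broad block rule, rely on the profile's default inbound action being
# Block and disable the built-in rules that open SMB to everyone.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# Allow SMB (TCP 445) inbound only from the administrator workstations.
New-NetFirewallRule -DisplayName 'SMB-In: admin workstations only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AdminHosts -Action Allow -Profile Domain -Enabled True

# Verify the address scope that the new rule actually carries.
Get-NetFirewallRule -DisplayName 'SMB-In: admin workstations only' |
    Get-NetFirewallAddressFilter

# ASSUMPTION: "protected files" is implemented here with Microsoft Defender's
# Controlled Folder Access, which blocks untrusted processes from modifying
# files in protected folders (ransomware encryption included). The extra
# folder path is a constructed placeholder.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'
```

Use `-EnableControlledFolderAccess AuditMode` first to observe which applications would have been blocked before switching to `Enabled`, and keep the SMB allow rule tied to the Domain profile so a laptop on an untrusted network does not expose port 445 at all.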
And for system administrators, here are the tips for safeguarding their networks:
Segment networks to prevent the spread of ransomware.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
Implement time-based access for accounts set at the admin level and higher.
Disable command-line and scripting activities and permissions.
Maintain offline backups of data, and regularly maintain backup and restoration.
Ensure all backup data is encrypted, immutable, and covers the entire organization's data infrastructure.
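The "time-based access for accounts set at the admin level" item is directly relevant to LockBit 2.0's abuse of Active Directory group policy, since a compromised account that holds domain admin rights only for a fixed window is far less useful to an attacker. One way to implement it with Active Directory's Privileged Access Management (PAM) feature, as an added example that is not from the advisory or the article; the forest name, account name and window length are constructed placeholders:

```powershell
# Added example (not from the advisory or the article): time-bound membership
# of a privileged group using AD's Privileged Access Management feature.
# Requires the ActiveDirectory module, a Windows Server 2016 or later forest
# functional level, and Domain Admins rights.
Import-Module ActiveDirectory

# One-time forest change (cannot be disabled afterwards): enables time-to-live
# values on group membership links. ASSUMPTION: constructed forest name.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example.test'

# Grant Domain Admins for four hours. AD removes the membership link when the
# TTL expires, and the KDC caps the account's Kerberos ticket lifetime to the
# remaining TTL so the privilege does not outlive the window.
# ASSUMPTION: constructed account name.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'adm-jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# Review the remaining TTL on each member link; time-bound members are shown
# as <TTL=seconds,DN> entries, permanent members as plain DNs.
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Pair this with a periodic check that lists any permanent (TTL-less) members of the tier-0 groups, so standing admin membership that bypasses the time-bound process is noticed rather than accumulating.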
The FBI asked security experts and researchers to share any additional information they have so the advisory can be made more effective. It also discouraged victims from paying the ransom and wants them to report any security incident to the nearest FBI cyber crime department for help.