Recently, the FBI issued a warning to be on the watch for LockBit ransomware 2.0, and gave some tips on how to protect your environment. Let’s take a closer look at what we know about LockBit ransomware, and what makes it so terrible.
How LockBit Operates
The first thing to understand is that LockBit is ransomware as a service. This means the barrier to entry is very low. Once a malicious actor is inside your network, they deploy the ransomware and the LockBit group takes care of the rest. It is important to remember that many popular ransomware operations work this way: whoever got into your network gets a nice payment, and LockBit handles the negotiation and payment.
What Makes LockBit Dangerous
Beyond the classic encryption and extortion, LockBit is especially dangerous because it is self-spreading. It exploits SMB, ARP tables and PowerShell to spread rapidly. In fact, the Darktrace blog took a closer look at LockBit and observed an environment brought to a screeching halt by just a single compromised credential. Within three minutes of deployment, the ransomware was going to work.
What does LockBit Target
LockBit originally began as a Windows-based threat, and has been very good at moving around in Windows environments. In October of 2021 a Linux variant emerged, with a special focus on VMware ESXi. This means there is nothing in the environment that is safe from LockBit. We also know that LockBit is known for its speed of deployment, which is especially true of the ESXi-based variants. Similar to its ability to execute PowerShell commands, the ESXi version can issue esxcli commands.
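As an added example (not part of the original post, and not code from the FBI, Darktrace or LockBit research), the Python script below shows one way a defender could hunt for the two behaviours described above: a single account fanning out to many hosts inside the three-minute window mentioned for the Windows variant, and a burst of esxcli commands from one shell session on an ESXi host. Both checks share the same sliding-window logic. The log formats, host names, account names and timestamps are constructed for the example; in particular the ESXi shell log layout is an assumption and should be matched to what the host actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows network-logon records (not real telemetry), one per line:
# "timestamp,account,destination_host". "alice" touches six hosts in under two
# minutes; "bob" touches three hosts spread over a working day.
SAMPLE_LOGONS = """\
2022-03-01T09:00:01,alice,FS-01
2022-03-01T09:00:09,alice,FS-02
2022-03-01T09:00:21,alice,APP-03
2022-03-01T09:00:44,alice,DB-01
2022-03-01T09:01:02,alice,HR-01
2022-03-01T09:01:37,alice,PRINT-02
2022-03-01T08:15:00,bob,FS-01
2022-03-01T10:30:00,bob,FS-02
2022-03-01T14:05:00,bob,APP-03
"""

# Constructed lines in the style of an ESXi shell audit log. The layout
# "<timestamp> shell[<pid>]: [<user>]: <command>" is an assumption for this
# example; adjust the regex to the real shell.log format on your hosts.
SAMPLE_SHELL_LOG = """\
2021-10-27T02:10:03Z shell[2101]: [root]: esxcli system version get
2021-10-27T02:10:05Z shell[2101]: [root]: esxcli vm process list
2021-10-27T02:10:06Z shell[2101]: [root]: esxcli storage filesystem list
2021-10-27T02:10:08Z shell[2101]: [root]: esxcli network ip interface list
2021-10-27T02:10:09Z shell[2101]: [root]: esxcli software vib list
2021-10-27T14:00:12Z shell[3456]: [vmadmin]: esxcli system version get
2021-10-27T14:30:40Z shell[3456]: [vmadmin]: esxcli storage filesystem list
"""

SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")


def burst_alerts(events, window, threshold):
    """events: iterable of (timestamp, actor, item).

    Returns {actor: (window_start, sorted distinct items)} for every actor
    that touched at least `threshold` distinct items inside any sliding
    time window of length `window`.
    """
    per_actor = defaultdict(list)
    for ts, actor, item in sorted(events, key=lambda e: e[0]):
        per_actor[actor].append((ts, item))
    alerts = {}
    for actor, hits in per_actor.items():
        start = 0
        for end in range(len(hits)):
            # advance the window start until the span fits inside `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {item for _, item in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[actor] = (hits[start][0], sorted(distinct))
                break  # one alert per actor is enough for triage
    return alerts


def parse_logons(text):
    """Yield (timestamp, account, destination_host) from the CSV-style records."""
    for line in text.splitlines():
        if line.strip():
            ts, account, host = line.split(",")
            yield datetime.fromisoformat(ts), account, host


def parse_shell_log(text):
    """Yield (timestamp, user, command) for esxcli invocations only."""
    for line in text.splitlines():
        m = SHELL_RE.match(line)
        if m and m.group("cmd").startswith("esxcli "):
            ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
            yield ts, m.group("user"), m.group("cmd")


def lateral_movement_alerts(text=SAMPLE_LOGONS):
    """Accounts reaching 5+ distinct hosts within 3 minutes (the Darktrace timeframe)."""
    return burst_alerts(parse_logons(text), timedelta(minutes=3), threshold=5)


def esxcli_burst_alerts(text=SAMPLE_SHELL_LOG):
    """Shell users issuing 4+ distinct esxcli commands within one minute."""
    return burst_alerts(parse_shell_log(text), timedelta(seconds=60), threshold=4)


if __name__ == "__main__":
    for name, alerts in (("lateral movement", lateral_movement_alerts()),
                         ("esxcli bursts", esxcli_burst_alerts())):
        for actor, (first_seen, items) in alerts.items():
            print(f"[{name}] {actor} from {first_seen.isoformat()}: {items}")
```

The thresholds are deliberately conservative starting points, not tuned values: a backup or monitoring account legitimately fans out to many hosts, and a scripted maintenance run legitimately issues many esxcli commands, so an allowlist of known service accounts and change windows belongs in front of these checks before they feed an alert queue.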
Protecting Against LockBit
It goes without saying that organizations should have already taken steps to protect themselves from ransomware. Unfortunately this is no easy feat, as there is no magic anti-ransomware button IT administrators can hit.
The FBI gives some very helpful guidance. Some of it is more pertinent to the LockBit threat than the rest, but all of it is good advice for environments to implement.
My two favorite recommendations are:
Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Since we’ve seen evidence of how quickly LockBit can spread with even just one compromised account, MFA can go a long way to stop this ransomware in its tracks.
Keep all operating systems and software up to date. Prioritize patching known exploited vulnerabilities. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
We also know that patching can be critical in any environment, especially when exploits are in play. The fact is that patching is often overlooked, for numerous reasons, in many environments. With patches being pulled recently by big players like Microsoft and VMware, you can’t really blame anyone who hesitates before rolling patches out to production.
Another item that the FBI guidance touches on briefly is EDR, or endpoint detection and response tools. This is huge and often overlooked. While it is important to put things in place to protect against ransomware if it gets into the environment, another very important aspect is being able to find it quickly once it is inside.
You can read the full document from the FBI on LockBit here.
As we continue to break down the different variants of ransomware out there, we will see some similarities between them, but we will also see differences that make each one unique. At the end of the day, good information security practices can help protect against all of these variants; however, everyone should be prepared for an eventual attack.