FBI Cautions About LockBit 2.0

Since its inception as a ransomware-as-a-service in September 2019, the LockBit ransomware organization has been particularly active (RaaS). After malware perpetrators were prohibited from participating on cybercrime sites, LockBit revealed the LockBit 2.0 RaaS on their data leak site two years later, in June 2021.

In a notice published on Friday, the Federal Bureau of Investigation (FBI) disclosed technical data and signs of breach linked with LockBit ransomware assaults. They stated that upon infiltrating a targeted system, LockBit 2.0 attackers increase access using publicly available tools like Mimikatz.

How To Remedy

On the FBI website, they state to lessen the danger of LockBit 2.0 ransomware penetration, the FBI advises users to utilize these preventive measures:

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
  •  Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  •  Keep all operating systems and software up to date. Prioritize patching knownexploited vulnerabilities. Timely patching is one of the most efficient and cost-effectivesteps an organization can take to minimize its exposure to cybersecurity threats.
  •  Remove unnecessary access to administrative shares, especially ADMIN$ and C$. IfADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
  •  Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
  •  Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.Adversaries use system and network discovery techniques for network and system visibility and mapping. To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions:
  •  Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  •  Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  •  Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.
  •  Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  •  Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data.
  •  Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure.

If you’re needing help with computer problems, call us at 1-800-620-5285.  Karls Technology is a nationwide computer service company with offices in many major cities. This blog post was brought to you by our staff at the Boulder Computer Repair Service. If you need computer repair in Boulder, CO please call or text the local office at (720) 441-6460.

Leave a Reply