The FBI is currently aware of concerning activity involving a Ransomware-as-a-Service (RaaS) known as LockBit 2.0, which uses a variety of tactics, techniques, and procedures (TTPs) to create a hard-to-handle security threat that targets victims in various sectors. I'll give a brief technical breakdown, then go into the recommended mitigation strategies.
LockBit 2.0 is a ransomware application that uses bitwise operations to decode strings and load required modules, evading detection and protection technologies. Upon launch, LockBit 2.0 imports the required modules, then determines whether the process has administrative privileges; if it does not, it attempts privilege escalation to obtain them. It then checks the system and user language settings and only targets hosts whose settings do not match a set list of Eastern European languages. If Eastern European language codes are detected, the program exits without infecting the host.
As infection begins, LockBit 2.0 deletes log files and shadow copies residing on disk, and enumerates system information including hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. It then attempts to encrypt any data saved on any local or remote device, but skips files associated with core system functions. Once completed, it removes itself from disk and creates persistence at startup.
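The pre-encryption behaviour described above (shadow copies and log files deleted before encryption starts) is visible in process-creation telemetry, so here is an added detection example, not part of the original advisory, that flags such commands in constructed Sysmon-style log lines and escalates hosts showing both behaviours. The command-line patterns (vssadmin/wmic shadow-copy deletion, wevtutil/PowerShell log clearing) and the key=value log format are assumptions about common tooling, not indicators taken from this page.

```python
import re
from dataclasses import dataclass

# Command-line patterns for shadow-copy deletion and event-log clearing. These are
# assumed, widely documented tooling patterns, not indicators from the advisory above.
SUSPICIOUS = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("event_log_clearing", re.compile(r"Clear-EventLog", re.I)),
]

@dataclass
class Alert:
    host: str
    parent: str
    technique: str
    command: str

def parse_line(line):
    """Parse a constructed key=value process-creation log line into a dict."""
    return {m.group(1): m.group(2).strip('"')
            for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', line)}

def detect(lines):
    """Return one Alert per log line whose CommandLine matches a pattern above."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        cmd = fields.get("CommandLine", "")
        for technique, pattern in SUSPICIOUS:
            if pattern.search(cmd):
                alerts.append(Alert(fields.get("Host", "?"), fields.get("ParentImage", "?"), technique, cmd))
                break  # one alert per line is enough
    return alerts

def hosts_with_both(alerts):
    """Hosts that both deleted shadow copies and cleared logs: escalate these first."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.technique)
    return sorted(h for h, t in seen.items() if {"shadow_copy_deletion", "event_log_clearing"} <= t)

# Constructed sample telemetry; hostnames, paths and commands are made up.
SAMPLE_LOGS = [
    r'Host=WS01 ParentImage="C:\Users\jdoe\Downloads\invoice.exe" CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'Host=WS01 ParentImage="C:\Users\jdoe\Downloads\invoice.exe" CommandLine="wevtutil.exe cl Security"',
    r'Host=WS02 ParentImage="C:\Windows\explorer.exe" CommandLine="vssadmin.exe list shadows"',
    r'Host=WS03 ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe notes.txt"',
]
```

Running `detect(SAMPLE_LOGS)` yields two alerts, both for WS01 and both with a user-writable parent process, and `hosts_with_both` returns that host as the one to triage first; the benign `vssadmin list shadows` on WS02 is not flagged.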
What is unusual about this attack is that it can be preconfigured to search for or exfiltrate only specific file types, tailoring the attack to the individual business being targeted. This allows attackers to target files specific to the applications the victim uses and guarantee that all of the important information held in those file types is encrypted and unreachable before the victim is ransomed and a timer is set on the destruction of the ransomed data.
Indicators of Compromise
Many of the recommendations for this malware are the same as those for traditional ransomware mitigation, but here is a general list:
Some more specific recommendations would be to use security processes that include the following, so ask yourself whether you have these processes in place:
London Security would be happy to discuss this further on the phone; feel free to contact us directly for more information on this threat, among others.