In coordination with the Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA), the FBI has issued a flash alert to warn organizations about LockBit 2.0, a rising ransomware threat.
LockBit 2.0 functions as an affiliate-based Ransomware-as-a-Service (RaaS), making it extremely difficult to combat. Adding to that challenge, the hackers behind LockBit 2.0 can compromise your network using several techniques, including purchased access, unpatched vulnerabilities, insider access, and zero-day exploits, among others. According to the Sophos 2022 Threat Report, nearly 60 percent of the ransomware attacks were perpetrated by ransomware-as-service groups over the 18 months the study covered. That’s a frightening trend.
LockBit Malware Lets Hackers Escalates Privileges
After compromising a victim network with LockBit 2.0, the FBI alert notes that the hackers use publicly available tools like Mimikatz to escalate privileges. The hackers then use publicly available and custom tools to exfiltrate your data, which is encrypted by the LockBit malware. The hackers always leave a ransom note in each affected directory within the victim’s systems. The note includes instructions on decrypting the data and a threat that the stolen data will be posted on the LockBit 2.0 leak site if the ransom isn’t paid.
LockBit Updates Expand Targets
In its alert, the FBI also described how LockBit 2.0, released in July 2021, featured an update that automatically encrypts devices across Windows domains by abusing Active Directory group policies. Even more frightening, the following month, LockBit 2.0 started advertising to find insiders to give them initial access into potential target networks, promising to share part of the proceeds if the attack is successful. LockBit 2.0 also added Linux-based malware that puts vulnerabilities within VMware and ESXi virtual machines (VMs) at risk. You can find technical details and indicators that you’ve been compromised by LockBit 2.0 in the FBI alert.
Keys to Ransomware Prevention and Data Protection
IT pros everywhere continue to face growing ransomware threats, not just from LockBit 2.0. With that in mind, here are some essential components you need to have in place to protect your data.
Require Strong Passwords
Every account with a password login—admin accounts and domain accounts, for example—should be required to use strong, unique passwords. And passwords should never be used across multiple accounts or stored on the system where an attacker could potentially access them.
Implement Multi-Factor Authentication
Wherever possible, use multi-factor authentication (MFA) for all services like webmail and VPNs, as well as any accounts that access critical systems.
Keep Everything Up To Date
Make sure that all your operating systems and software are up to date, prioritizing patches that block known exploited vulnerabilities. This is one of the most efficient and cost-effective ways you can prevent cybersecurity threats.
Minimize Admin Access
Restrict privileges—especially for Admin$ and C$, a special administrative share created during installation on machines running Windows—only to those for whom access is absolutely necessary.
Deploy a Host-Based Firewall
Choose a hosted firewall that only allows connections to administrative shares via server message block (SMB) from a limited set of admin machines.
Limit System and Network Discovery
Hackers use systems and network discovery to gain visibility and map your infrastructure. Here are some tips to limit the impacts that these techniques can bring.
Segment Your Networks
Network segmentation prevents the spread of ransomware by limiting traffic between and access to subnetworks.
Add Ransomware Detection Tools
Network monitoring can help you identify, detect, and investigate any unusual activities. The tools you choose should log and report all network traffic, including lateral movement activity on a network. Endpoint protection starts with detection and response, and it’s worth considering cutting-edge endpoint protections that use artificial intelligence, like Arcserve 9000 appliances.
Use Time-Based Access for Admin Accounts
Time-based access—an added layer of security for admin-level and above accounts—includes just-in-time access (JIT), which provisions privileged access when needed and supports enforcement of the principle of least privilege and zero-trust models, among other solution opt.
Disable Command-Line and Scripting
By disabling command-line and scripting activities and permissions you can limit privilege escalation and lateral movement across your networks, which typically depends on software utilities that run from the command line.
Back Up Your Data
A sound backup and disaster recovery strategy is critical to recovery. We recommend that you follow the new 3-2-1-1 backup rule: Make three copies of your data (primary and two backups), with two copies stored locally on two formats (network-attached storage (NAS), tape or local drive), and one copy stored offsite in the cloud or secure storage.
Make Sure Your Backups Are Encrypted and Immutable
The extra “1” in 3-2-1-1 refers to immutability. Immutable backups of your data can’t be altered or deleted, so you can be sure your data is safe from ransomware and can be recovered if disaster strikes. And your data should always be encrypted—in transit and at rest—so it can’t be easily compromised.
Learn More
This post will be updated as more news about LockBit 2.0 comes to light. Meanwhile, if you have questions about how you can best protect your data from ransomware, contact us to talk to an Arcserve data protection expert.
