In a fresh flash notice published on Friday, the Federal Bureau of Investigation (FBI) disclosed technical data and signs of breach linked with LockBit ransomware attacks. It also included advice to assist enterprises in thwarting this adversary’s attempts to infiltrate their networks and a request that victims report such instances to their local FBI Cyber Squad as soon as possible.
Since its inception as a ransomware-as-a-service (RaaS) in September 2019, the LockBit ransomware gang has been particularly active, with gang members marketing the operation, offering support on Russian-language hacker forums, and recruiting threat actors to infiltrate and encrypt networks. After ransomware perpetrators were barred from posting on cybercrime sites, LockBit revealed the LockBit 2.0 RaaS on their data leak site two years later, in June 2021.
Among the technical facts on how LockBit ransomware works, the FBI discovered that the malware includes a secret debug window triggered using the SHIFT + F1 keyboard shortcut during the infection process. Once it appears, it can be used to track the status of user data deletion and get real-time information about the encryption process.
While the FBI did not specify what sparked the flash warning, it did invite administrators and cybersecurity specialists to provide information on LockBit attacks that targeted their organizations’ networks.
“The FBI is seeking any information that can be shared, [including] boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the threat actors, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file,” the federal agency said.
The FBI also released mitigations to assist defenders in protecting their networks against LockBit ransomware attacks:
- Require strong and unique passwords for all accounts with password logins (e.g., admin accounts, service accounts, and domain admin accounts).
- Keep all software and operating systems updated to the recent versions.
- Require multi-factor authentication for all services to the extent possible.
- Remove any access to administrative shares that isn’t absolutely essential.
- Enable secured files in the Windows Operating System to avoid unauthorized modification to critical data.
- Only allow connections to administrative shares through server message block (SMB) from a small number of administrator computers using a host-based firewall.
Admins can also block ransomware operators’ attempts to discover their networks by adopting the following steps:
- Segment networks to stop ransomware from spreading.
- Using a networking monitoring tool, identify, detect, and examine unusual activities and possible ransomware traversal.
- Implement time-based access for accounts configured at the admin level and higher.
- Ensure that all backup data is secured, immutable, and covers the complete data architecture of the firm.
- Maintain data backups offline and backup & restore procedures regularly.
- Disable command-line and scripting permissions and activities.
