High alert! LockBit 3.0 ransomware operations

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory (CSA) to disseminate known LockBit 3.0 ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations.

“The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit.”

Evasive capabilities to be aware of 

LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.

  • rebooting into safe mode
  • hindering malware detection
  • the cryptographic key used for encryption
  • remote desktop protocol (RDP) exploitation [T1133]
  • drive-by compromise [T1189]
  • phishing campaigns [T1566]
  • abuse of valid accounts [T1078]
  • exploitation of public-facing applications

These are some of the evasive features of LockBit 3.0.

Use of freeware and open-source tools by the intruders

Some freeware and open-source tools used by LockBit 3.0 affiliates are mentioned in the table below:

Mitigation

The mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. 

CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs.

  • Require phishing-resistant multi-factor authentication.
  • Keep all operating systems, software, and firmware up to date.
  • Segment networks to prevent the spread of ransomware.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
  • Install, regularly update, and enable real-time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports.
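
One way to act on the account-review and administrative-privilege items above, shown as an added example that is not from the advisory or from PureVPN: it scans exported Windows Security events for account creation (4720) and security-group additions (4728, 4732, 4756). The JSON export shape, the account baseline, the admin-group list and the sample events are assumptions constructed for illustration.

```python
import json

# Windows Security event IDs: account created; member added to a
# security-enabled global, local or universal group.
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}

# Assumed for this example: the approved-account baseline and the groups
# treated as administrative come from your own inventory.
KNOWN_ACCOUNTS = {"alice", "bob", "svc-backup"}
ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}

# Constructed sample events (not from the advisory) in an assumed JSON export
# shape that reuses the field names of the Security log events.
SAMPLE_EVENTS = json.dumps([
    {"EventID": 4720, "TimeCreated": "2023-03-20T02:14:07Z",
     "TargetUserName": "svc-backup", "SubjectUserName": "alice"},
    {"EventID": 4720, "TimeCreated": "2023-03-20T03:41:55Z",
     "TargetUserName": "helpdesk2", "SubjectUserName": "bob"},
    {"EventID": 4732, "TimeCreated": "2023-03-20T03:42:10Z",
     "TargetUserName": "Administrators", "MemberName": "-",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "SubjectUserName": "bob"},
    {"EventID": 4728, "TimeCreated": "2023-03-20T09:00:00Z",
     "TargetUserName": "Print Operators", "SubjectUserName": "bob",
     "MemberName": "CN=alice,CN=Users,DC=example,DC=test"},
    {"EventID": 4624, "TimeCreated": "2023-03-20T09:05:00Z"},
])

def review_account_events(raw_json, known=KNOWN_ACCOUNTS, admin_groups=ADMIN_GROUPS):
    """Return (time, kind, detail, actor) for unrecognized accounts and admin-group adds."""
    findings = []
    for ev in json.loads(raw_json):
        eid = int(ev.get("EventID", 0))
        when, actor = ev.get("TimeCreated", "?"), ev.get("SubjectUserName", "?")
        if eid == ACCOUNT_CREATED:
            name = ev.get("TargetUserName", "")
            if name.lower() not in known:
                findings.append((when, "unrecognized-account", name, actor))
        elif eid in GROUP_MEMBER_ADDED:
            group = ev.get("TargetUserName", "")  # the group that was changed
            if group.lower() in admin_groups:
                # Local-group events often log MemberName as "-"; fall back to the SID.
                member = ev.get("MemberName") or "-"
                if member == "-":
                    member = ev.get("MemberSid", "unknown")
                findings.append((when, "admin-group-add", f"{member} -> {group}", actor))
    return findings
```

Each finding names the actor (`SubjectUserName`) so the reviewer can confirm whether the change was authorized before updating the baseline.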

“The FBI, CISA, and the MS-ISAC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.”

Wrapping up

The FBI, CISA, and MS-ISAC do not encourage paying the ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, or fund illicit activities.

Therefore, be vigilant and report to the FBI w

Author: PureVPN

Date: March 21, 2023