Well, it seems like it is that time of the week, again. Sigh…
Yet another ransomware group has (re)commenced operations. Their modus operandi is unchanged from every other group: steal whatever data they can get their hands on, encrypt it, and leave organizations holding the bill. Fail to pay that bill, and the actors will leak the data on their dedicated leak site (DLS). In the cyber security industry, this might as well be called a “tale as old as time.”
Background on LockBit
This week’s adversaries are the actors responsible for running the LockBit (formerly ABCD) ransomware-as-a-service (RaaS) and their “affiliates,” a rather banal term for the folks that do the dirty work for RaaS operators. The gang operating the RaaS has been active since at least January 2020. In mid 2021 Cyborg Security observed the LockBit gang advertising a new variant of their ransomware offering dubbed LockBit 2.0. This new version offered a variety of new features, including an “infostealing” capability. This, of course, telegraphed LockBit’s intention to get into the ‘doxware’ game as a means of driving revenue.
Who isn’t these days?
LockBit 2.0 – What’s New?
The original LockBit ransomware was remarkably unremarkable. However, the developers appear to have been hard at work improving their current offering. New features include:
- TOR-based administrator panel;
- TOR-based communication with the victim using a chat room capable of push notifications;
- Automatic test decryptions;
- Automatic decryptor detection;
- A built-in port scanner, capable of detecting DFS, SMB, and WedDAV shares on local subnets;
- Automatic distribution throughout a domain at run-time without any additional scripts;
- Termination of specific services and processes which may interfere with the encryption process;
- Automated file permissions changes to avoid attributed which may prevent encryption;
- Deletion of Shadow Copies;
- Creation of hidden partitions;
- Evidence removal, including clearing of logs;
- Capable of windows or hidden operation mode;
- Capable of turning on systems on the network that are Wake-on-LAN enabled;
- Print out of ransom requirements on network printers; and
- Supports “all versions of Windows OS.”
The malware is robust, and the feature set is comparable to many of the top tier RaaS offerings on the black market these days.
Who Is Being Targeted by LockBit?
The current campaign appears to be opportunistic in nature. The operator or affiliate responsible for carrying out the attack is primarily leveraging a three-year-old vulnerability in Fortinet’s FortiOS and FortiProxy (CVE-2018-13379) to gain initial access. It should be noted though that the LockBit operators have previously sought affiliates with experience in targeting open RDP and other VPN solutions in the past. So, while the current campaign appears to target only a single vulnerability, it would be trivial for the affiliate to pivot their TTPs, and organizations should remain vigilant around other possible ingress points.
Despite this opportunistic targeting and unsophisticated nature of the initial exploit, however, the actors appear to have amassed quite a list of victims. Most notably, the consulting firm Accenture has publicly disclosed that they have been affected – though they claim no material impact by the campaign. Additionally, various organizations globally in the financial services, professional services, and energy sector have been impacted, if the adversary’s DLS is to be believed. Sadly, that is a lot of success for a three-year-old vulnerability. This attack also underscores the need for organizations to engage in proactive hunting in an environment because, as this campaign demonstrates, the status quo of traditional security controls isn’t working.
What Else Do We Know About the LockBit Campaign?
The campaign itself seems to have been ripped straight from the pages of the standard “RaaS Affiliate” playbook. As mentioned, the actors appear to be relying heavily (but perhaps not exclusively) on exploiting a nearly 3-year-old vulnerability (CVE-2018-13379) in both Fortinet’s FortiOS and FortiProxy software to establish initial access. Once they have successfully gained access to legitimate accounts, they begin to move laterally, unnoticed thanks to the valid accounts they gained access to, until they find their target and deploy the LockBit 2.0 payload. All-in-all, a very much vanilla – if one can use that term – campaign, but one that has been very successful, nonetheless.
Hunting for LockBit 2.0
The LockBit 2.0 actors are using very conventional TTPs for RaaS operators and affiliates, but they are being delivered with devastating efficiency. As was noted, the victims are not simple “mom and pop” shops, and likely had capable and robust tools for detecting threats in their environment.
However, as actors mature, it can become trivial to circumnavigate these defenses. Therefore, proactive threat hunting in the environment for the actors’ behaviors – and not simple IOCs – is crucial at enabling early detection for organizations. Cyborg Security has developed and engineered a variety of hunt packages related to the LockBit 2.0 adversaries’ behaviors. These packages are free for the community and available exclusively in the HUNTER platform!