The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory (CSA) titled #StopRansomware: LockBit 3.0.
The advisory details Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations in recent months.
Among the most relevant information, extracted directly from the advisory, we can find:
- "It will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time." If one of the excluded languages is detected, LockBit 3.0 stops execution without infecting the system. Note the caveat in the quote itself: the check is enabled by a compile-time flag, so a given build may not perform it at all, and the system language must not be relied on as a protection.
The languages include, but are not limited to:
Signature-based detection may not work, because the "executable's encrypted portion will vary based on the cryptographic key used for encryption while also generating a unique hash". In practice this means a file-hash IoC only matches the specific sample it was taken from, so detection also has to rely on the malware's behaviour.
After the initial access, execution and infection phases, in the exfiltration phase the advisory indicates that "LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well. The URLs are as follows:"
NOTE: We highly recommend reviewing the IoC list shared in the advisory and adding the corresponding rules to detect the malware's behaviour.
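Because the encryptor's hash differs from sample to sample, a useful complement to hash-based IoCs is a behavioural rule on the exfiltration step. The script below is an added example written for this post, not code from the advisory: it scans web-proxy log lines for upload traffic (POST/PUT) to a watchlist of public file-sharing hosts and raises an alert when a single source pushes more than a threshold number of bytes to one of them. The log format, the hosts on the watchlist (`fileshare.example`, `anon-upload.example`) and the log lines themselves are constructed for the example; in production the watchlist should be populated from the hosts of the URLs listed in the advisory and the format adapted to your proxy.

```python
"""Behavioural detection of bulk uploads to public file-sharing services.

Added example for this post (not from the CISA advisory). The log format,
watchlist hosts and sample log lines below are all constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical watchlist of file-sharing hosts. Populate this from the
# exfiltration URLs listed in the advisory; subdomains of a listed host match too.
EXFIL_HOSTS = {"fileshare.example", "anon-upload.example"}

# Constructed proxy log lines in an assumed format:
#   <timestamp> <src_ip> <method> <url> <status> <bytes_sent>
SAMPLE_LOGS = """\
2023-03-16T01:12:03Z 10.0.5.21 GET https://intranet.corp.example/index.html 200 512
2023-03-16T01:13:41Z 10.0.5.21 POST https://fileshare.example/api/upload 200 734003200
2023-03-16T01:14:02Z 10.0.5.21 POST https://cdn.fileshare.example/api/upload 200 812000000
2023-03-16T01:15:10Z 10.0.5.33 GET https://fileshare.example/d/abc123 200 2048
2023-03-16T01:16:22Z 10.0.5.40 POST https://anon-upload.example/upload 200 120000000
2023-03-16T01:17:00Z 10.0.5.21 POST https://crm.corp.example/save 200 4096
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


@dataclass(frozen=True)
class Alert:
    src_ip: str
    host: str
    bytes_sent: int
    uploads: int


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, sent = m.groups()
    return {
        "ts": ts,
        "src": src,
        "method": method.upper(),
        "host": (urlsplit(url).hostname or "").lower(),
        "status": int(status),
        "bytes": int(sent),
    }


def on_watchlist(host, watchlist):
    """True if host equals a watchlisted host or is a subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in watchlist)


def find_exfil(lines, watchlist=EXFIL_HOSTS, min_bytes=100_000_000):
    """Aggregate upload bytes per (source IP, watchlisted host) and alert above min_bytes.

    Only upload methods count; downloads (GET) from the same services are
    ignored because they are common legitimate traffic. Subdomains are
    collapsed onto the watchlisted parent so split uploads are still summed.
    """
    totals = defaultdict(lambda: [0, 0])  # (src, host) -> [bytes, upload count]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        parent = next((w for w in watchlist
                       if rec["host"] == w or rec["host"].endswith("." + w)), None)
        if parent is None:
            continue
        entry = totals[(rec["src"], parent)]
        entry[0] += rec["bytes"]
        entry[1] += 1
    return [Alert(src, host, b, n)
            for (src, host), (b, n) in sorted(totals.items()) if b >= min_bytes]


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {alert.src_ip} uploaded {alert.bytes_sent} bytes "
              f"in {alert.uploads} request(s) to {alert.host}")
```

The threshold is deliberately a parameter: a single large upload is not proof of exfiltration, so the alert should feed an investigation of the source host (new processes, recent credential use, other hosts it touched) rather than block on its own. Pair the rule with the advisory's IoCs, since the behaviour is the part of the attack chain that does not change with every rebuilt sample.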
The advisory also recommends mitigations to improve an organization's cybersecurity posture against LockBit 3.0 specifically.
Some of the most relevant mitigations indicated in the advisory are:
- Implement a recovery plan.
- Store credentials as salted hashes (the advisory phrases this as adding password user "salts" to shared login credentials), so a leaked credential store cannot be attacked with precomputed hashes.
- Keep all operating systems, software, and firmware up to date.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
- Configure access controls according to the principle of least privilege.
- Disable command-line and scripting activities and permissions where they are not needed.
All of these approaches, and the others mentioned in the advisory, are critical for hindering an infection, detecting it early, and preventing it from spreading to other systems on your network.
Here at Ceramet Services, we can help you reach these objectives and make your systems and network more secure. Feel free to contact us at any time.