The FBI issued a flash alert to help organizations block the cyberattacks by the LockBit group or at least restrict its action wherever and whenever spotted in a victim’s network.
Highlights from the flash alert
The agency provided indicators of compromise and technical details and IOCs related to the group’s attacks.
It noted that LockBit 2.0 is a heavily obfuscated ransomware application and decodes the necessary strings only after gaining administrative privileges. If the privilege isn’t enough, it simply escalates to the required one.
LockBit 2.0 actor deletes log files and shadow copies on the disks and deletes itself from the disk only after creating persistence at start-up.
The alert provide information on how LockBit ransomware works and disclosed that the ransomware comes with a hidden debug window activated during the infection process using the keyboard shortcut of SHIFT + F1.
When the debug window shows up, it provides real-time details on the encryption process and data destruction status.
The alert further asks security admins to share details on LockBit attacks targeting their firm’s networks to collectively fight against the threat. Meanwhile, authorities haven’t specified the exact reason behind issuing the alert.
LockBit 2.0 becomes a prominent threat
LockBit 2.0, which operates as ransomware-as-a-service (RaaS), has been active since September 2019.
The ransomware group has announced LockBit Linux-ESXi Locker version 1.0 at the underground forum known as RAMP. This version uses a combination of AES and ECC algorithms.
Recently, the LockBit 2.0 ransomware group claimed to have breached the French justice ministry and stolen data. The group threatened to leak stolen data if demands are not met.
Conclusion
The recent flash alert from the FBI may help organizations to protect themselves from the ongoing LockBit attacks. Additionally, sharing threat details may help the organization in better detection of the threat. Moreover, the flash alert provided defense tips to stay protected.