FBI, CISA Issue LockBit 3.0 Ransomware Security Advisory

The FBI and two other US government agencies recently released a security advisory analyzing LockBit 3.0’s infamous ransomware operation as part of an ongoing #StopRansomware campaign.

The FBI jointly released the advisory with the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

It includes tactics, techniques and procedures (TTPs), indicators of compromise (IOCs), details of the ransomware’s capabilities, mitigation advice, and tips on sharing valuable information with the authorities.

“The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit,” reads the detailed report. “Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.”

After providing background on the group’s malicious operations, the report delves into technical details, outlining the nature of the ransomware, the way it spreads, and how it achieves persistence.

The document describes LockBit’s third iteration of its ransomware-as-a-service (RaaS) as “more modular and evasive than its previous versions,” and says it shares certain features with Blackcat and Blackmatter ransomware.

LockBit 3.0’s elusive design helps it avoid detection by removing itself from the disk after infection and relaying encrypted host- and bot-related data to its command and control (C2) servers.

Furthermore, its operators seem to have an agenda, as the malware avoids infecting machines that use specific language settings, including Arabic (Syria), Romanian (Moldova), and Tatar (Russia).

To avoid falling prey to vicious ransomware campaigns such as LockBit 3.0, you should take the following precautions:

• Enforce strong password policies such as avoiding password recycling, adding password user “salts,” and locking accounts upon detecting multiple failed login attempts
• Enable phishing-resistant multi-factor authentication (MFA)
• Segment networks to prevent lateral malware movement
• Disable unused ports
• Disable privileges for command-line and scripting operations
• Keep cold (offline) backups, encrypt them and maintain them regularly

Specialized software such as Bitdefender Ultimate Security can help you deter ransomware attacks thanks to its comprehensive list of features, including:

• Multi-layer ransomware protection that keeps your documents, photos, videos, and music safe from ransomware attacks
• All-around, continuous monitoring and protection from ransomware, viruses, Trojans, worms, spyware, rootkits, and zero-day exploits
• Network threat prevention module that detects and blocks suspicious network-level activities, including brute forcing, botnet-related URLs, and sophisticated exploits
• Behavioral detection technology that closely monitors active apps and takes instant action upon detecting suspicious activity