Indicators of Compromise Associated with LockBit 2.0 Ransomware

Summary:

LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits.

After compromising a victim network, LockBit 2.0 ransomware actors use publicly available tools such as Mimikatz to escalate privileges. The threat actors then use publicly available and custom tools to exfiltrate data, and then encrypt it using the LockBit malware. The actors always leave a ransom note in each affected directory on victimized systems, which provides instructions on how to obtain the decryption software. The ransom note also threatens to leak the exfiltrated victim data on the LockBit 2.0 leak site and demands a ransom payment to prevent this.

In July 2021, LockBit 2.0 released an update that introduced automatic device encryption on Windows domains by abusing Active Directory Group Policies. In August 2021, LockBit 2.0 began advertising for insiders to establish initial access to the networks of potential victims, while promising a portion of the proceeds from a successful attack. LockBit 2.0 also developed a Linux-based malware that takes advantage of vulnerabilities in VMware ESXi virtual machines.

Technical Details

LockBit 2.0 is best described as a heavily obfuscated ransomware application that uses bitwise operations to decode strings and load the required modules in order to evade detection. Upon launch, LockBit 2.0 decodes the strings and code needed to import the required modules, then determines whether the process has administrative privileges. If its privileges are insufficient, it attempts to escalate to the required level. LockBit 2.0 then determines the system and user language settings and only targets systems whose settings do not match a set list of Eastern European languages. If an Eastern European language is detected, the program exits without infecting the system. As infection begins, LockBit 2.0 deletes log files and shadow copies residing on disk.

LockBit 2.0 enumerates system information including hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. LockBit 2.0 attempts to encrypt all data stored on any local or remote device, but skips files associated with core system functions. Once complete, LockBit 2.0 removes itself from disk and persists at startup.

Prior to encryption, LockBit 2.0 affiliates primarily use the Stealbit application, obtained directly from the LockBit panel, to exfiltrate specific file types. The desired file types can be configured by the affiliate to tailor the attack to the victim. The affiliate configures the application to target a desired file path and, upon execution, the tool copies the files to an attacker-controlled server over HTTP. Due to the nature of the affiliate model, some attackers use commercially available tools such as rclone and MEGAsync to achieve the same result. LockBit 2.0 actors often use publicly available file-sharing services, including privatlab[.]net, anonfiles[.]com, sendspace[.]com, fex[.]net, transfer[.]sh, and send.exploit[.]in. While some of these applications and services may support legitimate purposes, they can also be used by threat actors to aid in system compromise or exploration of an enterprise network.
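As an added detection example (not part of the advisory), the following Python script refangs the file-sharing domains listed above and flags large outbound uploads to them in web proxy logs. The log format and the log lines are constructed for this example; the byte threshold is an assumed tuning value.

```python
import re
from urllib.parse import urlsplit

# Exfiltration services named in the advisory, in their defanged form.
EXFIL_SERVICES_DEFANGED = [
    "privatlab[.]net", "anonfiles[.]com", "sendspace[.]com",
    "fex[.]net", "transfer[.]sh", "send.exploit[.]in",
]

def refang(indicator):
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

EXFIL_SERVICES = {refang(d) for d in EXFIL_SERVICES_DEFANGED}

def host_matches(host, watchlist):
    """Return the watchlist domain that host equals or is a subdomain of, else None.
    The leading dot guards against lookalikes such as example-anonfiles.com."""
    host = host.lower().rstrip(".")
    for domain in watchlist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

# Assumed (constructed) proxy log format: "<timestamp> <src_ip> <method> <url> <bytes_out>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def find_exfil_candidates(log_lines, min_bytes_out=1_000_000):
    """Flag upload-style requests to listed services that exceed min_bytes_out."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, method, url, bytes_out = m.groups()
        host = urlsplit(url).hostname or ""
        matched = host_matches(host, EXFIL_SERVICES)
        if matched and method in ("POST", "PUT") and int(bytes_out) >= min_bytes_out:
            hits.append({"ts": ts, "src": src, "service": matched,
                         "bytes_out": int(bytes_out)})
    return hits

# Constructed sample log: two uploads to listed services, one benign fetch, one lookalike.
SAMPLE_LOG = [
    "2021-08-12T03:14:07Z 10.0.5.23 POST https://api.anonfiles.com/upload 48211993",
    "2021-08-12T03:15:41Z 10.0.5.23 PUT https://transfer.sh/finance-q2.7z 921004812",
    "2021-08-12T03:16:02Z 10.0.7.9 GET https://www.example.com/ 1532",
    "2021-08-12T03:16:30Z 10.0.5.23 POST https://example-anonfiles.com/x 5000000",
]

if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG):
        print(hit)
```

Matching on the registered domain plus subdomains is what catches hosts such as api.anonfiles.com; in production the watchlist should be loaded from a maintained indicator feed rather than hard-coded.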