FBI, HHS Warn of LockBit 2.0 Ransomware Indicators of Compromise

February 08, 2022 - The Federal Bureau of Investigation (FBI) released a flash alert in early February to alert potential victims to indicators of compromise (IOCs) associated with LockBit 2.0 ransomware. HHS warned that the affiliate-based Ransomware-as-a-Service (RaaS) group could pose a significant cyber threat to the healthcare sector, despite the group’s claims about not attacking healthcare organizations.

The cybercriminal group released LockBit 2.0 in June 2021, after launching the original version in September 2019.

“The actor appears to have a contradictory code of ethics, portraying a strong disdain for those who attack healthcare entities, while displaying conflicting evidence about whether he targets them himself,” HC3 stated in a previous brief.

As the group evolves rapidly, healthcare organizations should remain vigilant. Many ransomware groups continually target the healthcare, education, and finance sectors regardless of supposed ethics.

“LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits,” the FBI flash alert stated.

“After compromising a victim network, LockBit 2.0 actors use publicly available tools such as Mimikatz to escalate privileges. The threat actors then use both publicly available and custom tools to exfiltrate data followed by encryption using the LockBit malware. The actors always leave a ransom note in each affected directory within victim systems, which provides instructions on how to obtain the decryption software.”

In July 2021, LockBit 2.0 began abusing Active Directory group policies via an update to its program that allowed automatic encryption of devices across Windows domains. The group also created Linux-based malware to leverage VMWare ESXi virtual machine vulnerabilities.

“LockBit 2.0 is best described as a heavily obfuscated ransomware application leveraging bitwise operations to decode strings and load required modules to evade detection,” the flash alert continued.

“Upon launch, LockBit 2.0 decodes the necessary strings and code to import the required modules followed by determining if the process has administrative privileges. If privileges are not sufficient, it attempts to escalate to the required privileges.”

Next, LockBit 2.0 filters out user language settings and targets only those without Eastern European language settings. If the program detects Eastern European languages, it exits without infecting. LockBit 2.0 uses double extortion via StealBit malware and leverages group policy updates to encrypt networks.

The flash alert also included more technical descriptions of the various IOCs associated with LockBit 2.0 and a call to provide more information about the RaaS group as it arises.

“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the threat actors, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file,” the alert emphasized.

The FBI also noted that it strongly discourages paying ransoms in the event of a cyberattack. Paying a ransom does not guarantee the safe return of data and may incentivize bad actors to commit more crimes.

“However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers,” the alert continued.

All organizations, regardless of sector, should use strong passwords, enable multi-factor authentication, and keep operating systems up to date. Network segmentation, firewalls, and offline backups are essential to preparing, responding, and recovering from a ransomware attack.