Cybersecurity Threat Advisory: New LockBit Ransomware Threat
Posted on November 30, 2022 by Mike Beagles
A new critical security alert requires the mission-critical community’s immediate attention, and this one is regarding LockBit ransomware, which has become the prominent ransomware group based on its high volume of attacks in recent months.
An increase in LockBit ransomware tactics, techniques, and procedures is being monitored. LockBit ransomware is malicious software designed to block user access to computer systems in exchange for a ransom payment. The ransomware automatically will scan for valuable targets, spread the infection, and encrypt all accessible computer systems on a network. This ransomware is used for highly targeted attacks against enterprises and other organizations.
What Is the Threat?
Initial access sourcing from Remote Desktop Protocol (RDP) has been observed due to the protocol being exposed to the internet. After using RDP to connect to the server, LockBit has been seen dropping its toolset into the compromised users’ music folder.
This toolset included the following:
- [1-9].exe (example, 1.exe)
- Luciroot new.exe
This threat could relate to the recent leak of the LockBit 3.0 builder via Twitter on September 21, 2022. With this leak, the group may adopt other tools and tactics.
What Are the Recommendations?
MCP’s cybersecurity team recommends the following steps:
- Ensure that RDP ports are not exposed to the internet; instead, implement a virtual private network (VPN) appliance with multifactor authentication (MFA).
- Ensure that “least privilege” is adopted for both domain and local users.
- Audit current users to ensure that administrative rights are not given to users that do not require them.
- Block the listed filenames in your organization’s antivirus and endpoint detection and response solutions.
- Do not rely on nonstandard ports for proper mitigation of RDP manipulation.
Also, hunting for indicators of compromise is highly recommended. This can be done by querying local users’ music folders on devices that utilize RDP to expose suspicious binaries.
If you are looking for guidance, please don't hesitate to reach out. MCP offers a comprehensive cybersecurity solutions suite for critical infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.