MCP Insights

Cybersecurity Threat Advisory: New LockBit Ransomware Threat

Posted on November 30, 2022 by Mike Beagles

A new critical security alert requires the mission-critical community’s immediate attention, and this one is regarding LockBit ransomware, which has become the prominent ransomware group based on its high volume of attacks in recent months.

Advisory Overview

An increase in LockBit ransomware tactics, techniques, and procedures is being monitored. LockBit ransomware is malicious software designed to block user access to computer systems in exchange for a ransom payment. The ransomware automatically will scan for valuable targets, spread the infection, and encrypt all accessible computer systems on a network. This ransomware is used for highly targeted attacks against enterprises and other organizations.

What Is the Threat?

Initial access sourcing from Remote Desktop Protocol (RDP) has been observed due to the protocol being exposed to the internet. After using RDP to connect to the server, LockBit has been seen dropping its toolset into the compromised users’ music folder.

This toolset included the following:

  • [1-9].exe (example, 1.exe) 
  • exe 
  • YDArk-master.exe 
  • exe 
  • exe 
  • Luciroot new.exe 
  • exe 

This threat could relate to the recent leak of the LockBit 3.0 builder via Twitter on September 21, 2022. With this leak, the group may adopt other tools and tactics. 

What Are the Recommendations?

MCP’s cybersecurity team recommends the following steps:

  • Ensure that RDP ports are not exposed to the internet; instead, implement a virtual private network (VPN) appliance with multifactor authentication (MFA). 
  • Ensure that “least privilege” is adopted for both domain and local users.
  • Audit current users to ensure that administrative rights are not given to users that do not require them. 
  • Block the listed filenames in your organization’s antivirus and endpoint detection and response solutions. 
  • Do not rely on nonstandard ports for proper mitigation of RDP manipulation. 

Also, hunting for indicators of compromise is highly recommended. This can be done by querying local users’ music folders on devices that utilize RDP to expose suspicious binaries. 

If you are looking for guidance, please don't hesitate to reach out. MCP offers a comprehensive cybersecurity solutions suite for critical infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.

Related Posts

Cybersecurity Threat Advisory Update: LockBit Ransomware Threat (July 2022)

Cybersecurity Threat Advisory Update: LockBit Ransomware Threat (August 2021)

Topics: Cybersecurity

    Subscribe to Newsletter

    Icon

    Let's Talk

    How can we support your mission? From design and procurement to building and management, our national team of experts is here to help…because the mission matters.

    Get In Touch

    Mission Critical Partners

    A: 690 Grays Woods Blvd., Port Matilda, PA 16870
    P: 888.862.7911

    twitter-x-footer facebook_icon linkedin_icon

    Newsletter

    Click the button below to sign up for our newsletter.

    SIGN UP
    Navigation

    ©2024 All Rights Reserved

    NENA 911   APCO International   iCERT

    Privacy Policy  |  Terms & Conditions