LockBit V3.0 Ransomware Updated – 27 November 2023

Referring to EG-FinCIRT report ID 36/2023 “LockBit V3.0 Ransomware”, security researchers have detected that the LockBit V3.0 ransomware operation has recently increased its activity against Middle Eastern organizations.

LockBit V3.0 is a Windows ransomware program written in the C programming language. It operates under a ransomware-as-a-service (RaaS) model, meaning it is made available to different affiliates. The infection process therefore involves a range of tactics and tools, which vary depending on the affiliates taking part in a given attack.

The Recent Tactics and Techniques of LockBit Ransomware:

  • Initial Access:
    LockBit affiliates gain initial access through social engineering, such as deceptive emails and other communication channels, as well as through exposed RDP services and leaked credentials.
  • Impair Defenses: Disable or Modify Tools:
    The LockBit gang uses legitimate tools such as “TDSSKILLER.exe”, a Kaspersky utility, to terminate antivirus or EDR solutions. Threat actors usually modify and/or disable security tools to avoid detection of their malware, tools, and activities.
  • Discovery:
    o Security researchers report that the LockBit group uses the legitimate tool “netscan.exe”, owned by SoftPerfect, to perform reconnaissance of the target network; threat actors gather information about the victim’s network that can be used during targeting.
    o In recent incidents, threat actors have utilized the Neshta malware to perform activities such as file and directory discovery, querying registry, system information discovery, and checks for virtualization/sandbox evasion.
  • Collection:
    Recently, threat actors have leveraged the Neshta malware to take screen captures of the desktop and gather information throughout the operation. Screen-capture functionality may also be included as a feature of a remote access tool used in post-compromise operations.
  • Impact:
    In recent incidents, threat actors have used the Neshta malware to download the executable that encrypts the data and demands the ransom.

It should be highlighted that threat actors are using legitimate tools like TDSSKiller.exe to evade detection. Therefore, EG-FinCIRT strongly encourages administrators to closely monitor the usage of the mentioned tool. If it is not used in your environment, consider blocking the associated Indicators of Compromise (IOCs).
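One way to act on the monitoring advice above is to run process-creation telemetry (for example Sysmon Event ID 1 exported as JSON lines) through a small triage script that flags the two dual-use tools named in this advisory and rates each hit by whether the tool is sanctioned on that host. The script below is an added example, not EG-FinCIRT's code; the Sysmon field names are real, but the host allow-list, the log lines and the hash values are constructed placeholders. It matches on both the on-disk file name and the PE version-info OriginalFileName, since a renamed copy of a signed tool usually still carries its original name in the version resource.

```python
"""Flag process-creation events for the dual-use tools named in this advisory.

Added example, not EG-FinCIRT's code. Assumes process-creation telemetry
(e.g. Sysmon Event ID 1) exported as one JSON object per line with at least
the fields Image, OriginalFileName, Hashes, Computer and User. Field names
follow Sysmon's schema; all sample values below are constructed.
"""
import json
import ntpath
from typing import Optional

# Tools the advisory names as abused by LockBit affiliates. Both are
# legitimate, so the verdict depends on whether they are expected here.
WATCHED_TOOLS = {
    "tdsskiller.exe": "Kaspersky TDSSKiller (used to terminate AV/EDR)",
    "netscan.exe": "SoftPerfect Network Scanner (used for reconnaissance)",
}

# Hosts where a tool is sanctioned (assumed placeholders). An empty set means
# the tool is not expected anywhere, so every execution becomes a high alert.
APPROVED_HOSTS = {
    "tdsskiller.exe": set(),
    "netscan.exe": {"IT-ADMIN-01"},
}


def classify_event(event: dict) -> Optional[dict]:
    """Return an alert dict if the event is a watched tool, else None."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original_name = event.get("OriginalFileName", "").lower()
    tool = None
    for candidate in WATCHED_TOOLS:
        if image_name == candidate or original_name == candidate:
            tool = candidate
            break
    if tool is None:
        return None
    host = event.get("Computer", "")
    return {
        "tool": tool,
        "description": WATCHED_TOOLS[tool],
        "host": host,
        "user": event.get("User", ""),
        "image": event.get("Image", ""),
        "hashes": event.get("Hashes", ""),
        # True when the file on disk was renamed but the version info gave it away
        "renamed": image_name != tool,
        "severity": "info" if host in APPROVED_HOSTS[tool] else "high",
    }


def scan_log(lines) -> list:
    """Run classify_event over JSON lines, skipping blank or unparsable ones."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real IOCs): four process-creation events.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "FIN-WS-042", "User": "CORP\\jdoe", "Image": "C:\\Users\\Public\\tdsskiller.exe", "OriginalFileName": "tdsskiller.exe", "Hashes": "SHA256=PLACEHOLDER_HASH_1"}
{"EventID": 1, "Computer": "FIN-WS-042", "User": "CORP\\jdoe", "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "netscan.exe", "Hashes": "SHA256=PLACEHOLDER_HASH_2"}
{"EventID": 1, "Computer": "IT-ADMIN-01", "User": "CORP\\admin", "Image": "C:\\Tools\\netscan.exe", "OriginalFileName": "netscan.exe", "Hashes": "SHA256=PLACEHOLDER_HASH_3"}
{"EventID": 1, "Computer": "FIN-WS-007", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "Hashes": "SHA256=PLACEHOLDER_HASH_4"}
"""


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        where = ("renamed to " + a["image"]) if a["renamed"] else a["image"]
        print(f"[{a['severity'].upper()}] {a['host']} {a['user']} ran {a['tool']} "
              f"({where}) - {a['description']}")
```

On the constructed sample the script raises two high-severity alerts on the workstation (one of them for a renamed netscan copy), an informational hit on the approved admin host, and nothing for notepad. The hashes field is carried through so an analyst can compare a hit against the IOC list EG-FinCIRT distributes to constituents.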

Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s Constituents

Mitigations
  • Search for existing signs of the indicated IOCs in your environment.
  • Block IOCs at the organization’s security devices.
  • Enable machine learning, active adversary mitigations, and behavioral detection in endpoint security.
  • Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.
  • Develop and implement a patching policy and baseline configuration standards for the operating system.
  • Conduct cybersecurity awareness training for end-users.
  • Ensure anti-virus software and associated files are up to date.
  • Set up an alert for events in which the AV agent loses its connection to the management console (main panel).
  • Implement application whitelisting, which only allows systems to execute programs known and permitted by the organization’s security policy.
  • Back up your data to multiple backup destinations, including tape drives.
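The alerting mitigation for agents that lose contact with the console can be implemented as a simple check over the console's per-agent check-in export. The script below is an added example, not EG-FinCIRT's or any vendor's code; it assumes the console can export hostname, last check-in time and agent status as CSV (the column names, the 30-minute tolerance and the sample rows are all constructed). It flags an agent either when its check-in gap exceeds the tolerance or when it reports any status other than connected, which covers the case in this advisory where the agent is terminated rather than cleanly disconnected.

```python
"""Detect endpoint agents that have stopped checking in.

Added example, not EG-FinCIRT's code. Assumes an AV/EDR console export with
the columns hostname, last_checkin (ISO 8601 UTC) and agent_status. The
threshold and the sample export are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SILENCE_THRESHOLD = timedelta(minutes=30)  # assumed tolerable check-in gap

# Constructed sample export; the hostnames and times are not real.
SAMPLE_EXPORT = """hostname,last_checkin,agent_status
FIN-WS-042,2023-11-27T08:05:00Z,connected
FIN-WS-007,2023-11-27T09:58:00Z,connected
FIN-SRV-DB1,2023-11-27T09:20:00Z,protection_disabled
IT-ADMIN-01,2023-11-27T10:01:00Z,connected
"""

# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2023, 11, 27, 10, 5, tzinfo=timezone.utc)


def parse_export(text: str) -> list:
    """Parse the CSV export into rows with timezone-aware datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["last_checkin"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "hostname": row["hostname"],
            "last_checkin": ts.replace(tzinfo=timezone.utc),
            "agent_status": row["agent_status"].strip().lower(),
        })
    return rows


def find_silent_agents(rows: list, now: datetime,
                       threshold: timedelta = SILENCE_THRESHOLD) -> list:
    """Return one alert per agent that is overdue or not in 'connected' state.

    An agent killed on the endpoint stops sending heartbeats, so the gap
    check catches it even if the console never records a clean disconnect.
    """
    alerts = []
    for r in rows:
        gap = now - r["last_checkin"]
        reasons = []
        if gap > threshold:
            reasons.append(f"no check-in for {int(gap.total_seconds() // 60)} min")
        if r["agent_status"] != "connected":
            reasons.append(f"status={r['agent_status']}")
        if reasons:
            alerts.append({"hostname": r["hostname"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_silent_agents(parse_export(SAMPLE_EXPORT), NOW):
        print(f"ALERT {a['hostname']}: " + "; ".join(a["reasons"]))
```

Run against a scheduled export, the two alerting conditions surface the same host that a process-creation hit for TDSSKiller.exe would point at, which is why the two checks belong in the same triage queue.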

References

Egyptian Financial Computing Incident Response Team (EG-FinCIRT).