I. Targeted Entities

Enterprises and Government Organizations

II. Introduction

LockBit ransomware operators have deployed a new AV-bypass tool named “Warp AVKiller” in their latest campaigns, as identified by a trusted third party. This tool, derived from the Go-based Warp Stealer malware, is engineered to evade detection by security products. The attack methodology includes creating new user accounts through Windows Management Instrumentation (WMI), adding them to a local group, and configuring them in the Windows Autologon registry entry. This setup ensures that the new user accounts automatically log in upon system restart, initiating the execution of LockBit ransomware. The Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Homeland Security (DHS) urge immediate review and reinforcement of security protocols to counter this threat.
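The persistence chain described above (account created, added to a local group, wired into Winlogon autologon) leaves host-level artifacts that can be checked directly. The following PowerShell script is an added defensive example, not code from the advisory or from any vendor: it reads the Winlogon autologon values, pulls account-creation (4720) and local-group-addition (4732) events from the Security log, and flags any overlap between the three. The seven-day look-back window and the list of sensitive groups are assumptions to tune for your environment; run it in an elevated PowerShell 5.1+ session.

```powershell
# Added defensive example (not from the advisory): hunt for the persistence
# chain on a single host -- a local account created, added to a local group,
# and configured for Winlogon autologon so it signs in on reboot.
# Assumptions: elevated PowerShell 5.1+, readable Security log.
$ErrorActionPreference = 'Stop'
$lookbackDays    = 7                                       # assumed hunting window
$sensitiveGroups = @('Administrators', 'Remote Desktop Users')  # assumed list

# 1. Winlogon autologon values. AutoAdminLogon = 1 together with a stored
#    DefaultPassword is the configuration the advisory describes.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogonKey
$autologon = [pscustomobject]@{
    Enabled         = ($wl.AutoAdminLogon -eq '1')
    DefaultUserName = $wl.DefaultUserName
    DefaultDomain   = $wl.DefaultDomainName
    PasswordStored  = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
}

# 2. Security log: 4720 = user account created, 4732 = member added to a
#    security-enabled local group. Fields are read by name from the event XML
#    so the script does not depend on Properties[] ordering.
function Get-EventFields {
    param($Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}
$since  = (Get-Date).AddDays(-$lookbackDays)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
            -ErrorAction SilentlyContinue)

$created = foreach ($e in ($events | Where-Object Id -eq 4720)) {
    $f = Get-EventFields $e
    [pscustomobject]@{ Time = $e.TimeCreated; Account = $f['TargetUserName']; CreatedBy = $f['SubjectUserName'] }
}
$groupAdds = foreach ($e in ($events | Where-Object Id -eq 4732)) {
    $f = Get-EventFields $e
    # MemberName is often "-" in 4732; MemberSid is always populated.
    [pscustomobject]@{ Time = $e.TimeCreated; Member = $f['MemberName']; MemberSid = $f['MemberSid']
                       Group = $f['TargetUserName']; AddedBy = $f['SubjectUserName'] }
}

# 3. Correlate: autologon user that was recently created and/or now sits in a
#    sensitive local group is the full chain described in the advisory.
$findings = @()
if ($autologon.Enabled -and $autologon.PasswordStored) {
    $findings += "Autologon is enabled for '$($autologon.DefaultUserName)' with a stored password"
}
if ($autologon.DefaultUserName -and ($created.Account -contains $autologon.DefaultUserName)) {
    $findings += "Autologon account '$($autologon.DefaultUserName)' was created within the last $lookbackDays days"
}
foreach ($grp in $sensitiveGroups) {
    $members = @(Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue)
    foreach ($c in $created) {
        if ($members.Name -like "*\$($c.Account)") {
            $findings += "Account '$($c.Account)' created $($c.Time) by '$($c.CreatedBy)' is a member of '$grp'"
        }
    }
    if ($autologon.DefaultUserName -and ($members.Name -like "*\$($autologon.DefaultUserName)")) {
        $findings += "Autologon account '$($autologon.DefaultUserName)' is a member of '$grp'"
    }
}

# 4. Report. To attribute a creation to WMI, pivot on process-creation events
#    (4688) around the 4720 timestamp for the WMI provider host process.
$autologon | Format-List
$created   | Format-Table -AutoSize
$groupAdds | Format-Table -AutoSize
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No autologon/new-account chain found in the last $lookbackDays days." }
```

The Winlogon check on its own produces false positives on kiosks and lab machines where autologon is intentional; the correlation with a recently created account in a sensitive group is what makes the finding actionable. Because the script reads only local state, it is suitable for pushing to many hosts through your existing endpoint management tooling and collecting the warnings centrally.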

III. Additional Background Information

LockBit is a ransomware-as-a-service business that allows less technical users to purchase ready-made ransomware toolkits to launch their own cyberattacks. LockBit creates malware and licenses the code in exchange for a percentage of the ransoms paid.

Several sources, including CISA, say that LockBit was the most deployed ransomware variant across the world. LockBit ransomware is responsible for numerous cyberattacks worldwide. Initially detected in 2019, it has evolved through multiple versions, with LockBit 3.0 being the latest. This ransomware gains initial access via purchased credentials, unpatched vulnerabilities, or insider threats. It employs a double extortion tactic, encrypting data and threatening to release it unless the ransom is paid. LockBit targets mid-sized organizations, leveraging its Ransomware-as-a-Service model for widespread distribution.

In recent news, the LockBit ransomware group claimed to have breached the US Federal Reserve, stating that it had exfiltrated 33 TB of sensitive data, such as Americans’ banking secrets. The group added the Federal Reserve to its Tor data leak site and threatened to leak the stolen data on June 25, 2024. LockBit did exfiltrate 33 TB of sensitive data, but the victim was not the Federal Reserve. LockBit had targeted Evolve Bank & Trust, a US banking company. Evolve confirmed the breach, stating that the stolen data originated from this incident.

IV. Recommendations

  • Hash Blacklisting and Detection Updates:

Maintain an updated blacklist of known malicious file hashes associated with LockBit and other ransomware variants. Utilize threat intelligence feeds and security vendors’ databases to identify and block known malicious files at the network perimeter and endpoint levels. Additionally, ensure that antivirus and anti-malware solutions are configured to receive regular updates for detecting new ransomware variants and their associated hashes. Promptly apply these updates to enhance your organization’s ability to detect and prevent ransomware infections.
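As an added example of putting the hash blacklist into practice on a host (not code from the advisory or any vendor), the PowerShell script below hashes every file under a directory tree and reports any match against the SHA-256 indicators listed in section V of this advisory. The scan root and the output path are assumptions; point the root at download, temp and staging locations, or at a triage share of collected samples.

```powershell
# Added example (not from the advisory): sweep a directory tree for files whose
# SHA-256 matches the advisory's indicators. Hash values are copied from
# section V; $scanRoot and $reportPath are assumed and should be adjusted.
$scanRoot   = 'C:\Users'                        # assumed starting point
$reportPath = "$env:TEMP\lockbit-hash-hits.csv" # assumed output location

# Case-insensitive set: Get-FileHash returns upper-case hex, feeds vary.
$blocklist = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
@(
    '917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2',
    '15e41cdf319e6af83ea333ce11d1974100975174b3311c78fd9eaff126f2f166'
) | ForEach-Object { [void]$blocklist.Add($_) }

$scanned = 0
$hits = Get-ChildItem -Path $scanRoot -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $scanned++
        # Locked or unreadable files are skipped rather than aborting the sweep.
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and $blocklist.Contains($h.Hash)) {
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = $h.Hash.ToLower()
                SizeBytes = $_.Length
                LastWrite = $_.LastWriteTime
            }
        }
    }

if ($hits) {
    $hits | Export-Csv -Path $reportPath -NoTypeInformation
    $hits | Format-Table -AutoSize
    Write-Warning "$(@($hits).Count) blocklisted file(s) found in $scanned scanned; report at $reportPath"
} else {
    Write-Host "No blocklisted hashes found in $scanned files under $scanRoot"
}
```

A hash sweep only catches the exact binaries on the list, so it belongs alongside, not instead of, the signature and behavioural updates the recommendation describes; a recompiled or padded sample produces a different hash. Matches should be preserved rather than deleted so that incident responders can examine them.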

  • Regular Backup and Disaster Recovery Planning:

Maintain regular backups of critical data and systems, and store them securely, preferably off-site or in a cloud environment with strong encryption. Develop and periodically test a comprehensive disaster recovery plan that includes procedures for restoring data and services in a cyberattack.

  • Implement Advanced Threat Intelligence and Information Sharing:

Subscribe to and actively monitor threat intelligence feeds for the latest information on vulnerabilities and threats. Participate in industry and government cybersecurity information-sharing programs to stay informed about emerging threats and best practices.

  • Enhance Incident Response and Forensic Capabilities:

Develop and maintain a robust incident response plan that includes procedures for containment, eradication, and recovery. Ensure that forensic capabilities are available to investigate and understand the nature and scope of any breach, to improve defenses and prevent future incidents.

  • Manage Default Accounts on Enterprise Assets and Software:

Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

V. IOCs (Indicators of Compromise)

Type            Indicator
CVE             CVE-2024-1709
SHA-256 Hash    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA-256 Hash    15e41cdf319e6af83ea333ce11d1974100975174b3311c78fd9eaff126f2f166

VI. References

(1) Fox-Sowell, Sophia. “FBI obtains 7,000 LockBit ransomware decryption keys.” StateScoop, June 6, 2024. https://statescoop.com/fbi-obtains-7000-lockbit-ransomware-decryption-keys/#:~:text=LockBit%20creates%20malware%20and%20licenses,across%20the%20world%20in%202022

(2) “What Is LockBit Ransomware?” BlackBerry, 2021. https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/lockbit

(3) “LockBit ransomware – what you need to know.” Kaspersky, 2020. https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware

(4) Paganini, P. “LockBit claims the hack of the US Federal Reserve.” Security Affairs, June 24, 2024. https://statescoop.com/fbi-obtains-7000-lockbit-ransomware-decryption-keys/#:~:text=LockBit%20creates%20malware%20and%20licenses,across%20the%20world%20in%202022

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy and Nahyan Jamil.