Published: August 15, 2021
A new version of the LockBit 2.0 ransomware has been identified that automates the encryption of a Windows domain using Active Directory group policies. LockBit threat actors are actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks. If these components are in use, please review the mitigation guidance.
The LockBit variant exploits vulnerable Fortinet components to gain access. Once the threat actor gets into the network and gains control of the domain controller, they distribute the payload through group policies, disabling Microsoft Defender’s real-time protection (see the BleepingComputer report “LockBit ransomware now encrypts Windows domains using group policies” in the references).
Detection with Netsurion
- If your endpoints use Windows Defender, the alert “Microsoft Defender’s real-time protection disabled” will be generated when the threat actor tries to disable Microsoft Defender’s real-time protection.
Knowledge Objects
- Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint: Action taken on malware failed.
- Microsoft Defender for Endpoint: Deletion of malware from quarantine failed.
- Microsoft Defender for Endpoint: Malware detected.
- Microsoft Defender for Endpoint: Real-time protection disabled.
- Microsoft Defender for Endpoint: Suspicious behavior detected.
- The Netsurion Managed Open XDR alert “Possible Emotet Detected” will be triggered if connections to the remote host “Lockbitks2tvnmwk.onion” are observed at the sensor.
- If domain auditing is enabled to monitor group policies, the SOC will track the group policy creation events through reports.
- The following matching criteria are used by our Threat Hunting team when searching for PowerShell running suspicious commands. Once it controls the domain controller, the ransomware runs the following command to push the group policy update to all of the machines in the Windows domain:
powershell.exe -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"
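An added example (not Netsurion’s own detection content) of how the two hunting criteria above can be applied to a process-creation and Defender event feed: it matches the Get-ADComputer / Invoke-GPUpdate push chain and Windows Defender event ID 5001 (real-time protection disabled) over a few constructed, hypothetical log lines and reports which hosts each rule fired on.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample records (hypothetical): one event per line, flattened to
# key=value fields as a SIEM might export them. Hosts and paths are made up.
SAMPLE_EVENTS = [
    # LockBit-style push: enumerate every domain computer, force a GP refresh.
    "host=DC01 cmdline=powershell.exe -Command \"Get-ADComputer -filter * "
    "-Searchbase 'DC=corp,DC=local' | foreach{ Invoke-GPUpdate -computer "
    "$_.name -force -RandomDelayInMinutes 0}\"",
    "host=WS07 cmdline=cmd.exe /c gpupdate /force",
    "host=WS07 provider=Microsoft-Windows-Windows Defender eventid=5001 "
    "msg=Real-time protection is disabled.",
    "host=WS09 cmdline=powershell.exe Get-ADComputer -filter * | Select Name",
]

# Rule 1: the advisory's hunting pattern. Match on the cmdlet chain (enumerate
# all computers, pipe into Invoke-GPUpdate -force) rather than on the exact
# trailing arguments, so variants of the delay argument still fire.
RULE_GPUPDATE = re.compile(
    r"powershell(?:\.exe)?.*Get-ADComputer\s+-filter\s+\*.*\|\s*foreach"
    r".*Invoke-GPUpdate.*-force",
    re.IGNORECASE,
)
# Rule 2: Defender real-time protection turned off (operational log, ID 5001).
RULE_RTP_OFF = re.compile(
    r"provider=Microsoft-Windows-Windows Defender\s+eventid=5001", re.IGNORECASE
)
HOST = re.compile(r"\bhost=(\S+)")


def match_rules(line: str) -> List[str]:
    """Return the names of every rule that fires on a single log line."""
    hits = []
    if RULE_GPUPDATE.search(line):
        hits.append("lockbit_gpupdate_push")
    if RULE_RTP_OFF.search(line):
        hits.append("defender_realtime_disabled")
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each rule that fired to the sorted list of hosts it fired on."""
    hosts_by_rule = defaultdict(set)
    for line in lines:
        m = HOST.search(line)
        host = m.group(1) if m else "unknown"
        for rule in match_rules(line):
            hosts_by_rule[rule].add(host)
    return {rule: sorted(hosts) for rule, hosts in hosts_by_rule.items()}


if __name__ == "__main__":
    for rule, hosts in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {', '.join(hosts)}")
```

The plain gpupdate on WS07 and the read-only Get-ADComputer query on WS09 are deliberately left unmatched, since neither forces a policy refresh across the whole domain.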
Prevention with Netsurion
- The Netsurion Threat Center has been updated with available IOCs for LockBit. The Netsurion Windows sensor will terminate any known bad processes that are observed on managed systems at launch.
References
- https://www.darktrace.com/en/blog/lock-bit-ransomware-analysis-rapid-detonation-using-a-single-compromised-credential/
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
- https://socradar.io/the-story-of-lockbit-ransomware/
- https://www.davosnetworks.com/lockbit-ransomware-prevent-it-with-cynet
- https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-006-acsc-ransomware-profile-lockbit-20
- https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/