Ransomware attacks have been a growing threat to the Pakistani business and industry for a number of years — and recent research has shown they are increasing in prevalence during the COVID-19 pandemic. According to reports, more than 100 Pakistani businesses experienced a ransomware attack in the past 12 months with the figure rising among medium and large organisations respectively. While 58% of these SMEs are reported to pay ransoms.

With remote communication now the norm rather than the exception, phishing emails have emerged as one of the most popular exploits for delivering ransomware payloads to users. However, phishing emails are far from the totality of threats facing users and the reasons why Ransomware attacks in Pakistan are rising are multifaceted. In this blog post, we are going to look at the DNA of ransomware variant LockBit 3.0, and how to mitigate it.

A wide perimeter is an attacker’s dream

Traditionally when targeting mid-sized businesses, ransomware attacks are motivated by profit. After encrypting the target’s files (or filesystem), attackers hold the documents for ransom until it is paid, typically by cryptocurrency which allows the attackers to remain anonymous and evade prosecution. 

For attackers, targeting centralised resources – like major on-premise systems – made the most sense as targeting the most valuable information could warrant the highest ransom payment. The potential payback from one successful breach could be massive, although equally cybersecurity defence teams had relatively few entry points into the network to focus on securing. The stakes, for both parties, were higher.

Today, with more workers than ever before operating remotely the security perimeter has shifted from the office to every worker’s home network. While company-supplied devices such as laptops can be secured, unlike the office environment, cybersecurity teams typically have no control over firewalls or application security controls on the devices in the remote worker’s network, particularly if they are using personal devices for work. Thus, the attack surface and vulnerability has increased at both the application and network layers. 

The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.

LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.

LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise).

If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware. The password is a cryptographic key which decodes the LockBit 3.0 executable. By protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis with the code being unexecutable and unreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable as the executable’s encrypted potion will vary based on the cryptographic key used for encryption while also generating a unique hash. When provided the correct password, LockBit 3.0 will decrypt the main component, continue to decrypt or decompress its code, and execute the ransomware.

INITIAL ACCESS

Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

EXECUTION AND INFECTION PROCESS

During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges. LockBit 3.0 performs functions such as:

• Enumerating system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices
• Terminating processes and services
• Launching commands
• Enabling automatic logon for persistence and privilege escalation
• Deleting log files, files in the recycle bin folder, and shadow copies residing on disk

LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt data saved to any local or remote device, but skips files associated with core system functions.

MITIGATIONS

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies.
• Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.
• Store passwords in hashed format using industry-recognized password managers
• Add password user “salts” to shared login credentials
• Avoid reusing passwords
• Implement multiple failed login attempt account lockouts.
• Disable password “hints”
• Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
• Require administrator credentials to install software
• Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
• Disable unused ports.
• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.
• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
• Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

Don’t Deal With Hackers

Most people have never dealt with a cyber criminal and we would never recommend doing so without professional help. Negotiating with them directly can often make situations worse and also compromise your security.  Bitcoins are required to pay the ransoms and can be difficult to obtain. Should paying the ransom be the last resort, please seek an experienced ransomware removal expert and consultant in Pakistan to deal with the cyber attacker and recover your data on your behalf.

Knowledge is key

Staying one step ahead in today’s multifaceted threat landscape requires an awareness of emerging attack strategies and attackers’ “best practices.” Threat intelligence, in particular, can provide cyber security and IT managers with the advance knowledge of which company systems might be targeted by attackers and which vulnerabilities need to be patched before it is too late.  

Additionally, vulnerability scanning and penetration testing can help businesses audit the safety of their existing systems and detect potential malicious code or files that have already been injected onto systems. Once identified they can be safely quarantined. 

Both these elements (threat intelligence and retrospective knowledge) can help IT administrators to set down more effective guidelines designed to help remote users keep critical business systems safe, and should be part of a baseline set of security practices rolled out throughout the business. 

Note : The Tier3 does not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

To discuss your cyber security provision in detail contact one of our Tier 3 Cyber Security Consultants by contacting us.