AdvisoriesCISAAA23-075AMarch 16, 2023
March 16, 2023
This joint cybersecurity advisory by the FBI, CISA, and the MS-ISAC aims to share information about the LockBit 3.0 ransomware, including indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations as of March 2023. LockBit 3.0 operates as a Ransomware-as-a-Service (RaaS) model, building upon previous versions of the ransomware. Since January 2020, LockBit has been used by various affiliates, employing different TTPs and targeting a wide range of businesses and critical infrastructure organizations, spreading across many industries. This diversity of attacks makes defending against and mitigating the ransomware challenging.
March 16, 2023
There are many Ransomware-as-a-Service models in existence, LockBit being one of the more prevalent. All models use the same tactics: locate files to encrypt, create an encryption key, encrypt and/or exfiltrate the files, remove backups, notify the device user of the ransomware and provide a demand (usually money). Each model adjusts the levers on these tactics to fly under the radar of defensive agents. For example, LockBit is particularly interesting because it encrypts only the first 4,000 bytes of each file versus the entire file. However, it is untenable to protect against each variant of each model through one-off behavior matching. Instead, aim to continuously test the ransomware protection provided by your EDR by sending it various samples from different models. Ransomware is impossible to pull off (in the traditional sense) on “secure by design” operating systems, so wherever possible switch from workstations and servers to iPads, Chromebooks and containers.
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
