Unexpected FBI alert brings attention back to LockBit ransomware

FBI shares tips and tricks on how to prevent security breaches

FBI issues a warning about recent ransomware. A large share of data breaches stem from ransomware attacks; the FBI lists tips for avoiding them.

The Federal Bureau of Investigation (FBI) has shared details about LockBit 2.0 ransomware and the risks it poses to individuals and organizations alike. The information was released in the hope of helping users recognize serious attacks and breaches, and of preventing more high-level incidents. The recent alert may be connected to the Australian Cyber Security Centre (ACSC) warning of an increase in LockBit 2.0 ransomware attacks back in summer 2021.[1]

With the flash alert issued by the FBI Cyber Division, organizations and individuals should be better able to recognize LockBit 2.0 tactics. The alert also enlists the public's help: the FBI asks victims to share boundary logs showing communications to and from foreign IP addresses, sample ransom notes, communications with the threat actors, Bitcoin wallet information, decryptor files, and benign samples of encrypted files.

The alert makes several serious points about LockBit 2.0 actors and their capabilities. They use a variety of techniques to compromise networks, and the ransomware itself checks the language settings of the targeted system: if the language matches a set list of Eastern European languages, it aborts and exits without infecting the host.[2]

More caution and alertness are strongly advised

The FBI also went into detail about how exactly LockBit 2.0 works. The malware contains a hidden debug window that can be activated during the infection process with the SHIFT + F1 keyboard shortcut; it displays the encryption process in real time and the status of the data destruction. The more useful part of the alert, however, is its list of tips on how to protect yourself against ransomware.

The FBI strongly recommends using strong, unique passwords on all accounts and enabling multi-factor authentication wherever possible. It is also important to keep all systems and software up to date, to use a host-based firewall, and to enable protected files in the Windows operating system so that unauthorized processes cannot modify critical files or personal data on the device.

Admins should segment networks and implement time-based access for accounts, so that privileged membership expires automatically instead of lingering. Any suspicious activity should be investigated with a network monitoring tool. In all cases, backups should be maintained regularly, encrypted, and kept offline so they cannot be reached from a compromised network.[3] The FBI also reminds victims that paying the ransom is not advisable: even after payment, the threat actors can still leak the stolen data.
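The Windows-specific items on the FBI's list (host-based firewall with logging, protected files, and time-based access to privileged accounts) can be applied and then verified from a single elevated PowerShell session. The script below is an added example written for this article, not code from the FBI alert or from 2-Spyware. It interprets "protected files" as Microsoft Defender's Controlled Folder Access, which is an assumption about the alert's wording; the folder paths, backup tool path, domain name, group and user names are placeholders to replace with your own. The time-based membership step needs the Active Directory module and the forest-wide Privileged Access Management optional feature, which the script enables if it is missing.

```powershell
#Requires -RunAsAdministrator
# Added example for the FBI LockBit 2.0 mitigations (firewall, protected files, time-based access).
# Every path, name and domain below is a placeholder (assumption), not a value from the alert.

$ProtectedFolders = @('C:\Users\Public\Documents', 'D:\Finance')   # placeholder folders
$BackupTool       = 'C:\Program Files\BackupTool\backup.exe'        # placeholder backup agent
$Domain           = 'corp.example'                                   # placeholder forest name
$PrivilegedGroup  = 'Domain Admins'
$OnCallAdmin      = 'alice.admin'                                    # placeholder account
$AccessWindow     = New-TimeSpan -Hours 4                            # how long admin rights last

# 1. Host-based firewall on every profile: inbound blocked by default, blocked traffic logged.
#    The resulting log is exactly the kind of boundary log the FBI asks victims to preserve,
#    since it records which external IP addresses tried to reach the host.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. "Protected files": Controlled Folder Access stops untrusted processes, ransomware included,
#    from modifying files in the protected folders. Use AuditMode first on machines where you
#    still need to discover legitimate applications, then switch to Enabled as done here.
Set-MpPreference -EnableControlledFolderAccess Enabled
foreach ($folder in $ProtectedFolders) {
    if (Test-Path $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
}
# Allow the backup agent explicitly so scheduled backups keep working under the policy.
if (Test-Path $BackupTool) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $BackupTool
}

# 3. Time-based access: group membership that expires on its own, so a stolen admin credential
#    is only useful to an attacker inside the window. Requires the forest-wide PAM optional
#    feature, which cannot be disabled again once turned on.
Import-Module ActiveDirectory
$pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $Domain -Confirm:$false
}
Add-ADGroupMember -Identity $PrivilegedGroup -Members $OnCallAdmin -MemberTimeToLive $AccessWindow

# 4. Verify the resulting state rather than trusting that the commands took effect.
$fw  = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
$cfa = Get-MpPreference | Select-Object EnableControlledFolderAccess,
          ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
# With -ShowMemberTimeToLive, expiring members appear as "<TTL=seconds,DN>" entries.
$ttl = (Get-ADGroup -Identity $PrivilegedGroup -Properties member -ShowMemberTimeToLive).member |
          Where-Object { $_ -like '*TTL=*' }

$fw  | Format-Table -AutoSize
$cfa | Format-List
"Time-limited members of ${PrivilegedGroup}:"
$ttl
```

Controlled Folder Access only works while Microsoft Defender Antivirus real-time protection is active, so on hosts running a third-party antivirus the second step will have no effect and the equivalent feature of that product should be used instead. Enabling the Privileged Access Management feature is a one-way, forest-wide change, so step 3 belongs in a change window rather than in an ad hoc hardening run.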

New Linux and VMware ESXi variants could cause even further damage

LockBit ransomware[4] is malicious software designed to block user access to computer systems until a ransom is paid.[5] It typically scans for valuable targets automatically, spreads across the network, and encrypts every system it can reach. LockBit operators have made their mark by threatening organizations worldwide, and LockBit now has a reputation as one of the most evasive ransomware families.

LockBit recently released Linux and VMware ESXi variants, which means the ransomware can reach a wider range of servers and files.[6] Other ransomware groups such as REvil and DarkSide had already released Linux variants of their malware, so LockBit's move is no great surprise. It can, however, cause serious damage.

An ESXi host typically runs multiple VMs, each holding important data or services for an organization, so encrypting the host disrupts all of them at once. The Linux variant's ransom note also tries to recruit insiders, luring people into handing over corporate account credentials so the attackers can spread the ransomware further. Experts believe the ransomware is harder to detect on Linux, which leaves following all of the security guidelines as the main available protection.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
