{"id":12062,"date":"2022-03-23T02:41:10","date_gmt":"2022-03-23T09:41:10","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=12062"},"modified":"2023-04-19T04:22:51","modified_gmt":"2023-04-19T11:22:51","slug":"all-about-lockbit-ransomware","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/all-about-lockbit-ransomware\/","title":{"rendered":"All About LockBit Ransomware"},"content":{"rendered":"\t\t
Originally Published: Sept 29, 2022
LockBit ransomware is one of the few ransomware groups employing self-spreading malware technology and double encryption. After its recent attacks on the Italian Revenue Agency and digital security giant Entrust, LockBit has only gained momentum to hunt for its next victim. Read on to learn how to protect your network from LockBit attacks.

One of the most prolific ransomware groups in recent times, LockBit ransomware began its spree of attacks in September 2019. The group is financially motivated and does not shy away from going after bigger, high-profile enterprises and companies.

LockBit is known for many of its unique characteristics: sophisticated technology, triple extortion, heavy marketing to affiliates, and high-severity cyberattacks. LockBit's attack presence is seen globally, with intermediate breaks during which their ransomware technology receives superior upgrades. Their recent attack strategy and frequency make LockBit a formidable predator and determined adversary in the cyber realm.

In This Blog:
  • LockBit Cheat Sheet
    • CVEs
    • Recent Attacks
    • New Variants
  • How Does LockBit Attack (MITRE ATT&CK – TTPs)?
  • How Dangerous is LockBit?
  • How Can You Detect LockBit in Your Environment (IOCs)?
  • What Can Organizations Do to Prevent a LockBit Attack?

LockBit: A Cheat Sheet
LockBit is available as Ransomware-as-a-Service (RaaS); affiliates carry out attacks for hire and split the funds between the LockBit developer team and other affiliates.

CVEs
The following CVEs are exploited by the LockBit ransomware gang:

CVE-2018-13379 [WebApp Exploit]

  • CVE-2018-13379 is a vulnerability in FortiOS and is caused by a path traversal error. Several Advanced Persistent Threat (APT) groups have used this vulnerability to deploy the following ransomware: Pay2Key, Conti, LockBit, Apostle, and Cring.

  • There are five known exploits for CVE-2018-13379 that can be used to exploit web applications. As it is an old CVE, more functional exploits are likely to be developed, allowing attackers to wage powerful attacks.

CVE-2021-22986 [RCE/PE, WebApp Exploit]

  • CVE-2021-22986 is a critical unauthenticated, remote command execution vulnerability in F5's BIG-IP.

  • It is rated critical with a CVSS v3 severity score of 9.8.

  • It is an RCE, PE, and web app vulnerability with three known exploits, which makes it very dangerous.

  • TA505, the Russian threat actor group, also known as Hive0065, has been using the LockBit ransomware payload in its attacks.

CVE-2021-36942

  • CVE-2021-36942 is a medium-severity Microsoft Windows Server vulnerability.

  • It has a CVSS v3 severity score of 5.30.

  • This vulnerability is exploited by both the LockBit and LockFile ransomware groups.

CVE-2020-0787 [RCE, PE, WebApp]

  • This is a Windows Background Intelligent Transfer Service (BITS) vulnerability.

  • It is given a CVSS rating of 7.80 and is a high-severity vulnerability.

  • It is classified as an RCE, PE, and web app exploit. Conti and LockBit ransomware groups use it to gain initial access.

CVE-2022-36537

  • CVE-2022-36537 is a critical remote code execution (RCE) vulnerability that affects the Java "ZK" Ajax web application framework.

  • More than 5,000 exposed server manager backup instances are affected by this vulnerability, which could expose companies to supply chain risks.

CVE-2021-20028

  • CVE-2021-20028 is a critical vulnerability affecting SonicWall products.

  • It is caused by CWE-89, Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).

  • It has a CVSS rating of 9.80.

CVE-2021-34473 [RCE, PE, WebApp, Other]

  • This is a Microsoft Exchange Server remote code execution vulnerability.

  • It is exploited by ChamelGang, TR, Bronze Starlight, Tropical Scorpius, DEV-0270, OilRig, and LookBack APT groups.

  • Twelve ransomware groups also exploit this vulnerability.

CVE-2021-34523 [RCE, PE, WebApp, Other]

  • CVE-2021-34523 affects five Microsoft Exchange products.

  • It is a critical-severity vulnerability with a 9.8 CVSS rating.

  • The vulnerability is exploited by Conti, LockBit 2.0, Hive, BianLian, AvosLocker, BlackCat, LockFile, Cuba, Karma, LV, BlackByte, and Babuk ransomware groups.

CVE-2021-31207 [RCE, PE, WebApp, Other]

  • CVE-2021-31207 is a Microsoft Exchange Server security feature bypass vulnerability.

  • It is also part of the ProxyShell vulnerabilities (CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207).

  • It is currently exploited by the Hive ransomware group.

  • CISA alerted organizations of this vulnerability in the #StopRansomware campaign.