FBI releases Lockbit 2.0 ransomware-as-a-service IoCs

The Federal Bureau of Investigation (FBI) has released new Indicators of Compromise (IoC) details on Lockbit ransomware-as-a-service (RaaS).

According to the FBI, LockBit 2.0 operates as a RaaS and poses a “significant challenge for defense
and mitigation.”

“After compromising a victim network, LockBit 2.0 actors use publicly available tools such as
Mimikatz to escalate privileges. The threat actors then use both publicly available and custom
tools to exfiltrate data followed by encryption using the Lockbit malware. The actors always
leave a ransom note in each affected directory within victim systems, which provides
instructions on how to obtain the decryption software. The ransom note also threatens to leak
exfiltrated victim data on the LockBit 2.0 leak site and demands a ransom to avoid these
actions,” the FBI stated in an a Flash Alert February 4, 2022.

Last July, LockBit 2.0 added a feature to automatically encrypt Windows domain-joined devices by abusing Active Directory group policies. LockBit 2.0 also developed Linux-based malware used to target vulnerable VMWare ESXi virtual machines.

Readers may recall earlier this month when another RaaS dubbed “BlackCat” (also known as ALPHV) was discovered actively recruiting affiliates from other ransomware groups to target organizations around the globe.

Varonis Threat Labs discovered the RaaS service had been on the attack since late 2021 and had been recruiting other ransomware groups, such as ex-REvilBlackMatter, and DarkSide,

A full list of Indicators of Compromise (IoC) with details on LockBit 2.0 and related Stealbit malware were included in the FBI report.