In a bid to bolster cybersecurity measures across the nation, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a comprehensive advisory regarding the persistent threat of the LockBit 3.0 ransomware. This coordinated effort, announced on March 17, 2023, sheds light on the tactics, techniques, and procedures (TTPs) associated with this disruptive ransomware variant, as well as indicators of compromise (IOCs) that organizations should watch for.
The advisory highlights how LockBit has successfully infiltrated various sectors, gaining notoriety for its high-profile attacks. "LockBit has claimed credit for high-profile attacks, such as those against the U.K.’s Royal Mail and a Canadian hospital (it reportedly apologized for the latter)," stated the advisory. In the United States, the implications are particularly concerning, as LockBit is believed to have targeted several local and state government agencies, with notable incidents affecting two agencies in Pierce County, Washington, California’s Department of Finance, and the Housing Authority of the City of Los Angeles.
CISA and its partners explain that since January 2020, the operational model of LockBit has involved affiliates—malicious actors who implement the ransomware without developing it themselves. This strategic framework complicates effective defenses against the attacks. “Affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging,” the advisory highlights.

The core focus of the advisory is LockBit 3.0, also referred to as LockBit Black. This iteration is described as “more modular and evasive than ... previous versions.” The report draws parallels to previously established ransomware, stating, “LockBit 3.0 shares similarities with BlackMatter and BlackCat ransomware.” Such insights are vital for organizations looking to fortify their defenses against the ever-evolving threat landscape.
To help mitigate risks associated with LockBit 3.0, the advisory recommends several strategies focused on backup procedures and access control. Organizations are urged to practice restoring from backups and ensure that backup data is both encrypted and immutable. Furthermore, maintaining multiple copies of important data spread across physically separate and secure locations is crucial for effective recovery.
For access control, the advisory recommends making access privileges time-sensitive, granting higher-level access only for the duration needed to complete specific tasks. This precaution aims to minimize the window of vulnerability during which potential threats could infiltrate systems. Organizations should routinely check for unrecognized or new accounts across all components, including domain controllers, servers, workstations, and active directories. Regular audits of accounts possessing admin privileges complete the recommended safety measures.
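The three account checks described above (unrecognized accounts, admin rights with no time limit, and admin grants that have outlived their window) can be run together against an account inventory export. The sketch below is an added example, not code from the advisory; the record fields (`name`, `host`, `admin`, `admin_expires`), the baseline set, and all sample accounts are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the advisory): a baseline of approved
# account names (lowercase) and a current inventory export, one dict per account.
BASELINE = {"alice", "bob", "svc-backup"}
NOW = datetime(2023, 3, 17, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"name": "alice", "host": "DC01", "admin": True,
     "admin_expires": NOW + timedelta(hours=2)},   # time-boxed grant, still valid
    {"name": "bob", "host": "SRV02", "admin": True,
     "admin_expires": NOW - timedelta(days=3)},    # grant outlived its task
    {"name": "svc-backup", "host": "SRV02", "admin": True,
     "admin_expires": None},                       # standing admin, no expiry
    {"name": "helpdesk2", "host": "WS117", "admin": False,
     "admin_expires": None},                       # not in the baseline
]


def audit_accounts(inventory, baseline, now):
    """Return sorted (finding, account, host) tuples for accounts needing review."""
    findings = []
    for acct in inventory:
        name, host = acct["name"], acct["host"]
        # New or unrecognized account: absent from the approved baseline.
        if name.lower() not in baseline:
            findings.append(("unrecognized-account", name, host))
        if acct["admin"]:
            expires = acct["admin_expires"]
            if expires is None:
                # Admin rights that are not time-limited at all.
                findings.append(("standing-admin", name, host))
            elif expires <= now:
                # Elevated access still present after its window closed.
                findings.append(("expired-admin-grant", name, host))
    return sorted(findings)


if __name__ == "__main__":
    for finding, name, host in audit_accounts(INVENTORY, BASELINE, NOW):
        print(f"{finding:22} {name:12} {host}")
```
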
Impact and Legacy
The need for such proactive protocols has never been more evident, given the recent uptick in ransomware attacks. As organizations prepare to implement the specified recommendations, authorities stress the importance of staying informed about evolving cyber threats and the tactics of malicious actors. “Improving overall cyber defenses is essential in minimizing the impact of ransomware attacks,” the advisory concludes, underscoring a collective responsibility to uphold security measures against threats like LockBit 3.0.

Looking Ahead
As cybersecurity threats continue to evolve, organizations must stay vigilant and adaptive in their strategies. The collective partnership between CISA, the FBI, and MS-ISAC reflects a broader commitment to safeguarding digital landscapes, echoing the sentiment that defensive strategies and awareness will remain at the forefront of combating ransomware challenges in the future.


