Published: August 15, 2021

A new version of the LockBit 2.0 ransomware has been identified that automates the encryption of a Windows domain using Active Directory group policies. LockBit threat actors are actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks. If these components are in use, please review the mitigation guidance.

The LockBit variant exploits vulnerable Fortinet components to gain access. Once the threat actor gets into the network and gains control of the domain controller, they distribute the payload through group policies - disabling Microsoft Defender's real-time protection (LockBit ransomware now encrypts Windows domains using group policies).

Detection with Netsurion’s EventTracker

  1. If your endpoints use Windows Defender, the alert, “Microsoft Defender's real-time protection disabled”, will be generated when the threat actor tries to disable Microsoft Defender’s real-time protection.

    Knowledge Objects

    • Microsoft Defender for Endpoint

    Alerts

    • Microsoft Defender for Endpoint: Action taken on malware failed.
    • Microsoft Defender for Endpoint: Deletion of malware from quarantine failed.
    • Microsoft Defender for Endpoint: Malware detected.
    • Microsoft Defender for Endpoint: Real-time protection disabled.
    • Microsoft Defender for Endpoint: Suspicious behavior detected.
  2. The EventTracker alert, ”Possible Emotet Detected,” will be triggered if connections to the remote host "Lockbitks2tvnmwk.onion" are observed at the sensor.
  3. If domain auditing is enabled to monitor group policies, the SOC will track the group policy creation events through reports.
  4. The following matching criteria is used by our Threat Hunting team when searching PowerShell running suspicious commands:
     
    The ransomware will then run the following command to push the group policy update to all of the machines in the Windows domain.
    powershell.exe  -Command  "Get-ADComputer  -filter  *  -Searchbase  '%s'  |  foreach{
    Invoke-GPUpdate  -computer  $_.name  -force  -RandomDeayInMinutes  0}"

Prevention with Netsurion’s EventTracker

  1. The EventTracker Threat Center has been updated with available IOCs for LockBit. The EventTracker Windows sensor will terminate any known bad processes that are observed on managed systems at launch.
IOC Type Value
MD5 5761ee98b1c2fea31b5408516a8929ea
889328e2cf5f5d74531b9b0a25c1871c
1fbef2a9007eb0e32fb586e0fca3f0e7
5f504bb22471157aafeb887b4412b5de
265d02e0a563bbdbdb2883add41ff4bb
c0cacc5bf97b854b6028fe0973dc076f
1f4f6abfced4c347ba951a04c8d86982
9fe9f4ee717bae3a5c9fdf1d380e015d
d5c5558214a0859227e380071925ee58
207718c939673a5f674ce51f402cfc06
9630654d22356e5ac56bd8ec8c7b690
c9fc0fac4df3c2f60ec4bfc61e78feb0
ec273b5841eadfc43b1908c9905e95a3
103c3d96ab53b7c710e5f27d803e468c
0376cd9f233f0cb22d603bcb574885be
1f4581b36253f0f5d63e68347d1744a7
49250b4aa060299f0c8f67349c942d1c
b65198ea45621e29ba3b4fbf250ff686
4bfc92bc80045b031e7c14070143e1d3
51f2fd0288eeb902e7b6d3f0011e7e73
553d21ec9c4e8a08d072e50f3ae0afe1
d2e3b3cbdfd40e549c281b285c7fe9bd
f6b17af3156b38ff730868c85f7cb3dd
83b0fca1bd3190c5badcea4d507b8c95
94d7e268d4a1bc11f50b7e493a76d7a0
123511227718f17b3dec5431d5ae87f3
612a58fd67717e45d091ed3c353c3263
0859a78bb06a77e7c6758276eafbefd9
85da55389b4c848dc34b38b4d7318c0
5cc28691fdaa505b8f453e3500e3d690
9a246bf39f3fab9c2d45f1003bdc6b45
a04a99d946fb08b2f65ba664ad7faebd
75c039742afda956785f94fcc6fc7017

References