Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
HHS Warns Health Sector About LockBit 2.0 Threats - AgainAdvisory Comes on Heels of FBI LockBit 2.0 Alert, CISA Ransomware Global Trends Report
Federal authorities are again warning healthcare and public health sector entities about potential threats posed by the ransomware-as-a-service group LockBit 2.0, despite the cybercrime gang's claim that it does not target healthcare organizations.
The warning on Monday from the U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center comes on the heels of an FBI "flash alert" issued on Feb. 4 advising organization across all sectors of the latest LockBit 2.0 activities and indicators of compromise.
Meanwhile, a report issued on Wednesday by the Cybersecurity and Infrastructure Security Agency about 2021 global ransomware trends reminded the healthcare and public health sectors in the U.S., the U.K. and Australia that they continue to be among top sectors targeted by ransomware actors, overall.
LockBit 2.0 Threats
Although the LockBit 2.0 cybercrime gang claims to not attack healthcare organizations, "all ransomware continues to act as a major cyber threat against the U.S. healthcare and public health sector," the HC3 warns in its advisory.
LockBit 2.0 operates as an affiliate-based ransomware-as-a-service and employs a wide variety of tactics, techniques and procedures, creating significant challenges for defense and mitigation, it says.
While the HC3 issued a warning in October about potential LockBit threats facing the healthcare and public health sector, the new advisory says that the FBI's latest flash alert contains the most current indicators of compromise and malware characteristics derived from field analysis (see: HHS Warns Healthcare Sector About LockBit 2.0 Threats).
"Reducing your organization’s attack surface to the greatest extent possible is the primary goal, and this [FBI] FLASH provides several ways to do that," the HC3 says.
"It is extremely important to both know and apply" the information included in the FBI's Feb. 4 advisory, it adds.
The HC3 says entities should use the FBI's list of updated LockBit 2.0 IOCs in their threat hunting and detection programs.
It also says the use of multifactor authentication and strong passwords is critical, along with establishing a robust data backup program, the advisory says.
Latest FBI Warning
LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including - but not limited to - purchased access, unpatched vulnerabilities, insider access and zero-day exploits, the FBI says.
"After compromising a victim network, LockBit 2.0 actors use publicly available tools such as Mimikatz to escalate privileges. The threat actors then use both publicly available and custom tools to exfiltrate data followed by encryption using the LockBit malware," the advisory says.
LockBit 2.0 actors always leave a ransom note in each affected directory within victim systems, which provides instructions on how to obtain the decryption software, the FBI says. "The ransom note also threatens to leak exfiltrated victim data on the LockBit 2.0 leak site and demands a ransom to avoid these actions."
LockBit 2.0 released an update in July 2021 which featured the automatic encryption of devices across Windows domains by abusing Active Directory group policies, the FBI says.
"In August 2021, LockBit 2.0 began to advertise for insiders to establish initial access into potential victim networks, while promising a portion of the proceeds from a successful attack. LockBit 2.0 also developed a Linux-based malware which takes advantage of vulnerabilities within VMWare ESXi virtual machines."
LockBit 2.0 is a "heavily obfuscated ransomware application" leveraging bitwise operations to decode strings and load required modules to evade detection, the FBI says.
Upon launch, LockBit 2.0 decodes the necessary strings and code to import the required modules followed by determining if the process has administrative privileges. "If privileges are not sufficient, it attempts to escalate to the required privileges."
LockBit 2.0 then determines the system and user language settings. If an Eastern European language is detected, the program exits without infection, the FBI says.
As infection begins, LockBit 2.0 deletes log files and shadow copies residing on disk and enumerates system information. It attempts to encrypt any data saved to any local or remote device but skips files associated with core system functions, according to the FBI.
Once completed, LockBit 2.0 deletes itself from disk and creates persistence at startup, according to the FBI. Prior to encryption, LockBit affiliates primarily use the StealBit application obtained directly from the LockBit panel to exfiltrate specific file types, the FBI says.
"The desired file types can be configured by the affiliate to tailor the attack to the victim. The affiliate configures the application to target a desired file path and, upon execution, the tool copies the files to an attacker-controlled server using http."
Some affiliate attackers use other commercially available tools such as rclone and MEGAsync to achieve the same results. LockBit 2.0 actors often use publicly available file sharing services including, privatlab[.]net, anonfiles[.]com, sendspace[.]com, fex[.]net, transfer[.]sh, and send.exploit[.]in, the FBI says.
The FBI alert lists a variety of IOCs, including language check codes, command line activity during execution, recorded commands, registry keys, files created, group policy updates for Windows defender disablement, PowerShell command, and an array of other details.
No Sure Bets
While the HC3 says in its advisory that to date, LockBit 2.0 claims it is not attacking healthcare organizations, some experts predict it is only a matter of time before a healthcare or public health sector entity is hit by the group or its affiliates.
"If you run your enterprise as a RaaS operation, then it is far more likely than not you will see a LockBit attack against a healthcare entity for sure," says retired supervisory special agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.
"It is hard to imagine the LockBit 2.0 gang telling the cyberthreat actors who pay for their tools who they can and can't use these tools against. It is of course possible that this has already happened," he says.
Former Department of Defense threat analyst Paul Prudhomme, a researcher and analyst with cybersecurity threat intelligence firm IntSights, a Rapid7 company, notes that various other ransomware operators have also claimed that they refrain from targeting healthcare organizations.
"The potential harm to human lives and welfare that could result from ransomware incidents in a healthcare setting and the negative publicity associated with the targeting of such a sensitive industry have led some ransomware operators to claim that they do not target healthcare organizations," he says, and adds, "Some of these claims may be true."
Brett Callow, a threat analyst at security firm Emsisoft, offers a similar assessment" "REvil, LockBit [and others] typically don’t carry out attacks. They just supply the ransomware and the infrastructure. Some RaaS say their ransomware can't be used for attacks on healthcare, etc. Affiliates sometimes abide by that, and sometimes don't.
"And some RaaS seem not to care whether they do or they don’t. But it’s very much a case of so what? I mean, if A doesn’t want you to use their ransomware in attacks on healthcare, you can just use B's ransomware instead," Callow says.
Regardless of the claims by LockBit 2.0, all healthcare organizations should make threat intelligence on ransomware a high priority requirement, Prudhomme says.
"Even if LockBit 2.0 does live up to its claim of not targeting health care organizations, most ransomware groups and attacks are similar enough to each other that any lessons learned from LockBit 2.0 attacks would also be applicable to attacks by other ransomware operators."
LockBit 2.0 poses a serious potential threat to the healthcare and public health sector in part because "it has been very successful as both a stand-alone cyber gang and now as an entrepreneur in the RaaS industry," Weiss says.
"They make a product that works and that has been successfully used against many targets in many different industries. Also, they have also been able to avoid American and international law enforcement, so they obviously have put some serious thought into operational security and anonymity."
Also, critical vulnerabilities, such as those in certain versions of Apache's Log4j software library, provide cyberthreat actors such as LockBit - and many others - with new, easy means of entry into a victim’s IT or operation technology network in order to launch ransomware attacks or steal data for ransom, Weiss says.
"There is little doubt among most industry experts that these types of large-scale vulnerabilities, especially after SolarWinds, open the door for the threat of greater cyberattacks. Worst-case scenario: This sure didn’t help."