Full Report
Co-authored by Marc RiveroLopez, in collaboration with Northwave. As we highlighted previously across two blogs, targeted ransomware attacks have increased... The post Tales From the Trenches; a Lockbit Ransomware Story appeared first on McAfee Blog.
Analysis Summary
# Incident Report: LockBit Ransomware Attack Targeting VPN Infrastructure
## Executive Summary
This targeted ransomware incident involved the LockBit group gaining initial access via a brute-force attack on an outdated external VPN service, compromising an 'Administrator' account. This high-level access allowed the attackers to immediately conduct reconnaissance, automate lateral movement using SMB and RDP/RAS, disable security tools, and swiftly deploy the LockBit ransomware across the network in a "hit and run" operation to maximize business disruption.
## Incident Details
- **Discovery Date:** Not explicitly specified, but implied to be during or immediately after deployment.
- **Incident Date:** Occurred some time before the analysis in late April 2020 (the LockBit ransomware itself was first spotted in late 2019).
- **Affected Organization:** Undisclosed customer undergoing an Incident Response by Northwave.
- **Sector:** Not explicitly disclosed.
- **Geography:** Not explicitly disclosed, though telemetry was gathered globally.
## Timeline of Events
### Initial Access
- **Date/Time:** Over several days leading up to compromise.
- **Vector:** Brute force attack against an external-facing web server hosting an **outdated VPN service**.
- **Details:** Attackers successfully guessed the password for an account named **'Administrator'**, which belonged to the administrator group, immediately granting "keys to the kingdom" permissions.
### Lateral Movement
- **Date/Time:** Following initial access.
- **Vector:** Internal network reconnaissance (`SMB`) followed by using the **Internal Microsoft Remote Access Server (RAS)**.
- **Details:** Attackers used the compromised administrator account, and subsequently the highly privileged **LocalSystem account** on target machines, to gain full control, disable endpoint security products, and automate movement across the network.
### Data Exfiltration/Impact
- **Date/Time:** Immediately following lateral movement.
- **Vector:** Automated ransomware deployment.
- **Details:** The primary impact was the deployment of the LockBit ransomware across as many hosts as possible to effectively halt business processes, forcing a ransom payment.
### Detection & Response
- **Date/Time:** During the response engagement by Northwave.
- **Details:** Response actions involved a comprehensive incident response process against the LockBit ransomware, implying containment, eradication, and recovery efforts were undertaken.
## Attack Methodology
- **Initial Access:** Brute force attack against a publicly accessible system (Outdated VPN).
- **Persistence:** Not detailed; the attackers did not need a separate persistence mechanism because the automated deployment followed directly from initial access with a privileged account.
- **Privilege Escalation:** **Skipped** due to initial compromise of the 'Administrator' account, which already held sufficient privileges.
- **Defense Evasion:** Achieved by leveraging the **LocalSystem account** post-lateral movement to **turn off endpoint security products**.
- **Credential Access:** Compromise of an existing credential via brute-forcing.
- **Discovery:** Performed network reconnaissance using **SMB** post-compromise.
- **Lateral Movement:** Used **SMB** for reconnaissance and the **Internal RAS** with highly privileged accounts (Administrator/LocalSystem).
- **Collection:** Not explicitly detailed, but standard for ransomware preparation.
- **Exfiltration:** Not explicitly detailed (focus was on encryption/disruption).
- **Impact:** Widespread encryption via automated ransomware deployment.
## Impact Assessment
- **Financial:** Not explicitly available, but significant cost associated with ransomware recovery is implied.
- **Data Breach:** The described phase focused on operational disruption through encryption rather than on data exfiltration; data theft is common in LockBit attacks, but it was not the focus here.
- **Operational:** Severe disruption expected due to mass ransomware deployment intended to halt business processes.
- **Reputational:** Not disclosed.
## Indicators of Compromise
*Note: Since the source provided no specific IoCs (only general attack descriptions), this section is populated based on the methods described.*
- **Network indicators:** Successful brute-force attempts against external VPN login pages. Network traffic associated with SMB reconnaissance and RAS connections from the compromised initial host.
- **File indicators:** LockBit ransomware executables/scripts (specific hashes not provided).
- **Behavioral indicators:** Disabling of endpoint security products. Automated execution of processes across multiple internal hosts via administrator/LocalSystem accounts.
## Response Actions
- **Containment:** Implied containment of the live LockBit deployment and isolation of affected segments.
- **Eradication:** Not detailed, but would involve cleaning up rogue administrative access and removing ransomware components.
- **Recovery:** Full recovery processes undertaken following the response engagement (implied).
## Lessons Learned
- **Key Takeaways:** Targeted ransomware actors are successfully leveraging inherent security policy weaknesses (e.g., weak/no MFA on external services) in high-privilege accounts. The "human factor" extends beyond end-users to policy adherence for system configuration.
- **What could have been done better:** Failure to implement Multi-Factor Authentication (MFA) on external-facing systems, especially VPNs, was the critical control failure.
## Recommendations
- **Prevention measures for similar incidents:**
1. Immediately enforce Multi-Factor Authentication (MFA) on all external-facing services, especially VPNs and remote access servers.
2. Implement robust password policies and monitor for sustained brute force login attempts against critical services.
3. Enforce the Principle of Least Privilege across the organization; even administrative accounts should not be used for routine network tasks.
4. Regularly patch and update all internet-facing infrastructure (VPN service was outdated).
5. Implement advanced endpoint detection and response capabilities capable of detecting and blocking automated lateral movement tools and security product disabling.
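Recommendation 2 above (monitoring for sustained brute-force attempts) in working form, as an added example that is not part of the original post: a small Python detector run over constructed VPN authentication log lines in a hypothetical format. It flags a (user, source) pair once its failures cross a threshold inside a time window, and flags it again, more urgently, when the streak ends in a successful login, which for a privileged account such as 'Administrator' is the exact pattern this incident began with.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN auth log (hypothetical format, not from the original post): six
# failures against 'Administrator' from one source ending in a success, then a normal user
# who mistypes a password once and logs in on the retry.
SAMPLE_LOG = """\
2020-04-20T02:13:01Z vpn-gw auth user=Administrator src=198.51.100.7 result=FAIL
2020-04-20T02:13:09Z vpn-gw auth user=Administrator src=198.51.100.7 result=FAIL
2020-04-20T02:13:17Z vpn-gw auth user=Administrator src=198.51.100.7 result=FAIL
2020-04-20T02:13:25Z vpn-gw auth user=Administrator src=198.51.100.7 result=FAIL
2020-04-20T02:13:33Z vpn-gw auth user=Administrator src=198.51.100.7 result=FAIL
2020-04-20T02:13:41Z vpn-gw auth user=Administrator src=198.51.100.7 result=FAIL
2020-04-20T02:13:49Z vpn-gw auth user=Administrator src=198.51.100.7 result=SUCCESS
2020-04-20T02:14:00Z vpn-gw auth user=alice src=203.0.113.5 result=FAIL
2020-04-20T02:14:30Z vpn-gw auth user=alice src=203.0.113.5 result=SUCCESS
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")
PRIVILEGED = {"administrator", "admin", "root"}  # accounts whose compromise hands over the network

def parse_line(line):
    """Return the auth event as a dict, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "user": m["user"],
            "src": m["src"], "result": m["result"]}

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a (user, source) pair reaches `threshold` failures inside `window`, and again if that streak ends in a SUCCESS."""
    fails = defaultdict(list)  # (user, src) -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        fails[key] = [t for t in fails[key] if ev["ts"] - t <= window]  # drop stale failures
        privileged = ev["user"].lower() in PRIVILEGED
        if ev["result"] == "FAIL":
            fails[key].append(ev["ts"])
            if len(fails[key]) == threshold:  # fire once per streak, not on every extra failure
                alerts.append({"kind": "sustained_failures", "user": ev["user"], "src": ev["src"],
                               "failures": threshold, "privileged": privileged})
        elif ev["result"] == "SUCCESS" and len(fails[key]) >= threshold:
            alerts.append({"kind": "success_after_failures", "user": ev["user"], "src": ev["src"],
                           "failures": len(fails[key]), "privileged": privileged})
            fails[key].clear()  # the streak is over; a new one must build up from zero
    return alerts
```

A slow campaign spread over several days, as in this incident, needs a correspondingly longer window or a per-account count that ignores the source, since the attacker can rotate addresses.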