FBI Publishes Indicators of Compromise for LockBit 2.0 Ransomware

The FBI today issued a flash bulletin that details the specific indicators of compromise (IoCs) associated with LockBit 2.0, whose operators offer the ransomware variant via a ransomware-as-a-service model.

LockBit 2.0 moves quickly, mainly because it can automatically encrypt devices in a Windows domain using Active Directory (AD) group policies. The ransomware attackers using LockBit often also threaten to leak stolen victim data on their doxxing site if the victim doesn’t pony up with their ransom demands. According to the FBI, LockBit 2.0 is “a heavily obfuscated ransomware application leveraging bitwise operations to decode strings and load required modules to evade detection.”

The FBI bulletin also includes specific steps organizations can take to minimize their vulnerability to an attack by the ransomware, including the usual key defenses, such as employing multifactor and strong authentication, updating software, using network segmentation, restricting user privileges to admin accounts, running a host-based firewall that limits connects to admin shares, ensuring offline data backups, and other best practices.