The FBI has published a TLP:WHITE FLASH providing indicators of compromise associated with LockBit 2.0 ransomware. The FLASH indicates LockBit 2.0 threat actors operate as an affiliate run Ransomware-as-a-Service (RaaS) and employ a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Some techniques these threat actors include, but are not limited to, purchased access, unpatched vulnerabilities, insider access, and zero day exploits.

According to the FBI, “After compromising a victim network, LockBit 2.0 actors use publicly available tools such as Mimikatz to escalate privileges. The threat actors then use both publicly available and custom tools to exfiltrate data followed by encryption using the Lockbit malware.” The FLASH includes further technical details regarding this activity and lists recommended mitigations. It also encourages partners to report suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 CyberWatch (CyWatch) at (855)292-3937 or CyWatch@fbi.gov.