IT

Recovering from a LockBit ransomware attack 

Sponsored

In the first part of this three-part series, I went over what happens when your security posture is broken. In my job at Acronis, I regularly analyze ransomware, and its destructive behavior. Using the example of LockBit 2.0 ransomware, our computer may have been able to keep running, but once the attack got in, the ransomware didn’t stop encrypting documents and other sensitive files until it was done. Even restarting the computer wasn’t enough to stop the attack. Here’s the thing with relying on being insignificant enough to not be an obvious target: it doesn’t matter. You are still a target if you are vulnerable, and the chances of coming out of the situation without any data loss are minuscule. Of course, you can do things with a partial protection solution, even though you may not be able to stop the attack or save all of your files. These options include tools that range from built-in or free tools to paid solutions that will at least minimize the impact of an attack on your computers. 

Stop in the name of the Task Manager 

The great thing about Task Manager is that it is a part of Windows by default. MacOS and most Linux distributions also have their own versions of this, and they all work similarly. For this example, let’s just assume that you happen to notice something going on with your system. Maybe it’s running slower, the fans kick in when they normally wouldn’t, or you even happen to catch the file extensions beginning to change. Great, you have an opportunity to stop the ransomware before you have lost everything. It’s easy, just right-click on the taskbar, and open the Task Manager. If you click on the More details link at the bottom of the window, you can see the Lockbit22.exe – or whatever the name is that the file is given by the attacker – in the Task Manager window, so it’s a quick right-click, and you can stop the ransomware before it does any more damage. 

There are a couple of problems with this scenario. One is that you need to be familiar enough with Windows to recognize any processes that are unusual, and the other is that it relies on the ransomware allowing the task manager to stop it, and not having already set up automation to restart the ransomware after it has been stopped. If this works, you may have just saved yourself the massive headache of having all of your important files encrypted. Maybe it doesn’t work, and you need something a little more powerful. 

Exploring your options 

A fairly common tool that is used by researchers is Process Explorer, which is part of the SysInternals Suite provided by Microsoft. This is not installed by default but is easy to find on Microsoft’s website. Process Explorer is like Task Manager on steroids, but it works very similarly. Again, you can right-click on the process, and stop it with either Kill Process or Kill Process Tree. Again, you have to be familiar with what you should expect to see running in order to identify something that is out of place. While it is more likely that the process will be stopped with this application, we still have to hope that the ransomware won’t automatically start up again. 

Starting over 

If you remember from my last article, I rebooted the computer, and the ransomware started up again after I stopped the process. I had used Process Explorer, but this only stopped the malware until the computer was restarted. The ransomware had updated registry settings and ensured that it would automatically start up again when Windows booted up. Of course, the ransomware isn’t listed in the Startup Apps – that would be too easy. We need to get into the registry and clean up what the ransomware has done there. Everything else has been fairly easy up until this point, so before a reboot, I should be able to clean up these changes, right? 

There is a tool called RegShot that lets you take two snapshots of the Windows registry, and compare them. I took a snapshot before running LockBit, and again after the ransomware finished running. This is where your heart sinks as you start seeing the number of changes to the registry. Over 20,000 keys were deleted. 

Almost another 82,000 keys were added in that same timeframe. 

You might be able to narrow it down some, maybe by searching for keywords like “lockbit” in the log. This isn’t an efficient way to ensure you have cleaned all traces of the changes made by the ransomware, because it is very likely that the ransomware did not use its own name in every change. Perhaps you try, and perhaps you get the computer back to normal operation, without risking the ransomware being started up again. At this point, the ransomware still exists on the system. From the Task Manager or Process Explorer, we have the file name, we can search in Explorer for this file, and will most likely be able to delete it. This ignores a common trick employed by ransomware, which is to drop additional files, which have a different name but are additional copies of the ransomware, or additional malware payloads. 

Since we’re now likely in the land of make-believe, let’s pretend that you deleted all of the copies of the ransomware and any other malware from your computer. You have also restored the registry to its former glory – a task that is only recommended for experienced professionals. By stopping the ransomware, you may have even saved some of your files. The thing is, you still have encrypted files. There are two options here, pay the ransom in the hopes that the attackers are nice enough to give you the decryption key, or maybe you’re lucky enough to have all of the affected files in a cloud storage service like Google Drive or Microsoft OneDrive. Most people don’t back up all of their files to these services, and most of the time don’t have enough storage available to do so. 

The end is near 

This is where I get overly honest. Everything I just outlined is an oversimplification of this scenario. I didn’t even mention possible changes to Group Policy or other tactics used by ransomware groups. The fact is, if you are caught unprotected, it is unlikely you will be able to fully recover. Ransomware gangs are getting more sophisticated, and often just scan the internet for vulnerable computers to attack without regard to who the target is. The only way to ensure you won’t become a victim is to be prepared ahead of time. This means a multi-layered solution to protect your computer from future attacks. 

We’ve seen what happens when your computer is attacked, and now we’ve seen how enough diligence, and probably research, can help us to largely get back to normal after the attack. In the third and final part of this series, we’ll dive into what it takes to make sure you don’t become a victim of LockBit in the first place. 

Topher Tebow is a cybersecurity researcher, focusing on community collaboration and threat analysis. Topher has been working with malware and other cyberthreats for more than a decade, beginning with web-based malware before moving into endpoint protection. Topher has written technical content for several companies, covering topics from security trends and best practices, to the analysis of malware and vulnerabilities. In addition to being published in industry publications like Cyber Defense Magazine and Security Boulevard, Topher has contributed to articles by several leading publications, and spoken at international cybersecurity events.

No user too small to target: A look at the new LockBit ransomware 

Sponsored

It is no secret that ransomware attacks are on the rise, and attackers are finding new ways to access our systems. While malicious emails remain a constant, we are seeing an increase in compromises of trusted software. This increase is coming as extortion gangs become more organized and learn from each other. A great example of the evolution of malware is LockBit, which had already taken on some of the traits of Maze, but with LockBit 2.0 now also showing similarities to Ryuk and Egregor. 

With the improvements in ransomware, and improved malicious access to our computers, what is the worst that can happen if an attack gets through? The problem is too many people ask this question as a way to justify inaction, rather than as a justification for implementing the cybersecurity measures that they should.  

There is an answer to the question, of course. The worst that could happen is being unprepared for an attack, allowing it to run rampant on your computers – stealing data, encrypting files, and enabling future attacks that take advantage of the information uncovered in the initial attack.  

With that in mind, let’s take a look at just how bad a broken security posture can be. 

It won’t happen to me 

The default security on my computer should be enough to keep me safe, right? After all, I’m just an individual, not a large multinational corporation – I’m too insignificant to be targeted. 

Thinking like that allows attackers into our computers. The fact is that extortion schemes are constantly changing, and the criminal use of automation means attackers can target individuals and small businesses as easily as they can a global corporation. As a result, we have seen ransomware hit large corporations, individuals, and everything in between. When these attacks happen, we could lose everything on any computer connected to our home networks.  

With LockBit now rising to the top of the heap as a leading extortion gang, their ransomware is a great example of what happens when you are inevitably attacked. Let’s assume that the attack begins with a vulnerability in a trusted piece of software: a browser, a game, or maybe even Windows. 

Oh, it’s happening 

LockBit 2.0 is a very efficient piece of ransomware, and you may not even notice it running on your computer. It follows what has become a typical practice of being selective in the files that are encrypted. This approach helps to ensure that the computer continues operating as expected, while all of your important documents, pictures, and other files you may not want to lose are being encrypted. 

As you can see in these screenshots, common documents and other select files have .lockbit added to the end of the file name, while applications and less common file types have been left untouched. This tactic buys time for the ransomware to complete its job while you are browsing the internet, watching movies, or whatever else you may use your computer for. Once you try to open a picture or document, you’ll find that it no longer opens.  

If you are like most people, you might not even see these file extension changes, since this requires a change from the default settings. What you will notice is that the icons change to the blank page icon. By now, it’s too late. You can try changing the file extension back to the default for the file, but the file has been encrypted, and can no longer be opened by the computer. 

Once the files have been encrypted, a ransom note is dropped in any directory with encrypted files. In the case of LockBit, this file is named Restore-My-Files.txt. Once all relevant files are done being encrypted, LockBit 2.0 changes your desktop background to alert you to read this file, then shuts itself down. 

I can stop this! 

Maybe you happen to notice your files being encrypted early in the process. No problem, just restart the computer to stop the ransomware from running, right? It’s a nice thought, but by the point files are being encrypted, LockBit has already updated the settings to automatically start it when the computer restarts. The encryption process will begin immediately on startup, and will continue until everything relevant has been encrypted.  

This type of persistence is common in ransomware, because the attackers want to ensure that they steal and encrypt as much of your data as they can. 

What’s the point then? 

If ransomware is used on any target that the attackers can find, and it’s nearly impossible to stop once it’s found its way in, what is the point of worrying about it? Again, the answer is simple, because you can take steps to stop it before it starts.  

Now is the time to look into options for securing your computers, rather than waiting until after all of your data is lost. Make sure that you have a multi-layered solution like Acronis that protects against ransomware, and other types of malware, and even provides a protected backup solution to be able to restore files if something does happen to get past the other measures you have in place.  

With attackers constantly looking for new ways to get in and infect your computer, it is more important than ever to plan for any potential attacks, and implement a solution that will minimize any damage or inconvenience this may cause. 

[In the next part of this three-part series, we’ll look at how to counter the LockBit infection.] 

Topher Tebow is a cybersecurity researcher, focusing on community collaboration and threat analysis. Topher has been working with malware and other cyberthreats for more than a decade, beginning with web-based malware before moving into endpoint protection. Topher has written technical content for several companies, covering topics from security trends and best practices, to the analysis of malware and vulnerabilities. In addition to being published in industry publications like Cyber Defense Magazine and Security Boulevard, Topher has contributed to articles by several leading publications, and spoken at international cybersecurity events.

How to Update Your iPhone or iPad without Wi-Fi (over Cellular)

A new exploit has been patched by Apple for iOS devices – the iOS 14.8 update fixes the vulnerability that the ‘Pegusus‘ spyware uses.

Updating your iOS device is easy if you have Wi-Fi, but if you only have cellular, you’ll see a message saying ‘This update requires a Wi-Fi network connection to download’.

If you have access to another device, you can hotspot your iOS device to that and run the update. If you don’t, there’s another trick you can do to allow downloading the update over cellular:

How to update iOS over cellular

  1. Go to Settings
  2. Go to General
  3. Go to Software Update
  4. The screen should say you need to be connected to Wi-Fi and the ‘Download and Install’ option greyed o
  5. Go back to General
  6. Go to Date & Time
  7. Turn off Automatic Time
  8. Set Month three months ahead (right now that would be from October to December)
  9. Go back to General
  10. Go to Software Update
  11. Press ‘Download and Install’
  12. While that runs, Go to General
  13. Go to Date & Time
  14. Turn on Automatic Time

Applies To: iOS

It’s worth noting that I tested going a year ahead, and the update wouldn’t download, but 3 months ahead did work.

I believe this is design by Apple to avoid people downloading large amounts of data over their mobile plan, but the updates get to an age where Apple deem them critical, and it’s then better to get the update over cellular than not at all.

I hope Apple address this properly and have a toggle on the screen to just choose to download the update over cellular, with a warning about high data usage (iOS 14.8 is almost 1GB).

EA Play Chat Support

Had to share this one. I had finished setting up my new gaming PC and wanted to try a game – so thought Battlefield V would do the trick, which is ‘free’ under my Xbox Game Pass Ultimate subscription, which gives access to EA Play. Except, it doesn’t work, and doesn’t say why:

Anyway, I decided to use EA’s online chat support. Unsurprisingly, it’s not a fun experience – because online chat support rarely is. I’d already spoken to them once where their suggestion was to uninstall and reinstall the EA Desktop app, and I was coming back the next day on the same case to tell them it hadn’t worked. Read on…

Mamta (9/9/2021, 8:58:55 PM): Thank you for contacting EA HELP, my name is Mamta, may I start with your first name please?
Adam (9/9/2021, 8:59:11 PM): Adam
Mamta (9/9/2021, 8:59:48 PM): Hello Adam, nice to meet you! Hope you’re doing fine.
Adam (9/9/2021, 9:00:10 PM): Thanks you too
Mamta (9/9/2021, 9:00:27 PM): So, how may I help you today Adam?
Adam (9/9/2021, 9:01:07 PM): Case #89886608
Adam (9/9/2021, 9:01:16 PM): returning back after doing what I was told, hasn’t changed anything
Adam (9/9/2021, 9:01:27 PM): There also seems to be other seeing the same issue as me https://answers.ea.com/t5/EA-General-Questions/not-currently-playable/m-p/10710162#M373028
Mamta (9/9/2021, 9:01:57 PM): Okay! Let me see the case first and I’ll try to help you in the best way possible.
Mamta (9/9/2021, 9:03:45 PM): So as per the details provided by you, you’re unable to launch any game using X box game pass.
Adam (9/9/2021, 9:04:35 PM): yes
Adam (9/9/2021, 9:04:44 PM): my ea play account shows ‘play’ next to my name
Adam (9/9/2021, 9:05:13 PM): and logging onto my ea account it says EA Play with Xbox Game Pass
Mamta (9/9/2021, 9:06:19 PM): I am sorry you have had to deal with this, Let me just go through the account first and pull out certain details.
Adam (9/9/2021, 9:07:51 PM): ok
Mamta (9/9/2021, 9:08:25 PM): So, before moving a head could you please help me with your resisted email account with EA?
Adam (9/9/2021, 9:09:19 PM): xyz@xyzc.com
Mamta (9/9/2021, 9:09:34 PM): Thank you! I am sending you a six-digit verification code to the email linked to your account so that I can verify your account from my end.
Adam (9/9/2021, 9:10:44 PM): 701367
Mamta (9/9/2021, 9:12:07 PM): Thank you for the verification Adam! Now could you please explain what type of error are you getting while starting the game.
Adam (9/9/2021, 9:13:10 PM): i cant start the game – the error is what I logged for this case “Not currently playable Unavailable This item can’t be purchased or played at this tim‎e”
Mamta (9/9/2021, 9:14:37 PM): I can see why you would be upset, Please allow some moments to work on your issue.
Adam (9/9/2021, 9:14:41 PM): all play games I havent played before seem to be like this
Mamta (9/9/2021, 9:15:30 PM): Okay! Let me see what I can do from my end.
Mamta (9/9/2021, 9:18:48 PM): So Adam what all troubleshooting steps you have attempted till now? This information would help us to not repeat any troubleshooting step.
Adam (9/9/2021, 9:19:07 PM): uninstalled and reinstalled the client
Mamta (9/9/2021, 9:22:08 PM): Okay, thanks for the information. Now we’ll move further. Allow me few moments.
Adam (9/9/2021, 9:23:07 PM): also tried on another computer and I see the same problem
Mamta (9/9/2021, 9:23:16 PM): Adam which Xbox are you using to play the game?
Adam (9/9/2021, 9:23:34 PM): its on PC not Xbox
Mamta (9/9/2021, 9:24:32 PM): I apologize for that, let me go through the details of your account.
Mamta (9/9/2021, 9:26:42 PM): Adam could you please confirm whether the network you’re using is a wired or wireless connection.
Adam (9/9/2021, 9:27:04 PM): wired
Mamta (9/9/2021, 9:27:55 PM): Thank you for confirming that! Going ahead with your issue, please stay connected.
Mamta (9/9/2021, 9:29:23 PM): Adam could you confirm the EA Desktop or Origin you’re using is up to date.
Adam (9/9/2021, 9:30:01 PM): yes it is
Mamta (9/9/2021, 9:30:24 PM): That’s great! Hold on a moment Adam.
Mamta (9/9/2021, 9:34:00 PM): Also Adam, I hope you’re running your game as an Administrator please confirm.
Adam (9/9/2021, 9:35:32 PM): yes i am
Mamta (9/9/2021, 9:36:31 PM): Great! Still working on the issue, stay connected!
Mamta (9/9/2021, 9:42:04 PM): Adam it’s taking a bit long then usual. Please stay connectd.
Adam (9/9/2021, 9:46:02 PM): its been 45 minutes so far and we haven’t really done anything
Mamta (9/9/2021, 9:48:51 PM): Adam could you please help me with your Gamer Tag.
Adam (9/9/2021, 9:49:59 PM): gamertag
Mamta (9/9/2021, 9:50:49 PM): Thanks for the information, I’m checking the details. Please allow me few moments.
Mamta (9/9/2021, 9:55:20 PM): Thank you Adam for being connected, as I can see here your you haven’t linked your game pass with your EA account I would request to please kindly contact for the same.
Adam (9/9/2021, 9:56:44 PM): how do I do that, my profile says I already have
Mamta (9/9/2021, 9:59:49 PM): Let me see, if I could help you in this.\
Mamta (9/9/2021, 10:02:11 PM): I apologies there was some technical glitch, as I’m able to see your Game Pass now. However I wouldn’t able to assist you in this matter and request you to contact Twitch for more information.
Adam (9/9/2021, 10:02:34 PM): What has Twitch got to do with this?
Mamta (9/9/2021, 10:04:09 PM): I’m sorry I mean to say “Microsoft”.
Adam (9/9/2021, 10:04:40 PM): I logged this with them first and they said it was an EA problem?
Mamta (9/9/2021, 10:09:41 PM): I really apologize for such a long wait Adam.
Mamta (9/9/2021, 10:11:45 PM): As I have double checked this is a known issue from our end, we have seen that more players are encountering the same issue our team is working to fir this.
Adam (9/9/2021, 10:12:44 PM): so if it’s a problem your end why did you tell me to talk to Microsoft?
Adam (9/9/2021, 10:14:14 PM): How will I find out when this is resolved?
Mamta (9/9/2021, 10:15:14 PM): I really apologize for the miss-information, however when I have checked your account and error provided by you I saw that this is a known issue and many players are facing the same.
Mamta (9/9/2021, 10:16:56 PM): Sadly. As of now we don’t have any update regarding this but we’re still working on this issue.
Adam (9/9/2021, 10:18:31 PM): So will I get contacted when it’s resolved?
Mamta (9/9/2021, 10:21:14 PM): Let me check it for you. Please allow me few moments.
Mamta (9/9/2021, 10:26:05 PM): Thanks for waiting patiently for this issue you can check our official forums whether this issue is resolved or not and yes you will connected when this issue gets resolved.

It was at that stage, almost 1 and a half hours into it, that I closed the browser.

Microsoft Viva replaced MyAnalytics emails

Today I noticed for the first time, that the MyAnalytics emails that were coming through weekly, showing where your time was being spent, emails you may need to respond to etc had been replaced by Microsoft Viva. There’s also a post in TechCommunity covering this in detail.

The previous MyAnalytics emails would come in weekly, and be broken up into different editions – Wellbeing, Focus, Collaboration or Network edition. This new monthly digest indicates Microsoft Viva is the way forward. Note that this still works the same way as MyAnalytics where the contents of the email are private to you, and do not come as a normal email that would be trackable (more details in my MyAnalytics article)

The new emails still (for now) link back to the https://myanalytics.microsoft.com/ domain which again for now, shows the message that it’s becoming Microsoft Viva:

That ‘Learn more’ link takes you here: https://www.microsoft.com/en-au/microsoft-viva/insights/?s=mya with some details around Microsoft Viva. One of the main links there takes you to Viva Insights on Teams, which is the Insights addin option that’ll show up on the left menu and take you to the Viva Insights Home page.

The Stay Connected tab is worth checking out, as it will highlight email conversations it thinks are things you need to do, or highlight people (team members for me) that you don’t have a 1 on 1 meeting scheduled for the next twk weeks.

Going back to the web page for Microsoft Viva, there’s a lot more content then when I looked when it first launched. One section I thought was notable was under Network, you can see your Top Collaborators and their read percent and response time of emails.

My point on all this, is that there’s a lot going on here. People may find it and have questions around it, especially when these emails are generated to all staff by default. Someone may have stumbled across the ‘Delay Delivery enabled’ option and turned it on, then forgotten about it later, complaining about emails being slow to get to customers or clients:

What we’re seeing above with Microsoft Viva and MyAnalytics (now Viva Insights) is only a part of the full Microsoft Viva solution too – there’s also Viva Connections, Viva Topics and Viva Learning:

Viva Connections and Viva Insights are generally covered under an existing license, but Viva Topics and Viva Learning are at an extra cost.