Whenever defending against ransomware, one of the most important mitigation steps that can be taken is to regularly back up data and store those backups offline, which ensures the integrity of the backups. The FBI also suggests the following:
• Make sure all installed software and operating systems are kept updated. This helps to prevent vulnerabilities from being exploited by the attackers.
• Enable two-factor authentication and strong passwords to block phishing attacks, stolen credentials, or other login compromises.
• As publicly exposed remote desktop servers are a common way for attackers to first gain access to a network, businesses should audit logs for all remote connection protocols.
• Audit the creation of new accounts.
• Scan for open or listening ports on the network and block them from being accessible.
• Disable SMBv1, as numerous vulnerabilities and weaknesses exist in the protocol.
• Monitor the organization’s Active Directory and administrator group changes for unauthorized users.
• Use the most up-to-date PowerShell and uninstall any older versions.
• Enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell.
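The last recommendation above (monitor for Base64-encoded PowerShell) and the wmic-based lateral movement the post discusses both leave traces in process-creation logs. The following is an added example, not code from the FBI notice or the post: it runs a small detection pass over constructed sample events, decodes any -EncodedCommand payload (base64 over UTF-16LE) so an analyst sees the real script, and flags wmic calls that create processes on a remote host. The key=value event format, host names and user names are assumptions.

```python
import base64
import re

# Constructed sample process-creation events (key=value form, roughly what a
# SIEM keeps from Windows 4688 or Sysmon Event ID 1); not from the FBI report.
SAMPLE_EVENTS = [
    "2019-12-10T11:02:01 host=WS01 user=jdoe cmd=powershell.exe -NoProfile "
    "-ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "2019-12-10T11:04:17 host=WS01 user=svc_admin cmd=powershell.exe -nop "
    "-w hidden -enc RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==",
    "2019-12-10T11:05:40 host=WS01 user=svc_admin cmd=wmic /node:FS02 "
    'process call create "cmd.exe /c whoami"',
]
EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")
ENC_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline):
    """Decode an -EncodedCommand (or -e/-ec/-enc...) payload, else None."""
    for m in ENC_RE.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        # powershell.exe accepts any unambiguous prefix of EncodedCommand and -ec;
        # -ExecutionPolicy must not match here.
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        try:  # the blob is base64 over the UTF-16LE bytes of the script
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None

def is_remote_wmic(cmdline):
    """True for a wmic call that creates a process on another host."""
    low = cmdline.lstrip().lower()
    return (low.startswith("wmic") and "/node:" in low
            and "process call create" in low)

def triage(events):
    """Return (timestamp, host, user, reason, detail) for events worth a look."""
    findings = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        ts, host, user, cmd = m.groups()
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append((ts, host, user, "encoded_powershell", decoded))
        elif is_remote_wmic(cmd):
            findings.append((ts, host, user, "remote_wmic", cmd))
    return findings
```

Running `triage(SAMPLE_EVENTS)` leaves the legitimate backup script alone and reports the encoded launch (decoded to its plain script) and the remote wmic process creation.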
It is important to note that this notice was originally released as TLP:Amber. TLP:Amber means that disclosure of the information is to be limited: those who receive TLP:Amber information from the FBI may share it within their own organization or with clients/customers who may be vulnerable as well. Bleeping Computer should not have shared this information publicly as they did. Any time the specifics of exactly how a threat actor operates are shared too publicly, it can have a negative effect on an organization’s ability to detect that threat actor in the future. By publicly advising on what tool the operators behind LockerGoga and MegaCortex are using, it now encourages the attackers to change their tools to avoid detection. Cobalt Strike offers a number of options when it comes to the tools it can use; if the attackers switch from wmic to WinRM, detecting the group as it moves laterally within a victim’s network would become much more difficult. More information on what has been made public from this TLP:Amber report can be found at: https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/