Ask almost any cybersecurity researcher and they will tell you that ransomware has become one of the most popular forms of cyberattack over the last several years. In just the past few months, big names such as Accenture, Bangkok Air, Colonial Pipeline, and meat processor JBS have been hit by ransomware attacks that crippled their networks and, in some cases, resulted in large data breaches. Even in the last week, Howard University was forced to cancel classes on Tuesday, September 7th after it was hit by a ransomware attack. Unfortunately, when ransomware is raking in profit for cyber criminals, there will be opportunistic malicious actors who want their own cut of the action: they write the ransomware themselves and sell its use to others who have the resources to disseminate it.
As noted by security researchers at CrowdStrike, ransomware for hire isn’t exactly a new phenomenon. Ransomware as a service (RaaS) operators have long existed on the black market, and they can choose to generate revenue in several ways, including monthly membership fees, affiliate programs, one-time licensing fees, profit-sharing models, and more. Malicious actors sign up for the service, pay their dues, and do what they do best: distribute the payload to their predetermined targets. With how much money is flowing into these operations, these ransomware providers are proving to be remarkably resilient, which leaves them well placed to retrofit their malicious software to exploit new vulnerabilities whenever their earlier attack vectors are patched out of viability.
There are many examples of these kinds of services, such as DarkSide, REvil, and Dharma, but today I want to talk about one that has been having a surge in popularity and market share in the ransomware space: LockBit. Presumably Russian in origin, LockBit 2 has been in the news for its recent global proliferation, as Trend Micro claims that it is one of the “fastest ransomware variants in the market today.” While the technical details of its methods can be found in the full Trend Micro report, the gist of it is that once on a target system, the program uses a network scanner to locate the network’s Domain Controller, then attempts to compromise the Domain Controller and push out group policies that disable security programs on network devices. LockBit then encrypts important files on any machine it can reach and places a “Restore-My-Files.txt” file in every affected directory with instructions on how to pay the ransom and decrypt the files. Trend Micro concludes that the best way to secure against this kind of attack is to perform periodic vulnerability assessments, enforce data backup policies, perform sandbox analysis on suspicious emails and attachments, and employ updated security solutions at all layers of organizational systems. Other researchers suggest that application whitelisting is a significant mitigation against ransomware, in addition to stopping other forms of malicious software.
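Two of the behaviours described above, the ransom note dropped in every affected directory and the encryption of the files beside it, give an incident responder something concrete to sweep a file share for. The following is an added example written for this post, not code from Trend Micro or the LockBit report: it walks a directory tree, flags directories containing the “Restore-My-Files.txt” note, and lists files in them whose contents look encrypted (byte entropy near 8 bits/byte). The 7.5-bit threshold and the sample share layout are assumptions made for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "Restore-My-Files.txt"  # the note the post says LockBit leaves in each hit directory
HIGH_ENTROPY_BITS = 7.5               # assumed cut-off: ciphertext nears 8 bits/byte, documents sit far lower
SAMPLE_BYTES = 64 * 1024              # read only the head of each file so the sweep stays cheap


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_for_ransomware(root: str) -> dict:
    """Map each directory (relative to root) holding the ransom note to the files in it
    whose head looks encrypted. Unreadable files are skipped rather than aborting the sweep."""
    findings = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        if RANSOM_NOTE not in filenames:
            continue
        suspicious = []
        for name in filenames:
            if name == RANSOM_NOTE:
                continue
            try:
                head = (Path(dirpath) / name).read_bytes()[:SAMPLE_BYTES]
            except OSError:
                continue
            if shannon_entropy(head) >= HIGH_ENTROPY_BITS:
                suspicious.append(name)
        findings[os.path.relpath(dirpath, root)] = sorted(suspicious)
    return findings


def build_sample_tree() -> str:
    """Constructed fixture: one clean share and one hit share containing a note and ciphertext-like data."""
    root = tempfile.mkdtemp(prefix="lockbit_demo_")
    clean, hit = Path(root, "finance"), Path(root, "hr")
    clean.mkdir(); hit.mkdir()
    (clean / "budget.txt").write_bytes(b"quarterly budget figures\n" * 200)   # plain text, no note here
    (hit / RANSOM_NOTE).write_text("all your files are encrypted (constructed note)\n")
    (hit / "payroll.xlsx").write_bytes(bytes(range(256)) * 16)              # uniform bytes: entropy 8.0
    (hit / "readme.txt").write_bytes(b"onboarding checklist\n" * 100)       # left untouched by the "attack"
    return root
```

Run `scan_for_ransomware(build_sample_tree())` to see the hit share reported with only its encrypted-looking file, while the clean share is left out entirely.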
Ransomware is everywhere in the news, and all it can take is one point of infection and a slightly outdated software deployment on organizational infrastructure to spell untold disaster and financial ruin for an organization. It’s wise to think ahead and prepare a strategy both to prevent a ransomware infection from taking hold in your organization and to respond if it does. With modern tools like CnSight, it’s easier than ever to continuously monitor your organization’s cybersecurity preparedness and to ensure that when it’s time for action, your team is ready to respond. Bolster your cybersecurity resilience by deploying CnSight to help manage risk, manage your cybersecurity performance, and align your day-to-day cybersecurity performance with your strategic goals.