Ransomware is a pervasive and persistent threat. It comes in many different forms and guises and constantly evolves, making it very difficult for organizations to protect themselves. A current example of this can be found with the emergence of LockBit 3.0.
LockBit 3.0 is the latest version of LockBit ransomware and has a range of new features, including Zcash payments and a bounty program. It's a potentially dangerous refinement and one that has already disrupted many organizations around the world.
What fresh threat does this latest LockBit ransomware bring, and what can organizations do to ensure they are protected?
The ever-evolving threat of ransomware
Ransomware continues to evolve as a threat, with new strains emerging almost constantly. It's regarded as an effective way for cybercriminals to access an organization's networks and systems. Once they have that access, they can move freely around them, stealing data and issuing ransom demands.
Ransomware is taken so seriously that the newly appointed US National Cyber Director, John Inglis, warned of the threat it poses in a recent speech at the Regan Institute. But the impact of ransomware is felt globally, not just in the US.
A recent attack on US software firm Kaseya affected up to 1,500 organizations around the world. This included supermarkets in Sweden, schools in New Zealand, and businesses in five different continents. By targeting one of Kaseya’s software tools, attackers were able to target hundreds of the company’s customers at once.
The figures involved in ransomware are also on the rise. The Sophos’ State of Ransomware Report 2021 revealed that the average ransomware recovery costs for businesses have more than doubled, rising from $761,106 in 2020 to $1.85 million in 2021. This includes the ransom itself, plus downtime, people time, device cost, network cost, lost opportunity, and other associated costs.
The challenges of LockBit ransomware
The size of these numbers means that ransomware has almost become an industry of its own. Organizations have emerged with the sole purpose of exploiting companies' vulnerability to ransomware - organizations such as LockBit.
LockBit is one of the first examples of Ransomware-as-a-Service, a model in which criminals write the malware and then work with other gangs to help distribute it. It originated in September 2019 when it was known initially as the ‘.abcd virus’ , in reference to the file extension name when encrypting a target’s files. It mainly targets enterprises and government departments and demands a ransom for financial payment in exchange for decryption.
It was already a very effective form of ransomware, but 2021 has seen a new, more advanced strain – LockBit 2.0. This has a much faster and more efficient encryption method, targeting Active Directory (AD) group policies with automatic encryption of devices across Windows domains.
Defending against such speed is a challenge, and one made harder by the group behind LockBit 2.0 making an additional effort to recruit insiders from its target organizations. Armed with such a potentially devastating strain of ransomware, in harness with people on the inside, has served to make LockBit 2.0 perhaps the greatest ransomware threat of 2021.
Then in mid-2022, operators released LockBit 3.0 which evades anti-virus and EDR systems. The new bounty incentivizes the submission of security reports for large cash payouts.
Keeping protected against the latest LockBit ransomware
However, none of this means that an organization cannot protect itself against LockBit 3.0. Effective protection depends on three broad elements:
People – ensuring your employees aren’t tempted to work with LockBit 3.0 creators is a big undertaking. It relies on creating a workplace culture that rewards and respects employees, builds loyalty, and provides a good work/life balance. Employers should strive for this anyway, but perhaps the emergence of cybercriminals recruiting insiders will serve as an additional incentive.
Beyond this, training is essential. Like other forms of ransomware, LockBit 3.0 relies on people not recognizing threats when they arrive. Making sure people receive regular and updated training on the type of threats that might emerge is a substantial defensive measure against LockBit 3.0
Process – any training must also focus on what people should do in the event of a breach. Who should they contact? What action should they take? An organization must have a robust set of processes in place to minimize the impact of a ransomware attack, both from an individual and organizational perspective.
Technology – no organization can hope to be fully protected against LockBit 3.0 without cybersecurity tech. But with many options to choose from, how do they go about selecting the most effective solution?
Email security solutions should be a priority, as LockBit 3.0 primarily enters an organization via email. Clearswift’s email security is an award-winning solution that differs from traditional ‘stop and block’ solutions, which hamper the flow of information. It works by automatically detecting and removing malicious content found in emails, files, images, and any other attachments, so the threat is neutralized immediately.
Clearswift's Adaptive Data Loss Prevention (A-DLP) only stops content that breaks that organization’s cybersecurity policy to ensure that the flow of information and communication is uninterrupted.
LockBit 3.0 is a malicious and pervasive threat, and organizations need to be aware of how it differs from other forms of ransomware. But the principles of best-practice cybersecurity remain the same – a combination of people, process, and technology.