LockBit, a ransomware group is known to be a patronised Threat Actor from Russia and since its originally in September 2019, has been in the business of performing routine malicious attacks in the environment. The Group, had in the initial period performed, planned attacks dubbed as “.abcd virus”. The team, in reference to the file extension name was seen to be using them to encrypt victim’s files, as part of its operations. Notable past targets include, organizations in the United States, China, India, Indonesia, Ukraine, etc. Additionally, various countries throughout Europe (France, UK, Germany) have also been attacked in the past.
The LockBit Group, in the present campaign, namely “LockBit 3.0”, which is their newer version of Ransomware Attack, is aimed at large scale Extortion Endeavours. LockBit 3.0, is a subclass of ransomware known as a ‘crypto virus’ and is being used as a ransom requests around financial payment in exchange for decryption. It focuses mostly on enterprises and government organizations rather than individuals, in this new avatar.
The Recent Attack
In an attack reported on (or before) 31 January 2023, the group is said to have targeted the financial technology firm ION of United Kingdom. According to a statement posted on ION Market’s website, its ION Cleared Derivatives division “experienced a cybersecurity event” on 31 January 2023. The UK regulators has been reported to have initiated an investigating into the cyberattack, while the LockBit ransomware gang had threatened to publish the stolen data on 04 February 2023, if the software provider were not to pay up.
“LockBit” functions as Ransomware-as-a-Service (RaaS). Willing parties put a deposit down for the use of custom for-hire attacks, and profit under an affiliate framework. Ransom payments received are divided between the LockBit developer team and the attacking affiliates, who receive up to ¾ of the ransom funds.
The ION Attack
No additional details were readily available on the ION incident, while the ION security alert did not provide any additional details, but according to Reuters, the attack affected 42 of ION’s customers, which likely included ABN Amro Clearing and Intesa Sanpaolo, Italy’s biggest bank, and other financial enterprises among the group of Commonwealth of Independent States. The Futures Industry Association (FIA) of the UK, also reported that the issues at ION had affected the trading and clearing of exchange-traded financial derivatives, although there had been no reports of margin problems in financial markets.
The Attack on Italy
In a related incident the Italy’s National Cybersecurity Agency (ACN), on Sunday, 05 February 2023 also reported a targeted ransomware hacking attack on dozens of Italian organizations thereby compromising Servers, and also resulting in users of these services being locked out of their systems. ACN has also reported similar attacks on other European countries such as France and Finland as well as the United States and Canada. Telecom Italia customers has also reported internet problems earlier on Sunday, but the two issues were not believed to be related.
Investigation, by different agencies are underway as this form of attack is reported to be among the largest that have been noted in the recent past.
India, also cannot ignore the pattern noticed, as should also be concerned of such attacks, as the dependency on Digital Initiatives have increased multi-fold during the recent past.
How to protect against LockBit Ransomware
(Courtesy Kaspersky: Source- https://www.kaspersky.com/resource-center/threats/lockbit-ransomware)
Users may have to adhere to protective measures to ensure organization and individuals have a strategy of resilient against any ransomware or malicious attacks from the offset. Here are a few practices that can help one prepare for the same:
- Strong passwords should be implemented. Many account breaches occur due to easy-to-guess passwords, or those that are simple enough for an algorithm tool to discover within a few days of probing. Male sure you pick secure password, such as choosing longer ones with character variations, and using self-created rules to craft passphrases.
- Activate multi-factor authentication. Deter brute force attacks by adding layers atop your initial password-based logins. Include measures like biometrics or physical USB key authenticators on all your systems when possible.
- Reassess and simplify user account permissions. Limit permissions to more strict levels to limit potential threats from passing undeterred. Pay special attention to those accessed by endpoint users and IT accounts with admin-level permissions. Web domains, collaborative platforms, web meeting services, and enterprise databases should all be secured.
- Clean out outdated and unused user accounts. Some older systems may have accounts from past employees that were never deactivated and closed. Completing a check-up on your systems should include removing these potential weak points.
- Ensure system configurations are following all security procedures. This may take time, but revisiting existing setups may reveal new issues and outdated policies that put your organization at risk of attack. Standard operation procedures must be reassessed periodically to stay current against new cyber threats.
- Always have system-wide backups and clean local machine images prepared. Incidents will happen and the only true safeguard against permanent data loss is an offline copy. Periodically, your organization should be creating backups to keep up-to-date with any important changes to your systems. In case of a backup becoming tainted with a malware infection, consider having multiple rotating backup points for the option to select a clean period.
- Be sure to have a comprehensive enterprise cyber security solution in place. While LockBit can try to disable protections once in a unit, enterprise cyber security protection software would help you catch file downloads across the entire organization with real-time protection. Learn more about Kaspersky Security Solutions for Enterprise to help you protect your business and devices.