Corporate TIPS: Learning How to Defend Against Ransomware from Cybercriminals
By Craig S. Horbus & Jarman J. Smith on November 10, 2021
No one is completely safe from being hacked by cybercriminals, not even the cybercriminals themselves. This fact was revealed in a recent interview with the LockBit ransomware group responsible for deploying a new version of a Ransomware-as-a-Service (“RaaS”) platform called LockBit 2.0. This platform is now one of today’s largest RaaS platforms and poses an immense risk to businesses and organizations throughout the world.1 During the interview, the LockBit group shared insights into its operations and its views of the ransomware business in general.
In September of 2021, LockBit was, by a large margin, the most active ransomware group, accounting for approximately 34% of reported ransomware attacks.2 LockBit attributed its large share of the ransomware market to its “impeccable reputation” amongst its affiliate customers. Since more affiliates trust the LockBit brand, LockBit’s RaaS platform is used in a greater number of ransomware attacks. This formula has given LockBit the capacity to attack over 700 companies in just a 3-month span.3
Inside LockBit’s Criminal Organization
Although the LockBit ransomware group has only been around since late 2019, they have quickly established themselves as a major player on the ransomware landscape and a huge threat to organizations around the world.4 Their prominence in the cybercrime industry is due in part to the sudden retirement of rival operations Darkside, Avaddon, and REvil. However, the LockBit group distinguishes itself from its predecessors by claiming to maintain high-level moral and business standards. In other words, the LockBit group is branding itself as a more ‘trustworthy’ criminal organization that always provides decryption keys upon payment of demanded ransoms and that refuses to steal ransoms from affiliate criminals that utilize their RaaS platform. Moreover, LockBit claims that it does not target healthcare organizations like hospitals, dental offices and nursing homes.
One of the defining components of LockBit’s ransomware operation is its StealBit malware.5 StealBit allows criminals to steal information as quickly and as simply as possible, and LockBit uses StealBit to demand even more money from its victims. During a normal ransomware attack, cybercriminals encrypt their victims’ data and demand a ransom payment in exchange for the decryption key. LockBit, however, does more than encrypt its victims’ data: it also uses StealBit to steal valuable information from companies, and then demands additional payments for non-disclosure of the stolen data.
Weakness of Cybercriminals Exposed
Since no infrastructure is immune from hacking, due in large part to zero-day exploits, law enforcement agencies have begun exploring the process of hacking the hackers to destroy stolen data and retrieve decryption keys. Using NSA hardware backdoors, it is possible to access any server on the planet, which means anyone can be hacked, including ransomware gangs. LockBit identified this process of ‘white hat hacking’ as “one of the most effective methods” to deal with cybercriminals.6 Although LockBit acknowledges this weakness in its operations, it has responded by backing up stolen company data on servers in various parts of the world and encrypting offline backups held by trusted parties who receive regular payments for safekeeping the stolen data. Therefore, businesses must maintain adequate levels of network security rather than solely relying on white hat hacking to do away with the threat of cybercrime.
Ransomware Prevention Best Practices
Although no organization or individual is completely safe from the threat of cyberattacks, certain steps can be taken to reduce the risk of falling victim to a ransomware attack. By applying the following best practices to the greatest extent possible, you can help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident.
- Maintain Backups
  - It is critical to maintain offline, encrypted backups of your organization’s data and to regularly test and update your backups. Backups must be kept offline because many ransomware variants attempt to find and delete any accessible backups. With working backups, there is no need to pay a ransom for data that is readily accessible to your organization.
- Establish Incident Response Plans
  - Your organization should create, maintain, and exercise a basic cyber incident response plan and related communications policies that include response and notification procedures for a ransomware incident.
- Form a Team of Experienced Professionals
  - Creating and maintaining a cybersecurity team can help your organization gain leverage in the war against cybercrime. Your team should be comprised of trusted advisors, including upper-level management, qualified information technology personnel, and legal counsel with knowledge of applicable data privacy regulations and your legal obligations in the event of a ransomware incident.
As confirmed by LockBit, no organization can eliminate all risks involving cyberattacks and data loss. However, certain policies, practices, and procedures can be implemented to significantly reduce your organization’s exposure to such risks. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to defend against cyberattacks and protect consumer information. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
1 The Record, An interview with LockBit: The risk of being hacked ourselves is always present, available at https://therecord.media/an-interview-with-lockbit-the-risk-of-being-hacked-ourselves-is-always-present/.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.