If I offer you a million dollars right now, would you betray your company and help me compromise their data? What if I told you that there is a ransomware group out there that is doing just that? Would you take the bait? Are you sure that others in your company won’t be motivated to take that deal?
LockBit is a Ransomware-as-a-Service (RaaS) platform that uses the double extortion model to put additional pressure on victims. Aside from just encrypting systems and data, the attackers first exfiltrate sensitive and confidential data and threaten to expose or sell it if the ransom is not paid.
As cybersecurity and the response to ransomware attacks improve, though, the threat constantly evolves. The latest twist is that the LockBit ransomware group appears to be expanding on the Ransomware-as-a-Service concept and is now openly soliciting your employees to help them launch ransomware attacks from the inside.
Images that have been circulating online show that the wallpaper image LockBit displays on encrypted systems now doubles as a recruiting poster for future attacks. It says:
"Would you like to earn millions of dollars? Our company acquires access to the networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc."
Pushing the Limits of Employee Loyalty
Every morning when I come to work, I am grateful for the Cybereason team. As CEO, I make sure we take care of our employees and ensure Cybereason is a company people want to work for. I believe most companies and CEOs strive for those same goals. But can you be sure that there is nobody in your company who might consider making millions of dollars by helping to launch a ransomware attack?
Even if you are, confidence is no substitute for effective cybersecurity. The only way to deal with ransomware is to not allow your data to be encrypted in the first place. Whether it’s a traditional ransomware attack, a double extortion ransomware attack, or an insider ransomware attack executed by one of your own employees, the only good option is to ensure your data is not exfiltrated or encrypted.
You need to detect and stop all attacks, even if they come from the inside. Disgruntled employees might go to the "dark side" and help cybercriminals like the LockBit ransomware gang launch an attack from the inside, but that doesn't mean you can't prevent ransomware attacks.
One of the biggest challenges in the fight against ransomware is that most organizations are relying on ancient tools and outdated point solutions that were designed to prevent attacks a decade ago. Those solutions are not equipped to detect and stop more complex attacks like LockBit ransomware. Better technology does exist.
The ability to stop ransomware should not come down to relying on legacy tools that can’t handle the task. It also should not depend on having employees loyal enough to not be swayed by the promise of a 7-figure payout.
What if there was a way to see an entire malicious operation in play? Guess what: there is. Organizations need security with an operation-centric approach to ensure effective protection against ransomware regardless of the scenario. The ability to view the entire malicious operation (or MalOp) and recognize indicators of behavior enables you to detect and block ransomware attacks more quickly and effectively and to protect against threats like LockBit.
About the Author
Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.