Projections suggest that by 2031 ransomware will hit a business, a consumer or a device every two seconds and cost its victims around $265 billion a year.
Ransomware attacks have risen by 13% over the last five years, and in the first half of 2022 alone there were around 236.7 million attacks globally.
These are very distressing numbers. Ransomware is one of the most real and present threats that organizations are facing today.
Ransomware is a type of malware used by threat actors for financial gain. It encrypts the victim's files or locks its systems, and the attacker demands a ransom in exchange for a decryption key, which the organization can only hope will restore the files to their original state.
Recently, threat actors have also begun to exfiltrate data during a ransomware attack and resort to "double extortion": blackmailing victim organizations into paying the ransom by threatening to post their information on leak sites or put it up for sale.
LockBit, active since 2019, is advertised by its operators as the fastest and most stable ransomware available. LockBit 3.0, also known as LockBit Black, operates as Ransomware-as-a-Service (RaaS) and is an improved version of LockBit 2.0 and earlier releases.
How does ransomware work?
Threat actors infiltrate the victim organization's network and find their way onto a device, then encrypt the files and folders on it.
They don't stop there. They enumerate the environment, move laterally across the network and spread the ransomware from device to device until every reachable computer is affected.
How do threat actors infiltrate?
- Email links or attachments: The user receives a phishing email with a malicious link or attachment that leads either to credential harvesting or to the ransomware being downloaded from the attached file.
- Remote Desktop Protocol (RDP): Threat actors brute-force or password-spray internet-exposed RDP services, or log in with leaked or weak credentials, to gain access.
- Virtual Private Network (VPN): Threat actors identify and exploit unsecured or unpatched remote-access VPN servers, or use leaked or weak credentials with brute-force and password-spray attacks against them, to gain a foothold on the network and then distribute the malware.
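The RDP and VPN vectors above leave a characteristic trail of failed logons. The following is an added example (not code from the original article) showing how to separate the two common patterns in that trail: a brute-force attack (many failures against one account from one source) and a password spray (one source trying many accounts a few times each). The log lines are constructed for the example in a simplified "timestamp event_id key=value" form; the field names follow Windows Security event 4625 (failed logon), but the records themselves are made up and would in practice be pulled from the Security log or a SIEM.

```python
"""Brute-force and password-spray detection over failed-logon events.

Added example, not from the original article. SAMPLE_LOG is constructed;
the field names (TargetUserName, IpAddress, LogonType) follow Windows event 4625.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5        # failures against one account from one source IP
SPRAY_THRESHOLD = 5              # distinct accounts attempted from one source IP
WINDOW = timedelta(minutes=10)   # detection window
REMOTE_LOGON_TYPES = {3, 10}     # 3 = Network, 10 = RemoteInteractive (RDP)

# Constructed sample log lines (made up for this example).
SAMPLE_LOG = [
    "2022-06-01T08:00:01Z 4625 TargetUserName=Administrator IpAddress=203.0.113.5 LogonType=10",
    "2022-06-01T08:00:03Z 4625 TargetUserName=Administrator IpAddress=203.0.113.5 LogonType=10",
    "2022-06-01T08:00:05Z 4625 TargetUserName=Administrator IpAddress=203.0.113.5 LogonType=10",
    "2022-06-01T08:00:07Z 4625 TargetUserName=Administrator IpAddress=203.0.113.5 LogonType=10",
    "2022-06-01T08:00:09Z 4625 TargetUserName=Administrator IpAddress=203.0.113.5 LogonType=10",
    "2022-06-01T08:00:11Z 4625 TargetUserName=Administrator IpAddress=203.0.113.5 LogonType=10",
    "2022-06-01T08:30:00Z 4625 TargetUserName=alice IpAddress=198.51.100.7 LogonType=3",
    "2022-06-01T08:30:20Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=3",
    "2022-06-01T08:30:40Z 4625 TargetUserName=carol IpAddress=198.51.100.7 LogonType=3",
    "2022-06-01T08:31:00Z 4625 TargetUserName=dave IpAddress=198.51.100.7 LogonType=3",
    "2022-06-01T08:31:20Z 4625 TargetUserName=erin IpAddress=198.51.100.7 LogonType=3",
    "2022-06-01T09:10:00Z 4625 TargetUserName=alice IpAddress=192.0.2.9 LogonType=10",   # benign typo
    "2022-06-01T09:10:30Z 4625 TargetUserName=alice IpAddress=192.0.2.9 LogonType=10",
    "2022-06-01T09:10:45Z 4624 TargetUserName=alice IpAddress=192.0.2.9 LogonType=10",   # success
    "2022-06-01T09:20:00Z 4625 TargetUserName=frank IpAddress=10.0.0.4 LogonType=2",     # console logon
]


def parse_event(line):
    """Parse one simplified log line into a dict; return None for malformed lines."""
    try:
        ts, event_id, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        return {
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "user": kv["TargetUserName"].lower(),   # directory user names are case-insensitive
            "ip": kv["IpAddress"],
            "logon_type": int(kv["LogonType"]),
        }
    except (ValueError, KeyError):
        return None


def detect(lines, brute_threshold=BRUTE_FORCE_THRESHOLD,
           spray_threshold=SPRAY_THRESHOLD, window=WINDOW):
    """Return sorted (kind, source_ip, account) alerts; account is '*' for sprays."""
    events = [e for e in map(parse_event, lines) if e]
    # Only failed logons (4625) over remote logon types matter for this detection.
    events = [e for e in events
              if e["event_id"] == 4625 and e["logon_type"] in REMOTE_LOGON_TYPES]
    events.sort(key=lambda e: e["time"])

    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = set()
    for ip, evs in by_ip.items():
        start = 0
        for end, current in enumerate(evs):
            # Slide the window start forward so every event in it lies within `window`.
            while current["time"] - evs[start]["time"] > window:
                start += 1
            counts = Counter(e["user"] for e in evs[start:end + 1])
            for user, n in counts.items():
                if n >= brute_threshold:
                    alerts.add(("brute_force", ip, user))
            if len(counts) >= spray_threshold:
                alerts.add(("password_spray", ip, "*"))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, ip, account in detect(SAMPLE_LOG):
        print(f"{kind:15} source={ip:15} account={account}")
```

The window keeps a slow, spaced-out attack from being hidden by the thresholds alone: five failures spread over twelve minutes never share a ten-minute window and produce no alert, which is why the thresholds and the window should be tuned together against your own baseline of benign failures.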
Recommendations to protect your data against ransomware
Identity & Authorization
- Enforce long and complex passwords.
- Reject passwords that contain dictionary words or keyboard patterns, or that appear on lists of commonly used passwords.
- Implement a password change cycle and avoid accounts configured with passwords that never expire.
- Enforce Multi-Factor Authentication (MFA) at every logon attempt.
- Consider phishing-resistant MFA.
- Require MFA for all remote access, internet-accessible services and business email accounts.
- Periodically audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Periodically identify unused accounts and delete them.
Network Access
- Geo-fence the network perimeter: allow traffic only from the regions you operate in and block the rest.
- House critical infrastructure in its own isolated, firewalled network zone (a DMZ or dedicated segment) rather than on the general user network.
- Segment networks and disable unused ports.
- Disable inter-VLAN communication, or restrict it to the traffic that is strictly necessary.
- Disable any direct RDP access from the internet.
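The password and account recommendations above are easiest to keep honest when they are checked mechanically. The following is an added example (not code from the original article) that does two things: it validates a candidate password against the length, complexity, dictionary-word, pattern and common-password rules, and it audits a set of accounts for passwords that never expire, accounts unused for more than 90 days, privileged accounts without MFA, and disabled accounts that were never deleted. The account records, word lists and the 14-character / 90-day thresholds are constructed assumptions for the demonstration; in a real environment the same checks would run over a directory export such as an AD user dump.

```python
"""Identity hygiene checks: password-policy validation and account audit.

Added example, not code from the original article. Word lists, thresholds and
account records are constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta

MIN_LENGTH = 14
MAX_INACTIVE_DAYS = 90
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Small constructed lists; production use would load a real breached-password corpus.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "admin123", "summer2022!"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "summer", "monkey", "company"}
# Undo common letter-for-symbol substitutions (p@ssw0rd -> password) before list checks.
LEET = str.maketrans("@$0134", "asoiea")


def normalize(pw):
    return pw.lower().translate(LEET)


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step up or down by one (abcd, 4321, ...)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    norm = normalize(pw)
    if norm in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if any(word in norm for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("run of three or more repeated characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    return problems


# Constructed account records shaped like a simplified directory export.
NOW = datetime(2022, 7, 1)
ACCOUNTS = [
    {"name": "jdoe", "enabled": True, "last_logon": datetime(2022, 6, 28),
     "password_never_expires": False, "groups": ["Domain Users"], "mfa": True},
    {"name": "svc_backup", "enabled": True, "last_logon": datetime(2022, 2, 1),
     "password_never_expires": True, "groups": ["Domain Admins"], "mfa": False},
    {"name": "old_contractor", "enabled": True, "last_logon": datetime(2021, 11, 5),
     "password_never_expires": False, "groups": ["Domain Users"], "mfa": False},
    {"name": "it_admin", "enabled": True, "last_logon": datetime(2022, 6, 30),
     "password_never_expires": False, "groups": ["Domain Users", "Domain Admins"], "mfa": True},
    {"name": "former_emp", "enabled": False, "last_logon": datetime(2020, 1, 1),
     "password_never_expires": False, "groups": ["Domain Users"], "mfa": False},
]


def audit_accounts(accounts, now=NOW):
    """Return (account, finding) pairs for the hygiene problems the recommendations call out."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        if not acct["enabled"]:
            findings.append((name, "disabled account still present; delete it"))
            continue
        if acct["password_never_expires"]:
            findings.append((name, "password never expires"))
        if now - acct["last_logon"] > timedelta(days=MAX_INACTIVE_DAYS):
            findings.append((name, f"inactive for more than {MAX_INACTIVE_DAYS} days"))
        if set(acct["groups"]) & PRIVILEGED_GROUPS and not acct["mfa"]:
            findings.append((name, "privileged account without MFA"))
    return findings


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Abcd1234!!!", "Tr0ub4dor&3-Kx9!Mq"):
        print(pw, "->", check_password(pw) or "OK")
    for name, finding in audit_accounts(ACCOUNTS):
        print(f"{name}: {finding}")
```

Normalizing symbol substitutions before the common-password and dictionary checks is what catches "P@ssw0rd"; the sequence and repeat checks deliberately run on the raw password, since normalization would otherwise turn "1234" into letters. Service accounts like the constructed "svc_backup" are the usual offenders: privileged, no MFA, never-expiring password and long idle, which is exactly the combination a ransomware operator with a leaked credential wants.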
Data Backup & Restoration
- Maintain offline backups of data.
- Ensure all backup data is encrypted and immutable (i.e., it cannot be altered or deleted), and periodically test that it can actually be restored.
General Safety Measures
- Keep all operating systems, software, and firmware up to date.
- Use an appropriate EDR/XDR tool to identify, detect and investigate abnormal activity and potential lateral movement.
- Periodically review domain controllers, servers, workstations and Active Directory for new or unrecognized accounts.
- Consider adding a banner to emails received from external organizations or domains.
- Disable hyperlinks in received emails.