LockBit is recruiting employees to breach corporate networks

The ransomware arms race continues to thrive as LockBit gangs recruit corporate insiders to help them breach and encrypt networks, offering employees hefty payouts in exchange for their help.

LockBit recently made news when they hit the UK’s Merseyrail this past April. In the last few days, the Australian Cyber Security Centre (ACSC) announced that LockBit 2.0 has infected multiple organizations across various industry sectors.

Let’s take a look at the ransomware gang’s latest moves.

Arriving on the cybersecurity scene in September 2019, LockBit is a unique, self-spreading ransomware-as-a-service that does not require the attacker to be live in a network to be effective. While it does not get big headlines like other groups, LockBit is effective. The ransoms tend to be lower and partnering with insiders is easy because they share 70-80% of the ransomware payment with their recruited affiliates.

For businesses of all sizes, this recruiting strategy is alarming because from time to time, every business has a disgruntled employee that may be receptive to making this kind of money, albeit their participation in this kind of activity is a felony. And with the proliferation of remote work, data accessibility is on the rise, making it more widely available and increasing the risk that employees may inadvertently or intentionally leak sensitive, confidential information to unauthorized parties outside the organization.

LockBit has introduced some interesting new features in their 2.0 release. One feature that stands out is LockBit’s automated ransomware distribution: it automates the encryption of a Windows domain using Active Directory group policies. LockBit escalates privileges and then creates new group policies on the domain controller, which are then pushed out to every device on the network, disabling defenses and spreading ransomware.

This new feature is an example of what we can expect to see from other ransomware developers as they are now automating and incorporating artificial intelligence (AI)-based algorithms into their malicious software.

LockBit also added another new feature by taking a page from Egregor’s “print bomb” playbook. Once hacked, network printers continually print ransom notes, making sure the world knows that your organization has suffered a ransomware attack.

While concerning, LockBit’s recruiting strategy and these latest features can be easily stopped using modern cybersecurity software.

Data loss prevention (DLP), also known as data leakage prevention or data loss protection, is a technique that protects sensitive corporate data from leaving the company due to user negligence, mishandling of data, or malicious intent. DLP technologies enforce data handling policies by allowing or blocking data access and transfer operations based on a set of predefined security rules.

Data can leave the company through two main groups of channels — local channels (e.g., peripheral devices, such as printers, and USB drives) and network-based channels (e.g., emails, web, and social media). Although some DLP solutions monitor only network communication, it is best to monitor both local and network channels to ensure efficient data loss prevention.

Acronis DeviceLock DLP is an endpoint data loss prevention solution that significantly reduces the risk of insider-related data leaks. It enforces fine-grained contextual controls (based on user authentication, security group memberships, data types, device types or network protocol, data flow direction, state of media or SSL encryption, date and time, and other factors) in combination with content analysis and filtering to block or allow data access and transfer operations.

With Acronis DeviceLock DLP, you can:

• Minimize insider threats. Prevent data leakage due to employee negligence or malicious insiders by blocking any unauthorized attempt to access or transfer data.
• Gain visibility into data protection. Reduce the complexity of data protection by using a single solution for thorough visibility over data flows and user behavior. Cut reporting times with powerful built-in reporting tools.
• Enforce process compliance. Reduce information security risks and comply with IT security standards and regulations by enforcing data use and handling policies that users cannot avoid.

Acronis DeviceLock DLP stops data leaks at the source and strengthens compliance with a solution that is easy to learn, deploy, and manage.

Acronis Cyber Protect recognizes ransomware’s malicious behaviors and stops them from wreaking havoc on your entire network. Integrated into Acronis’ cyber protection solutions, Acronis Cyber Protect’s machine-intelligence (MI)-powered anti-malware technology detects and stops ransomware and cryptomining malware attacks in real-time.

Acronis Cyber Protect uses machine intelligence to analyze massive volumes of computer processes that are known to be either safe or malicious in nature. From this analysis, Acronis creates machine intelligence models that can predict the value of a target process. When combined with behavioral heuristics, this model allows Acronis to detect and stop ransomware. As a result, Acronis’ solutions can deal with the most dangerous and sophisticated modern threats.

Completely compatible with the most common anti-malware solutions, Acronis Cyber Protect secures and protects all the data on your systems, including documents, media files, programs – even the backup files you create with Acronis. It also includes self-defense measures to keep malware from targeting Acronis backup software, ensuring your data, applications, and systems are safe.

Managed service partners (MSPs) can also deliver comprehensive cyber protection services to their clients, protecting them from ransomware attacks, including LockBit. Acronis Cyber Protect Cloud, the only MI-based solution for service providers that natively integrates cybersecurity, data protection, and management, allows MSPs to protect their clients better while keeping costs down.

In 2020, more than 1,300 victims of ransomware had their data publicly leaked, and in the first half of 2021, more than 1,100 data leaks have already been published. At this rate, we expect a 70% increase for the year. This means ransomware continues to be the number one threat to large and medium-sized businesses, including government, healthcare, and organizations in other critical industries. Attacks on remote workers have continued to grow and there are more attacks on data, including threats from insiders.

Last year, Forrester predicted that insider data breaches would rise 8% in 2021 and that a third of all incidents would be from internal causes. The latest research from the Verizon 2021 Data Breach Investigations Report confirms this prediction – suggesting that insiders are responsible for around 22% of security incidents. As people continue to work from home while accessing confidential company data, the number of insider cases will only grow.

While ransomware gangs are always adding new tools to their arsenal and developing new distribution strategies, Acronis DeviceLock DLP and Acronis Cyber Protect easily recognize and stop these behaviors, keeping your systems and data safe.