Lockbit Ransomware

By Ashwin Venugopal -

 






What is Lockbit Ransomware?

It is a dangerous software designed to block user access to computer systems. Formerly known as "ABCD" ransomware, Lockbit is a subclass of 'crypto virus' mostly interested in government organizations and enterprises rather than individuals. Its past targets includes India, USA, China, Indonesia, Ukraine, France, UK, and Germany. Presumably, it avoids attacking systems local to Russia or other countries within the Commonwealth of Independent States. This might be done to avoid prosecution in those areas. 

Lockbit also works as a ransomware-as-a-service (RaaS), where willing parties pay for hire attacks and profits under an affiliate framework. 

How Does Lockbit works?

Lockbit ransomware is considered to be a part of the "LockerGoga & MegaCortex" malware family because it shares some attributes of this malware group. Firstly, Lockbit exploits the weakness of a network via phishing email or brute force attack to get inside a network. Once inside, the ransomware gets ready to release its encrypted payload across every device. 

It infiltrate deeper into the network to complete the attack setup. At this point, the ransomware takes all the preparatory measures before deploying the encrypted portion. it includes disabling the security programs and any other infrastructure meant for system recovery. Their main goal is to make the unassisted recovery impossible or very slow. 

Once everything is done in favor of Lockbit, the ransomware starts to multiply itself within the network. The encryption portion will place a "lock" on all the system files that can only be unlocked via a decryption key provided by the Lockbit group. During the entire process, a ransom note also flashes on the victim's screen with instructions to restore their system and threatening blackmails. 

Now, everything is left upon the victim. However, it not advisable to give in to their demands, as the ransomware group may not even complete their end of bargain.

Protection Against Lockbit

Following steps might help in protecting a system against such ransomware attacks:
  • Implement strong passwords.
  • Activate Multi-Factor Authentication (MFA).
  • Simple user account permissions. 
  • Clear unused and outdated user accounts.
  • System configurations to strictly follow all security procedures.
  • Always have system backup in a remote configuration.
  • Have updated cybersecurity solution in place. 

 Conclusion

Lockbit is a dangerous ransomware laced with advanced tactics and methods. Hence, strict protective measures should be taken against such ransomwares to avoid their successful targeted attacks.















































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more