Thousands of organizations fall victim to hackers these days. The number of victims is growing very quickly. Ransomware is the main threat to small- and medium-sized businesses, as well as to government agencies and other organizations.
What Is Ransomware?
According to Forrester analysts, the number of data breaches due to insiders compromising their companies’ own systems will grow by 8 percent by the end of 2021. Moreover, a third of all incidents will have exclusively internal causes. And according to the Verizon 2021 Data Breach Investigations Report, insiders are responsible for 22 percent of security incidents.
Insider threats pose a serious problem because they are hard to detect. Unlike external attackers, insiders already have legitimate access to data and systems, and most security tools and policies are not designed to defend against misuse of that access. Malicious insiders have different motives and methods, and an insider can be anyone. Below is a short list of recent insider incidents of different types:
One person leaked data after being fired.
Another worker stole trade secrets to start his own company.
A negligent employee exposed 250 million user records.
Work-from-home employees were tricked by a phishing attack.
LockBit and its Breakthrough Strategy: Bribery
LockBit was first spotted in September 2019. It is offered as ransomware-as-a-service (RaaS) and can spread on its own across local networks very quickly. The criminals distributing LockBit began by looking for insiders in various corporations and striving to build “business relationships” with them: targeted employees are paid for their help in breaking through the corporate security perimeter. The group demands less money from victims than other ransomware gangs do, and it shares part of the ransom (sometimes as much as 70-80 percent) with the malicious insiders.
Although news about LockBit infections is not published on the front pages of top websites, this malware turns out to be really effective. The LockBit group recently successfully encrypted the information systems of the UK rail network Merseyrail. Cybersecurity experts report that LockBit breached plenty of organizations from a wide variety of industries.
This strategy of bribing potential insiders is a dangerous sign for any business, because it does not depend on the size or profile of the company. Sooner or later, an employee who feels wronged will be unable to resist a large payment, even though such actions are a criminal offense in most countries.
New Features of LockBit
It is worth mentioning some of the new LockBit tricks introduced in the 2.0 release of this malware. One of them sets this ransomware apart from the rest: it automates encryption across a Windows domain using Active Directory Group Policy. After gaining the necessary privileges, LockBit creates a new Group Policy at the domain controller level, and the new rules then apply to every device in the domain. This feature demonstrates what to expect from newer versions of other ransomware families, as malefactors increasingly rely on process automation and AI.
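As an added defender-side illustration (not part of the original article), the following Python flags the two Active Directory audit events that the Group Policy technique above produces on a domain controller: a new groupPolicyContainer object (Security event 5137) followed shortly by a change to the domain object's gPLink attribute (event 5136). The sample records are constructed for this example; the field names follow the event XML, and the allow-list of GPO administrators is an assumption.

```python
import re
from datetime import datetime, timedelta

GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)

# Constructed sample records shaped like Windows Security events 5137
# (directory object created) and 5136 (directory object modified);
# field names follow the event XML, the values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 5137, "TimeCreated": "2021-07-20T02:13:05", "SubjectUserName": "svc_backup",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={3E5C7A1B-9D2F-4C8E-A6B0-1F2E3D4C5B6A},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 5136, "TimeCreated": "2021-07-20T02:13:41", "SubjectUserName": "svc_backup",
     "ObjectClass": "domainDNS", "ObjectDN": "DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": "[LDAP://cn={3E5C7A1B-9D2F-4C8E-A6B0-1F2E3D4C5B6A},cn=policies,cn=system,DC=corp,DC=example;0]"},
    {"EventID": 5137, "TimeCreated": "2021-07-19T10:00:00", "SubjectUserName": "gpo.admin",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={A1B2C3D4-E5F6-4789-8ABC-DEF012345678},CN=Policies,CN=System,DC=corp,DC=example"},
]

def find_suspicious_gpo_activity(events, allowed_accounts, link_window=timedelta(minutes=15)):
    """Return findings for (a) GPOs created by accounts outside the allow-list and
    (b) a freshly created GPO being linked at the domain root within link_window."""
    created = {}   # GPO GUID -> (creation time, creating account)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["TimeCreated"])
        who = ev["SubjectUserName"]
        if ev["EventID"] == 5137 and ev["ObjectClass"] == "groupPolicyContainer":
            m = GUID_RE.search(ev["ObjectDN"])
            if m:
                guid = m.group(0).lower()
                created[guid] = (ts, who)
                if who not in allowed_accounts:
                    findings.append(("gpo_created_by_unapproved_account", who, guid))
        elif (ev["EventID"] == 5136 and ev.get("AttributeLDAPDisplayName") == "gPLink"
              and ev["ObjectClass"] == "domainDNS"):
            # gPLink on the domain object changed: each GUID in the new value is a linked GPO
            for guid in (g.lower() for g in GUID_RE.findall(ev.get("AttributeValue", ""))):
                if guid in created and ts - created[guid][0] <= link_window:
                    findings.append(("new_gpo_linked_at_domain_root", who, guid))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_gpo_activity(SAMPLE_EVENTS, {"gpo.admin"}):
        print(*finding)
```

Events 5136 and 5137 are only written when "Audit Directory Service Changes" is enabled on the domain controllers, so the check is worthless without that audit policy.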
But for LockBit, that is not all. Another feature of the updated ransomware is the Print Bomb: after the network is infected, every reachable printer starts printing ransom notes. As a result, many people working for the company (as well as visitors) learn about the attack. Not a good look.
How Ransomware Operators Get Their Money
Ransomware gangs use many ways to push victims into paying faster:
If money does not come in time, hackers threaten to put stolen data online for everyone to see.
They also threaten to destroy data completely if a ransom negotiation firm steps in.
Hackers launch DDoS (distributed denial of service) attacks that flood the victim’s sites and servers with traffic, making them temporarily or indefinitely unresponsive.
Malefactors launch advertising campaigns on Facebook and other social media sites informing people about the data breach and weak defenses of the attacked company.
How to Stay Safe
The growing ingenuity of malware developers has surprised experts on more than one occasion. To protect against ransomware and insider threats, you need to build several layers of security:
Run regular backups of critical system files and data.
Use security tools that can detect suspicious network behavior.
Deploy a data loss prevention (DLP) system to keep a bribed insider from handing attackers an administrative account or other valuable information. DLP systems let network admins monitor which systems, devices and data company users access, copy, delete or share.
Screen new and existing employees using lie detectors and running background checks.
Introduce insider threat awareness training for all employees.
Monitor facilities with cameras (preferably with night vision and motion sensors).
Enable session-capture technology on devices and servers accessed by privileged users.
Keep operating systems and all software up to date.
Use VPN services to encrypt all traffic coming to and from remote workers.
Instruct employees to avoid clicking suspicious links and email attachments.
Carefully control remote access from all devices. Restrict remote desktop connections (RDP), applying the least-privilege approach whenever possible.
Implement strict account management and password policies and practices.