October 16, 2020

Ransomware Protection from Lockbit Ransomware


Lockbit ransomware on the loose

If security and business leaders did not already have enough to worry about in an unprecedented 2020, add cybercriminals’ upping the ante with double-extortion ransomware campaigns to the list. Ransomware protection for sensitive data is increasingly becoming a top priority for most enterprise information security teams. No longer content to just forcibly encrypt a victim’s files, sit back and wait for ransom payments before restoring access, operators of the Lockbit ransomware crew are setting up public “leak sites” to tease snippets of the files they have both encrypted and stolen. 

This is cybercrime’s version of a “belt-and-suspenders” approach to extortion: If a victim refuses or hesitates to pay to unlock their files and restore productivity, the fear of doxxing and leaking could compel them to pay faster, bigger ransoms. This becomes more likely when the nature of the data could lead to messy reputational, legal or regulatory crises for the victim, if the data is exposed.

It is hard to imagine criminals honoring a pledge to actually destroy stolen files – their leverage – if you pay them to do so. Yet, there are wider accounts of payments premised on this which are both alarming and unsettling. After all, much like giving a schoolyard bully your lunch money – what is to keep an obviously unscrupulous attacker from taking the bitcoin, deciding not to delete your files and simply extorting you again?

Deadlines, data leaks and other pressure tactics also help ransomware operators stay ahead of digital forensics and incident response investigations. Often a thorough DFIR tear-down is necessary to ensure an intruder has been conclusively expelled from your environment. Attackers realize this, so forcing a faster payment in the short term is their calculated bet on coercing a payout before incident responders have enough time on the playing field. Ideally, for the adversary, a victim pays and it is “case closed” for a time, while the attacker quietly persists on the inside and reserves the option of launching an attack all over again.

As a security practitioner in financial services and other industries before joining VERA sales engineering, I have been fighting evolving ransomware in the wild for years. In 2012, these attacks had not been dubbed “ransomware” yet and were usually missed by anti-malware tools. Back then, my teams caught them in the act when we looked for anomalous processes being executed on, for example, Microsoft Word files at scale. Hunting threats in this manner is a good reminder of the need to know exactly where your assets are, and keep this map updated faster than adversaries can.


Follow and protect your data from ransomware – before your attackers do


There is plenty of debate on ransomware’s “To Pay Or Not to Pay” dilemma – but how do we avoid that wrenching decision in the first place? What keeps an organization from reaching the tipping point where paying feels like the only way out? Boil everything down, and it is all about who holds the high ground of file control – what we specialize in delivering at VERA.

Our file-focused security platform is an ideal defense for keeping critical files safe from ransomware’s effects, particularly for organizations that cannot realistically pull back from sharing data to collaborate across departments and third parties, each with different workflows, devices and security.


Ransomware protection of your files when ransomware arrives


First, when you create and manage files in VERA’s platform, they look and feel like normal files to you and teammates. However, our technology architecture applies an HTML wrapper to files, making your sensitive data appear as HTML files to malicious code detonating on a network. This aspect of our platform adds an automatic measure of immunity and resilience, because many ransomware variants are not designed to hunt down HTML files in the first place, prioritizing traditional document, spreadsheet and operating system file extensions, instead. 

Second, VERA also flexibly supports the widest range of files possible, from confidential slide decks showing forecasts in financial services to complex design blueprints containing the intellectual property powering networked and robotics-driven manufacturing of apparel, semiconductors or machinery. If you currently rely on different, piecemeal collaboration and file management platforms to handle these files, you could be inviting needless risk because ransomware operators are out to hit the most valuable (complex and near irreplaceable) files and their back-up paths, first. Losing an entire production line, HR systems or a near-completed film project – because of one exposed file – is unthinkable for our customers, which is why they choose VERA as the centralized foundation of their creativity, collaboration and resilience strategies.

Cybercriminals always bet on the complexity of connectivity and chaos the moment something bad happens, whether an attacker’s goal is simply to collect a ransom – or do something else nefarious behind a loud “Ransomware!” smokescreen. Game planning for every attack scenario becomes exhausting. No organization can predict every tomorrow, but as criminals relentlessly push the extortion envelope, those of us protecting assets have to invest in defense at every scheme’s common thread – getting control of files, in time. Contact us to learn how VERA can help you with ransomware protection against Lockbit ransomware and other variants.