Freely subscribe to our NEWSLETTER

LockBit is proving to be a double-headed snake and while last week’s global seizure of its assets and infrastructure appears short-lived, it isn’t surprising. Afterall, this cybercrime group has stolen more than $100 million in ransom payments in the last year alone. They weren’t going to go quietly in the wind after being embarrassed by a contingent of global law enforcement agencies.
Overall, the fight between defenders and adversaries is an around-the-clock battle and it was only a matter of time before the group resurfaced in its entirety or its members joined other ransomware groups. Make no mistake that the ransomware scourge of the past five years has gotten the attention of NCSC, Interpol, FBI and other global law enforcement agencies. They fight on a daily basis to disrupt the unlawful actions of LockBit, BlackBasta, CLOP, ALPHV and numerous other gangs.
I was cautioning Semperis’ customers and partners last week not to lose sight of the fact that LockBit would resurface and to always have an assumed breach mindset. You can never let your guard down against threat actors and building operational resiliency, including a backup and recovery plan is vital to protecting critical assets of your employees, customers and partners.
And overall, it doesn’t pay-to-pay ransoms, ever, unless your organisation is in a life and death situation. No organisation has ever paid its way out of ransomware. But organisations can fight back and make it so difficult for ransomware gangs to breach them, that the bad actors will look for softer targets. Building organisational and operational resiliency includes the following:
1. Immediately assess what their critical systems are, including infrastructure such as Active Directory (AD), because nine out of 10 cyberattacks target it.
2. Operate with an assume breach mindset. IF you find one compromised environment or one malicious malware (such as password interception) assume that there are others that you have not discovered.
3. Monitor for unauthorised changes occurring in their AD infrastructure and have real-time visibility to changes to elevated network accounts and groups,
4. Backup your systems and then perform a clean recovery of your environment and have a fast means of performing a clean recovery so they can get back on their feet as soon as possible.
5. Make sure to save the compromised environment to perform a full forensics investigation.