
Member Article

LockBit, Law Enforcement, and building operational resiliency

Mickey Bresman, CEO, Semperis

Another day, another installment in the LockBit saga. The latest development in the never-ending story of cyber-criminal gangs versus law enforcement agencies is nearly worthy of its own TV series. But what does it mean for you—the person who must defend your organisation and maintain its ability to operate amidst all the chaos?


The gang behind the curtain

The recent exchange of public statements between LockBit and the UK’s National Crime Agency (NCA) and its partners—including the US Department of Justice and the Federal Bureau of Investigation—appears to be something of a mind game. Still, this evolving situation gives us another peek behind the curtain of cyber-criminal activity.

Cyber criminals operate like any other organised operation. They have vendors and supply chains, like any typical company. And as in any business transaction, these relationships rely on a certain amount of trust. Of course, in the criminal world, trust is an expensive currency.

This warped sense of corporate pride is reflected in the statement from LockBitSupp, the person allegedly behind the LockBit operation.

Communication from LockBitSupp states: “The FBI states that my income is over 100 million dollars, this is true, I am very happy that I deleted chats with very large payouts, now I will delete more often and small payouts too. These numbers show that I am on the right track, that even if I make mistakes it doesn’t stop me and I correct my mistakes and keep making money. This shows that no hack from the FBI can stop a business from thriving, because what doesn’t kill me makes me stronger.

All FBI actions are aimed at destroying the reputation of my affiliate programme, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid.”

I find the emphasis interesting: “… I am on the right track,” LockBitSupp claims, and “…no hack … can stop a business from thriving.” The writer claims to be in the business of “pentest with postpaid,” which makes LockBit’s criminal ransomware endeavours sound almost legitimate.

This emphasises that cybercrime is a well-organised operation. As such, we need a well-organised defence to tackle it.

A never-ending battle

The fight between defenders and adversaries is an around-the-clock battle. As we’ve seen in previous cases, it was only a matter of time before the group resurfaced, either intact under a new name or with its members joining other ransomware groups. It’s just that few cybersecurity pundits thought they would reemerge so soon.

Make no mistake: The ransomware scourge of the past five years has captured the attention of CISA, the NCA, Interpol, the FBI, and other global law enforcement agencies. Their daily fight to disrupt the unlawful actions of LockBit, BlackBasta, CLOP, ALPHV, and numerous other gangs continues in earnest.

Yet LockBit is proving to be a double-headed snake. Although last week’s global seizure of its assets was a major achievement by law enforcement, it didn’t take long for the group to resume operations. With more than $100M stolen (according to law enforcement), the group has the means and the motivation to “get back to business” as soon as possible. It certainly wasn’t going to quietly fade away after being embarrassed by a contingent of global law enforcement agencies.

As always, we remind our customers to maintain an “assume breach” mindset. Cybercriminal activity doesn’t stop, nor does it slow down. You can never let down your guard against threat actors. Building operational resiliency, including a backup and recovery plan that prioritises critical assets like the identity infrastructure, is vital to protecting your employees, customers, and partners.

So, what can you do?

Most organisations know that it doesn’t pay to pay ransoms. But to be able to make a choice, you need a plan that gives you other options. Building organisational and operational resiliency into your digital ecosystem enables you to fight back and removes the reward that criminal ransomware gangs depend on. Here’s what building resiliency looks like:

· Immediately identify and assess your critical systems. Include infrastructure such as Active Directory (AD) and other identity repositories; 9 out of 10 cyberattacks target AD.

· Operate with an “assume breach” mindset. If you find one compromised system or one malicious activity (such as password interception), assume there are others that you have not discovered.

· Monitor for unauthorised changes in your identity infrastructure (for example, AD, Entra ID, Okta).

· Maintain real-time visibility into any changes to elevated network accounts and groups.

· Continuously back up your identity systems with a cyber-first approach in mind, enabling speedy, malware-free recovery.

· Maintain a copy of any compromised environment so that you can perform a full forensics investigation.
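One concrete way to act on the “monitor for unauthorised changes” and “real-time visibility into elevated groups” points above, as an added example that is not part of the original article or of any Semperis product: a small Python detector that scans Windows Security audit events, forwarded as JSON lines (a constructed sample), for membership changes to a watchlist of elevated AD groups. The event IDs are the standard Windows ones for security-enabled group membership changes; the group watchlist and the flattened field names (`EventID`, `TargetUserName`, `MemberName`, `SubjectUserName`, `TimeCreated`) are assumptions that mirror a typical log shipper’s output.

```python
import json

# Windows Security audit event IDs for membership changes to security-enabled
# groups: 4728/4732/4756 = member added, 4729/4733/4757 = member removed.
ADD_EVENT_IDS = {4728, 4732, 4756}
REMOVE_EVENT_IDS = {4729, 4733, 4757}
# Watchlist of elevated AD groups (assumption: adjust to your own tiering model).
ELEVATED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

def parse_event(line):
    """Parse one JSON-lines record (assumed log-shipper field names); None if malformed."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) and "EventID" in ev else None

def detect_privileged_group_changes(lines, watchlist=ELEVATED_GROUPS):
    """Return one alert dict per add/remove on a watchlisted group; logons,
    changes to ordinary groups and malformed lines are ignored."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        eid = int(ev["EventID"])
        if eid in ADD_EVENT_IDS:
            action = "added"
        elif eid in REMOVE_EVENT_IDS:
            action = "removed"
        else:
            continue
        group = ev.get("TargetUserName", "")  # the group being modified
        if group in watchlist:
            alerts.append({"time": ev.get("TimeCreated", ""), "event_id": eid,
                           "action": action, "group": group,
                           "member": ev.get("MemberName", "?"),      # DN of changed member
                           "actor": ev.get("SubjectUserName", "?")})  # who made the change
    return alerts

# Constructed sample: two elevated-group changes, a logon, an ordinary-group change, bad line.
SAMPLE_LOG = [
    '{"TimeCreated":"2024-02-20T03:14:07Z","EventID":4728,"SubjectUserName":"svc-backup","TargetUserName":"Domain Admins","MemberName":"CN=tmp-admin,CN=Users,DC=corp,DC=example"}',
    '{"TimeCreated":"2024-02-20T03:14:09Z","EventID":4624,"SubjectUserName":"jdoe"}',
    '{"TimeCreated":"2024-02-20T03:15:22Z","EventID":4729,"SubjectUserName":"hr-admin","TargetUserName":"Sales","MemberName":"CN=asmith,CN=Users,DC=corp,DC=example"}',
    '{"TimeCreated":"2024-02-20T03:16:01Z","EventID":4732,"SubjectUserName":"svc-backup","TargetUserName":"Administrators","MemberName":"CN=tmp-admin,CN=Users,DC=corp,DC=example"}',
    "not json at all",
]
```

Calling `detect_privileged_group_changes(SAMPLE_LOG)` returns two alerts, both for the tmp-admin account being added to Domain Admins and then Administrators by the svc-backup account, which is exactly the kind of change a backup service account should never be making.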

The ransomware scourge needn’t cripple organisations. With proper planning and an organisational approach to securing critical assets, you can watch the drama unfold rather than get caught up in it.


This was posted in Bdaily's Members' News section by Semperis.
