The gang behind LockBit Ransomware-as-a-Service (RaaS) appears to have been quite busy lately, judging by their compromise of a top global consulting firm yesterday, reportedly taking encrypted data from the company and demanding $50 million in ransom not to publish it.
LockBit has gained huge popularity among threat actors since the first version of the ransomware family appeared in September 2019. It is distributed via various underground forums, and targets victims in the United States, Canada, Europe, Asia, and Latin America.
LockBit uses a double-extortion technique to pressure victims into paying the ransom as quickly as possible: data is encrypted locally and also exfiltrated to the malware operators before the ransom demand is made. If the victim refuses to cooperate with the threat actors, their data is published to LockBit’s leak site, titled "Leaked Data," which is currently located on the dark web at hxxp[:]//lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion.
At the time of writing this blog, there were 61 victims listed on their TOR site. New victims are added to the list nearly every day.
BlackBerry Cyber Suite and BlackBerry Guard stop these attacks.
BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are both well-equipped to mitigate the risks posed by threat actors:
- BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement.
- BlackBerry® Optics extends that prevention by using artificial intelligence (AI) to stop security incidents before they unfold. It provides AI-driven incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.
- BlackBerry recommends the following BlackBerry Optics rules be activated to provide additional telemetry from a LockBit malware attack:
- Win Boot Persist MITRE T1547
- Unsigned Application Network Beaconing
- Win command cmdc NonSYS MITRE T1059
- Win Inhibit System Recovery MITRE T1490
- Win BootRecoveryMeasure Deletion MITRE T1107
- Shadow File Deletion (MITRE)
- The BlackBerry Mobile Threat Defense (MTD) solution prevents and detects advanced malicious threats at the device and application levels. It combines the mobile endpoint management capabilities of BlackBerry® Unified Endpoint Manager (UEM) with advanced AI-driven threat protection, to get in front of malicious cyberattacks in a Zero Trust environment.
- BlackBerry® Persona creates trust based on behavior analytics, app usage, and network and process invocation patterns. It uses adaptive risk scoring to provide continuous authentication.
- BlackBerry Guard customers are proactively protected from LockBit malware attacks. Our 24/7 MDR solution customers receive:
- Alerts monitored in real time
- Corrective policies applied while discovering gaps in policy implementation
- Prioritized threat hunting
- The latest threat intelligence for fast-moving threats
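The Optics rules listed above for system-recovery inhibition (MITRE T1490) and shadow copy deletion watch for the commands ransomware runs to stop a victim from restoring files. As an added illustration of what such a detection looks for, here is a small Python check over constructed process-creation events; it is not BlackBerry's rule logic, and the event records and the command-line patterns are assumptions drawn from the publicly documented T1490 technique, not from the page.

```python
import re

# Constructed sample process-creation events (not from the page or a real incident).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4188, "parent": "cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 4201, "parent": "cmd.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 4210, "parent": "services.exe", "cmdline": "vssadmin list shadows"},  # benign: listing only
    {"pid": 4250, "parent": "cmd.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 4300, "parent": "explorer.exe", "cmdline": r"notepad.exe C:\Users\a\notes.txt"},
]

# Illustrative detection rules: rule label -> command-line pattern (case-insensitive).
# Labels mirror the spirit of the Optics rule names above; they are not the vendor's definitions.
RULES = [
    ("Shadow copy deletion (T1490)", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("Shadow copy deletion via WMI (T1490)", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Boot recovery measure disabled (T1490)", re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I)),
    ("Backup catalog deletion (T1490)", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]


def detect_recovery_inhibition(events):
    """Return one (rule_label, pid, cmdline) tuple per event whose command line
    matches a recovery-inhibition rule. Events are checked in order, so the
    result preserves the timeline of the input."""
    hits = []
    for event in events:
        for label, pattern in RULES:
            if pattern.search(event["cmdline"]):
                hits.append((label, event["pid"], event["cmdline"]))
    return hits


if __name__ == "__main__":
    for label, pid, cmdline in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"[{label}] pid={pid} parent-spawned: {cmdline}")
```

Only the destructive forms match; a plain `vssadmin list shadows` is ignored, which keeps routine backup administration out of the alert stream.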
Prevention First
At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill chain.
By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience. It also helps reduce infrastructure complexity and streamline security management to ensure your business, people, and endpoints are secure.
BlackBerry Assistance
The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.
For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form.
Learn more about the latest cybersecurity threats and threat actors in the BlackBerry 2021 Annual Threat Report.