Op-Ed: LockBit’s persistence in Australia and the region is a wake-up call for least privilege

As a threat, LockBit has been the subject of a series of government warnings over the years, coinciding with the evolution of the malware, which is now on its third iteration.

The operators have consistently succeeded in targeting large organisations, both in Australia and regionally, with one of Japan’s major shipping ports in Nagoya among LockBit’s most recent victims.

The most recent statistics for Australia, collected by the Australian Cyber Security Centre (ACSC), show that LockBit “made up 18 per cent of total reported Australian ransomware incidents” in the 12 months to 31 March this year. This included attacks using all variants of the ransomware, not just the latest 3.0 version. From a global perspective, this is broadly on par with other geographies, where LockBit is typically responsible for somewhere around one in every five ransomware incidents.

The most recent reported encounter in Australia was on 21 April, a mere three weeks prior to the ACSC’s statistics being published – which highlights the active threat that LockBit poses.

LockBit’s “success” has, in part, been driven by its use of innovative techniques.

The group often makes use of a “double extortion” technique, where data is stolen as well as encrypted on the victim’s systems. This allows LockBit to threaten to publish the data on its data leak site if the ransom is not paid. In addition, the malware is shopped on an as-a-service basis to networks of criminal affiliates, who both pay a deposit to use LockBit and agree to share any ransom payments. LockBit reportedly allows some operators to keep as much as 75 per cent of the ransom payments, which provides a huge incentive to work with them.

One of the challenges of this model, made clear in an advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA), is that each affiliate will have its own preferred tactics, techniques, and procedures (TTPs).

While all affiliates are using LockBit ransomware in the final stages of the attack, the techniques they used to get to that point will vary wildly. This makes it hard to issue clear guidance on how exactly to prevent LockBit attacks.

VIEW ALL

That being said, many of the TTPs exploit user privileges, weak security around remote access, and application controls.

As a result, being able to control privileges and application execution using endpoint privilege management solutions combined with a secure remote access tool, such as Privileged Remote Access, are highly effective mitigations against the techniques used by LockBit and other threat actors to gain an initial foothold in environments.

In addition to this, most of the later stages of the attack also exploit environments with excessive privilege, broad access, and lack of application control because these are the environments where they can inflict the most damage.

Controlling privileges and access

The continuing threat posed by LockBit should act as a global wake-up call to review access controls, permissions and privilege management, with a view to enabling least privilege on all IT environments.

Six years ago, G. Mark Hardy, president of National Security Corporation, declared privilege management “an underrated secret weapon against ransomware”.

“Ransomware is not magic,” he opined. “It can only run with the privileges of the user or the application that launches it. Ransomware cannot ‘cheat’ and bypass system privileges. In many cases, it doesn’t have to – enterprises leave far too many rights turned on either as a matter of culture (‘Don’t you trust me?’), laziness (takes too much work), or ignorance of tool sets that can manage access control at scale.”

Controlling privileges and access remain two of the core components of a robust anti-ransomware defence-in-depth strategy. Put simply, the less privilege and access an attacker has in an organisation, the less damage they can do and the more likely they are to move on to an easier target.

Organisations are advised to ensure least privilege at all times using endpoint privilege management technology that can remove local admin rights without impacting the user experience and which can ensure only the processes (or, at worst, the application) get elevated – never the user. A privilege access management solution can be put to work to discover and bring administrator accounts under management, automatically rotate passwords and control access based on policy.

Other effective mitigations include moving towards zero-trust architectures where the focus is on giving users just the access they need in a way that is controlled and auditable. This limits the ability of attackers to encounter users with credentials that offer overly broad access to systems, which they can use either as an initial entry point or to escalate an infection.

The use of multifactor authentication (MFA) is also highly recommended, but it should not be used in isolation. Many organisations have fallen victim to MFA fatigue or token hijack attacks, where attackers were able to leverage this to gain broad access to networks and systems.

Finally, application control, in combination with privilege management, is a powerful defence against a range of security threats. While it seems like a daunting task when combined with privilege management, it can become very achievable.

Scott Hesford is the director of solutions engineering for Asia-Pacific and Japan at BeyondTrust.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.