LockBit ransomware – Don’t be the next victim!!
Recently, many organizations have been targeted by LockBit ransomware. In one such case, the ransomware breached a company’s network via a hacked device and spread widely to the rest of its systems, rendering all of the company’s data inaccessible and disrupting all of its services. The company received a message stating that its servers had been compromised, including virtual servers and backup servers. The hackers then demanded a huge ransom for the decryption of the data. This caused two months of disruption to the company’s services and immeasurable damage to its business.
This is a terrifying situation for any company or individual, but it could have been avoided. Read on to find out how.
First of all, what is LockBit ransomware and how does it work?
LockBit ransomware is part of the “LockerGoga & MegaCortex” malware family. Ransomware is malicious software designed to block access to computer systems so that hackers can extort large ransom payments. LockBit searches for vulnerable targets and encrypts every computer system it can reach on that network. LockBit has made headlines by targeting and threatening some rather large organizations across the globe. The impact of such an attack can be catastrophic, causing major disruption to business, data theft and the threat of illegal publication of private data. LockBit is particularly dangerous because of its ability to self-propagate and spread across a network on its own.
How to protect against LockBit ransomware
Firstly, there are some simple measures you can take yourself. You may already have them in place; even so, it’s advisable to check regularly that they are still in place and working as expected.
Strong passwords and multi-factor authentication – Breaches sometimes occur simply because of weak passwords. We recommend using an online password manager such as Lastpass or Bitwarden. We also recommend enabling two-factor authentication; this is simple to do once you log in to your V2 Cloud account and provides a second line of defense at login.
Delete unused user accounts – You may have accounts sitting idle that belonged to former employees. These accounts have most likely not had their passwords updated in some time and should be closed.
Review your own security procedures – It is essential that you review your own security procedures and make sure that your organization conducts a regular assessment of these procedures to ensure that you are protected against any new cyber threats.
Back up your data – This should go without saying, but it is worth reminding you that the best safeguard against permanent data loss is a robust backup strategy. Keep multiple rotating backups so that if one backup point is infected with malware you can roll back to a clean one.
Additional third-party security solutions – You may want to deploy enterprise-grade cyber security protection software, which may catch an infected file before it has the chance to spread across the entire network. Note, however, that LockBit can hide the encrypting executable by disguising it as a common .PNG image file.
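The masquerading trick just described can be caught by checking a file’s header rather than trusting its extension. The scanner below is an added example, not code from the original post or from V2 Cloud; the sample files it scans are constructed inline in a temporary directory.

```python
import os
import tempfile

# Magic bytes checked against the extension (added example, not V2 Cloud code).
PE_MAGIC = b"MZ"                    # DOS/PE executable header
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"    # genuine PNG header
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}

def classify(path):
    """Return 'pe', 'png' or 'other' from the first bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PNG_MAGIC):
        return "png"
    return "other"

def find_masquerading_executables(root):
    """Return paths under root whose extension says image but whose
    content is a PE executable; these warrant quarantine and review."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in IMAGE_EXTENSIONS:
                path = os.path.join(dirpath, name)
                if classify(path) == "pe":
                    hits.append(path)
    return sorted(hits)

def demo():
    """Write a constructed sample tree to a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "logo.png": PNG_MAGIC + b"\x00" * 16,        # real image
        "invoice.png": PE_MAGIC + b"\x90\x00" * 32,  # executable in disguise
        "notes.txt": b"plain text",                  # extension not an image
        "setup.exe": PE_MAGIC + b"\x00" * 16,        # executable, honest name
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return [os.path.basename(p) for p in find_masquerading_executables(root)]

print(demo())  # ['invoice.png']
```

Only the file whose name claims an image but whose content starts with a PE header is reported; an honestly named executable is left to the usual controls.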
How does V2 Cloud keep you safe?
V2 Cloud delivers a high standard of security and privacy for customers across the various aspects of their computing. V2 Cloud has attained the international auditable standards ISO 27001, 27017 and 27018 by setting best practices for data privacy, security, and information governance that are applied to processes, IT systems and people, and by establishing and maintaining a company-wide Information Security Management System (ISMS). We list below just a few of the mechanisms we employ to keep your servers safe.
Root Access & Operating System Security – Customers retain full and sole access to their data at the file system level; the V2 Cloud system has no access inside VMs or drives. All customer data is handled automatically by our system, including activities such as drive deletion and scheduled deletion (for deprecated accounts). V2 Cloud makes no copies of client drive data, so the sole copy resides in our cloud unless the customer chooses to clone the drive to another storage system or location.
Patching – A large selection of operating systems is provided in the drive library. We ensure that security vulnerabilities are regularly patched, enabling end users to deploy virus-free, vulnerability-free operating systems for their VMs on first boot. Software upgrades and system patches at both the operating system and application layers are applied without service disruption, thanks to the redundant and clustered architecture of the solution.
Two-Factor Authentication – As mentioned above, V2 Cloud customers can use two-step verification when logging in to their accounts. It increases the security of the cloud platform account by requiring a unique six- to eight-digit code, which users must provide in addition to their username and password to log in to the cloud platform UI.
Access Control Lists (ACLs) – Account administrators can use ACLs to allow or restrict access to different resources or a group of resources across the account. The account administrator delegates permissions to each account and lets each user log in to the web console with their own user credentials. ACLs enable a very granular control over the account’s permissions and budget, resulting in higher levels of transparency and security. For each module, it is possible to delegate either read-only or read-write permission.
Key Management – Secure access to end-user VMs uses SSH key pairs. This lets users run commands on a machine’s command line without being physically present at the machine; essentially, it establishes a secure channel over an insecure network.
Technical Audit – All customers of the V2 Cloud platform are entitled to perform security, operations and processes auditing in relation to the services that we provide. The audit can be performed by the customer or a third party authorized by the customer. Please contact our support to find out more.
Network Security & Traffic Separation (Data in Transit) – V2 Cloud leverages the open source KVM hypervisor to provide full separation of all traffic between client accounts below the virtual machine level. No end user can view traffic of any other end user. This is achieved through full packet inspection of all packets entering and leaving VMs by Linux KVM. KVM implements a virtual switch for every network interface of each VM. Acceptable traffic paths (i.e. to other VMs in the user’s account) are instantiated on boot and updated as VMs are added to and removed from networks (i.e. end-user private networks in the cloud). In addition, end users can apply virtual firewalls at the hypervisor level that enforce additional rules.
Storage Separation (Data at Rest) – Users can keep data private and secure by ensuring the operating system/file structure is fully encrypted using technologies such as KVM for Linux distributions or Truecrypt for Windows environments. While this approach doesn’t eliminate the potential for data leakage, it renders any leaked data completely unusable to others. However, it can be somewhat disruptive: if, for example, an encrypted server crashes, manual procedures are required to regain access to the encrypted data on reboot. Customers can also apply encryption to the drive on creation. This does eliminate the possibility of data leakage and ensures that any new data is encrypted automatically as it is written.
Intel-SGX – Intel Software Guard Extensions (Intel-SGX) helps protect data in use through application isolation. Developers can partition their application into hardened enclaves, or trusted execution modules, that protect selected code and data from disclosure or modification. Enclaves are trusted execution environments (TEEs) that use a separate portion of memory, encrypted for the TEE’s use. Customers can select Software Guard Extensions when provisioning a server and allocate RAM to that server. Intel-SGX is an additional security measure that benefits companies working with sensitive and confidential data: it ensures the integrity and confidentiality of computations in systems where privileged processes are deemed untrustworthy, so data in the enclave remains protected even if the cloud servers are compromised.
Data Encryption – V2 Cloud supports partial or full (boot-level) encryption of virtual drives. As a best practice, we recommend that end users perform boot-level encryption of sensitive data and retain the keys outside our cloud. The cloud platform currently supports a number of customers running fully encrypted data storage alongside their services in the cloud. End users can also connect to their VMs using encrypted protocols to protect the integrity of login and other data they transmit to and from their servers.
Typical end-user use cases for encryption are when a hosted processing provider stores sensitive end-user information, or when a service provider wishes to store proprietary data that needs additional protection. In these cases an encrypted partition can be created for that specific data, or a separate virtual drive with full file system encryption can be used. In this way the end user providing the service can combine the best performance for data that does not need encryption with high security for the data that does.
V2 Cloud has extensive experience of encrypting drive data using numerous encryption approaches, such as Cryptsetup, dm-crypt, FDE, TrueCrypt (VeraCrypt), as well as lower-level block storage encryption via ZFS and is happy to work with end users to ensure the right encryption is implemented to reflect their requirements.
Although I haven’t covered everything in this post, I hope the information I’ve highlighted here offers some reassurance regarding your security. With a proactive approach and the right infrastructure provider, you can secure your servers against these kinds of ransomware attacks.