
How to Contain LockBit Ransomware with Illumio

The risk of ransomware is top of mind for many organizations.

With new attacks constantly in the headlines, the topic is impossible to avoid. Most organizations now operate under the assumption that at some point they will be breached. The best way to prevent a cyber disaster is to plan for this and protect your organization accordingly.

Illumio helps organizations prevent cyber disasters by stopping east-west lateral spread. With Illumio, when that breach occurs, it will quickly be contained. Illumio keeps the attack from progressing past the first workload it hijacks and prevents the loss of valuable data.

Today, we'll walk you through a real use case with LockBit to illustrate the following:

  • What is LockBit?
  • What does this look like in the real world?
  • How you can address this with Illumio, step by step

Breaches are scary, but Illumio can help you be prepared.


What is LockBit?

LockBit is a group running ransomware-as-a-service since 2019 that's been making headlines. While commonly known as ABCD ransomware, LockBit has now grown into a major threat, accounting for 48% of known attacks in 2022.

LockBit is malicious software that targets organizations through email attachments and cascading file system infections. Unlike other types of ransomware which focus on businesses and individuals, LockBit mainly affects businesses and government organizations.

Once a device is infected, LockBit spreads to other devices on the network via SMB and PowerShell. The focus of these attacks is on Windows and Linux devices.

Let's look at a real example of this organization in action.

A real-world example: LockBit ransomware attack

LockBit is impacting businesses and agencies throughout the world. As recently as last summer, a large multinational organization that employs more than 150,000 people was hit with ransomware. LockBit claimed responsibility for the attack and said it was able to steal data.

The organization was able to maintain control of its IT systems and took defensive measures to restore their full integrity. It began working with a third party to investigate the incident. As of late fall, it was still investigating the issue.

When these situations arise, they can be incredibly costly and time-consuming to resolve. More than three months later, the investigation was still ongoing. This is a common reality for organizations hit with all types of attacks.

Illumio aids organizations in rapidly responding to these situations to limit the impact of an inevitable breach. This can save time and money on a costly investigation.

How to approach this ransomware scenario with Illumio

Visibility is key

I am alerted about a risk that LockBit may have gotten into one of our Windows 10 machines. The first critical step in this situation is to understand how many devices could potentially be impacted.

Using Illumio's Illumination Plus, I can group my traffic based on OS (operating system):


This gives me a clear view of my devices by OS. I can see if there is any active traffic between Windows 10 devices and others throughout my organization to make informed decisions about what to do next. A key thing to note is that this traffic is visible in real time, so there is no need to wait or to worry that the view is out of date. I know I have access to the most current information within my organization.


Now that I understand there is currently traffic between my Windows 10 devices and other devices throughout my organization, I need to rapidly formulate a plan to shut down the traffic between these devices. I know LockBit commonly uses SMB and PowerShell to move throughout a network, so I will start by doing some threat analysis.

Next, I will move impacted devices to quarantine and shut down SMB and PowerShell anywhere I know it isn't needed.

Rapidly build deny rules to prevent spread

To do this, I will need to create a deny rule within Illumio. These are referred to in the product as Enforcement Boundaries. First, I will create a new rule with a name such as "Block SMB and PowerShell".

When I click save, Illumio immediately guides me to a page where I can see all potentially blocked connections by this new rule. This is a great way to check out where the impact is and understand what could be affected before I put the rule in place.


After reviewing which traffic will be impacted, I click provision to apply the new policy. If there are instances where I need this traffic to continue, say, for example, allowing Windows Workstations to still access a specified File Server over SMB, I can make exceptions with allow rules.
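
The same preview-before-provision check can be run over exported flow data. The following is an added example, not Illumio's code, API or rule syntax: the flow records, host names and rule structures are constructed for illustration, and the ports assume SMB on TCP 445 and PowerShell remoting (WinRM) on TCP 5985/5986.

```python
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src src_os dst port")

# Assumption: SMB uses TCP 445; PowerShell remoting (WinRM) uses TCP 5985/5986.
DENY_PORTS = {445: "SMB", 5985: "WinRM HTTP", 5986: "WinRM HTTPS"}

# Hypothetical allow exception: Windows 10 workstations may still reach one
# named file server over SMB. Exceptions are checked before the deny rule.
ALLOW_EXCEPTIONS = [{"src_os": "Windows 10", "dst": "fs-01", "port": 445}]

# Constructed sample flows (not real traffic).
FLOWS = [
    Flow("ws-01", "Windows 10", "ws-02", 445),
    Flow("ws-01", "Windows 10", "fs-01", 445),
    Flow("ws-02", "Windows 10", "db-01", 5985),
    Flow("ws-03", "Windows 10", "web-01", 443),
    Flow("adm-01", "Windows Server 2019", "ws-03", 5986),
    Flow("lnx-01", "Linux", "fs-01", 445),
]

def matches_exception(flow):
    """True if every field of some allow exception equals the flow's field."""
    return any(
        all(getattr(flow, field) == value for field, value in rule.items())
        for rule in ALLOW_EXCEPTIONS
    )

def preview(flows):
    """Split flows into (blocked, excepted, untouched) without enforcing anything."""
    blocked, excepted, untouched = [], [], []
    for flow in flows:
        if flow.port not in DENY_PORTS:
            untouched.append(flow)
        elif matches_exception(flow):
            excepted.append(flow)
        else:
            blocked.append(flow)
    return blocked, excepted, untouched

def blocked_by_source_os(flows):
    """Count would-be-blocked connections per source OS, mirroring the OS grouping."""
    return Counter(flow.src_os for flow in preview(flows)[0])

if __name__ == "__main__":
    blocked, excepted, untouched = preview(FLOWS)
    for flow in blocked:
        print(f"BLOCK {flow.src} ({flow.src_os}) -> {flow.dst} "
              f"tcp/{flow.port} {DENY_PORTS[flow.port]}")
    print(dict(blocked_by_source_os(FLOWS)), len(excepted), len(untouched))
```

Note that the Linux host's SMB connection to the file server lands in the blocked list: the exception is scoped to Windows 10 sources, so any other dependency on that server has to surface in the preview and get its own allow rule before provisioning.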

Protection now

With the click of a button, Illumio immediately applies the changes to all impacted workloads. This gives my organization rapid protection in a business-critical situation.

Now that I have quarantined impacted devices and put a rule in place to limit communication with the rest of the network, I have eliminated the risk of further spread. At this point, I can begin the task of reviewing the quarantined devices.

Read the Bishop Fox report that proves Illumio stops ransomware in less than 10 minutes compared to endpoint detection and response (EDR) solutions.

Be proactive against ransomware spread with Illumio

Having a solution like Illumio in place allows organizations to be proactive about controlling the spread of any unwanted traffic between devices. Illumio limits east-west lateral movement of an attack, giving detection and response tools the time they need to identify threats.

Illumio works alongside the traditional security tools, such as EDR, NDR, XDR, and perimeter firewalls, to improve cyber resilience.

Contact Illumio today to see rapid breach containment like never before.
