How to Contain LockBit Ransomware Attacks with Illumio
The risk of ransomware is top of mind for many organizations.
With new attacks constantly in the headlines, it is impossible to avoid. At this point, most organizations operate under the assumption that at some point they will be breached. The best way to prevent a cyber disaster is to plan for this and protect your organization accordingly.
Illumio helps organizations prevent cyber disasters by stopping the east-west lateral spread. With Illumio, when that breach occurs, it will quickly be contained. Illumio prohibits the attack's ability to progress past the first workload it hijacks and prevents valuable data loss.
Today, we'll walk you through a real use case with LockBit to illustrate the following:
- What is LockBit?
- What does this look like in the real world?
- Step-by-step how you can solve for this with Illumio
Breaches are scary, but Illumio can help you be prepared.
Learn more about Illumio Zero Trust Segmentation.
What is LockBit?
LockBit is a group that has been running a ransomware-as-a-service operation since 2019 and that regularly makes headlines. While commonly known as ABCD ransomware, LockBit has grown into a major threat, accounting for 48% of known attacks in 2022.
LockBit is malicious software that targets organizations through email attachments and cascading file system infections. Unlike other types of ransomware that focus on both businesses and individuals, LockBit mainly affects businesses and government organizations.
Once a device is infected, LockBit spreads to other devices on the network via SMB and PowerShell. These attacks focus on Windows and Linux devices.
Let's look at a real example of this group in action.
A real-world example: LockBit ransomware attack
LockBit is impacting businesses and agencies throughout the world. As recently as last summer, a large multinational organization that employs more than 150,000 people was hit with ransomware. LockBit claimed responsibility for the attack and said it had been able to steal data.
The organization was able to maintain control of its IT systems and took defensive measures to restore their full integrity. It began working with a third party to investigate the incident and, as of late fall, was still investigating.
When these situations arise, they can be incredibly costly and time-consuming to resolve. More than three months later, the investigation was still ongoing. This is a common reality for organizations hit with all types of attacks.
Illumio aids organizations in rapidly responding to these situations to limit the impact of an inevitable breach. This can save time and money on a costly investigation.
How to approach this ransomware scenario with Illumio
Visibility is key
I am alerted about a risk that LockBit may have gotten into one of our Windows 10 machines. The first critical step in this situation is to understand how many devices could potentially be impacted.
Using Illumio's Illumination Plus, I can group my traffic by operating system (OS).
This gives me a clear view of my devices by OS. I can see whether there is any active traffic between Windows 10 devices and other devices throughout my organization, and make informed decisions about what to do next. A key thing to note is that this traffic is visible in real time: there is no need to wait, or to worry that I am looking at stale data. I know I have access to the most current information about my organization.
Now that I understand there is currently traffic between my Windows 10 devices and other devices throughout my organization, I need to rapidly formulate a plan to shut down the traffic between these devices. I know LockBit commonly uses SMB and PowerShell to move throughout a network, so I will start by doing some threat analysis.
Next, I will move impacted devices to quarantine and shut down SMB and PowerShell anywhere I know they aren't needed.
Rapidly build deny rules to prevent spread
To do this, I will need to create a deny rule within Illumio. These are referred to in the product as Enforcement Boundaries. First, I will create a new rule with a name such as "Block SMB and PowerShell".
When I click save, Illumio immediately guides me to a page where I can see every connection that this new rule could potentially block. This is a great way to see where the impact is and understand what could be affected before I put the rule in place.
After reviewing which traffic will be impacted, I click provision to apply the new policy. If there are cases where I need this traffic to continue, for example allowing Windows workstations to keep accessing a specified file server over SMB, I can make exceptions with allow rules.
Protection now
With the click of a button, Illumio immediately applies the changes to all impacted workloads. This gives my organization rapid protection in a business-critical situation.
Now that I have quarantined impacted devices and put a rule in place to limit communication with the rest of the network, I have eliminated the risk of further spread. At this point, I can begin the task of reviewing the quarantined devices.
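The preview-before-provision step described above, modelled as an added example: this is not Illumio code and does not call the Illumio PCE; the flow records, labels and port mappings are constructed here, and it assumes "SMB" means TCP/445 and "PowerShell" means PowerShell Remoting over WinRM (TCP/5985 and 5986). It groups east-west traffic by OS, then reports which flows a "Block SMB and PowerShell" deny rule would cut after an allow-rule exception for Workstation-to-File Server SMB is applied.

```python
# Added example (not Illumio's code): simulate previewing a deny rule's impact
# before provisioning it. All flows, labels and ports below are constructed.
from collections import Counter
from typing import NamedTuple

# Assumption: SMB is TCP/445; "PowerShell" lateral movement is WinRM 5985/5986.
SERVICE_PORTS = {"SMB": {445}, "PowerShell": {5985, 5986}}


class Flow(NamedTuple):
    src: str
    src_os: str
    src_role: str
    dst: str
    dst_os: str
    dst_role: str
    port: int


# Constructed sample east-west traffic, the kind a visibility view groups by OS.
FLOWS = [
    Flow("ws-01", "Windows 10", "Workstation", "fs-01", "Windows Server", "File Server", 445),
    Flow("ws-01", "Windows 10", "Workstation", "ws-02", "Windows 10", "Workstation", 445),
    Flow("ws-02", "Windows 10", "Workstation", "db-01", "Linux", "Database", 5985),
    Flow("ws-03", "Windows 10", "Workstation", "ws-04", "Windows 10", "Workstation", 5986),
    Flow("ws-03", "Windows 10", "Workstation", "web-01", "Linux", "Web", 443),
]


def traffic_by_os(flows):
    """Count observed flows between OS groups, e.g. ('Windows 10', 'Linux')."""
    return Counter((f.src_os, f.dst_os) for f in flows)


def preview_blocked(flows, deny_services, allow_exceptions):
    """Return the flows a deny rule would block once allow-rule exceptions apply.
    allow_exceptions is a list of (src_role, dst_role, service) tuples kept open."""
    denied_ports = set().union(*(SERVICE_PORTS[s] for s in deny_services))
    allowed = {(s, d, p) for s, d, svc in allow_exceptions for p in SERVICE_PORTS[svc]}
    return [f for f in flows
            if f.port in denied_ports and (f.src_role, f.dst_role, f.port) not in allowed]


if __name__ == "__main__":
    print(traffic_by_os(FLOWS))
    for f in preview_blocked(FLOWS, ["SMB", "PowerShell"],
                             [("Workstation", "File Server", "SMB")]):
        print(f"would block {f.src} -> {f.dst} tcp/{f.port}")
```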
Read the Bishop Fox report that proves Illumio stops ransomware in less than 10 minutes compared to endpoint detection and response (EDR) solutions.
Be proactive against ransomware spread with Illumio
Having a solution like Illumio in place allows organizations to be proactive about controlling the spread of any unwanted traffic between devices. Illumio limits east-west lateral movement of an attack, giving detection and response tools the time they need to identify threats.
Illumio works alongside the traditional security tools, such as EDR, NDR, XDR, and perimeter firewalls, to improve cyber resilience.
Contact Illumio today to see rapid breach containment like never before.