Opinion


By Scott Hesford

RECENTLY, the Department of Information and Communications Technology announced that the Philippine Health Insurance Corp. (PhilHealth) and the Department of Science and Technology suffered cyberattacks, which were confirmed as ransomware attacks. Faced with an increasing number of sophisticated cyberattacks, government agencies in the Philippines are racing to strengthen their security measures to protect their core systems and data.

Many of the cybercriminals behind these attacks are using leaked ransomware builders. Their goal appears to be to cause disruption of core government services and, in turn, problems for citizens.

A range of ransomware builders is in use, including Vice Society, Clop, AlphV, and LockBit. Interestingly, the ransom notes received by victims of many of these attacks appear to have been copied from the original LockBit template and do not include any contact details.

This suggests that the cybercriminals have little interest in actually extracting ransom payments, but are instead focused purely on causing disruption and losses. In many cases, attackers are also posting details of their successes on discussion boards and social media sites in an effort to gain notoriety.

Outside the Philippines, LockBit is also proving to be a popular option for cybercriminals. During the past 12 months alone, notable victims have included Royal Mail (UK), the Hospital for Sick Children (Canada), Managed Care of North America (US), and the Centre Hospitalier Sud Francilien (France).

THE ORIGINS OF LOCKBIT
Since first being discovered in 2019, LockBit has grown to become one of the most successful cybercrime operations in the world. In 2022, it was estimated to account for 44% of all ransomware campaigns.

LockBit operates on a ransomware-as-a-service (RaaS) model. The core group develops and maintains the ransomware and its supporting infrastructure, then rents those attack capabilities, for a fee or a share of the ransom, to affiliates who carry out the intrusions themselves, many of whom lack the technical knowledge to build such tooling alone.

LockBit attacks also regularly use a “double extortion” technique, where data is stolen before it is encrypted on a victim’s systems. This allows the attacker to threaten to publish the data on the Internet if the ransom is not paid.

TACTICS AND TECHNIQUES
Ransomware attacks make use of a range of different tactics to successfully penetrate a victim’s IT infrastructure. These include:

• Privilege escalation: This approach often makes use of local administrator privileges to abuse elevation control mechanisms. LockBit is regularly observed performing User Account Control (UAC) bypass techniques, which let code already running under a local administrator account reach a fully elevated, high-integrity process without the consent prompt a user would normally see.

• Defensive evasion: To evade detection, LockBit regularly disables security tools and clears Windows event logs. These actions require the attacker to have at least local administrator privileges on the endpoint and the ability to execute code. They are also noisy: clearing the Security log itself generates a "log cleared" event, so forwarding logs to a central collector before an attack gives defenders a signal the attacker cannot erase locally.

• Credential access: LockBit attackers sometimes use OS credential dumping tools, such as ExtPassword and LostMyPassword, to recover the credentials of other users who have logged on to the same endpoint. This allows them to capture the credentials of potentially privileged domain users and escalate their access from a single workstation to the wider domain.

• Lateral movement: LockBit attackers sometimes use administrator accounts and SMB (Server Message Block) to achieve lateral movement within an IT infrastructure.
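The defensive-evasion and lateral-movement behaviours listed above leave traces in Windows event logs. The following is an added example, not code from the article or from BeyondTrust, of how a detection engineer might flag them in collected telemetry. The event IDs (1102 Security log cleared, 104 System/Application log cleared, 4688 process creation, 5140 network share access) are real Windows event IDs; the sample events, hostnames, user names and addresses are constructed for illustration, and the field names loosely follow the EventData names in Windows event XML.

```python
"""Toy detections for LockBit-style evasion and lateral movement.

The SAMPLE_EVENTS list is constructed for this example; it is not real
telemetry. Field names approximate Windows event XML (SubjectUserName,
IpAddress, ShareName, CommandLine) as they commonly appear after
collection into a SIEM.
"""
import re
from dataclasses import dataclass

# Constructed sample events: a user logs on over the network, runs a
# benign program, then tampers with Defender, clears logs, and reaches
# a server's ADMIN$ share over SMB from the same address.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "LogonType": 3,
     "TargetUserName": "jsmith", "IpAddress": "10.0.5.23"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jsmith",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jsmith",
     "CommandLine": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jsmith",
     "CommandLine": "wevtutil.exe cl Security"},
    {"EventID": 1102, "Computer": "WS01", "SubjectUserName": "jsmith"},
    {"EventID": 104, "Computer": "WS01", "Channel": "System"},
    {"EventID": 5140, "Computer": "SRV02", "SubjectUserName": "svc_backup",
     "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.5.23"},
    {"EventID": 5140, "Computer": "SRV02", "SubjectUserName": "jsmith",
     "ShareName": "\\\\*\\Public", "IpAddress": "10.0.5.23"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    computer: str
    detail: str


# Command-line signatures for the two evasion behaviours named in the text:
# clearing event logs and disabling or stopping security tooling.
TAMPER_PATTERNS = [
    ("log_clear_cmdline", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("defender_disable_cmdline", re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("service_stop_cmdline", re.compile(r"\b(sc|net)(\.exe)?\s+stop\b", re.I)),
]
EVASION_RULES = {name for name, _ in TAMPER_PATTERNS} | {
    "security_log_cleared", "event_log_cleared"}

# Administrative shares (ADMIN$, C$, D$ ...) used for SMB lateral movement.
ADMIN_SHARES = re.compile(r"\\\\[^\\]+\\(ADMIN\$|[A-Z]\$)$", re.I)


def detect(events):
    """Return one Alert per suspicious event, in input order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 1102:
            alerts.append(Alert("security_log_cleared", host,
                                f"by {ev.get('SubjectUserName')}"))
        elif eid == 104:
            alerts.append(Alert("event_log_cleared", host,
                                f"channel {ev.get('Channel')}"))
        elif eid == 4688:
            cmd = ev.get("CommandLine", "")
            for name, pattern in TAMPER_PATTERNS:
                if pattern.search(cmd):
                    alerts.append(Alert(name, host, cmd))
        elif eid == 5140 and ADMIN_SHARES.search(ev.get("ShareName", "")):
            alerts.append(Alert("admin_share_access", host,
                                f"{ev.get('SubjectUserName')} from "
                                f"{ev.get('IpAddress')} -> {ev['ShareName']}"))
    return alerts


def hosts_with_evasion(alerts, threshold=2):
    """Hosts with at least `threshold` evasion alerts: one cleared log can
    be an admin's housekeeping, several in a row rarely are."""
    counts = {}
    for a in alerts:
        if a.rule in EVASION_RULES:
            counts[a.computer] = counts.get(a.computer, 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.computer}: {a.detail}")
    print("hosts under likely evasion:", hosts_with_evasion(found))
```

Two caveats a practitioner would check before relying on this: event 4688 only carries a CommandLine field when process command-line auditing is enabled by policy, and event 5140 requires the File Share audit subcategory to be on. Both are off by default on many builds, which is why the text's advice to harden endpoints before an incident, not during one, matters.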

DEFENDING AGAINST LOCKBIT ATTACKS
To avoid falling victim to a LockBit-powered ransomware attack, organizations need to focus on a number of security fundamentals. Together, they can significantly enhance existing protective measures. They include:

• Keep software patched: Keeping operating systems and application software up to date is vital, particularly for public-facing systems. Known software vulnerabilities often provide attackers a way to execute code on a victim’s systems.

• Enforce a policy of least privilege: Ransomware attackers rely on gaining access to accounts with admin access rights. By using an endpoint privilege management tool, local admin rights can be removed without affecting user experience.

• Apply controlled access: It’s important to move towards zero trust architectures and away from VPN and RDP solutions that provide attackers with broad access to an organization’s network. Focus on giving users only the access they need in a way that is controlled and auditable. Multifactor authentication is also highly recommended.

• Control execution: Application control, allowing only approved executables to run, is a well-established defense against a significant number of threats, including ransomware payloads and the credential dumping tools mentioned above. Deploying it alongside privilege management may appear daunting, but it is very achievable when rolled out in stages.

AN ONGOING THREAT
Ransomware attacks based on LockBit present an alarming threat to many other organizations in the Philippines. The criminal group’s innovative approach to ransomware combined with a small army of technically skilled affiliates makes it dangerous.

For this reason, it is vital to ensure that the security measures organizations have in place can withstand such attacks. Threats need to be quickly identified and prevented from progressing through an IT infrastructure.

LockBit is going to remain a feature of the cybersecurity landscape in the Philippines for an extended period. Taking the necessary protection steps now will reduce the chances of falling victim to these kinds of cyberattacks in the future.


Scott Hesford is the director of Solutions Engineering for Asia-Pacific and Japan at BeyondTrust.