LockBit Ransomware: 4 Steps Every Financial Firm Should Take to Outsmart the Hackers

Feb 13, 2023

by Christian Scott - CISO & COO at Gotham Security, an Abacus Group Company

Another day, another major ransomware attack. This time, the global financial software firm ION Group has been targeted by affiliates of the Russia-linked LockBit Ransomware-as-a-Service (RaaS) operation. As a RaaS group, LockBit develops and sells its sophisticated ransomware to affiliate hackers, who then deploy it on their victims’ systems. Historically, LockBit has employed a double extortion technique: sensitive data is first exfiltrated, then systems are encrypted to disrupt business operations. A ransom note demanding payment for decryption of the important data follows, with further threats to leak the sensitive company data if the ransom is not paid in a timely manner.

The ransomware attack on ION Group has disrupted trading and clearing across exchange-traded derivatives markets, with affected entities likely to include financial services giants like RBC, ABN AMRO, and Bank of America. Some markets have even been forced to revert to slow, manual post-trade reporting processes, which may put some firms at risk of non-compliance and regulatory sanction. Furthermore, some clients may also have concerns about potential backdoors into their systems via the ION software, and ION’s recent choice adds to the contentious debate around the ethics of paying hackers.

While these costly and disruptive attacks on businesses are nothing new, the prevalence of successful attacks has been increasing, with a striking 78% increase from 2021 to 2022. This raises the question: why do these attacks keep happening more and more frequently?

Concisely put, malicious actors are evolving their techniques and capabilities to become ever more sophisticated while many organizations struggle to keep up with the “cyber arms race” between them and hackers.

Despite all the warning signals, many financial companies still haven’t kept up with the times and have failed to fundamentally improve their cybersecurity defense-in-depth posture, which has made them bigger targets for more sophisticated malicious actors such as LockBit affiliates.

In reality, LockBit ransomware can reach victims’ systems through a plethora of attack vectors, including phishing, brute-forcing exposed Remote Desktop Protocol (RDP) accounts, and exploiting newly discovered vulnerabilities.

That said, every organization can implement several clear, actionable measures to help reduce risk and stay ahead of evolving attackers.

So, what proactive steps should your firm take to protect revenue and reputation against a similar ransomware attack? 

1) Gain a Real-Time Understanding of the Network and Endpoint Attack Surface

Too many firms are simply unaware of which vulnerabilities pose the highest risk to their business. Financial firms need a complete, real-time view of their shifting attack surface as their online presence constantly expands and adjusts to changing business requirements. This visibility can only come from continuous attack surface analysis, rather than monthly or quarterly snapshots.

Daily or weekly scanning of both internal and external systems is essential. Companies must continuously test and learn about their exploitable vulnerabilities – just as LockBit and other malicious actors would – to prioritize weaknesses and speed up remediation. Gotham Security provides firms with insightful real-time risk management services, including continuous vulnerability management and attack surface analysis, to proactively identify and close any security gaps within an organization that could lead to a breach.   

2) Perform Social Engineering Testing Alongside Traditional Network Pentesting

Ransomware affiliate groups that work with LockBit do not just look for technical vulnerabilities – they are skilled at manipulating staff via email phishing, SMS phishing and voice phishing to obtain a foothold within organizations. Therefore, network penetration testing alone is not enough to thoroughly emulate a hacker because it only focuses on technical vulnerabilities, rather than the human factor.

When an organization contracts a cybersecurity firm for a network penetration test, it’s important to ensure social engineering testing is conducted in tandem. Better yet, this combined approach provides much more insight into the organization's incident response capabilities for detecting and containing threats. Our team of experts at Gotham Security is skilled at mirroring the techniques of the most sophisticated hackers, providing a full suite of adversary emulation services alongside pentesting. By combining cutting-edge technology with unique human expertise, firms can proactively identify and mitigate a broad range of vulnerabilities before malicious actors exploit them.

3) Use MFA, but Know its Limits

A surprising number of businesses have yet to adopt multi-factor authentication (MFA), a basic staple of cybersecurity hygiene. These firms are setting themselves up for failure. MFA can help mitigate the ransomware threat, as it requires a second form of verification that can block most attacks stemming from compromised accounts. This greatly limits the usefulness of stolen credentials such as usernames and passwords.

However, MFA isn’t foolproof, and firms should not use it as a catch-all defensive measure. While MFA was once considered the ‘gold standard’, hackers have learned how to bypass it through SIM hijacking, MFA push-notification fatigue attacks, and 'Browser-in-the-Middle' (BitM) attacks. Organizations should seriously consider deploying additional security controls such as impossible-travel detection, which flags a login whose location could not plausibly have been reached in the time elapsed since the user's previous login, as well as number matching and additional login context (location, application) in MFA push notifications.
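One way to implement the impossible-travel control mentioned above, as an added example that is not part of the original post or of Gotham Security's services. The sign-in events, the geolocated coordinates and the 900 km/h plausibility threshold are constructed assumptions; in practice the events would come from your identity provider's sign-in log.

```python
"""Impossible-travel check over constructed sign-in events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed; tune per environment


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    src: str  # source IP as geolocated by the IdP


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous, current, km/h) for each pair of consecutive sign-ins by
    the same user that would require travelling faster than max_kmh."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Same timestamp but a different location is the clearest signal.
            kmh = float("inf") if hours == 0 and km > 0 else (km / hours if hours > 0 else 0.0)
            if kmh > max_kmh:
                alerts.append((prev, ev, kmh))
        last[ev.user] = ev
    return alerts


def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: jdoe signs in from New York, then 40 minutes later a
# session geolocated to Moscow appears; asmith flies London -> New York in 9 h.
SAMPLE = [
    SignIn("jdoe", utc("2023-02-13T09:00:00"), 40.71, -74.01, "203.0.113.10"),
    SignIn("jdoe", utc("2023-02-13T09:40:00"), 55.75, 37.62, "198.51.100.7"),
    SignIn("asmith", utc("2023-02-13T08:00:00"), 51.51, -0.13, "192.0.2.44"),
    SignIn("asmith", utc("2023-02-13T17:00:00"), 40.71, -74.01, "203.0.113.99"),
]
```

Feeding `SAMPLE` to `impossible_travel` flags only jdoe's second sign-in; a flagged pair is a prompt to re-verify the user and revoke the session, not proof of compromise on its own.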

4) Communicate and Educate

Technology changes a lot faster than the business world does. To avoid getting left further behind, organizations must re-think how they communicate cyber risk at every level of the business. Traditional risk management structures have tended not to include technology as an integral part of planning – but now cybersecurity must be front and center of a firm’s everyday risk management processes. Cybersecurity risk management should become a native business-as-usual process for organizations rather than a reactive response to the threat and compliance landscape.

In order to adapt, cybersecurity professionals need to take a leading role in communicating and educating the C-suite on the practical impacts of cybersecurity on business operations, finance, and technology. Continuous end-user education must also become a key feature of a firm’s cybersecurity strategy, with immersive simulations, tabletop exercises, and engaging real-world examples of adversaries like LockBit adding further value. The Cybersecurity and Infrastructure Security Agency (CISA) has also created many additional guides to help organizations prevent and respond to ransomware attacks.

It’s important to engage with a trusted cybersecurity partner who can help firms strengthen their risk management processes and communicate where to best prioritize time and focus. Discover how our strategic cybersecurity advisory service is helping countless organizations develop, implement, and manage robust security programs that are tightly aligned with wider business objectives. 
