March 16, 2023
There are many Ransomware-as-a-Service models in existence, LockBit being one of the more prevalent. All of them use the same tactics: locate files to encrypt, create an encryption key, encrypt and/or exfiltrate the files, remove backups, notify the device user of the ransomware and present a demand (usually for money). Each model adjusts the levers on these tactics to fly under the radar of defensive agents. LockBit, for example, is particularly interesting because it encrypts only the first 4,000 bytes of each file rather than the entire file. However, it is untenable to protect against each variant of each model through one-off behavior matching. Instead, aim to continuously test the ransomware protection provided by your EDR by sending it various samples from different models. Ransomware is impossible to pull off (in the traditional sense) on “secure by design” operating systems, so wherever possible switch from workstations and servers to iPads, Chromebooks and containers.
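The 4,000-byte detail above is exactly the kind of lever that defeats a check tuned for whole-file encryption, since most of each file stays readable. The following added example (not code from the original post, and not tied to any particular EDR) shows one defender-side check for that pattern: it compares the Shannon entropy of the first 4,000 bytes of a file with the entropy of the remainder and flags files whose prefix looks encrypted while the rest still looks like plaintext. The sample files, the byte offset constant and the entropy thresholds are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

PREFIX_LEN = 4000    # bytes encrypted per file in the LockBit behaviour described above
HIGH_ENTROPY = 7.5   # bits/byte; encrypted (or compressed) data sits close to 8.0
LOW_ENTROPY = 6.5    # bits/byte; ordinary text and office documents fall well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, prefix_len: int = PREFIX_LEN) -> str:
    """
    Compare the entropy of the first `prefix_len` bytes against the rest of the file.

    Returns:
      'partial-encryption' - high-entropy prefix followed by a low-entropy remainder,
                             the signature of prefix-only encryption
      'uniform-high'       - the whole file is high entropy: full encryption, or simply a
                             compressed/encrypted format such as JPEG, ZIP or PDF streams
      'normal'             - anything else (plaintext, or too short to judge)
    """
    head, tail = data[:prefix_len], data[prefix_len:]
    h_head, h_tail = shannon_entropy(head), shannon_entropy(tail)
    if h_head >= HIGH_ENTROPY and tail and h_tail <= LOW_ENTROPY:
        return "partial-encryption"
    if h_head >= HIGH_ENTROPY and (not tail or h_tail >= HIGH_ENTROPY):
        return "uniform-high"
    return "normal"


def scan(files: dict) -> dict:
    """Classify a {name: bytes} mapping; in practice `bytes` would come from disk."""
    return {name: classify(blob) for name, blob in files.items()}


# Constructed sample files (seeded pseudo-random bytes stand in for ciphertext;
# nothing here is real ransomware output).
_rng = random.Random(20230316)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


_TEXT = b"Quarterly report: revenue grew 4% on stable costs.\n" * 400  # ~20 KB of plaintext
SAMPLES = {
    "report.txt": _TEXT,
    "report.txt.prefix_encrypted": _random_bytes(PREFIX_LEN) + _TEXT[PREFIX_LEN:],
    "report.txt.fully_encrypted": _random_bytes(len(_TEXT)),
    "photo.jpg.stand_in": _random_bytes(len(_TEXT)),  # compressed formats look like this too
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:32s} {verdict}")
```

The useful signal is the contrast between the two regions, not high entropy on its own: a whole-file entropy check would rate a prefix-encrypted document as barely changed, and would also flag every legitimate JPEG or ZIP. Running this kind of check against the output of the test samples you feed your EDR tells you whether the tool notices partial encryption or only the whole-file case.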