Protecting Financial Institutions Against Ransomware Attacks: Strategies and Best Practices

A Whitepaper by Picus Security


Table of Contents

● Abstract
● Introduction
● Emerging Threat: Ransomware
  - Ransomware Trends
  - Ransomware Groups
● LockBit Ransomware Case Study
  - Initial Access
  - Execution
  - Discovery
  - Credential Access
  - Privilege Escalation
  - Defense Evasion
  - Command & Control
  - Exfiltration
  - Impact
● Ransomware Prevention Strategies
● Conclusion
● References
● About Picus



Abstract
Financial institutions face significant cyber threats, with ransomware being one of
the most potent. This paper examines the techniques employed by the LockBit
ransomware group, as well as the best practices financial institutions can
implement to prevent these techniques. In addition, it provides valuable strategic
insights for establishing effective ransomware prevention strategies for the
financial sector.

Introduction
While the motivations behind cyber attacks are diverse, financial gain is the
primary objective of most threat actors. These adversaries employ various tactics
such as ransomware, Denial-of-Service, and data exfiltration to extort money from
organizations. Given the substantial assets and sensitive information held by
financial institutions, they are tempting targets for financially motivated cyber
attacks. Recent studies show that ransomware attacks are on the rise, with the
financial sector being a prime target. According to the Red Report 2023, the T1486
Data Encrypted for Impact technique exhibited by nearly a quarter of all malware
highlights the ongoing threat of ransomware to organizations [1]. The 2023
CyberThreat Defense Report indicates that nine of ten organizations in the finance
industry were victimized by ransomware last year [2].

[Figure: Percentage of organizations victimized by ransomware in the last 12 months, by
industry. Source: 2023 Cyberthreat Defense Report, CyberEdge Group]

Based on these developments, this paper explores the latest dynamics of ransomware
attacks and the evolving threat landscape, with a specific focus on analyzing the
infamous LockBit ransomware.

By understanding the techniques LockBit employs throughout each stage of its attack
campaigns, financial institutions can establish effective mitigation strategies to
defend against varying ransomware attacks. Additionally, this paper outlines best
practices and strategies for preventing ransomware attacks.



Emerging Threat: Ransomware
Ransomware has become a significant threat to organizations and an important tool in
adversaries' arsenal. The primary objective of ransomware attacks is to encrypt the
victims' sensitive data and demand a ransom for the decryption key. Without this key,
accessing encrypted data can become impossible, thereby leading to extensive
business disruptions. Unfortunately, recent trends in the ransomware landscape have
made such attacks even more impactful and difficult to recover from.
Adversaries infect organizations with ransomware regardless of their size, region, or
industry. However, ransomware attacks have costly and far-reaching implications for
financial institutions. In 2022, financial institutions saw a 41% increase in ransomware
attacks compared to the previous year [3].

Ransomware Trends
As ransomware gained popularity, ransomware threat actors have developed business
models to make ransomware attacks more profitable, prolific, and impactful. These
models have become trends and have been adopted by numerous ransomware
groups.

● Ransomware-as-a-Service (RaaS): RaaS is a business model used by
ransomware threat actors that enables non-technical users to launch
ransomware attacks simply by signing up for a service. RaaS has become a
profitable business model for ransomware developers and enabled them to get
more use out of their effort. These services are promoted on the dark web, just
like any legitimate software.
The DarkSide ransomware gang offers an example of this model [4], screening
potential customers before granting access to a management panel. This panel
allows users to become cyber threat actors, enabling them to build ransomware,
manage victims, create content in the DarkSide blog, and access technical
support. Additionally, the ransomware has a self-destruct option that enables
it to remove its traces.

● Double Extortion: With the rise of ransomware attacks, many organizations
implemented or improved their data backup strategies to minimize the
disruption caused by ransomware attacks. While data backups are vital to
mitigate the impact of ransomware, many ransomware threat actors adopted the
double extortion method. In double extortion, ransomware threat actors
exfiltrate the victims' sensitive data prior to encrypting it and then threaten to
leak or disclose it if the ransom is not paid. A 2023 research report indicates
that the number of double extortion attacks targeting the financial services
sector alone increased by 130% [5].



● Initial Access Brokers (IABs): Gaining initial access to corporate networks can
be challenging for adversaries. However, the emergence of Initial Access
Brokers (IABs) has simplified the initial access phase of the attack. These
financially-driven cyber threat actors locate vulnerable systems by scanning
networks and looking for known vulnerabilities on remote systems to sell access
to enterprise networks to other adversaries via the dark web.

IABs also sell knowledge and tools used to breach company networks using SQL
injections, remote code execution (RCE) exploits, and other exploited
vulnerabilities. Thus, Initial Access Brokers have accelerated and
simplified the initial access phase of the attack chain for adversaries by
demanding payment only for verified access to a given target.

Ransomware Groups
The development of profitable ransomware business models has made it an attractive
proposition for threat actors, leading to the emergence of several high-profile
ransomware groups. While there are hundreds of ransomware groups with varying
sizes and skills, some groups are able to conduct highly sophisticated ransomware
campaigns. Among these groups are those that focus on financial institutions, such as:

● LockBit: This financially-motivated ransomware group first emerged in
September 2019 and has employed ransomware business models such as
Ransomware-as-a-Service (RaaS), double extortion, and Initial Access Brokers
(IABs). LockBit attacks reach nearly all industries because they are
financially motivated and opportunistic. It is estimated that LockBit is
responsible for nearly 40% of all ransomware infections worldwide [9]. Later in
this paper, we will outline the techniques used by LockBit and advise financial
institutions on how they can defend themselves against potential ransomware
attacks.

● BlackCat: Having emerged in November 2021, BlackCat (also known as ALPHV) is a
Ransomware-as-a-Service (RaaS) group that is infamous for developing
sophisticated ransomware payloads written in Rust. BlackCat is believed to be
the successor of DarkSide because of the similarities in their techniques.
DarkSide was disbanded after their devastating ransomware attacks against
Colonial Pipeline [4].

● Lazarus: Established in 2009, Lazarus is identified as a North Korean
state-sponsored cybercrime organization by the FBI [6]. The Lazarus group is
responsible for several high-profile cyber attacks against financial institutions.
Notable attacks include the Bangladesh Bank heist in 2016 and the WannaCry
ransomware attacks in 2017. More recently, Lazarus has targeted organizations
involved with cryptocurrencies, such as Axie Infinity and Horizon Bridge, from
which they were able to steal nearly USD 700 million in 2022 [7]. Maui and
HolyGhost are two of the affiliated ransomware groups that operate under the
Lazarus umbrella and are known to target financial institutions.



LockBit Ransomware Case Study
This case study delves into the LockBit ransomware group and their progression since
their inception in September 2019, when they released the ABCD ransomware. In
2020, they launched their RaaS affiliate program and leak site with the adoption of
RaaS and double extortion models. LockBit further expanded their operations in June
2021 with the introduction of the LockBit 2.0 ransomware variant and StealBit data
exfiltration tool [8], launching multiple attacks against major organizations such as
Accenture, Continental, and Foxconn.

The most recent variant employed by LockBit is termed LockBit 3.0 or LockBit
Black. It was observed in June 2022 and is distinguished by its modular and evasive nature.

While LockBit threat actors employ different procedures during their attack campaigns,
there are similarities in their techniques and tools that security teams can analyze in
detail to establish effective mitigation strategies.

[Figure: LockBit attack chain by stage, with the technique and the tool or vulnerability
named for it]

● Initial Access: Phishing Email; Vulnerability Exploitation; Stolen Credentials; Initial Access Brokers
● Execution: Command and Scripting Interpreter
● Discovery: Network Discovery (netscan.exe); System Discovery (systeminfo.exe)
● Credential Access: OS Credential Dumping (mimikatz.exe)
● Privilege Escalation: Vulnerability Exploitation (CVE-2022-21999)
● Defense Evasion: Indicator Removal (File Deletion); Masquerading
● Lateral Movement: Remote Services (psexec)
● Persistence & Command and Control: Protocol Tunneling & Proxy (ngrok)
● Exfiltration: Exfiltration Over Web Service (rclone)
● Impact: Data Encrypted for Impact; Inhibit System Recovery



Initial Access
Initial Access is one of the most crucial steps in ransomware attacks. Gaining access
to the target network opens up multiple attack paths for adversaries. LockBit utilizes
the following initial access techniques:

● Phishing: In phishing attacks, adversaries craft legitimate-looking emails,
advertisements, or websites to create a sense of urgency, fear, or curiosity in
their targets. Then, the targeted users are led to share confidential data, click on
links to malicious websites, or execute malware-laced documents.
● Vulnerability Exploitation: Since public-facing applications are easily
accessible, adversaries exploit known and critical vulnerabilities in these
applications. For example, while they were discovered and patched quite some
time ago, ProxyShell and Log4Shell vulnerabilities are still exploited by the
LockBit group as an initial access technique.
● Stolen Credentials: Data breaches have caused the unauthorized disclosure of
millions of credentials worldwide. If these credentials are used in more than one
service or application, ransomware threat actors may use them to infiltrate the
target network.
● Initial Access Brokers (IABs): The LockBit group purchases initial access
vectors, including stolen credentials, from IABs to infect the target network with
ransomware.

Best practices to mitigate Initial Access:

● Provide comprehensive security awareness training to all employees to
ensure they are knowledgeable about the latest social engineering and
phishing techniques and how to avoid them.

● Keep all software and applications updated with the latest patches and
security updates. This reduces the risk of known vulnerabilities being
exploited.

● Implement multi-factor authentication across all accounts, applications,
and services to help defend against stolen credentials.

● Conduct regular vulnerability assessments to identify weaknesses in the
network's security posture.



Execution
Once the LockBit group gains initial access, they execute their malicious batch scripts
to learn about the infected network. These scripts use built-in scripting interpreters and
masquerading techniques such as steganography to evade the victim's defenses. For
example, a LockBit threat actor sends an image file containing a hidden malicious batch
script via a phishing email. Upon a user clicking on the image file, the script operates in
the following manner:

1. Checks the current user's privileges, trying to elevate its privileges if not granted.
2. Changes the user's password.
3. Forces the infected host to reboot in Safe Mode.
4. Executes the ransomware payload.

LockBit employs many variants and several threat actors with their malicious tools,
resulting in varied ransomware attack campaigns. However, using Command and
Scripting Interpreters is a common practice.

Best practices to mitigate Execution:

● Implement endpoint security controls that can detect and block malware
from executing on the endpoints.

● Restrict users' privileges to limit the potential for malware to elevate its
privileges and execute its payload.

● Implement a defense-in-depth strategy that incorporates various security
layers to deter attackers and prevent them from executing their payload.

● Continuously monitor systems and processes for suspicious activity,
detecting when malware is attempting to execute its payload and
responding accordingly.



Discovery
After gaining initial access, LockBit employs both built-in and publicly available tools to
discover hosts in the victim's environment. This enables adversaries to plan stealthier
and more impactful attack campaigns. The discovery stage is often conducted in two
steps. In the first step, LockBit uses a native binary named systeminfo.exe to collect
information about the infected system, such as its OS configuration, hardware
properties, software versions, and applied patches. In the second step, adversaries
use 'netscan.exe,' a publicly available tool, to collect information about other hosts,
services, and shared folders in the network. The information collected in the second
step can be used to exfiltrate sensitive information, move laterally and escalate
privileges.

Best practices to mitigate Discovery:

● Implement network segmentation, which restricts the host discovery and
movement of the attackers within the network, making it difficult for them to
traverse across the organization's systems and applications.

● Establish measures to detect unauthorized or suspicious use of common
system administration tools such as systeminfo.exe and netscan.exe, which
can be used by attackers to gather information about the victim's systems.

● Limit access privileges to critical systems and information, which makes it
more difficult for attackers to move laterally within the network and locate
sensitive information.

● Continuously monitor networks and review network traffic to detect any
unusual activity that may indicate a potential attack.
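
The two-step discovery sequence described above can be turned into a correlation rule. The following is an added example, not part of the whitepaper: the event field names, host names, and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
import ntpath

# Tools the case study names for each discovery step.
HOST_RECON = {"systeminfo.exe"}   # step 1: native binary, common in admin work
NET_RECON = {"netscan.exe"}       # step 2: publicly available network scanner

# Constructed process-creation events (not real telemetry). Field names are
# assumptions modelled on a typical EDR export.
DISCOVERY_EVENTS = [
    {"ts": "2023-04-20T09:01:10", "host": "TELLER-07", "user": r"BANK\j.doe",
     "image": r"C:\Windows\System32\systeminfo.exe"},
    {"ts": "2023-04-20T09:04:45", "host": "TELLER-07", "user": r"BANK\j.doe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\netscan.exe"},
    {"ts": "2023-04-20T10:00:00", "host": "ADMIN-02", "user": r"BANK\it.admin",
     "image": r"C:\Windows\System32\systeminfo.exe"},
    {"ts": "2023-04-20T11:00:00", "host": "HR-11", "user": r"BANK\a.lee",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2023-04-20T12:30:00", "host": "ADMIN-02", "user": r"BANK\it.admin",
     "image": r"C:\Tools\netscan.exe"},
]


def find_discovery_chains(events, window=timedelta(minutes=30)):
    """Alert on netscan.exe, raising severity when it follows systeminfo.exe
    on the same host within `window`.

    systeminfo.exe alone never alerts: it is a native binary with routine
    legitimate use, so alerting on it in isolation would only produce noise.
    """
    last_host_recon = {}  # host -> time of the most recent systeminfo.exe
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        # ntpath parses Windows paths correctly on any analysis platform.
        name = ntpath.basename(ev["image"]).lower()
        if name in HOST_RECON:
            last_host_recon[ev["host"]] = ts
        elif name in NET_RECON:
            prev = last_host_recon.get(ev["host"])
            chained = prev is not None and ts - prev <= window
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "image": ev["image"],
                "severity": "high" if chained else "medium",
                "reason": ("systeminfo.exe followed by netscan.exe" if chained
                           else "netscan.exe without recent systeminfo.exe"),
                "gap_seconds": int((ts - prev).total_seconds()) if chained else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_chains(DISCOVERY_EVENTS):
        print(alert["severity"], alert["host"], alert["reason"])
```

Matching on the file name alone misses a renamed scanner, so a rule like this is normally paired with a check on the binary's embedded metadata and path.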



Credential Access
In a financial organization, there are thousands of user accounts with varying degrees
of privileges. Adversaries are always on the lookout for compromised credentials for
these accounts to gain access or elevate their privileges in the target network as they
help them stay hidden. When LockBit threat actors gain access to a target network,
they use the OS Credential Dumping technique to access the credentials of previously
established accounts using the infamous tool, Mimikatz.

Mimikatz is a tool that allows adversaries to extract and leverage credentials from the
operating system. The LockBit group often uses it to dump LSASS memory, which
stores credentials for the Windows operating system. After memory dumping,
Mimikatz extracts the credentials of other accounts stored in LSASS memory.

Best practices to mitigate Credential Access:

● Implement strong password policies to reduce the likelihood of credential
theft or compromise.

● Enable Windows Credential Guard, which prevents access to credentials
through mechanisms like Mimikatz and other credential-dumping tools.

● Regularly scan endpoints for the presence of tools such as Mimikatz, which
are commonly used to dump credentials, so that they can be detected and blocked.

● Implement endpoint detection and response (EDR) software capable of
detecting indicative processes, networks, and/or artifacts utilized during
credential dumping.



Privilege Escalation
The actions of adversaries are often limited to the compromised user accounts'
privileges. If a non-privileged account provides initial access, adversaries work to
escalate their privileges, as many malicious operations require privileged access. The
LockBit group is known to exploit the vulnerability in the Windows Print Spooler service
named SpoolFool (CVE-2022-21999). This vulnerability enables adversaries to elevate any
user to "NT AUTHORITY\SYSTEM" privileges via DLL injection. However, this is a local
privilege escalation vulnerability, meaning that adversaries require an initial foothold
to exploit it.

Best practices to mitigate Privilege Escalation:

● Follow the principle of least privilege by limiting the number of users
possessing administrative privileges and setting the privileges of all user
accounts in accordance with their roles.

● Keep software and operating systems updated to reduce the chances of
attackers discovering known vulnerabilities to exploit.

● Monitor user activity, system logs, and network traffic to help detect any
suspicious or unusual behavior that may signal attempts at privilege
escalation.

● Carry out security audits regularly to identify and fix any security
weaknesses or misconfigurations which may leave systems open to
exploitation by attackers.



Defense Evasion
In every step of the ransomware attack, the LockBit group aims to avoid being
detected by security controls because any detection alert may warn security teams
and prompt them to shut down the entire operation. While LockBit uses various
defense evasion methods in every step, two techniques are seen prominently in their
campaigns. The first technique is "Masquerading," where threat actors manipulate
malicious files and their metadata to appear legitimate to users or security controls.
When executed, the benign-looking files operate under a legitimate service name to
evade defenses. The second technique is "Indicator Removal," whereby adversaries
remove any artifact left behind by their malicious activity to limit or block malware
analysis.

Best practices to mitigate Defense Evasion:

● Use a multi-layered security approach that includes advanced threat
detection and response technologies such as endpoint detection and
response (EDR). This can help identify and stop suspicious activity before it
can cause damage.

● Implement security information and event management (SIEM) tools that
provide real-time threat monitoring, log management, and incident
response, which can help detect and respond to defense evasion activities.

● Monitor critical system files for unauthorized changes that may indicate
indicator removal activity. This best practice helps detect and prevent
malware from removing any artifacts left behind to block malware analysis.
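
One way to check for the masquerading described above is to compare a process's on-disk name and location with what its metadata and its name imply. This is an added example, not part of the whitepaper: it assumes Sysmon-style process-creation records with `Image` and `OriginalFileName` fields, the expected-directory list is illustrative, and the sample records are constructed.

```python
import ntpath

# Illustrative allow-list (assumption): directories where selected Windows
# binaries normally run from. A production list would be far longer.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Constructed records (not real telemetry).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    # Metadata forged to match the name: only the path check catches this one.
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "svchost.exe"},
    # Tool renamed on disk: the embedded name no longer matches.
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "netscan.exe"},
    # Legitimate binary whose embedded name differs only in letter case.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # No version resource: treated as unknown rather than as a mismatch.
    {"Image": r"C:\Tools\inhouse.exe", "OriginalFileName": "-"},
]


def check_masquerading(event):
    """Return the list of masquerading findings for one process record."""
    findings = []
    directory, name = ntpath.split(event["Image"].lower())
    original = (event.get("OriginalFileName") or "").strip().lower()

    # Check 1: the name on disk differs from the name embedded at build time.
    # Empty or "-" means the field is absent, which is not evidence by itself.
    if original and original != "-" and original != name:
        findings.append("renamed_binary")

    # Check 2: a well-known system name running from an unexpected directory.
    # This still fires when the embedded metadata was manipulated to match.
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        findings.append("system_name_unexpected_path")
    return findings


def scan(events):
    """Return only the records that produced at least one finding."""
    hits = []
    for ev in events:
        findings = check_masquerading(ev)
        if findings:
            hits.append({"Image": ev["Image"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(PROCESS_EVENTS):
        print(hit["Image"], ", ".join(hit["findings"]))
```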



Command & Control
Large-scale ransomware attacks against financial institutions require time and
planning. From the initial access to the impact stage, adversaries need an established
connection to the victims' network. They also need a command and control
mechanism to orchestrate sophisticated attacks. To tackle these challenges, the
LockBit ransomware group uses a publicly available tool called Ngrok. By establishing
a secure tunnel to victims' local machines and bypassing detection, attackers can
establish persistence and transfer malicious tools into victims' networks.

Best practices to mitigate Command & Control:

● Use network segmentation to limit the spread of ransomware across the
network by isolating critical systems, such as financial systems, from the
rest of the network.

● Implement network security controls such as intrusion prevention systems
(IPS) or next-generation firewalls (NGFW) to prevent unauthorized network
activity, including identifying attackers attempting to establish a command
and control connection to victims' networks.

● Monitor network traffic for unusual activity to detect the establishment of a
secure tunnel, such as the one used by LockBit with Ngrok.



Exfiltration
Stealing sensitive files and using them in the double extortion method has become
increasingly popular among ransomware groups, and LockBit is no exception. The
group steals victims' sensitive files by transferring them to cloud storage services such
as Dropbox, MEGA, and Google Drive using rclone. By threatening to release the stolen
data from their data leak site if the victims refuse to pay the ransom for the decryption
key, LockBit puts significant pressure on organizations.

Financial institutions are bound by legal requirements to store users' and employees'
confidential data securely, making data exfiltration a significant cyber threat on its
own. Unauthorized disclosure of such data affects reputation and may have legal
ramifications.

Best practices to mitigate Exfiltration:

● Encrypt sensitive data to prevent unauthorized access and protect data in
case of data exfiltration. Use strong encryption tools and ensure that keys
are stored securely.

● Implement data loss prevention (DLP) solutions to detect and prevent
sensitive data from leaving the organization's network. These solutions can
help identify data exfiltration attempts and alert security teams of potential
incidents.

● Monitor cloud storage accounts for suspicious activity, including
unauthorized access and file transfers. Ensure that access to cloud storage
accounts is closely monitored and controlled.



Impact
In the last stage of the ransomware attack, LockBit delivers the final blow and brings
the victims' operations to a halt by encrypting files with their ransomware payload.
Some ransomware variants implement encryption algorithms inaccurately, and security
professionals devise tools to recover files. However, LockBit variants seem to utilize
AES and RSA encryption algorithms so efficiently that they claim to be the fastest
encryptor in the ransomware scene. The encryption process renders files useless, and
decryption is practically impossible without the decryption key. After encryption, the
file names are appended with specific extensions depending on the variant. LockBit
3.0 appends "HLJkNskOq" to the names of encrypted files.

Some organizations may choose to recover their files from backups and continue their
operation with minimal disruption. LockBit deletes volume shadow copies to inhibit
system recovery. This action pressures organizations without cold backups to pay the
ransom for the decryption key.

Best practices to mitigate Impact:

● Regularly back up data to recover more quickly from ransomware attacks.
Ensure that backups are stored securely and not accessible from the main
network.

● Follow the 3-2-1 backup rule, which means creating three copies of data,
storing them in two different formats, and keeping one offsite.

● Test backups regularly, and ensure the integrity and recoverability of
backed-up data.
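
A restore test can be automated by recording a hash manifest at backup time and comparing a test restore against it. This is an added example, not part of the whitepaper: the function names and directory layout are assumptions, the files are constructed in a temporary directory, and the only value taken from the page is the "HLJkNskOq" extension.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backup files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a test restore against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    report = {"missing": [], "modified": [], "renamed_with_suffix": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["modified"].append(rel)
    for rel in restored:
        if rel in manifest:
            continue
        # A manifest name plus one extra extension is the pattern left by
        # ransomware that appends its own extension to encrypted files.
        stem = rel.rsplit(".", 1)[0]
        key = "renamed_with_suffix" if stem in manifest else "unexpected"
        report[key].append(rel)
    for items in report.values():
        items.sort()
    report["ok"] = not any(report.values())
    return report


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build constructed sample data; return (clean_report, damaged_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source")
        restored = os.path.join(tmp, "restored")
        _write(source, "ledger/q1.csv", b"acct,amount\n1001,250.00\n")
        _write(source, "ledger/q2.csv", b"acct,amount\n1002,75.50\n")
        _write(source, "policy.txt", b"retention: 7 years\n")
        manifest = build_manifest(source)
        clean = verify_restore(manifest, source)

        # Restore taken from a backup that captured already-affected files.
        _write(restored, "ledger/q1.csv.HLJkNskOq", b"\x00\x01 unreadable bytes")
        _write(restored, "ledger/q2.csv", b"acct,amount\n1002,0.00\n")
        _write(restored, "policy.txt", b"retention: 7 years\n")
        return clean, verify_restore(manifest, restored)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Keep the manifest with the offline copy, since a manifest stored beside the live data can be altered along with it.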



Ransomware Prevention Strategies
While ransomware attacks pose a significant threat to financial institutions, the good
news is that prevention is possible. By studying the techniques employed by
ransomware groups, organizations can defend themselves against even the most
notorious ransomware attacks. Here are some of the strategies for ransomware
prevention:

1- Reduce Your Organization's Attack Surface

Knowing your assets can assist in controlling, managing, and reducing your
organization's attack surface. Maintaining an inventory of assets and identifying
associated risks is the first step toward setting up defenses. This information provides
a better understanding of the asset landscape and enables an organization to focus
resources on reducing the attack surface.

2- Implement a Defense-in-depth Security Strategy

Adopting a layered security approach that incorporates people, processes, and
technology is essential to keep your organization secure against ransomware attacks.
This should include regular employee cybersecurity training, security awareness
campaigns, effective security controls, and robust backup and disaster recovery
solutions.

3- Validate Security Controls

Regularly validating endpoint, network, data, and email security controls can help
ensure they are functioning correctly and effectively. Using Breach and Attack
Simulation (BAS) tools can help organizations evaluate their security posture by
simulating various types of attacks in a controlled environment. BAS can provide
valuable insights into the organization's defenses and identify any weaknesses
requiring remediation, reducing the chances of a successful ransomware attack.

4- Develop a Ransomware Response Plan

Developing a response plan tailored to your organization is crucial in case of a
ransomware attack. Identifying a team of key personnel responsible for monitoring and
responding to a ransomware attack and having a detailed response plan in place can
help minimize the impact of an attack and reduce downtime. The plan should leverage
the results of BAS simulations and incorporate the identification of contact points, the
identification of mitigation steps, and investigation strategies to mitigate future
attacks.



Conclusion
Ransomware attacks can be devastating to financial institutions, causing
extensive business disruptions and financial losses. With the rise of RaaS, IAB,
and double extortion methods, ransomware attacks have become more
sophisticated and challenging to recover from. The LockBit ransomware group
is one of the most notorious ransomware groups in operation, using a range of
techniques to infect and disrupt organizations. By studying these techniques,
financial institutions can develop effective mitigation strategies and implement a
defense-in-depth security strategy to protect against ransomware attacks. The
prevention strategies discussed in this paper, including reducing the
organization's attack surface, validating security controls, and developing a
ransomware response plan, can help mitigate the risk of ransomware attacks.
Implementing these strategies can not only help defend against ransomware
attacks but also protect the organization's sensitive data and operations.



References
[1] "The Red Report 2023: Stay Ahead of Evolving Cyber Threats." [Online]. Available: https://www.picussecurity.com/resource/report/the-red-report-2023. [Accessed: Apr. 23, 2023]
[2] P. Labs, "CyberEdge 2023 Cyberthreat Defense Report," Apr. 11, 2023. [Online]. Available: https://www.picussecurity.com/resource/report/cyberedge-2023-cyberthreat-defense-report. [Accessed: Apr. 25, 2023]
[3] "2023 SonicWall Cyber Threat Report." [Online]. Available: https://www.sonicwall.com/2023-cyber-threat-report/. [Accessed: Apr. 23, 2023]
[4] "Illuminating DarkSide: TTPs, Tools, and Trend Towards Defense Evasion," Jun. 16, 2021. [Online]. Available: https://www.picussecurity.com/resource/whitepaper/illuminating-darkside-ransomware. [Accessed: Apr. 23, 2023]
[5] "2022 ThreatLabz State of Ransomware Report." [Online]. Available: https://info.zscaler.com/resources-industry-report-2022-threatlabz-state-of-ransomware. [Accessed: Apr. 23, 2023]
[6] "PARK JIN HYOK," Federal Bureau of Investigation, Aug. 30, 2018. [Online]. Available: https://www.fbi.gov/wanted/cyber/park-jin-hyok. [Accessed: Apr. 23, 2023]
[7] C. Page, "Hacker exploits Harmony blockchain bridge, loots $100M in crypto," TechCrunch, Jun. 24, 2022. [Online]. Available: https://techcrunch.com/2022/06/24/harmony-blockchain-crypto-hack/. [Accessed: Apr. 23, 2023]
[8] H. C. Yuceel, "Lockbit 2.0 Ransomware: TTPs Used in Emerging Ransomware Campaigns," Feb. 11, 2022. [Online]. Available: https://www.picussecurity.com/resource/lockbit-2.0-ransomware-ttps-used-in-emerging-ransomware-campaigns. [Accessed: Apr. 23, 2023]
[9] "LockBit ransomware - what you need to know." [Online]. Available: https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need-know. [Accessed: Apr. 23, 2023]



About
At Picus Security, our priority is making it easy for security teams to continuously
validate and enhance organizations’ cyber resilience.

Our Complete Security Validation Platform simulates real-world threats to
automatically measure the effectiveness of security controls, identify high-risk
attack paths to critical assets, and optimize threat prevention and detection
capabilities.

As the pioneer of Breach and Attack Simulation, our people and technology
empower customers worldwide to be threat-centric and proactive.

www.picussecurity.com


Ⓒ 2023 Picus Security. All Rights Reserved.
