Ransomware Attacks on Credit Unions (and how Sicura can help)

Credit Unions Ransomware Attacks on the Rise

In August 2021, Envision Credit Union disclosed that they’d been the victim of a ransomware attack. Envision Credit Union serves over 50,000 members living and working in South Georgia and North Florida. Credit unions are an attractive target for ransomware attackers because they store large amounts of private customer information but often lack the full-time IT and security resources to adequately protect that data. 

During a ransomware attack, an external group takes control of an organization’s data, encrypts it so legitimate users are locked out, and threatens to release it publicly unless a ransom is paid. The Envision attack was specifically a LockBit 2.0 attack.

LockBit is a RaaS (Ransomware-as-a-Service) group that sells ransomware encryption software to other criminals. LockBit released its 2.0 version in August 2021, and cases like Envision’s have been on the rise since then. The majority of LockBit’s victims are small and medium-sized businesses. These attacks cost businesses millions in lost time, ransoms paid, and fines assessed, in addition to the incalculable cost of damage to the brand and loss of customer trust.

LockBit 2.0 Infection Chain

During a LockBit 2.0 attack, the attackers first gain access to a user account and then propagate through the network by exploiting potentially insecure protocols such as SMB. Once propagated, LockBit systematically steals and encrypts sensitive information, preventing legitimate operators from accessing it. If LockBit reaches a domain controller, the problem is exacerbated further: the attackers can disable security features such as Windows Defender network-wide and can even execute custom malicious code on every connected host.

Sicura can deter, block, and mitigate ransomware attacks

Sicura automatically prevents the misconfigurations that act as a broken lock (or even a wide-open door) for an attempted ransomware attack. By enforcing globally recognized Center for Internet Security (CIS) Benchmarks, Sicura automatically remediates the misconfigurations and errors that allow a ransomware group to break into an organization’s environment. 

Sicura deters, slows, and blocks ransomware attacks at the following four stages: 

Initial Access

Your password strategy is the first step in keeping attackers out - think of it as the lock on the front door. Sicura automatically enforces robust password policies requiring complexity, length, maximum age, and lockout timers. These policies deter brute-force password attempts common in ransomware attacks.

Execution

Even if ransomware attackers can access the system, Sicura can prevent them from taking any action once inside. When Sicura is used to implement the CIS Benchmarks, access to system files and registry locations is restricted to Administrators. The fewer people who have login access, the better, as it limits the chance that a single breach of an employee’s email or computer grants full access to the entire system. Reducing your attack surface (in this case, the number of user accounts on a system) is always a positive step in the security world.

Privilege Escalation

One of the first things attackers will do after breaching a system is try to find a way to escalate to a user with administrator access. To combat this, Sicura renames the default Administrator and Guest accounts and disables the Guest account. This leaves less opportunity for an unmanaged Guest account to be breached, while also ensuring that attackers cannot simply guess the name of the Administrator account.

Sicura takes other measures to deter unwanted privilege escalation:

  • Access token manipulation is restricted to only Administrators
  • Automatically require User Account Control (UAC)

Lateral Movement
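The account controls described in the Initial Access and Privilege Escalation sections can be checked on a single host with the following audit script. It is an added example, not Sicura’s code; it assumes Windows 10 / Server 2016 or later (not a domain controller) and an elevated PowerShell session, and the thresholds are the CIS Windows Benchmark Level 1 values, exposed as parameters so you can match your own policy.

```powershell
# Added example (not Sicura's code): audits the local account controls the post describes.
# Assumes Windows 10 / Server 2016+ with the LocalAccounts module, run elevated.
# Default thresholds follow CIS Windows Benchmark Level 1; adjust to your policy.
function Test-AccountHardening {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength   = 14,
        [int]$MaxPasswordAgeDays  = 365,
        [int]$MaxLockoutThreshold = 5
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($control, $pass, $detail) {
        $findings.Add([pscustomobject]@{
            Control = $control; Status = $(if ($pass) { 'PASS' } else { 'FAIL' }); Detail = $detail })
    }

    # Built-in accounts are located by RID (500 = Administrator, 501 = Guest),
    # so the check still finds them after they have been renamed.
    $users = Get-LocalUser
    $admin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    Add-Finding 'Administrator renamed' ($admin.Name -ne 'Administrator') "name is '$($admin.Name)'"
    Add-Finding 'Guest renamed'         ($guest.Name -ne 'Guest')         "name is '$($guest.Name)'"
    Add-Finding 'Guest disabled'        (-not $guest.Enabled)             "Enabled = $($guest.Enabled)"

    # UAC: EnableLUA = 1 means User Account Control elevation prompts are enforced
    $lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    Add-Finding 'UAC enabled' ($lua -eq 1) "EnableLUA = $lua"

    # Local password/lockout policy parsed from 'net accounts' (English-locale labels assumed)
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(\S.*)$') { $policy[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $len  = [int]$policy['Minimum password length']
    $age  = $policy['Maximum password age (days)']   # number of days, or 'Unlimited'
    $lock = $policy['Lockout threshold']             # number of attempts, or 'Never'
    Add-Finding 'Minimum password length' ($len -ge $MinPasswordLength) "$len characters"
    Add-Finding 'Maximum password age' ($age -ne 'Unlimited' -and [int]$age -le $MaxPasswordAgeDays) "$age days"
    Add-Finding 'Lockout threshold' ($lock -ne 'Never' -and [int]$lock -le $MaxLockoutThreshold) "$lock attempts"
    return $findings
}

Test-AccountHardening | Format-Table -AutoSize
```

Any FAIL row corresponds to one of the controls the post says Sicura enforces, so the output doubles as a before/after check when rolling out a CIS baseline.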

LockBit 2.0 ransomware is particularly powerful because it can move laterally throughout the network. Potentially vulnerable protocols such as SMB can be exploited to gain access to shared network drives and other devices. To combat this, Sicura ensures that both the server and the client side of SMB v1 are disabled.

Inbound firewall rules can also help prevent access between systems within the same network. Sicura configures the local inbound firewall rules to block all but necessary traffic even within trusted networks to ensure a defense in depth strategy is used and to limit propagation if a breach does occur.
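The two lateral-movement controls just described (SMB v1 off on both the server and client side, and the host firewall defaulting to Block for inbound traffic on every profile) can be audited and, with -Remediate, corrected by the following script. It is an added example rather than Sicura’s code, and assumes Windows 10 / Server 2016 or later with the SmbShare and NetSecurity modules, run from an elevated PowerShell session.

```powershell
# Added example (not Sicura's code): audit/remediate SMB v1 and host-firewall inbound defaults.
# Assumes Windows 10 / Server 2016+ (SmbShare, NetSecurity, DISM modules), run elevated.
function Test-LateralMovementHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($control, $pass, $detail) {
        $findings.Add([pscustomobject]@{
            Control = $control; Status = $(if ($pass) { 'PASS' } else { 'FAIL' }); Detail = $detail })
    }

    # SMB v1 server side: the local SMB server must not accept SMB1 dialects
    $server = Get-SmbServerConfiguration
    Add-Finding 'SMBv1 server disabled' (-not $server.EnableSMB1Protocol) `
        "EnableSMB1Protocol = $($server.EnableSMB1Protocol)"
    if ($Remediate -and $server.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # SMB v1 client side: the SMB1Protocol optional feature carries the client driver,
    # so it must be Disabled (removal completes after a reboot)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    Add-Finding 'SMBv1 client feature disabled' ($feature.State -eq 'Disabled') "State = $($feature.State)"
    if ($Remediate -and $feature.State -ne 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # Host firewall: every profile enabled with inbound default Block, so only explicitly
    # allowed rules admit traffic, even from hosts on the same trusted network
    foreach ($fw in Get-NetFirewallProfile) {
        $ok = ($fw.Enabled -eq 'True') -and ($fw.DefaultInboundAction -eq 'Block')
        Add-Finding "Firewall profile $($fw.Name)" $ok `
            "Enabled = $($fw.Enabled), DefaultInboundAction = $($fw.DefaultInboundAction)"
        if ($Remediate -and -not $ok) {
            Set-NetFirewallProfile -Name $fw.Name -Enabled True -DefaultInboundAction Block
        }
    }
    return $findings
}

# Audit only; add -Remediate to apply the fixes
Test-LateralMovementHardening | Format-Table -AutoSize
```

Run the audit first and review the FAIL rows, since setting the inbound default to Block on a host with no explicit allow rules for required services (for example remote management) will cut off that access.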

Had Envision used Sicura, the LockBit 2.0 attackers would have had at least 4 additional layers to go through before accessing, encrypting, and ransoming their data.

An Industry-Wide Approach to Stopping Ransomware

The National Credit Union Administration has made recommendations to help promote good cyber hygiene and prevent attacks such as the one that happened to Envision. These recommendations include using the CIS Benchmarks to assess cyber posture and maturity. Sicura enforces these best practices across your system - automatically or with the click of a button, without hiring a dedicated employee. 

Sicura ensures you are consistently compliant with CIS Controls and Benchmarks so credit union leaders can rest assured that they are deploying strategies to deter, defend, and protect against attacks. Interested in learning how Sicura can empower your organization to implement security best practices? Reach out.