On Monday, December 12th, LockBit claimed to have stolen 76 gigabytes of data from the California Department of Finance including “databases, confidential data, financial documents” and “sexual proceedings in court.”
The Department of Finance (DOF) has until December 24th to meet LockBit’s demands before they will publish the stolen files on the dark web.
In response to the attack, the California Governor’s Office of Emergency Services announced in a statement that the California Cybersecurity Integration Center (Cal-CSIC) is “actively responding to a cybersecurity incident involving the California Department of Finance” (Vicens), and that “while we cannot comment on specifics of the ongoing investigation, we can share that no state funds have been compromised, and the department of finance is continuing its work to prepare the governor’s budget that will be released next month” (Page).
LockBit has falsely claimed to have infiltrated companies before; however, if they have managed to infiltrate DOF, this is deeply concerning. In total, LockBit has extorted roughly $100 million from its combined victims (Vicens) since it was first identified back in 2019.
The LockBit ransomware attack has sent California government into a frenzy. CISOs are alert and wary of a similar attack happening to their department. However, if you aren’t a security specialist, you may not have a full understanding of what’s going on and of the situation’s enormity. Understanding this threat, and cybersecurity in general, is vital. According to a study by Stanford University Professor Jeff Hancock, approximately 88% of all data breaches are caused by employee mistakes (Sjouwerman). The World Economic Forum furthered this statistic, finding that 95% of all incidents occur due to human error, with 43% of breaches attributed to insider threats (Zhadan).
I am not a Chief Security Officer, however, from layman to layman, I have compiled research that I believe is valuable for the everyday Joe.
The California Department of Finance was targeted by the ransomware LockBit. Well, what’s ransomware? The Oxford dictionary defines it as a “malicious software designed to block access to a computer system until a sum of money is paid.” Hence, ransom (to hold something or someone of value with the intent to gain something upon its return) combined with ware (a root word commonly used in IT—software, hardware, etc).
There are 4 subclasses of ransomware:
1.) Locker ransomware – Blocks a user’s access to their computer system
2.) Crypto ransomware – User has access to the computer system, but files/data are encrypted (scrambled so they cannot be read without a key). The decryption key is given to the victim upon payment
3.) Double extortion – Similar to crypto ransomware, except your files/data are then exfiltrated and threatened to be published.
4.) RaaS (Ransomware as a Service) – Perpetrators can rent access to a ransomware strain from the creator as a pay-per-use service. RaaS is hosted on dark net sites where criminals can purchase the strain as a subscription. A portion of the ransom payments collected by the perpetrator is partitioned to the ransomware author.
LockBit falls under the Ransomware as a Service subclass and employs double extortion.
LockBit has 3 known iterations. It was first identified in 2019 but didn’t gain popularity until its second iteration: LockBit 2.0. Palo Alto Networks reported LockBit 2.0 as the most widespread ransomware variant in the first quarter of 2022 and to have the fastest encryption capabilities (Rees). The latest version is LockBit 3.0, an upgraded version of its predecessor with new techniques and capacities (including a bug bounty program, using Zcash, etc.).
So, the California Department of Finance had 76 gigabytes of data/files encrypted and exfiltrated. The information gathered will be published for other criminals to see and use, and DOF will not be able to read their own data/files, unless they pay a certain amount by December 24th.
What can you do to avoid a similar attack happening at your department and/or prevent further infiltration?
LockBit ransomware is often spread using Remote Desktop Protocol (RDP). RDP is what Network Administrators use to remotely diagnose problems on individual users’ machines and is what gives users the ability to remotely access their physical computers (Chai and Posey).
There are 3 key, simple, things that you can do to protect your organization from perpetrators, even if you aren’t a security specialist:
1.) Use multi-factor authentication and have a strong password.
2.) Be careful to avoid phishing emails with shady links.
3.) Be careful with who in your organization has what permissions.
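Because the post names RDP as LockBit’s common way in, here is a read-only audit script (an added example, not from the original post) that checks the RDP settings the three tips touch on: whether RDP is on, whether Network Level Authentication is required, who is allowed to connect, whether the host firewall exposes it, and how many failed RDP logons happened in the last day. It assumes a Windows host and an elevated PowerShell session; it changes nothing.

```powershell
# Added example (not from the original post): read-only RDP exposure audit.
# Run in an elevated PowerShell on a Windows host; it only reports findings.
$findings = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means RDP is disabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled; confirm this host actually needs remote access.'
}

# 2. Is Network Level Authentication required? Without it the logon screen is
#    reachable before the user has authenticated.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($rdpTcp.UserAuthentication -ne 1) {
    $findings += 'NLA is not required for RDP; enable it (UserAuthentication = 1).'
}

# 3. Who can log on over RDP? Local admins always can; everyone else needs the
#    Remote Desktop Users group. Review both lists (tip 3: permissions).
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if ($members) {
        $findings += "$group members: " + (($members | ForEach-Object Name) -join ', ')
    }
}

# 4. Is RDP reachable through the host firewall?
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
         Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($rules) {
    $findings += 'Inbound Remote Desktop firewall rules are enabled; limit them to known management networks.'
}

# 5. Failed logons (event 4625) with logon type 10 (RemoteInteractive) are the
#    sign of password guessing against RDP; MFA (tip 1) is the fix.
$since = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.Properties[10].Value -eq 10 }
if ($failed.Count -gt 0) {
    $findings += "$($failed.Count) failed RDP logons in the last 24 hours."
}

if ($findings.Count -eq 0) { Write-Output 'No RDP findings.' }
$findings | ForEach-Object { Write-Output "[!] $_" }
```

The Security log section needs administrator rights; the other checks work for any local user.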
In 2022, businesses around the globe faced a ransomware attack every 11 seconds, a 20% increase from 2019 (Bulao). Almost 80% of cyber attackers target government agencies, with 46% of these attacks being directed towards the United States (Bulao).
These small efforts can make a massive difference for your organization as cyber attacks continue to increase.