In the last few weeks two cyber criminal groups that have also targeted Italian institutions and businesses, are back in the news: they are
LockBit 3.0 Black and
BlackCat aka
AlphV, which had already been reported by media in the first decade of last July.
Like all ransomware, this is a type of malware that, once introduced into an organization, encrypts the data and then requires the victim to pay a ransom in order to decrypt it.
TG Soft 's
CRAM researchers had the chance to test their Heuristic Behavioral technologies to combat even the variants of this family type of Ransomware attacks. Again these technologies, made available since 2015, proved to be effective and efficient in blocking the cyber attack, started in any mode, automatically within 100 milliseconds {1 tenth of a second => a blink of an eye} from the start of the encryption process.
LockBit 3.0 Black
The
LockBit 3.0 Black attack analyzed by
TG Soft's
CRAM researchers, showed that access by cyber criminals was via exposed RDP.
As already reported in the
Ransomware attack information via RDP access violation, drafted in 2017 and re-proposed in 2019, WE STRONGLY ADVISE EVERYONE AGAINST making accesses available via RDP because it is, even today, a potential access gatway to PCs/Servers for " bad actors."
The analyzed attack spread the ransomware
Lockbit 3.0 aka
LockBit Black {28/10}, as highlighted in the side image and the {02/11} the
Makop... both were blocked in the initial phase of the attack, by Vir.IT's AntiRansomware eXplorer PRO system.
Contact with cyber criminals is made via chat from the URLs given in the ransomware instructions.
Attack result...
The tandem of ransomware used in this case - Lockbit + Makop - was effectively blocked in the initial phase of the attack by the Heuristic-Behavioral technologies built into the Vir.IT eXplorer PRO suite....
Moral of the story
All PC and/or Server machines where Vir.IT eXplorer PRO was properly installed, configured and updated have effectively "blocked" / MITIGATED this multiple encryption attack!
BlackCat / AlphV
Another threat around is the
BlackCat ransomware also known as
AlphV.
Below some payload info from TG Soft's CRAM Analysts on BlackCat / ALPHV Ransomware.
Encrypted file structure ransomware BlackCat / ALPHV:
[ORIGINAL_FILENAME].[ORIGINAL_extension].specific/different for each affected company |
We underline that this ransomware uses a different extension for each affected Company/Entity.
Ransom instructions are released within each folder where the ransomware has encrypted files. The ransomware file is released in text format with structure:
FileNameRequestToRansomStrRandom.txt
From the attack we simulated in our real infrastructure with a sample retrieved from an actual attack, the heuristic-behavioral protection of Vir.IT eXplorer PRO AntiRansomware Protection CryptoMalware, intervened in the range of 100 milliseconds {1/10th of a second} from the start of the encryption process. The few files encrypted in the initial phase of the attack can be recovered/restored through the RECOVERY & RESTORE tools of Vir.IT eXplorer PRO: BackupOnTheFLY and/or Vir.IT Backup!
The computer where the malicious process was initiated, simulating a HumanOperatedRansomware Attack, was automatically isolated from the rest of the network so that the ransomware attack could not propagate to the entire infrastructure, thus ensuring BusinessContinuity.
Obviously, as with any other software, its effectiveness and efficiency is subject to the 4 rules of good use:
- Correctly INSTALLED on ALL PCs as well as on Server(s) even if they are not used for WEB browsing;
- Correctly CONFIGURED;
- Correctly UPDATED;
- and properly USED...
Vir.IT Anti-Ransomware Crypto-Malware Protection
TG Soft has been developing and integrating since May 2015 in the Vir.IT eXplorer PRO suite - THE ONLY product with proprietary engine developed 100% in Italy - AntiVirus, AntiSpyware and AntiMalware, AntiRansomware Crypto-Malware protection technologies that, through the heuristic-behavioral approach, block the encryption process in the initial phase of the attack saving, on average, at least 99.63% of the data files otherwise potentially encrypted
In addition, as a last parachute, you can restore from Vir.IT BackUp, which is built in Vir.IT eXplorer PRO suite, data files that cannot be restored or recovered using other restore/recovery tools.
For more info on these technologies, 100% developed in Italy, you can contact the administrative office of TG Soft Cyber Security Specialist by writing to segreteria@tgsoft.it or by calling the direct number 049.8977432.
C.R.A.M.
TG Soft's Anti-Malware Research Center