Exploring Activity Monitor amidst the ransomware landscape

by Hela Cherif and Broderick Aquilino (WithSecure)

The recent attack on China’s Industrial and Commercial Bank (ICBC) underscores the sophisticated threat landscape associated with ransomware, emphasising the need for heightened cyber security measures. The development of Activity Monitor is aimed at assisting organisations in addressing these kinds of threats.

In the realm of cyber security, ransomware has evolved beyond the tactic of tricking users into executing the ransomware themselves and now presents organisations with multiple threats at once. In this multifaceted strategy, cyber criminals first gain unauthorised access to valuable data, intending to sell it on the dark web, before launching the ransomware onslaught by executing the malware. While it is not yet confirmed that LockBit was the ransomware used and that Citrix Netscaler was exploited in the recent ICBC incident, all indicators point towards these possibilities. The incident serves as a vivid illustration of the sophisticated tactics employed by cyber adversaries.

The LockBit ransomware attack on China’s Industrial and Commercial Bank (ICBC) serves as a stark reminder of the vulnerabilities within complex systems. Exploiting a vulnerability in the Citrix server, the attackers infiltrated ICBC’s systems, causing widespread disruption and financial chaos. This incident highlights the need for organisations to reassess their cyber security strategies in the face of evolving threats.

At WithSecure, we acknowledge the complexity of modern cyber threats and employ a multi-layered security approach, leveraging various technologies to bolster defences against a range of cyber threats. The recent ICBC LockBit incident sheds light on a critical vulnerability – the exploitation of unpatched systems like Netscaler to gain unauthorised access, followed by LockBit execution. Recognising this gap, WithSecure offers proactive solutions that not only detect initial breaches but also mitigate the impact of ransomware execution.

WithSecure’s Rollback, based on its Activity Monitor technology, and part of WithSecure Elements Endpoint Protection, emerges as a crucial component in the cyber security landscape. It is designed to be the last line of defence in the event of a successful cyber attack. Going beyond traditional backup methods, Rollback enables organisations to swiftly restore original files and settings, effectively turning back the clock on a system compromised by malware. This capability is particularly relevant in scenarios where attackers gain unauthorised access, as evidenced in the ICBC LockBit incident.

It is crucial to note that WithSecure’s Activity Monitor is designed to analyse the behaviour of applications and does not purport to comprehensively identify all forms of ransomware. Rather, it identifies ransomware by recognising an application that encrypts files and subsequently holds them for ransom. The ransomware landscape may keep changing, but the act of encrypting files for ransom is expected to persist, and that persistence is the inherent advantage of the Activity Monitor in discerning ransomware.
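To make the behavioural idea concrete, the following is an added toy illustration, not WithSecure's Activity Monitor or Rollback code: a monitor that watches per-process file writes, keeps a pre-write copy of each touched file (the rollback part), and flags a process once it has turned several readable files into ciphertext-like data. The entropy threshold, the file count threshold, the process ids and the event stream are all constructed assumptions for the demo.

```python
"""Toy behavioural ransomware monitor with pre-write snapshots (added example)."""
import hashlib
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0   # bits per byte; text sits around 4-5, ciphertext near 8 (assumed)
FILE_THRESHOLD = 5        # distinct files rewritten as ciphertext before flagging (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ActivityMonitor:
    """Keeps a copy of each file before a process first modifies it, and counts
    writes that convert a low-entropy file into a high-entropy one, which is the
    encrypt-in-place pattern the page describes."""

    def __init__(self, entropy_threshold=ENTROPY_THRESHOLD, file_threshold=FILE_THRESHOLD):
        self.entropy_threshold = entropy_threshold
        self.file_threshold = file_threshold
        self.originals = defaultdict(dict)        # pid -> {path: content before first write}
        self.suspicious_files = defaultdict(set)  # pid -> paths rewritten as ciphertext-like
        self.flagged = set()

    def on_write(self, pid: int, path: str, old: bytes, new: bytes) -> bool:
        """Record one write event; return True if `pid` is (now) flagged."""
        # Snapshot the original exactly once, before the first modification by this process.
        self.originals[pid].setdefault(path, old)
        # Only count writes that turn readable data into ciphertext-like data;
        # rewriting an already-compressed file (zip, jpeg) must not count.
        if (shannon_entropy(old) < self.entropy_threshold
                and shannon_entropy(new) >= self.entropy_threshold):
            self.suspicious_files[pid].add(path)
            if len(self.suspicious_files[pid]) >= self.file_threshold:
                self.flagged.add(pid)
        return pid in self.flagged

    def rollback(self, pid: int) -> dict:
        """Return {path: original bytes} for every file the process modified."""
        return dict(self.originals[pid])


def pseudo_ciphertext(seed: str, length: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    out = b""
    block = seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def simulate() -> ActivityMonitor:
    """Replay a constructed event stream: an editor saving text (pid 100) and a
    process encrypting documents in place (pid 200)."""
    mon = ActivityMonitor()
    text = b"Quarterly report: revenue grew 4% year on year. " * 20
    # Benign: plain text rewritten as plain text, and a zip that was already high-entropy.
    mon.on_write(100, "C:/docs/report.txt", text, text + b"Appendix added.")
    mon.on_write(100, "C:/docs/archive.zip", pseudo_ciphertext("zip"), pseudo_ciphertext("zip2"))
    # Ransomware-like: six documents turned into ciphertext one after another.
    for i in range(6):
        path = f"C:/docs/file{i}.docx"
        mon.on_write(200, path, text, pseudo_ciphertext(path))
    return mon


if __name__ == "__main__":
    m = simulate()
    print("flagged processes:", sorted(m.flagged))
    for pid in sorted(m.flagged):
        print(f"pid {pid}: {len(m.rollback(pid))} files restorable from pre-write copies")
```

The check on the old content's entropy is what keeps a backup or archiving tool from looking like ransomware: only the transition from readable to ciphertext-like data is counted, and the pre-write copies are what a rollback restores once a process is flagged.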

The ICBC LockBit incident underscores the need for proactive and innovative cyber security measures. WithSecure’s Rollback is positioned as a resilient defence against ransomware attacks. As the digital battleground continues to evolve, organisations must consider solutions that provide a robust response to cyber threats.

Rollback’s effectiveness is not just a claim; it has been demonstrated in action against the notorious LockBit 3.0 ransomware. At the SPHERE23 co-security unconference, we showcased the real-world application of Rollback as it thwarts LockBit 3.0. The demonstration serves as tangible evidence of Rollback’s resilience against genuine cyber threats.

In conclusion, the evolving landscape of ransomware threats requires a reevaluation of cyber security strategies. The ICBC LockBit incident highlights the vulnerabilities organisations face, particularly the exploitation of unpatched systems like Netscaler to gain unauthorised access, followed by LockBit execution. WithSecure’s Rollback offers a proactive and effective last line of defence against such threats. As organisations navigate the complexities of the digital era, resilient cyber security solutions like Rollback become essential in safeguarding against ransomware attacks.