LockBit Lives: Claims DC Department of Insurance, Securities and Banking Data Leak

Date: April 22, 2024


LockBit seems to be very much alive, albeit somewhat diminished in capacity, which calls into question the effectiveness of a major law enforcement takedown of the infamous ransomware gang’s infrastructure in February.

In mid-April, LockBit claimed it had compromised the D.C. Department of Insurance, Securities and Banking (DISB) and exfiltrated as much as 800GB of sensitive data, and it threatened to leak the data if a ransom payment was not received.

A DISB representative stated that the agency had been alerted to a breach by a third-party software provider, Tyler Technologies, who said they had detected “unauthorized access to their cloud that stores DISB’s STAR system client data.”

“We immediately took the system offline and have been in close contact with affected clients. In coordination with third-party experts, we launched an incident response investigation,” The Record reports.  

“In parallel, our security and technical support teams began working to restore system access in a safe and secure manner. Known, good (immutable) backups were available, and recovery of the application environment and associated data have been a focus for Tyler since we discovered this situation. Our investigation found that a threat actor encrypted the system and acquired data.”

Takeaway: Organizations need to understand that today’s ransomware attacks involve a great deal more than just the delivery of a malicious payload and the issuing of a ransom demand.  

Data exfiltration and the threat of exposure are now a central aspect of nearly every ransomware operator’s playbook. They significantly increase the chances that the extortion effort succeeds, and they expose the victim to regulatory action and lawsuits.

In some cases, the attackers may not only demand payment of a ransom to regain access to encrypted systems, but they may also demand further payment for the stolen data itself.  

And even then, there is no guarantee that a ransom payment will protect the stolen data from being exploited. The exposure of sensitive data can lead to regulatory fines, legal liabilities, and severe damage to the company's brand and customer trust.  

Protecting sensitive data through robust cybersecurity measures, including encryption, access controls, and employee training, is essential in safeguarding against data loss and intellectual property theft.

The ransomware payload is the tail-end of the attack, so more resources need to be dedicated to prevention and early detection, particularly at the data exfiltration stage.  

This means arresting ransomware attacks before the victim even knows it’s a ransomware attack. If we do our jobs right, we will be talking more about combatting initial ingress and less about dealing with disruptive ransomware payloads.

Halcyon recently published a reference guide that explores what each C-level executive should know about ransomware to ensure a strong security posture and protect their organization: What Executives Should Know about Ransomware.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.