LockBit ransomware attacks Essendant

The LockBit ransomware group is claiming responsibility for taking down a US-based distributor of office products called Essendant. This attack, which is said to have begun on or around March 6, created severe ramifications for the organisation, disrupting freight carrier pickups, online orders, and access to customer support.

As noted by Bleeping Computer, the original notification that something had gone wrong made no mention of ransomware or even any form of compromise. There’s still no mention on the updated notification page. However, this may be about to change in the wake of LockBit’s claims.

As with so many ransomware groups out there, LockBit is a fan of using stolen data to apply additional pressure and make victims pay the ransom. In cases where the payment is not made, the data is put up for sale, or simply posted online for free. This is a big leveraging factor on many businesses when deciding what to do about ransom threats.

On March 14, LockBit added Essendant to its leaks page with the threat of supposedly stolen data being published by March 18, if its demands are not met.

Essendent data on the LockBit data leak site

The description of the embattled organisation comes with the message “Change a recovery company and try again”. This could be a reference to previous failed attempts to decrypt the compromised data.

LockBit has demonstrated time and again that it will release stolen data if the target refuses to pay. Just last month, Royal Mail found itself on the wrong end of a data dump via the LockBit leak portal after a high profile ransomware attack caused all manner of postal delays.

Unusually, the Royal Mail data dump also came with a chat log of the entire conversation between LockBit and Royal Mail. The log is absolutely fascinating and illustrates the need for victims to employ someone who knows what they’re doing when negotiating with attackers.

LockBit is arguably the most dangerous malware in the world right now. It was by far the most dominant ransomware in 2022, and hasn’t slowed down in 2023, which is why it’s one of the five threats you can’t afford to ignore in our in our 2023 State of Malware report.

Chart of the most prevalent ransomware-as-a-service groups in 2022
Known attacks by the most prevalent ransomware groups in 2022

Its success comes from its professionalism. LockBit is run as a business: It has a slick website, it avoids the political grandstanding of its competitors, and even offers bug bounties to people who find flaws in its software. It distributes three different versions of its ransomware-as-a-service (RaaS), which are reportedly used by 100 affiliates, and its largest known ransom demand is $80 million.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

https://blog.malwarebytes.com/feed/