Boeing versus LockBit: handling a ransomware attack.
Nov 13, 2023

LockBit finally publishes its proof-of-hack as Boeing hangs tough on ransom.


Boeing sustained a ransomware attack by the LockBit gang with a November 2nd deadline to pay up or face the release of stolen data. Dark Reading reports that this actually showed some uncharacteristic circumspection on the part of a ransomware operator. Such criminal gangs are usually quick to publish proof-of-hack. Reuters reports that LockBit escalated to doxing on November 10th, releasing files they claim were taken in the attack. Computing wrote this morning that the leaked files appear to contain some financial data, and that Boeing had refused to pay the ransom.

An industry look at the early stages of the incident...

Jim Doggett, CISO, Semperis, commented on the incident in its early stages. "Boeing has recently acknowledged it is investigating a cyber related incident days after the Russian backed ransomware group LockBit posted info about an attack against the aerospace manufacturer," he wrote. "This latest ransomware attack is yet another reminder that even the largest organizations in the world are being victimized by the ransomware scourge. With certainty, Boeing employs some of the best security threat analysts and incident responders, with deep understanding and knowledge of threats and common infection points in networks. And yet, motivated and persistent criminals are successfully finding gaps in even the most secure organizations."

He argued that paying ransom is a mug's game. Invest in resilience, not ransom. "The bottom line is that you can’t pay your way out of ransomware. The good news is that solutions and strategies, when applied properly in advance, help combat these heartless and calculated attacks. Organizations should focus on the resiliency of their systems: hardening the critical systems before an attack, implementing measures to identify and stop attacks before they do significant damage and making sure they can recover quickly after an attack."

And, of course, risk management requires self-understanding. "Additionally, companies need to know what their critical systems are (including infrastructure such as Active Directory) before attacks occur. It would be beneficial to run tabletop exercises that simulate critical systems’ recovery before an incident occurs. While cyberattacks that expose sensitive data are jarring, defenders can make their organizations so difficult to compromise that adversaries look for other companies to attack. Organizations should also regularly conduct security awareness training, adopt an around the clock threat hunting program, monitor for unauthorized changes occurring in their Active Directory environment which threat actors use in most attacks - and have real time visibility to changes to elevated network accounts and groups."

...And an industry look at the most recent stages.

James Dyer, Threat Intelligence Lead at Egress, approves of Boeing's refusal to pay. He says that "LockBit has shown they aren't afraid to call organizations' bluff when they say they have their data!" but might equally well have said that Boeing called LockBit's bluff.

“Since their birth in the 80s, ransomware and cyber gangs have operated using a combination of approaches; the first involves demanding payment from legitimate threats where data has been stolen, and the second is when the threat actors make up claims to earn a quick buck, expecting the victim to concede to their pressure tactics despite no data actually being obtained by the cybercriminals. But when the data is released on the internet for all to see, it's horrifying proof that LockBit isn’t messing about," Dyer observed. “Other victims currently targeted by LockBit may feel hot around the collar knowing that the cybergang definitely had Boeing’s data rather than an empty threat. When faced with a ransomware attack, the general advice is not to pay up; not only is there the ethical issue of handing millions of dollars to a criminal organization, but by boosting their success rate, you’re encouraging threat actors to continue their activities and potentially giving them tips on their next attacks."

The task is now recovery and prevention of a reattack. “Boeing now has an extremely important job to clean up and ensure all passageways into their organization are shut to ensure LockBit actors cannot creep back in whenever they choose. They’ll also have the responsibility of notifying and supporting the victims. If this unfortunate case has taught us anything, it’s that you should review your cybersecurity frequently, and have an incident report plan prepared for any occasion, no matter how big or small the company may be." And Dyer, again, likes Boeing's decision to hang tough. “Ultimately, they did the right thing by not paying.”

(Added, 2:15 PM ET, November 13th, 2023.) Dror Liwer, co-founder of Coro, wishes everyone would follow Boeing's example and refuse to pay ransom. “Refusing to pay a ransom is the right thing to do. If everyone followed Boeing’s path, ransomware ROI would become an uneconomical vector, and eventually cease to exist." It happened before, when good backups rendered the older form of ransomware, which relied on encrypting the victims' data, obsolete. "When ransomware gangs encrypted files, having timely backups rendered that method obsolete. Now that the ransom is against leakage, we recommend all sensitive data and files be encrypted with privileged access to the data limited to the minimum number of employees possible.”

The incident shows, says James McQuiggan, security awareness advocate at KnowBe4, the importance of improving security practices to adapt to an evolving threat. “The recent LockBit ransomware attack demonstrates a persistent and sophisticated threat because an organization decides not to pay the ransom and ignores the impending leak warning and has its data displayed and made available for the world to see," he said. "As cyber threats evolve, the need for robust and continuous improvement in an organization's cybersecurity defenses becomes more critical.”