Tech Features

Lessons of 2023 to arm us for 2024

By: Manoj Reddy M.V, Raghav Kapoor, Shyava Tripathi, Pham Duy Phuc, Max Kersten & Adithya Chandra at the Trellix Advanced Research Center

We often treat the transition to a new year as an opportunity to consign the past to the dustbin of history and usher in some imagined future idyll. But some of us notice that the more things change, the more they stay the same.

The new year is no time for defeatism. Let us learn the lessons of 2023 to arm us for 2024. Come with me as we take a dive into a list compiled by Trellix experts of the most dangerous attack vectors threatening our digital economy right now.

Unmasking The Silent Surge in Insider Threats

In recent years, insider threats have posed a multifaceted risk that affects both public and private organizations globally. An insider threat refers to any person, whether an employee, contractor, partner, or someone with rogue access, who had or currently has access to critical organizational assets including facilities, information, networks, and systems. Based on recent industry analysis, insider threats have increased by 47% over the last two years, incurring a total loss of $15.38 million for the containment of these incidents.

This threat undermines the confidentiality and integrity of the organization while aiding adversaries in gathering intelligence, carrying out sabotage operations, and using subterfuge methods to achieve their nefarious objectives. As connected devices continue to proliferate, and hybrid and remote workforces persist, insider threats will only continue to grow.

The Growing Battle of the (QR) Codes

The rise of QR code-based phishing campaigns represents an alarming trend. As our daily lives become increasingly reliant on digital interactions, attackers are adapting their tactics to exploit new vulnerabilities. QR codes, originally designed for their convenience and efficiency, have become an enticing tool for cybercriminals to use as an attack vector.

One of the primary reasons behind the expected increase in QR code-focused phishing campaigns is their inherent trustworthiness. QR codes became essential in various aspects of daily life during the COVID-19 pandemic, from contactless payments to restaurant menus. As a result, people have grown accustomed to scanning QR codes without much thought, assuming they are safe. This sense of trust can be exploited by cybercriminals who embed malicious links or redirect victims to fake websites. We expect that QR codes will also be used to distribute widely recognized malware families.

The Stealthy Assault on Edge Devices

There is a somewhat stealthy shift in the threat landscape underway, centering on the often-overlooked realm of edge devices. These unassuming components, including firewalls, routers, VPNs, switches, multiplexers, and gateways, are becoming the new frontier for Advanced Persistent Threat (APT) groups. What sets this apart is the subtlety of the threat; it is not about the easily foreseen IoT vulnerabilities, but rather the less conspicuous challenges posed by edge devices themselves.

Edge devices have their unique complexities. However, the issue lies in their inherent inability to detect intrusions.

Python in Excel Creates a Potential New Vector for Attacks

With Microsoft implementing default defensive measures to block internet macros in Excel, macro usage by threat actors has seen an expected drop. Instead, they are exploring alternative attack vectors for their latest attacks, including lesser-known or underutilized ones such as OneNote documents. However, with the recent creation and release of Python in Excel, we expect this to become a potential new vector for cybercriminals.

As both attackers and defenders continue to explore the functionality of Python in Excel, it is guaranteed that bad actors will start to leverage this new technology as part of cyberattacks. Although the Python code is executed in containers on Azure, it can still access local files with the help of Power Query.

Turn the tables

When you know what your adversary is doing, their mask slips. They become less scary. Threat intelligence is one of the greatest weapons we have right now and will remain so in the coming year. A sense of doom can be crippling and prevent positive action; hence, it can hasten doom. We have the knowledge and we have the tools to bring about change. Let 2024 be the year that threat actors finally taste their own medicine, and let the 2024-2025 New Year be the one where threat actors finally become the pessimists.

Data tampering is an underrated threat — get your backup ready

By Charles Smith, Consulting Solution Architect, Data Protection, Barracuda Networks (EMEA)

The constant string of attacks organisations face is an ever-present reminder of how important it is to have an up-to-date, readily accessible copy of everything that matters to your business. Resilient backups allow you to recover more quickly from data damage, disruption, or loss, particularly if a ransomware attack has resulted in encrypted or deleted files.

These are well-known and widely reported benefits of backups — but there’s more. Immutable data backups can also protect you from the underrated threats of data tampering and malicious insiders, unpredictable activities that can significantly damage brand trust and reputation if they’re not addressed.

Data tampering and manipulation

Data tampering, such as deletion and manipulation, has been called the “next level of cyberattacks.” While attacks on data integrity aren’t new, their growing sophistication in the age of generative AI will make them harder to spot.

The perpetrators could be external, such as activists or nation-state groups, but more often they are internal: disaffected insiders with broad access rights out for revenge, mischief, or personal or financial gain.

Hypothetical external incidents could include an attacker successfully breaching a stock market’s IT system to alter share price updates, leading to panic selling and financial chaos. There are also reported examples of malicious insiders trying to alter data records within their current or former company, changing passwords, disabling servers, deleting files, or engaging in cyberespionage.

Companies need defences that will detect and prevent any attempt at data tampering inside the network, but also provide them with a robust and accurate version of the truth that can restore the original data and set the record straight.

The double defence against data tampering

Your first layer of protection should be a security solution that includes strong access controls, data encryption, secure communication protocols, and AI-driven measures to detect and respond to anomalies that could signpost attempted data interference. The combined impact should prevent external attackers from being able to access your network and alter or delete data, and it should also block internal malicious actions by authorised users.

There is a second, equally important layer of defence: an immutable data backup. Immutable data cannot be changed or deleted. This means that if an attacker does manage to tamper with or manipulate your communications, documents, and more — your backup files are unaffected and can be used to restore data and prove beyond doubt where content has been falsified.

The many benefits of immutable backups

Immutable backups can help an organisation to recover from any incident where data is encrypted, deleted, damaged, tampered with, or lost.

  • They offer an extra line of defence against determined bad actors. Despite the security measures in place, determined attackers may find ways to compromise or bypass security controls. Immutable backups provide an extra safeguard by ensuring that even if the primary data is tampered with, the backup remains intact and unaltered.
  • They protect the company from insiders with ill intent. No one likes to think about insider threats. These are your colleagues after all. But our own recent research suggests that malicious insiders were the root cause of around a third (39%) of data breaches in the last year. Immutable backups help to protect against insider attacks, as they prevent authorised users from altering or erasing data.
  • They mitigate the impact of ransomware. Immutable backups can protect against ransomware attacks by ensuring that a clean, unaltered copy of the data is available for restoration, reducing the impact and potential need to pay the ransom.
  • They protect you from accidental data corruption. Data can be corrupted due to hardware failures, software bugs, or human error. Immutable backups help protect against these scenarios by providing a point-in-time copy of the data that cannot be modified or corrupted, allowing for reliable data restoration.
  • They are essential for compliance and data protection regulations. Some industry sectors and regulatory frameworks require organisations to maintain immutable backups for data retention and compliance purposes. Immutable backups ensure the integrity and authenticity of the data.
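The two jobs an immutable backup does in the text above, detecting that primary data has been falsified and restoring the original, can be shown in a few dozen lines. The following is an added example, not Barracuda's code or product: it records a point-in-time SHA-256 manifest of a directory, keeps a read-only copy as a stand-in for an immutable store (real immutability comes from WORM storage or object lock, not file permissions), audits the live data against the manifest, and restores only after proving the backup copy itself still matches. The directory contents and the tampering are constructed for the demonstration.

```python
"""Added example (not Barracuda's code): a point-in-time manifest plus a read-only
copy standing in for an immutable backup, used to detect tampering and restore."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root: the point-in-time record."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def snapshot(live: Path, backup: Path) -> dict[str, str]:
    """Copy the live tree to the backup location and record its manifest.
    Real immutability (WORM storage, object lock) is enforced by the storage layer;
    read-only permissions are only a stand-in here. Assumption: the caller stores the
    manifest in the same immutable store so it cannot be rewritten either."""
    shutil.copytree(live, backup)
    for p in backup.rglob("*"):
        if p.is_file():
            p.chmod(0o444)
    return build_manifest(backup)


def audit(live: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare live data against the manifest: which files changed, vanished or appeared."""
    current = build_manifest(live)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "deleted": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def restore(backup: Path, live: Path, manifest: dict[str, str], names: list[str]) -> None:
    """Restore the named files, first proving the backup copy itself is still intact."""
    for name in names:
        src, dst = backup / name, live / name
        if sha256_file(src) != manifest[name]:
            raise RuntimeError(f"backup copy of {name} does not match the manifest")
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)  # copyfile does not carry the read-only mode over


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: snapshot, tamper with the live copy, audit, restore, re-audit."""
    work = Path(tempfile.mkdtemp())
    live, backup = work / "live", work / "backup"
    live.mkdir()
    (live / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")  # constructed sample data
    (live / "notes.txt").write_text("quarterly review\n")
    manifest = snapshot(live, backup)

    # Constructed tampering: one record is altered and one file is deleted.
    (live / "ledger.csv").write_text("id,amount\n1,100\n2,25\n")
    (live / "notes.txt").unlink()

    before = audit(live, manifest)
    restore(backup, live, manifest, before["modified"] + before["deleted"])
    after = audit(live, manifest)

    for p in backup.rglob("*"):  # make the stand-in writable again so cleanup succeeds
        if p.is_file():
            p.chmod(0o644)
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The audit report is the "version of the truth" the article asks for: it names the falsified record (`ledger.csv`) and the erased file (`notes.txt`) rather than just saying something changed, and the restore refuses to proceed if the backup copy no longer matches its own manifest.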

By combining security measures with immutable backups, organisations can implement a resilient data protection strategy that addresses both major, common cyberthreats such as ransomware and underrated, unanticipated threats that could do just as much harm. With immutable backups, you’re ready for them all.

New Security Brief: Millions of Messages Distribute LockBit Black Ransomware

By Sarah Sabotka, Bryan Campbell, And The Proofpoint Threat Research Team

What happened 

Beginning April 24, 2024, and continuing daily for about a week, Proofpoint observed high-volume campaigns with millions of messages facilitated by the Phorpiex botnet and delivering LockBit Black ransomware. This is the first time Proofpoint researchers have observed samples of LockBit Black ransomware (aka LockBit 3.0) being delivered via Phorpiex in such high volumes. The LockBit Black sample from this campaign was likely built from the LockBit builder that was leaked during the summer of 2023.  

Messages were from “Jenny Green” with the email address of Jenny@gsd[.]com. The emails contained an attached ZIP file with an executable (.exe). This executable was observed downloading the LockBit Black payload from Phorpiex botnet infrastructure.  

The emails targeted organizations in multiple verticals across the globe and appeared to be opportunistic versus specifically targeted. While the attack chain for this campaign was not necessarily complex in comparison to what has been observed on the cybercrime landscape so far in 2024, the high-volume nature of the messages and use of ransomware as a first-stage payload is notable.  

The attack chain requires user interaction and starts when an end user executes the compressed executable in the attached ZIP file. The .exe binary will initiate a network callout to Phorpiex botnet infrastructure. If successful, the LockBit Black sample is downloaded and detonated on the end user’s system, where it exhibits data theft behavior and seizes the system, encrypting files and terminating services. In an earlier campaign, the ransomware was directly executed, and no network activity was observed, preventing network detections or blocks. 
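The first link of the attack chain described above, a ZIP attachment carrying an executable that the user has to run, is something a mail gateway can hold before any callout to botnet infrastructure happens. The following is an added example, not Proofpoint's code or detection content: it inspects in-memory sample messages for executables inside archive attachments and also matches the two campaign indicators the text gives (the defanged sender Jenny@gsd[.]com and the “Your Document” lure theme noted in the attribution section). The sample messages, and the file names inside their archives, are constructed for the demonstration.

```python
"""Added example (not Proofpoint's code): mail-gateway triage for the attack chain
described above, an archive attachment that carries an executable."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# File types that execute directly when a user double-clicks them.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
# Sender alias reported for this campaign, refanged from the page's Jenny@gsd[.]com,
# and the lure theme noted in the attribution section.
KNOWN_SENDERS = {"Jenny@gsd[.]com".replace("[.]", ".").lower()}
KNOWN_LURE_TERMS = ("your document",)


@dataclass
class Message:
    sender: str
    subject: str
    attachments: dict[str, bytes]  # filename -> raw bytes


def archive_executables(name: str, data: bytes) -> list[str]:
    """List executable-looking entries inside a ZIP attachment; other files yield []."""
    if not name.lower().endswith(".zip"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [e for e in archive.namelist() if e.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return [f"{name}: unreadable archive"]  # malformed archives deserve a look too


def assess(msg: Message) -> list[str]:
    """Return human-readable reasons to hold the message; an empty list means no finding."""
    reasons: list[str] = []
    if msg.sender.lower() in KNOWN_SENDERS:
        reasons.append(f"sender {msg.sender} matches the reported campaign alias")
    if any(term in msg.subject.lower() for term in KNOWN_LURE_TERMS):
        reasons.append(f"subject matches reported lure theme: {msg.subject!r}")
    for name, data in msg.attachments.items():
        for entry in archive_executables(name, data):
            reasons.append(f"executable {entry!r} inside archive attachment {name!r}")
    return reasons


def zip_bytes(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP so the sample messages are self-contained."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for entry, content in entries.items():
            archive.writestr(entry, content)
    return buffer.getvalue()


# Constructed sample messages; the attachment and entry names are invented.
SAMPLES = [
    Message("Jenny@gsd.com", "Your Document",
            {"Document.zip": zip_bytes({"Document.exe": b"MZ placeholder, not a real binary"})}),
    Message("billing@example.invalid", "Invoice 4471",
            {"invoice.pdf": b"%PDF-1.4 placeholder"}),
    Message("colleague@example.invalid", "Project files",
            {"files.zip": zip_bytes({"plan.docx": b"placeholder", "readme.txt": b"placeholder"})}),
]


def triage(messages: list[Message]) -> dict[str, list[str]]:
    """Subject -> reasons, for every message in the batch."""
    return {m.subject: assess(m) for m in messages}


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLES).items():
        print(subject, "->", reasons or "no finding")
```

The structural check (an executable inside an archive) is the durable part: sender aliases and lure subjects change between campaigns, whereas a compressed `.exe` arriving by mail is rarely legitimate and does not depend on knowing this week's indicators.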

Attribution 

Proofpoint Threat Research has not attributed this campaign to a known threat actor. Phorpiex is a basic botnet designed to deliver malware via high-volume email campaigns. It operates as a Malware-as-a-Service and has garnered a large portfolio of threat actor customers over more than a decade of operation (earlier versions were first observed on the threat landscape circa 2011). Since 2018, the botnet has been observed conducting data exfiltration and ransomware delivery activities. Despite disruption efforts throughout the years, the botnet persists.  

Proofpoint has observed a cluster of activity using the same “Jenny Green” alias with lures related to “Your Document” delivering Phorpiex malware in email campaigns since at least January 2023.  

LockBit Black (aka LockBit 3.0) is a version of LockBit ransomware that was officially released with upgraded capabilities by the ransomware affiliates in June 2022. In September 2022, the confidential ransomware builder was leaked via Twitter. At the time, multiple parties claimed attribution, but LockBit affiliates claimed the builder was leaked by a disgruntled developer. The leak allows anyone to adopt the configuration for customized versions.  

Why it matters 

Ransomware as a first-stage payload attached to email threat campaigns is not something Proofpoint has observed in high volumes since before 2020, so the observation of a LockBit Black sample in email threat data on this global scale is highly unusual. Additionally, this campaign has been particularly notable due to the high volume of messages, in the millions per day, volumes not commonly observed on the landscape. The number of messages and cadence associated with recently observed LockBit Black campaigns are at a volume not seen in malspam since the Emotet campaigns.

The LockBit Black builder has provided threat actors with access to proprietary and sophisticated ransomware. The combination of this with the longstanding Phorpiex botnet amplifies the scale of such threat campaigns and increases chances of successful ransomware attacks. This campaign is another good example of how the threat landscape continues to change, underscored by recurring and significant shifts and pivots in the tactics, techniques, and procedures (TTPs) used by threat actors.  

Establishing data sovereignty in a ‘datafied’ world

By: Omar Akar, Regional Vice President for Middle East & Emerging Africa, Pure Storage

Data is the currency of the digital domain, and with every passing day, the world is getting increasingly ‘datafied’. Billions of gigabytes of digital data pertaining to citizens, businesses, governments, and institutions are generated, collected, and processed every day. Understandably, there are concerns about how we can protect personal data, business data, as well as sensitive data that has implications for national security.

Challenges associated with data sovereignty

It is possible that a company based in a certain country uses cloud infrastructure from a provider abroad, and that cloud provider also has customers in other countries and regions. If data collection, data storage, and data processing happen in different countries, it will be subject to the data sovereignty rules of all those countries. Many of the concerns surrounding data sovereignty pertain to ensuring data privacy and preventing data that’s stored abroad from violating the laws of that country. Many countries have therefore introduced new laws, or modified the existing ones, so that data is kept within the boundaries of the country where the individual or entity is based. However, verifying that data indeed exists only at permitted locations can be very difficult.

On the other hand, storing huge amounts of data at only a few locations can increase the risk of data loss and data theft through cyberattacks, which can have huge ramifications on the financial health and reputation of businesses.

Moreover, data sovereignty makes it complex to share data across international borders. This can increase cost and inefficiencies for any business that operates across multiple countries and requires data to flow between its offices. Such businesses must now establish infrastructure in local data centers to comply with data protection regulations in each country. Companies also need to keep in view the data sovereignty requirements of each country, and any international data-sharing agreements, whenever they want to share data, which can impact business operations.

Ways to ensure data sovereignty and elevate data performance

Although establishing data sovereignty is undoubtedly challenging, there are some best practices and approaches that can help in achieving it and elevating data performance. Organizations should conduct a comprehensive audit of their data, including where it is stored, processed, and shared. This is the first step in identifying potential data sovereignty risks and ensuring compliance with the relevant laws and regulations of the concerned countries. It is also necessary to adopt data protection measures — such as encryption, access controls, and monitoring — to prevent unauthorized access and use of data, whether it is in transit or at rest.

The company’s data protection policy should define protocols for handling and storing data as well as measures for protecting it. This policy should be regularly reviewed and updated to keep up with any changes in data protection laws and regulations. If an organization has a footprint spanning multiple regions, it is a good idea to take the strongest data sovereignty laws among them and implement them across all regions. Cloud providers can be of assistance in this regard.

Benefits of working with cloud service providers

Most cloud providers have data centers in multiple countries. Organizations should go for a provider whose data residency provisions are aligned with their own data sovereignty requirements. Today, leading cloud providers also offer other features, including data encryption, that can help in achieving data sovereignty. To take it one step further, companies must introduce strict data governance processes in the cloud. This will ensure regulatory compliance, risk assessment, and risk mitigation at all times.

Data sovereignty laws apply not only to data but also to data backups. It is therefore important to understand how your organization backs up information — whether it is done on-premises or using dedicated cloud services or public cloud services. Adopting cloud-ready solutions and leveraging the benefits of all-flash storage is one of the ways to future-proof your organization’s data storage infrastructure. Uncomplicating storage will help in reimagining data experiences and powering the digital future of the business.
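The audit step recommended above (know where every dataset is stored, processed and backed up, then check it against the laws that apply to it, adopting the strongest rule across regions) can be expressed as a small policy check over a storage inventory. The following is an added example, not Pure Storage's code: the policy table mapping jurisdictions to permitted cloud regions, the region names and the dataset inventory are all constructed for the demonstration, and real rules would come from legal review of each country's law. It goes slightly beyond the text by also handling the case where no single region satisfies every jurisdiction involved.

```python
"""Added example (not Pure Storage's code): a residency audit that checks where each
dataset, including its replicas and backups, lives against the rules of the
jurisdictions whose data it holds."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed policy table: jurisdiction -> cloud regions where its data may reside.
# Region names are invented; real entries come from legal review of each country's law.
RESIDENCY_POLICY: dict[str, set[str]] = {
    "EU": {"eu-west", "eu-central"},
    "UAE": {"me-central"},
    "US": {"us-east", "us-west", "eu-west"},
}


@dataclass(frozen=True)
class Dataset:
    name: str
    subjects: frozenset[str]  # jurisdictions of the people or entities in the data
    primary: str              # region of the primary copy
    copies: frozenset[str]    # regions of replicas and backups (the laws apply to these too)


def allowed_regions(subjects: frozenset[str], strictest: bool = True) -> set[str]:
    """Regions acceptable for a dataset. With strictest=True every jurisdiction's rule
    must hold at once (intersection), which is the "adopt the strongest law everywhere"
    approach from the text; strictest=False only requires some jurisdiction to allow it."""
    sets = [RESIDENCY_POLICY[j] for j in subjects]
    if not sets:
        return set()
    return set.intersection(*sets) if strictest else set.union(*sets)


def audit(datasets: list[Dataset], strictest: bool = True) -> dict[str, list[str]]:
    """Dataset name -> list of residency problems; datasets with no problem are omitted."""
    findings: dict[str, list[str]] = {}
    for d in datasets:
        allowed = allowed_regions(d.subjects, strictest)
        issues: list[str] = []
        if not allowed:
            issues.append("no single region satisfies all jurisdictions; partition the data")
        if d.primary not in allowed:
            issues.append(f"primary copy in {d.primary}")
        issues += [f"replica/backup in {r}" for r in sorted(d.copies - allowed)]
        if issues:
            findings[d.name] = issues
    return findings


# Constructed inventory, the kind of record a storage or cloud audit would produce.
INVENTORY = [
    Dataset("crm", frozenset({"EU"}), "eu-west", frozenset({"eu-central", "us-east"})),
    Dataset("hr-gulf", frozenset({"UAE"}), "me-central", frozenset({"me-central"})),
    Dataset("analytics", frozenset({"EU", "US"}), "eu-west", frozenset({"us-west"})),
    Dataset("support", frozenset({"UAE", "EU"}), "me-central", frozenset()),
]


if __name__ == "__main__":
    for mode in (True, False):
        print("strictest" if mode else "lenient", audit(INVENTORY, strictest=mode))
```

Running the audit in both modes shows why the text recommends the strictest interpretation: the `analytics` dataset's US backup passes when any one jurisdiction's rule is enough, but fails once the EU rule is applied everywhere, and `support` surfaces a dataset that cannot satisfy both the UAE and EU rules in one region at all.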

Finally, it is important to view data sovereignty holistically, and not as the exclusive responsibility of any one individual or team. The need to comply with data regulations extends across the board, from businesses to suppliers to the end-users. From a business perspective, ensuring data sovereignty calls for robust governance, holistic risk management, and concerted efforts on the part of the IT security, legal department, procurement, risk managers, and auditors — under the guidance and supervision of the company’s Chief Information Officer. It is a good way to build digital trust in today’s business environment.

Copyright © 2023 | The Integrator