Ransomware Roundup: 06.19.23

Cl0p Ransomware Gang Hits Department of Energy in Mass Exploit of MOVEit Vulnerability

The Russian-linked Cl0p ransomware gang is actively exploiting a patchable vulnerability in the MOVEit file transfer software to compromise multiple targets, including the US Department of Energy, according to reports.

“While the exact number of victims remains unknown, Clop on Wednesday listed the first batch of organizations it says it hacked by exploiting the MOVEit flaw,” TechCrunch reports.

“The victim list, which was posted to Clop’s dark web leak site, includes U.S.-based financial services organizations 1st Source and First National Bankers Bank; Boston-based investment management firm Putnam Investments; the Netherlands-based Landal Greenparks; and the U.K.-based energy giant Shell.”

Additionally, CyberScoop’s Christian Vasquez reports that the US Department of Energy has confirmed that "records from two DOE entities were compromised" by Cl0p attacks leveraging the MOVEit vulnerability exploit.

Takeaway: The mass exploitation of the MOVEit file transfer vulnerability by the Cl0p ransomware gang closely follows their success earlier this year in conducting the mass compromise of more than 100 organizations leveraging a vulnerability in another file transfer program called GoAnywhere.

Whether or not Cl0p has been successful in effectively monetizing these compromises to collect the ransom demands is still unclear. While the earlier attacks did not elicit much of a response from the US government aside from some FBI/CISA joint alerts, the prospect that Cl0p has trained its sights on critical infrastructure targets - namely the Department of Energy - will certainly prompt Federal authorities to ramp up their efforts against these operators.

And while the potential for widespread disruptions to the energy sector is cause for serious concern, the possibility that sensitive records at the agency may have been accessed or exfiltrated raises the stakes tremendously. The DoE not only regulates the nation's power grids, it is also the agency that manages most of our nuclear capabilities.

We know that groups like Cl0p are closely aligned - if not directly controlled to a degree - by the Russian government and intelligence apparatus, and we know the Putin regime is under pressure as their invasion of Ukraine continues to falter. Given the level of support, the US is providing to Ukraine, along with other Western nations, it should not come as a surprise that they may start targeting our critical infrastructure - and some recent attacks in Germany and the UK may be linked as well.

That said, the Russians need to be very cautious about how they conduct such attacks so they don't trigger an international incident that would elicit a direct response from the US or their allies. Using ransomware gangs like Cl0p as a proxy to conduct the attacks in order to maintain plausible deniability and thwart attribution is likely the strategy here. This is one of the key reasons cyber operations have become such an important aspect of larger geopolitical issues - attribution is hard.

Also of note, both of these campaigns by Cl0p (GoAnywhere/MOVEit) are strong evidence that these ransomware operators are increasingly using automation to identify exposed organizations that may not have had the time or resources to patch against known vulnerabilities.

Given how readily Cl0p is compromising targets, it is likely they have successfully exfiltrated large amounts of confidential information from the victims, and other targets may experiencing data loss as a precursor to the detonation of a ransomware payload at this very moment, and they don't even realize they are in the midst of a major cyberattack.

Today's ransomware attacks often have a long tail and can involve weeks or even months of effort by attackers to infiltrate the target network. But so far this year, Cl0p is demonstrating over and over that it only takes one vulnerability on one key piece of software to make hundreds of organizations easy targets for automated attack sequences. The attackers have upped their game - we need to respond in kind through a focus on resilience.  

We will never be able to stop ransomware attacks, but we can stop them from being successful by arresting the attack at ingress or lateral movement; by preventing data exfiltration; by blocking execution of the ransomware payload; by rapidly recovering systems and minimizing downtime.

Ransomware Attack Exploits Sharepoint Without Compromising Endpoints

Researchers have observed successful ransomware attacks abusing Microsoft 365’s SharePoint Online by way of a compromised Microsoft Global SaaS admin account.

“Once in, the attacker created a new Active Directory (AD) user called Omega with elevated privileges, including Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator; and site collection administrator capabilities to multiple SharePoint sites and collections. The attacker also removed existing administrators (more than 200) in a 2-hour period,” Security Week reports.

“We expect this trend to grow,” the researchers told SecurityWeek. “The attacker invested the time to build automation for this attack, which implies a desire to use this capability in the future. We also suspect it will grow because there are few companies with a strong SaaS security program, whereas many companies are well invested in endpoint security products.”

Takeaway: Ransomware operators are constantly improving their TTPs and are increasingly using automation in the exploitation of known vulnerabilities and other avenues to infection, and the huge increase in the volume of attacks observed in early 2023 is evidence of this latest trend. The reported abuse of SharePoint Online in these operations is concerning.

These are multi-staged attacks, where the threat actors are designed to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion. This ingress and lateral movement on the targeted network usually takes a good amount of time, so automating these aspects of the attack sequence allows threat actors to compromise more targets faster.
Some of these automated techniques and attack tooling are extremely difficult to detect and are more typical of APT-type operations.

March of 2023 was the most prolific month so far for the sheer volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year. Threat actors are getting better at taking advantage of unpatched vulnerabilities and misconfigurations by automating aspects of their attack progressions. Automation means ransomware operators can simply hit more victims faster.

For example, hundreds of organizations have been hit by the Cl0p ransomware gang this year as they continue to exploit a known vulnerability in the GoAnywhere software. We are also seeing signs of automation in attacks exploiting a similar vulnerability in IBM Aspera Faspex. ‍In early April, researchers published an analysis of a new semi-autonomous ransomware strain dubbed Rorschach, noted for its automation, fast encryption speed, and stealthy DLL side-loading for security evasion and persistence.

Later in April, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.

No, the Ransomware Problem is Not Going Away

According to the 2023 Verizon Data Breach Investigations Report (DBIR), the volume of ransomware attacks was flat in 2022 after trending up dramatically the last few years.

“The telecom giant said that while ransomware continues to be exceedingly popular among threat actors, the share of breaches involving ransomware held steady year-over-year at 24%,” TechTarget reports.

“While a number of vendors and researchers have observed either a stagnation or even slight decline in various aspects of the ransomware ecosystem, the reality of the situation appears more complicated.

Takeaway: While some measures seem to indicate that ransomware attack volumes waned or significantly decreased in 2022, 2023 attack volume thus far shows that the ransomware problem is not going away any time soon. Ransomware is still the number one threat to organizations, and the financial impact can be devastating.

One of the reasons for the spike is that threat actors are taking advantage of unpatched vulnerabilities and automating more aspects of the earliest stages of attacks. Hundreds of organizations have been hit by the Cl0p ransomware gang as they exploit a known vulnerability in the GoAnywhere software.  

Automation means ransomware operators hit more victims faster, which translates to more ransoms collected and more fiscal pain for the victim organizations. There have been at least one university and several healthcare organizations that have shuttered operations permanently due to severe disruptions following a ransomware attack.

And for those that do recover, the costs can be extremely high. Case in point, in April Dorel Industries confirmed that it was the victim of a “security incident” (assessed to be a ransomware attack) that the company anticipates will result in Q1-2023 revenue losses estimated at $12-15 million, according to a statement.

It is clear that the majority of ransomware gangs are either loosely affiliated or wholly controlled by the Russian government, with ample overlap between threat actors, tooling, and attack infrastructure.  

The lull in attacks in 2022 as assessed by the most recent DBIR does not reflect a trend, but instead is evidence that these malicious actors can be diverted from their criminal activities to support state-sponsored operations as directed by the Putin regime.

The DBIR also does not address the marked increase in data exfiltration associated with today’s more complex multi-stage ransomware attacks. Data exfiltration means that even if the targeted organization is prepared for an attack and can recover impacted systems in a timely manner, they are still subject to extortion and high ransom demands in efforts to protect that data from being exposed.

This is because organizations put too much focus on post-payload response. There needs to be more focus on the data exfiltration aspect in the earlier stages of these attacks; once sensitive data goes out the door, the attack becomes much more difficult to mitigate. Even if the ransomware payload is identified, isolated, and remediated, the victim organization is still faced with extortion attempts and the risk that the data could be further exposed.

Being ready to respond to a ransomware attack is just part of the equation. Resilience must be built into that response protocol so organizations can limit the impact of a ransomware payload on operations.

A solid resilience strategy that includes data exfiltration defenses will ease the potential financial losses victim organizations face and eliminate the need to pay a ransom demand to unlock systems or cooperate with the attackers to secure stolen data.

Healthcare Provider SMP Health Shuttered Following Ransomware Attack

Illinois healthcare provider SMP Health will close in part due to the financial impact from a disruptive ransomware attack. St. Margaret’s Health located in Spring Valley will cease operations this week, NBC News reports.

“Due to a number of factors, such as the Covid-19 pandemic, the cyberattack on the computer system of St. Margaret’s Health, and a shortage of staff, it has become impossible to sustain our ministry,” said Suzanne Stahl, the chair of SMP Health.

Closure of the facility will force local residents to travel about half an hour to receive any emergency or obstetrics services.

“The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare,” said Spring Valley’s Mayor Melanie Malooley-Thompson.

Takeaway: While the perception is that given how expensive healthcare is to obtain, the industry must be flush with cash and very stable, that is a misconception. The reality is that, despite the fact that some doctors and specialists may make a good living, the healthcare system in our nation is largely operated by non-profit entities who work on shoestring margins.  

The demise of SMP Health due to its inability to process payments following a disruptive ransomware attack demonstrates how fragile our healthcare system is.

Ransomware attacks are the biggest threat facing organizations today, and healthcare providers have been hit particularly hard. Criminal ransomware groups know that the impact of an attack against healthcare organizations does not just disrupt everyday business; it directly affects the lives of their patients.

Ransomware groups continue to prove they are ruthless, heartless criminals with zero consciences. They continue to victimize healthcare providers simply because they are easy targets. This sector typically lacks the appropriate budgets and staff to maintain a reasonable security posture.  

Despite available grant money or technology donations from big companies, these organizations also lack the staff to properly manage and protect their infrastructure.

The average time it takes for an organization to recover from a ransomware attack has been pegged at about three weeks or more according to multiple studies. While a private, profitable organization with ample resources may be able to weather such a lengthy disruption to operations, the healthcare game is one of immediacy - patients are different than customers, and in most cases, they cannot afford delays in treatment without putting their health or lives at risk.

As well, if a healthcare organization loses the ability to bill and be reimbursed for services rendered, it cannot sustain operations, pay for medical supplies, make regular payroll dates, and more. Ransomware attacks are extremely disruptive to any victim organization, but for healthcare providers, it can literally mean an end to their mission, as evidenced by the demise of SMP Health.

FBI and CISA Release Joint Advisory on LockBit Ransomware Operations

The FBI and CISA, along with partners at the MS-ISAC, have issued a joint advisory detailing the threat posed by the LockBit ransomware gang.  

LockBit is one of the most prolific and successful Ransomware-as-a-Service (RaaS) operators to date, with numerous confirmed attacks against a wide range of verticals including financial services, food and agriculture production, the education and energy sectors, government and emergency services, healthcare providers, other manufacturing and transportation organizations.

Given the scale of the LockBit operation and the sheer number of affiliate attackers who use the platform, there is a wide variance on the TTPs employed in attacks, making LockBit difficult to detect.

“LockBit has been successful through innovation and ongoing development of the group’s administrative panel and the RaaS supporting functions,” the advisory states. “In parallel, affiliates that work with LockBit and other notable variants are constantly revising the TTPs used for deploying and executing ransomware.”

Ransomware incidents attributed to LockBit:  

• Australia: From April 1, 2022, to March 31, 2023, LockBit made up 18% of total reported Australian ransomware incidents. This figure includes all variants of LockBit ransomware, not solely LockBit 3.0.
• Canada: In 2022, LockBit was responsible for 22% of attributed ransomware incidents in Canada.
• New Zealand: In 2022, CERT NZ received 15 reports of LockBit ransomware, representing 23% of 2022 ransomware reports.
• United States: In 2022, 16% of the State, Local, Tribal, and Tribunal (SLTT) government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).

Takeaway: LockBit has been active since 2019 and is enabled with security tool evasion capabilities and an extremely fast encryption speed. LockBit is noted for using a triple extortion model where the victim may also be asked to purchase their sensitive information in addition to paying the ransom demand for decrypting systems.

LockBit raced to the lead position of the RaaS group threats during 2022, overtaking Pysa early in the year by volume of attacks, and until very recently boasted the fastest encryption speed.

The group continues to improve their attack platform and introduced LockBit 3.0 in June of 2022 which bore some similarities to the BlackMatter ransomware. The latest version incorporates advanced anti-analysis features and is a threat to both Windows and Linux systems. LockBit employs a Base64-encoded hash and an RSA public key in its configuration and hashes it with MD5. LockBit also created their own bug bounty program.

LockBit tends to target larger enterprises across any industry vertical with the ability to pay high ransom demands, but also tends to favor Healthcare targets. LockBit has demanded ransoms in excess of $50 million.

LockBit has a very well-run affiliate program and a great reputation amongst the affiliate (attacker) community for the maturity of the platform as well as for offering high payouts of as much as 75% of the attack proceeds. LockBit is known to employ multiple extortion techniques including data exfiltration to compel payment.

Read the full advisory here.

Ransomware Attacks Drive 50% Surge in Cyber Insurance Premiums

Bloomberg reports that cyber insurance premiums shot up as much as 50% in 2022 as ransomware attacks continue to hammer both public and private organizations.

“Ransomware attacks soared last year, pushing demand for coverage after the pandemic-induced work-from-home era also made remote workers more vulnerable to digital attacks. Those attacks also spurred companies and individuals to adopt more robust cybersecurity measures,” the report notes.

“Premiums collected from policies written by insurers reached $7.2 billion in 2022 and tripled in the past three years, ratings firm AM Best said in a study released this week.”

Takeaway: It's not surprising to see cyber insurance premiums surge as the industry struggles to ascertain how to effectively quantify cyber risk, especially when it comes to ransomware. Insurers want to offer affordable policies, but they also have a responsibility to their shareholders and can't offer policies that produce a negative return.  

Many organizations purchase cyber insurance policies to cover the cost of a cyberattack or data breach event. The increased damage posed by ransomware attacks in recent years had made cyber insurance even more appealing. Today, however, most insurers no longer cover all the potential losses from ransomware attacks and those that do have significantly increased premium costs.

With so many variables in a ransomware attack, insurance providers find it difficult to quantify the real risk of ransomware to accurately set premiums. Whether or not cyber insurance is the right instrument for organizations to adopt and if the continually rising costs are worth it is a hot topic at the executive levels across the Fortune 500.

For cyber insurance policies that do offer ransomware coverage, most will no longer cover the ransom payment (they can vary too wildly, so it is too hard to define actuarially). Only after a ransomware attack hits an organization do they find that the policy will only cover a fraction of the remediation and recovery costs.

Thus, cyber insurance is not always a viable option for all organizations, especially small and mid-size businesses, and it’s certainly not for companies who think they can indemnify instead of investing in security.

For a policy to be in force, the organization needs to have an extensive accounting of its security program. If the organization is out of compliance when it comes time to submit a claim – for example, if it did not apply patches in a timely manner or if it misconfigured security applications – it will quickly find that its policy coverage is useless.

Modern companies recognize the need to invest in a proactive approach to ransomware, leveraging tools and solutions that will prevent an attack from happening in the first place and ideally reducing their policy premiums at the same time. If customers can reduce premiums with effective controls, then insurance providers can scope risk more accurately and improve their policies to the benefit of both parties.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.