Last Week in Ransomware: 06.10.2024

Last week in ransomware news we saw London hospitals crippled by Russian group Qilin, Operation Endgame Disrupt malware distro platforms and Ticketmaster data for sale...

Operation Endgame

Operation Endgame represents a significant collaborative effort between U.S. and European law enforcement agencies to dismantle major cybercriminal infrastructures used to deliver ransomware and other malware.  

Touted as the largest operation against botnets, this initiative focuses on disrupting platforms that distribute malware "droppers" or "loaders" such as IcedID, Smokeloader, and Trickbot.

Droppers, often deployed via email attachments, hacked websites, or bundled with legitimate software, silently load malware onto users' systems. Cybercriminals use deceptive methods, like paid ads on Google, to distribute these droppers disguised as popular free software.  

The operation targets individuals who develop and maintain these services, aiming to simultaneously disrupt multiple cybercrime operations.

Operation Endgame marks a potential turning point in the battle against cybercrime, illustrating that coordinated, large-scale law enforcement actions can effectively disrupt sophisticated criminal networks.  

However, the resilience and adaptability of cybercriminals necessitate that such operations be part of a sustained and coordinated effort. Past experiences, such as the rapid resurgence of the LockBit group post-Operation Cronos, underscore the need for continuous vigilance and persistent action to maintain the integrity of digital spaces.  

Ongoing efforts are crucial to protect sensitive data, uphold public trust in technology, and secure the foundations of the digital economy against evolving threats.

READ MORE HERE

Ticketmaster Data

A threat group known as ShinyHunters has reportedly published a 1.3TB database containing sensitive information on over 560 million Ticketmaster customers on the BreachForums criminal forum, demanding a $500,000 ransom.  

The leaked data includes names, postal addresses, email addresses, phone numbers, ticket sales and event details, order information, and partial payment card data.  

The partial payment card data encompasses cardholder names, the last four digits of the cards, expiration dates, and some customer fraud details.

The timing of this leak coincides with the recent relaunch of BreachForums, an underground hacking forum, just weeks after it was seized by the FBI and one of its key administrators was arrested. ShinyHunters, claiming to be beyond the FBI’s reach, is involved in this breach.

This incident underscores the critical need for evolving cybersecurity practices. The breach at Ticketmaster serves as a stark reminder that no organization is immune to sophisticated cyber threats.  

Cybercriminals continuously develop new techniques to bypass security measures, necessitating a proactive and comprehensive approach to cybersecurity, including measures against ransomware and data extortion.

Organizations must enhance their defenses, share threat intelligence, and utilize cutting-edge security solutions to address specific threats. The Ticketmaster breach should prompt the industry to reinforce defenses and remain vigilant against evolving cyber threats.  

Only through continuous improvement and robust cybersecurity practices can we hope to stay ahead of those seeking to compromise our systems.

READ MORE HERE

London Healthcare Attacks

A ransomware attack against pathology services provider Synnovis has led to the cancellation of medical procedures at multiple London hospitals and a critical emergency being declared.  

The disruption has caused some appointments to be canceled or redirected to other providers on short notice, increasing the burden on other hospitals and potentially leading to more critical incidents.  

The duration of the disruption is currently unknown. Reuters reports that the blood transfusion IT system has been affected, risking significant impacts on trauma cases, with only urgent blood components being transfused when critically indicated.

The takeaway from this incident highlights the dual nature of many ransomware attacks. While attackers may be motivated by financial gain, these attacks often further larger geopolitical strategies, providing adversarial governments like Russia with plausible deniability.  

This underscores the necessity for the US government and allied nations to reclassify certain ransomware attacks as terrorist acts, especially those targeting healthcare and other critical infrastructure where lives are at risk.

Reclassifying these attacks as terrorism would unlock new options for offensive cyber and traditional military responses, moving beyond merely issuing more alerts, guidelines, and frameworks.  

Ransomware attacks against critical infrastructure should be viewed as acts of terrorism designed to instill fear and advance geopolitical goals. Addressing these issues as simple criminal matters is no longer adequate, given the potential for loss of life and the strategic interests at play.  

The healthcare sector, in particular, cannot afford to treat such attacks as mere IT downtime issues, as the stakes are significantly higher.

READ MORE HERE

Qilin Ransomware Gang

Ciaran Martin, former chief executive of the U.K.’s National Cyber Security Centre, revealed that the ransomware-as-a-service (RaaS) group Qilin was responsible for the recent attack on Synnovis, a pathology services provider.  

This attack delayed diagnostic testing and forced the cancellation of medical procedures across several London hospitals.  

Qilin, also known as Agenda, operates freely within Russia, has a two-year history of targeting various organizations worldwide, and maintains a presence on the dark web.

Synnovis’ chief executive, Mark Dollar, stated that an IT task force from Synnovis and the NHS is working to assess the full impact of the attack. He expressed regret over the disruption, acknowledging the inconvenience and distress caused to patients and service users.

Qilin first emerged in July 2022, using programming languages Go and Rust to target both Windows and Linux systems. Rust's secure and cross-platform nature, along with its performance capabilities for concurrent processing, aids in evading security controls and developing variants for multiple operating systems.  

Qilin exploits vulnerabilities in applications such as Remote Desktop Protocol (RDP) and employs multiple encryption techniques, offering various configuration options for attacks.

The group's operations involve data exfiltration for double extortion, threatening to expose or sell stolen data if ransom demands are not met. Their affiliate program offers an 80% share for ransoms under $3 million and 85% for those over $3 million.  

Qilin targets large organizations capable of paying substantial ransoms, focusing on sectors like healthcare and education. Their ransom demands often reach millions of dollars.

Notable victims of Qilin include Big Issue Group, Ditronics Financial Services, Daiwa House, ASIC S.A., Thonburi Energy Storage, SIIX Corporation, WT Partnership Asia, and FSM Solicitors.  

This incident underscores the severe threat posed by ransomware groups and highlights the need for robust cybersecurity measures and international cooperation to combat such attacks.

For more information on active ransomware and data extortion groups, consult the quarterly Power Rankings: Ransomware Malicious Quartile report.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.