Last Week in Ransomware: 07.01.2024
Last week in ransomware news we saw that LockBit did not pop the US Fed, KillSec RaaS at Just $250, and ransomware fallout as UK hospitals struggle...
LockBit Lies
The LockBit ransomware gang has claimed to have breached the U.S. Federal Reserve, exfiltrating 33 TB of sensitive data, which they describe as "Americans' banking secrets." However, no proof or samples of the alleged stolen data have been provided.
Experts are skeptical, viewing the announcement as a potential attention-seeking move. The Federal Reserve is a high-profile target, and a breach could have severe consequences.
Given LockBit's damaged reputation and previous law enforcement actions against them, many believe the claim could be an attempt to regain relevance. While it’s not impossible for ransomware groups to target significant organizations, false claims by such groups are common.
Until concrete evidence surfaces for any claimed attack, it is prudent to treat these boasts with caution and avoid further speculation.
KillSec RaaS for $250
KillSec has introduced a new Ransomware as a Service (RaaS) platform, offering an advanced locker written in C++, a denial-of-service (DoS) tool, and an infostealer for harvesting sensitive data.
Access to KillSec's RaaS program costs $250, targeting "trusted individuals," with KillSec taking a 12% commission from any ransom payments collected. This pricing strategy aims to make advanced cyber tools accessible while ensuring profitability.
The rise of RaaS gangs parallels the traditional Software as a Service model, significantly lowering the technical barriers for launching ransomware campaigns.
Individuals with basic network admin skills can now conduct sophisticated attacks. The ransomware economy involves several key players:
- Initial Access Brokers (IABs): Specialists in penetrating secure networks and selling access to other threat actors.
- RaaS Platform Providers: Develop and improve ransomware tools, assist in negotiations, manage customer service, and market to new affiliates for a share of the profits.
- RaaS Affiliates: Execute the ransomware attacks, often obtaining access through IABs and using RaaS platforms.
- Crypto Exchange Money Launderers: Facilitate the movement of illicit ransom payments through crypto exchanges, concealing the origins and destinations of the funds for a fee.
The ransomware economy's maturity and organization have led to tactics and techniques that rival those of nation-state attackers.
The complexity of today's ransomware attacks makes them increasingly difficult to defend against. The Halcyon team has compiled a guide on RaaS and extortion groups based on Q1-2024 data, available for further insights.
CDK Recovery Slow
CDK Global, a software-as-a-service provider for over 15,000 auto dealerships, experienced significant operational disruptions following two cyberattacks on June 18th and 19th.
Over a week later, CDK announced that they had restored access to their main Dealer Management System (DMS) for a small number of car dealerships, with plans to gradually reintroduce more dealerships and system functionalities.
Despite these efforts, CDK has declined to comment on whether they intend to pay a ransom, reportedly in the tens of millions of dollars, to expedite the recovery process. This situation underscores the complex decisions organizations face in the aftermath of ransomware attacks.
One critical decision is whether to pay the ransom. While paying could expedite data recovery, it doesn't guarantee success, as data could be corrupted during decryption.
Additionally, paying often encourages repeated attacks, sometimes from the same threat actors who demand higher ransoms.
Attackers typically exfiltrate sensitive data to increase leverage, demanding additional payments to prevent public leaks. Even if the ransom is paid, there is no assurance that the data will be secure or that further extortion won’t occur.
Ransomware victims must address the root cause of their vulnerability rather than just the immediate problem. Implementing robust preventive measures and enhancing resilience is crucial for recovery from successful attacks.
According to Halcyon's Ransomware and Data Extortion Business Risk Report, ransomware and data extortion have had significant impacts on businesses over the past 24 months. The report found that 18% of organizations suffered ransomware infections 10 or more times, and 30% were infected 2-4 times.
Sensitive data exfiltration was reported by 60% of respondents, with 55% experiencing additional ransom demands to prevent data leaks.
The study highlights a disconnect between organizations’ confidence in their security measures and the reality of their effectiveness.
Despite high confidence levels, 36% of organizations were infected five or more times in two years, and 62% reported major operational disruptions, with some lasting over six months.
The cost of remediation exceeded $1 million for 59% of respondents, and 57% anticipated long-term negative impacts on their operations and competitiveness. Even with cyber insurance, 39% saw significant premium increases post-attack.
The report concludes that organizations need to reassess their prevention and recovery strategies to better defend against ransomware threats.
The full study is available in the Ransomware and Data Extortion Business Risk Report.
UK Hospitals Reeling from Ransomware
The National Health Service (NHS) in England is urgently seeking O-type blood donations following a ransomware attack on Synnovis, disrupting blood-type matching systems.
This attack has led to hospitals struggling to match patients’ blood as usual, prompting a critical need for O Negative and O Positive donors, which can be used universally.
The full impact of the attack is still being assessed, and the NHS is reporting in line with Information Commissioner’s Office requirements.
Medical procedures in multiple London hospitals have been canceled, and a critical emergency has been declared due to the attack. Patients have been redirected to other providers, stretching resources and potentially leading to more critical incidents.
The disruption to the blood transfusion IT system could significantly impact trauma cases, allowing only urgent blood transfusions.
The Russia-based Qilin ransomware gang is responsible for the attack. Qilin, a Ransomware-as-a-Service (RaaS) operation, targets sectors capable of paying large ransoms, particularly healthcare and education.
Their ransom demands often reach millions of dollars, with notable victims including Big Issue Group and Daiwa House.
Ransomware attacks on healthcare providers are increasingly linked to negative patient outcomes, including increased mortality rates and complications in medical procedures.
Research has found that ransomware attacks contributed to patient deaths and a 33% increase in monthly death rates for hospitalized Medicare patients between 2016 and 2021.
These attacks, while financially motivated, may also align with the geopolitical interests of adversarial nations like Russia. A significant portion of ransomware revenue in 2021 went to Russia-linked attackers.
The dual nature of these attacks, serving both financial and geopolitical goals, suggests a need to reclassify them as terrorist acts. This reclassification could enable a broader range of responses, including offensive cyber and military actions, rather than just preventive measures.
Ransomware attacks against critical infrastructure, particularly healthcare, pose severe risks and should be addressed as terrorism, reflecting their potential to cause widespread harm and further geopolitical agendas.
Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.
Related Posts
See Halcyon in action
Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!