Last Week in Ransomware: 07.08.2024
Last week in ransomware news: new threat actor Volcano Demon was revealed, 791K Lurie Children's Hospital records were exposed, and the CISA Director said a ransom payment ban is unlikely.
Lurie Children’s Hospital Ransomware Saga Continues
Lurie Children’s Hospital of Chicago has informed nearly 750,000 patients that their personal and health information was compromised in a ransomware attack.
As one of the Midwest's largest pediatric healthcare providers, Lurie treats around 250,000 children annually, specializing in childhood cancer and blood disorders. The attack disrupted hospital systems, causing delays in treating critical illnesses and forcing staff to use manual processes.
Exposed data includes health claims, medical conditions, treatments, names, addresses, birth dates, service dates, driver’s license numbers, Social Security numbers, email addresses, phone numbers, and prescription information.
The Rhysida ransomware group claimed responsibility for the attack, stating that 600 GB of stolen data was sold on the black market after the hospital refused to pay the ransom.
Affected individuals are being offered 24 months of free identity and fraud protection services. This incident highlights the need for a more aggressive response from the U.S. government to ransomware attacks on healthcare systems, which directly impact patient care and safety.
Studies show that 68% of ransomware attacks disrupt patient care, with 46% linked to increased mortality rates and 38% causing more medical complications.
Ransomware groups exploit the urgency and critical nature of healthcare services to pressure organizations into paying ransoms. With attacks on healthcare systems occurring almost daily, there is a pressing need to classify such attacks as national security threats.
This would allow for more robust defense strategies beyond the capabilities of civilian law enforcement, aiming to deter these increasingly dangerous threats to public health and safety.
Demon Serves Up LukaLocker Ransomware
Researchers at Halcyon, an anti-ransomware solutions provider, have identified a new ransomware operator named Volcano Demon. This group has been active over the past two weeks, using a ransomware payload called LukaLocker, which encrypts files with the .nba extension.
A Linux version of LukaLocker was also found on one victim's network. Volcano Demon targets both Windows workstations and servers by exploiting common administrative credentials. Before encrypting data, they exfiltrate information to command-and-control (C2) services, using double extortion tactics.
The attackers cover their tracks by clearing logs, which, combined with the limited logging and monitoring in place before the incident, complicates forensic evaluation. Instead of using a public leaks website, they intimidate victim organizations through phone calls from unidentified numbers, often carrying a threatening tone.
LukaLocker, discovered on June 15, 2024, is a 64-bit PE binary written in C++. It employs API obfuscation and dynamic API resolution to hide its malicious activities, making detection and analysis difficult.
The ransomware terminates security tools and services upon execution, similar to the Conti ransomware gang's methods. LukaLocker uses the ChaCha8 cipher for data encryption, with keys derived via Elliptic-curve Diffie-Hellman (ECDH) over Curve25519, and supports either full or partial file encryption.
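Because log clearing is the track-covering step that hampers forensics here, a defender's first check is whether the logs themselves record being cleared. The following is an added example (not Halcyon's or the write-up's own code) that runs over constructed records shaped like a Windows event-log export; Event ID 1102 (Security log cleared) and 104 (other event log cleared) are the standard Windows audit events for this, and the timestamps and hostnames are made up.

```python
"""Flag log-clearing events and hosts where several logs were cleared in a burst."""
from datetime import datetime, timedelta

# Windows event IDs recorded when an event log is cleared.
LOG_CLEAR_EVENTS = {1102: "Security log cleared", 104: "Event log cleared"}

# Constructed sample (not real telemetry): a burst of clears on WS-01 by an
# admin account, and a single routine clear on SRV-02 by a service account.
SAMPLE_EVENTS = [
    {"ts": "2024-07-01T02:10:11", "host": "WS-01", "event_id": 4624, "user": "alice"},
    {"ts": "2024-07-01T02:11:40", "host": "WS-01", "event_id": 1102, "user": "admin"},
    {"ts": "2024-07-01T02:11:42", "host": "WS-01", "event_id": 104, "user": "admin", "channel": "System"},
    {"ts": "2024-07-01T02:11:43", "host": "WS-01", "event_id": 104, "user": "admin", "channel": "Application"},
    {"ts": "2024-07-01T03:00:00", "host": "SRV-02", "event_id": 104, "user": "svc-backup", "channel": "Application"},
]

def find_log_clears(events):
    """Return every log-clearing event as (timestamp, host, user, description), sorted by time."""
    hits = []
    for e in events:
        if e["event_id"] in LOG_CLEAR_EVENTS:
            desc = LOG_CLEAR_EVENTS[e["event_id"]]
            if "channel" in e:
                desc += f" ({e['channel']})"
            hits.append((datetime.fromisoformat(e["ts"]), e["host"], e["user"], desc))
    return sorted(hits)

def burst_hosts(events, window=timedelta(minutes=5), min_count=2):
    """Hosts with at least `min_count` log clears inside `window`.

    A single clear can be routine maintenance; several channels cleared within
    minutes is the pattern worth treating as an incident indicator.
    """
    by_host = {}
    for ts, host, _, _ in find_log_clears(events):
        by_host.setdefault(host, []).append(ts)
    flagged = set()
    for host, stamps in by_host.items():          # stamps are already sorted
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1                            # extend the window from stamps[i]
            if j - i >= min_count:
                flagged.add(host)
                break
    return flagged

if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE_EVENTS):
        print(*hit)
    print("burst hosts:", burst_hosts(SAMPLE_EVENTS))
```

In practice the same logic runs over forwarded events on a collector, which is the point: once the clear has happened, only a copy held off the host survives.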
The emergence of Volcano Demon and other ransomware groups like Arcus Media, APT73, dan0n, and Space Bears highlights the evolving ransomware landscape. These groups employ unique tactics, techniques, and procedures (TTPs), demonstrating increased organization and funding.
Arcus Media operates a Ransomware-as-a-Service model, APT73 targets business services, dan0n focuses on data exfiltration, and Space Bears uses double extortion tactics with strategic affiliations. This evolution in ransomware threats underscores the need for enhanced cybersecurity measures and strategies.
Ransom Payment Ban Unlikely
Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA), recently stated that a formal ban on ransom payments to ransomware operators is unlikely in the United States. While such a ban could theoretically reduce the financial incentives for ransomware attacks, practical implementation within the U.S. system poses significant challenges. Despite extensive efforts to mitigate ransomware, the effectiveness of those efforts is difficult to measure because there is no baseline for comparison.
Easterly emphasized that achieving significant progress in combating ransomware requires the successful implementation of a Secure-by-Design campaign. This approach aims to provide businesses, especially those with limited security resources, with technology that inherently has fewer vulnerabilities. This is crucial, as businesses without substantial security teams cannot be expected to secure their infrastructure effectively.
The debate over whether to ban ransom payments is complex. On the surface, banning all ransom payments seems like a straightforward solution, as financial incentives drive ransomware attacks. Reducing or eliminating these incentives could potentially curb the industry. However, the reality is more nuanced. In critical situations, such as attacks on hospitals or other vital infrastructure, the immediate concern is often expediency. Paying a ransom might seem like the quickest way to recover, but it is not always effective, and organizations often do not regain all their data.
Implementing a waiver system for certain victims is also problematic, as determining eligibility can cause delays, endangering public health and safety. Furthermore, even if organizations choose not to pay for system restoration, they might still face extortion threats due to stolen data.
To move beyond reactive responses to ransomware attacks, there must be a focus on detecting these operations earlier in the attack sequence and building resilience to prevent data loss and prolonged downtime. Cyber resilience encompasses more than just robust cybersecurity measures; it requires a comprehensive understanding of an organization's ability to withstand and recover from cyber incidents. This involves selecting and monitoring key performance indicators (KPIs) and metrics tailored to assess cyber resilience effectively.
Key metrics for enhancing cyber resilience include:
- Mean Time to Detect (MTTD): Measures the time taken to detect a cyber threat or incident. A lower MTTD indicates better detection capabilities, helping to contain threats and reduce breach impact.
- Mean Time to Respond (MTTR): Assesses the time taken to respond to a detected threat. Faster response times can mitigate damage and restore normal operations quickly.
- Incident Response Plan Effectiveness: Evaluates the adherence to and effectiveness of the incident response plan during a cyber incident, including containment time and communication efficiency.
- Cybersecurity Training and Awareness: Tracks the effectiveness of training programs through metrics such as employee awareness levels and performance in simulated exercises. Tailored training approaches can address different roles within the organization more effectively.
- Cybersecurity Hygiene: Measures practices such as system patching frequency, vulnerability scanning results, and compliance with security policies. A prioritized approach to hygiene can prevent many incidents.
- Cyber Risk Exposure: Quantifies the organization’s risk posture based on asset criticality, vulnerability severity, and threat likelihood. Understanding exposure helps prioritize resources and enhance resilience.
- Third-Party Risk Management: Monitors third-party cyber risk through assessments, compliance levels, and incidents involving vendors. Interconnected systems require a clear understanding of third-party risks.
- Security Controls Effectiveness: Assesses the performance of security controls, such as intrusion detection and malware detection rates, to ensure they provide the expected protection.
- Backup and Recovery Metrics: Measures the success rates of backup and recovery processes, including recovery time objectives (RTO) and recovery point objectives (RPO), to ensure data can be restored as needed.
- Business Continuity and Disaster Recovery (BCDR) Metrics: Evaluates the organization’s ability to maintain operations during and after a cyber incident through RTOs, RPOs, and BCDR exercise success rates.
Effective cyber resilience requires a holistic approach that includes proactive measures, rapid detection, efficient response, and robust recovery mechanisms. By monitoring and optimizing these key metrics, organizations can enhance their ability to withstand and recover from cyber threats, ensuring operational continuity and safeguarding their operations.
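The detection, response and recovery metrics above are only useful once they are computed the same way every time. The following is an added example (not from the original post) that derives MTTD and MTTR from incident records and checks restore tests against each system's RTO and RPO; the incident records, system names and objectives are constructed for illustration.

```python
"""Compute MTTD, MTTR and RTO/RPO compliance from incident and restore-test records."""
from datetime import datetime, timedelta

# Constructed incident log: when the intrusion began (from forensics),
# when it was detected, and when it was contained. ISO 8601 timestamps.
INCIDENTS = [
    {"id": "INC-1", "started": "2024-07-01T01:00:00", "detected": "2024-07-01T03:00:00", "contained": "2024-07-01T07:00:00"},
    {"id": "INC-2", "started": "2024-07-03T22:00:00", "detected": "2024-07-04T02:00:00", "contained": "2024-07-04T04:00:00"},
    {"id": "INC-3", "started": "2024-07-05T09:30:00", "detected": "2024-07-05T09:45:00", "contained": "2024-07-05T12:45:00"},
]

# Constructed restore-test results with each system's agreed objectives (hours).
RESTORE_TESTS = [
    {"system": "ehr-db",   "rto_h": 4,  "rpo_h": 1,  "restore_h": 3.5,  "last_backup_age_h": 0.5},
    {"system": "file-srv", "rto_h": 8,  "rpo_h": 24, "restore_h": 10.0, "last_backup_age_h": 20.0},
    {"system": "imaging",  "rto_h": 12, "rpo_h": 4,  "restore_h": 6.0,  "last_backup_age_h": 9.0},
]

def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)) / timedelta(hours=1)

def mean_time_to_detect(incidents):
    """MTTD in hours: average of (detected - started) across incidents."""
    return sum(_hours(i["started"], i["detected"]) for i in incidents) / len(incidents)

def mean_time_to_respond(incidents):
    """MTTR in hours: average of (contained - detected) across incidents."""
    return sum(_hours(i["detected"], i["contained"]) for i in incidents) / len(incidents)

def recovery_gaps(tests):
    """Systems whose restore test missed RTO (restore too slow) or RPO (backup too old)."""
    gaps = {}
    for t in tests:
        reasons = []
        if t["restore_h"] > t["rto_h"]:
            reasons.append("RTO")
        if t["last_backup_age_h"] > t["rpo_h"]:
            reasons.append("RPO")
        if reasons:
            gaps[t["system"]] = reasons
    return gaps

if __name__ == "__main__":
    print(f"MTTD {mean_time_to_detect(INCIDENTS):.2f} h, MTTR {mean_time_to_respond(INCIDENTS):.2f} h")
    print("recovery gaps:", recovery_gaps(RESTORE_TESTS))
```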
Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.