Last Week in Ransomware: 07.22.2024

Last week in ransomware news we saw Clay County issue a disaster alert after ransomware attack, RaaS groups exploiting Veeam for data exfiltration, CDK Global named in lawsuits following attack...

Ransomware Disaster Declaration

Clay County, Indiana, has issued a disaster declaration due to a ransomware attack that has disrupted operations at the Clay County Courthouse and the Clay County Probation/Community Corrections facilities.  

The attackers remain unidentified, but recent ransomware activity in nearby Monroe County by a Russia-linked cybercrime group suggests a potential connection. This incident is part of a troubling trend of ransomware attacks on local government services across the United States.

In the past year, similar attacks have affected Fulton County, Georgia, Jackson County, Missouri, and Cleveland, Ohio, causing significant disruptions and leading to emergency declarations.  

These attacks highlight the inadequacy of the current collective response to ransomware, which not only disrupts critical services but also raises concerns about national security.

Ransomware attacks increasingly appear to serve dual purposes: they are lucrative for the attackers and advance the geopolitical interests of adversarial nations like Russia.  

This dual nature is particularly concerning as the U.S. approaches a contentious election season, where disruptions to voting systems could undermine public confidence.  

The U.S. government must recognize ransomware attacks as not just cybercriminal acts but as significant threats to national security, particularly when they target healthcare, utilities, and election systems.  

Real consequences must be imposed on both the cybercriminals and the nation-states that benefit from these attacks. Without such measures, ransomware operators will continue to act with impunity, causing greater harm and allowing adversarial nations to gain geopolitical advantages.  

Recognizing and addressing the dual nature of these attacks is essential to protect critical infrastructure and maintain national security.

READ MORE HERE

Ransomware Operators Exploit Veeam - Again

A second ransomware group has been found exploiting a year-old vulnerability (CVE-2023-27532) in Veeam’s Backup & Replication product to exfiltrate sensitive data.  

This vulnerability allows attackers to create bogus user accounts, deploy additional hacking tools, exfiltrate credentials and data, perform Active Directory reconnaissance, deploy post-exploitation tools, and deactivate security products.  

Veeam’s solution, designed to protect sensitive data from ransomware attacks, had a flaw that allowed attackers to extract user credentials stored in the configuration database in cleartext.

Despite Veeam issuing a patch in March 2023, the Cuba ransomware group exploited this bug soon after, leading to multiple attacks leveraging the exploit.  

Attackers could take ownership of the Veeam backup folder and compress and upload data from other systems, including documents, images, and spreadsheets, to harvest confidential and potentially valuable data.

This development highlights the limitations of relying on data backups as the primary recovery method from ransomware attacks. While backups are crucial for disaster recovery, they are increasingly targeted by ransomware attackers.  

A recent study found that nearly 80% of businesses depend on data backups not only for disaster recovery but also as the primary means of recovering from a ransomware attack.  

However, restoring thousands of devices from backups is logistically challenging, requiring weeks of work.

Modern ransomware attacks often include data exfiltration, meaning even if systems can be restored without paying for decryption keys, there is no guarantee that stolen data will not be exploited.  

Attackers commonly use legitimate network tools to delete shadow copy backup files, reducing the effectiveness of "rollback" features touted by some vendors. Even when uncorrupted backups are available, restoring every infected device is a time-consuming and costly process.  

For instance, a manufacturing company attacked by the Akira ransomware group last year had to halt operations and rebuild systems from scratch, requiring months and multiple technology partners.  

This can be an existential threat for small to medium organizations lacking the resources for such an extensive recovery process.

While data backups remain essential, they are not a foolproof solution against ransomware attacks, which are sophisticated operations designed to also target and compromise backup systems.

READ MORE HERE

CDK Lawsuits Roll In

CDK Global is facing multiple lawsuits from auto dealerships and employees following a ransomware attack that compromised its dealer management system and exposed sensitive customer data.  

At least eight lawsuits, including a proposed class action by Omar Aviles, an employee of Asbury Automotive Group, allege that CDK failed to adequately protect customer data, resulting in the exposure of Social Security numbers and financial details for tens of thousands of individuals.

The plaintiffs argue that CDK’s cybersecurity measures were insufficient despite the company’s claims of robust protection. They seek damages and demand better data protection. The lawsuits highlight inadequate employee training on cybersecurity and claim that data exposure has caused significant stress and anxiety for affected individuals.  

Dealers also report severe business disruptions, unable to process sales or manage transactions due to cyberattacks. Criticism has also been leveled at CDK's rushed system restorations, which allegedly led to repeated breaches, compared to improper medical treatment causing prolonged harm.

This surge in class action lawsuits related to ransomware attacks and data exfiltration underscores the substantial pressure on C-suite executives and Boards of Directors. Even organizations with robust response and recovery plans face heightened liability risks when sensitive data is compromised.  

The trend of ransomware operators threatening to publish or sell stolen data if ransoms are not paid introduces severe consequences, such as regulatory fines, legal liabilities, and long-term damage to brand and customer trust.

Ransomware attacks now often involve data exfiltration, making them a significant legal and regulatory concern. Data protection laws may mandate prompt reporting of breaches, with severe penalties for non-compliance.  

The increased scrutiny extends to company executives and Boards, signaling a shift towards accountability at the highest levels. The aftermath of security incidents now includes potential class action lawsuits, regulatory actions, and criminal prosecutions, particularly when sensitive data is compromised.

Notable cases, such as legal actions against the former Chief Information Security Officer (CISO) of Uber and recent cases involving SolarWinds, highlight the escalating liability for security decision-makers.  

Regulations, like the new SEC reporting rule effective in December, requiring disclosure of a "material" security event within four days, place executives in a precarious position. This rule, along with others, risks forcing premature disclosures, adding to the pressure on organizations already struggling to defend against ransomware attacks.

In conclusion, the complex situation demands a balanced approach where organizations must enhance their cybersecurity measures while navigating the challenging regulatory terrain to mitigate the risks of further victimization.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.