Last Week in Ransomware: 07.29.2024

Industry
Written by
Halcyon Team
Published on
Jul 29, 2024

In last week's ransomware news: the UK arrested a teen for the MGM attack, LA courts were shuttered by a ransomware attack, the SEC case against SolarWinds was dismissed...

Teen Nabbed for MGM Attack

UK authorities have arrested a 17-year-old from Walsall, England, suspected of orchestrating the ransomware attack on MGM Resorts in Las Vegas in 2023. The teen, who remains unidentified, faces charges of blackmail and violating the UK's Computer Misuse Act.  

The investigation, conducted with the UK’s National Crime Agency and the FBI, led to the seizure of several digital devices from his residence, currently under forensic examination. The suspect is believed to be part of a global cybercrime group, though specifics were not disclosed.  

The ALPHV/BlackCat ransomware group claimed responsibility for the MGM attack, which began with a simple 10-minute phone call to a help desk employee in which the attackers used information gathered from LinkedIn. The attack resulted in a nine-day shutdown of MGM Resorts' systems, causing significant disruption.

The arrest highlights the slow pace of law enforcement in tackling ransomware attacks. Analysts identified the attackers, part of the Scattered Spider group, within days of the attack, but it took a year to arrest the suspect.  

Prosecution will likely take even longer, raising concerns about the effectiveness of legal actions as a deterrent. The delay underscores the need for more immediate and effective measures to combat ransomware.

One suggested approach is to make ransomware attacks unprofitable, potentially by banning ransom payments, though this is controversial. Another crucial strategy is to improve early detection of attacks, such as during initial ingress or lateral movement, to prevent the severe impacts seen in incidents like the MGM breach.

READ MORE HERE

Largest US Court System Disrupted

The Los Angeles Superior Court, the largest unified trial court in the U.S., was forced to close on Monday due to a ransomware attack that occurred the previous week. The attack, detected on Friday, led to the shutdown of all 36 courthouse locations in Los Angeles County as court personnel and security experts worked to repair the significantly impacted network systems. The court's website remained partially offline, affecting key functions like the jury duty portal and internal case management. The attackers have not been identified, and operations are expected to resume on Tuesday.

The ransomware attack rendered every electronic platform containing court data inaccessible, including internet-connected devices and telephone systems. This incident is part of a broader trend where ransomware attacks increasingly disrupt essential services across various sectors. Hospitals have had to cancel medical procedures and divert ambulances, and schools have faced closures due to ransomware, now as frequently as for inclement weather.

State and local governments are also increasingly experiencing severe disruptions, prompting emergency declarations, such as the recent case in Clay County, Indiana. These disruptions highlight the inadequacy of the current response to ransomware attacks. Law enforcement actions and government sanctions, while necessary, are insufficient. Arrests of individual threat actors or disruption of operations have minimal long-term impact, as replacements quickly emerge.

Modern ransomware attacks often serve dual purposes: they are highly profitable for perpetrators and advance geopolitical interests of adversarial nations, particularly Russia. This dual nature is particularly concerning as it could affect critical infrastructure and create widespread fear and uncertainty, especially during sensitive periods like election seasons.

It is crucial for the U.S. government to reclassify significant ransomware attacks as national security threats, particularly those targeting healthcare, utilities, or election systems. Severe consequences must be imposed not only on the individuals orchestrating these attacks but also on the nation-states benefiting from them. Without meaningful repercussions, these attackers will continue to act with impunity, escalating the severity of these disruptions.

READ MORE HERE

SEC Case Against SolarWinds Dismissed

A U.S. judge has largely dismissed the Securities and Exchange Commission (SEC) lawsuit against SolarWinds, a software company, and its Chief Information Security Officer (CISO), Timothy Brown. The SEC alleged SolarWinds defrauded investors by concealing its security vulnerabilities before and after a cyberattack linked to Russia that targeted the U.S. government.

U.S. District Judge Paul Engelmayer dismissed all claims related to post-attack statements, calling them "hindsight and speculation." In his 107-page decision, he also dismissed most pre-attack claims except for one regarding a statement on SolarWinds' website about its security controls. SolarWinds and Brown expressed satisfaction with the ruling, while the SEC did not comment.

The Sunburst cyberattack on SolarWinds' Orion software platform compromised multiple U.S. federal agencies and was revealed in December 2020. The U.S. government suspects Russian involvement, which Russia denies. The SEC lawsuit, filed last October, was notable for targeting a company victimized by a cyberattack and involving an executive not tied to financial statements.

The SEC accused SolarWinds of downplaying its cybersecurity issues and the attack's severity while hiding customer warnings about malicious activity. However, Judge Engelmayer noted that anti-fraud laws do not require "maximum specificity" in risk warnings, which could aid attackers. He stated SolarWinds had no obligation to disclose individual incidents, recognizing cyberattacks as an unfortunate reality.

The SEC action against SolarWinds was seen as deeply flawed and counterproductive, potentially leading to less transparency following cyber incidents. Regulatory actions against companies like SolarWinds could create pressure to withhold information, ultimately harming security.

Targeting executives for security-related decisions reveals a troubling shift in liability, suggesting victims of cyberattacks could face prosecution, especially if sensitive data is compromised. This trend highlights the government's failure to protect organizations from cyber threats and its tendency to re-victimize attack victims.

Greater visibility and accountability in security events for publicly traded companies are beneficial, but premature disclosure without adequate investor education can create confusion and undermine confidence. The SEC's four-day disclosure rule risks revealing attacks prematurely, making company leadership appear incompetent.

These factors create an overzealous regulatory landscape where organizations face punitive measures in addition to defending against cyber threats, compounding their challenges.

READ MORE HERE

Big Change Healthcare Attack Lawsuit Filed

The National Community Pharmacists Association (NCPA) and over three dozen healthcare providers from 22 U.S. states have filed a federal lawsuit against Change Healthcare, Optum, and UnitedHealth Group (UHG) following a severe ransomware attack in February 2024. The attack compromised significant amounts of patient data, disrupted healthcare services, and exposed vulnerabilities in the digital infrastructure of numerous healthcare providers. The plaintiffs allege that the defendants failed to implement adequate cybersecurity measures, amounting to negligence in securing healthcare data, breach of contractual obligations, and violations of state and federal data protection laws, including HIPAA.

The lawsuit seeks compensation for financial losses, reputational damage, and operational disruptions caused by the breach, which has already cost UHG approximately $2.6 billion. The attack's impact was widespread, significantly affecting community pharmacists and healthcare providers who rely on Change Healthcare’s services for essential operations like billing and data management.

A survey by the American Hospital Association (AHA) found that 74% of providers reported patient care disruptions, while 94% cited financial repercussions. Similarly, the American Medical Association (AMA) reported that over 80% of providers experienced lost revenue, with some unable to make payroll. Another study linked ransomware attacks to increased mortality rates, yet public outrage remains minimal.

This lack of alarm is surprising given the extensive damage ransomware attacks cause across industries. A decade ago, concerns about Advanced Persistent Threats (APTs) drove significant increases in security spending. However, despite the growing number of ransomware attacks and their financial burden, there is not a comparable level of concern today.

Ransomware operators are now targeting every industry sector, causing billions in losses and severely impacting the economy. These attacks are becoming more sophisticated, with attackers using tactics, techniques, and procedures (TTPs) once seen only in APT operations. The proliferation of ransomware-as-a-service platforms and the work of initial access brokers have lowered the barrier to entry for ransomware attackers.

Attackers, especially from certain regions, face little risk of criminal liability, contributing to the growing crisis. To address this threat effectively, there must be heightened awareness and action. Until economic factors compel those in power to act, the pain and losses—financial and otherwise—will continue to mount.

READ MORE HERE

DPRK Espionage Ops Incorporate Ransomware

APT45, a North Korea-linked threat actor known for its cyber espionage operations, has expanded into financially motivated attacks involving ransomware, setting it apart from other North Korean hacking groups.  

Identified by Google-owned Mandiant, APT45 overlaps with groups like Andariel and Silent Chollima and has been active since 2009, frequently targeting critical infrastructure. This group is part of North Korea's Reconnaissance General Bureau (RGB), along with APT38, APT43, and Lazarus Group.  

APT45 has deployed ransomware families like SHATTEREDGLASS and Maui against entities in South Korea, Japan, and the U.S. in 2021 and 2022, supporting its operations and generating funds for North Korean state priorities.

APT45's malware arsenal includes Dtrack, which was used in the 2019 cyberattack on India's Kudankulam Nuclear Power Plant. The group's activities reflect North Korea's shifting geopolitical priorities, moving from classic cyber espionage against government and defense sectors to targeting healthcare and crop science.  

As North Korea increasingly relies on cyber operations as a national power tool, APT45's operations indicate the country's changing leadership priorities.

This trend highlights the convergence between nation-state and cybercriminal tactics, techniques, and procedures (TTPs), creating an environment of plausible deniability for the involved nation-states.  

Specifically, in ransomware attacks, three models emerge: the Russian Model, financially motivated with geopolitical targeting; the Iranian Model, using ransomware for disruption without genuine ransom efforts; and the North Korean Model, conducting attacks for both disruption and financial gain.  

This overlap underscores the blurring lines between nation-state-supported operations and those conducted by cybercriminal elements.

READ MORE HERE

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.
