Last Week in Ransomware: 09.16.2024

Last week in ransomware news we saw Iranian ransomware hit US infrastructure, Schools Close following ransomware attacks, RansomHub TTPs include disabling EDR...

Iranian Ransomware Hits US Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and the Department of Defense Cyber Crime Center (DC3), issued a joint advisory warning about Iranian-backed cyber actors facilitating ransomware attacks on U.S. organizations. These actors, known by various aliases such as Pioneer Kitten, UNC757, Parisite, and Lemon Sandstorm, have been targeting multiple sectors in both the U.S. and abroad.

The FBI's investigations in August 2024 have linked these groups to the Iranian government and an Iranian IT company. Their primary strategy involves compromising networks and selling access to ransomware affiliates for future attacks. This advisory echoes a 2020 alert on similar Iranian groups exploiting VPN vulnerabilities, and it includes new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).

Since 2017, these Iranian actors have breached various U.S. organizations, including healthcare, education, financial institutions, and local governments. They monetize their access through cybercrime markets, selling full network control to ransomware groups like NoEscape, Ransomhouse, and BlackCat/ALPHV. Additionally, these groups have carried out hack-and-leak campaigns, notably Pay2Key in 2020, aimed at destabilizing Israeli infrastructure.

The advisory highlights the growing collaboration between nation-state actors and criminal groups, creating a landscape where geopolitical motives and cybercriminal activities intertwine. This convergence allows nation-states, such as Iran, Russia, and North Korea, to obscure their cyber operations behind criminal fronts, creating plausible deniability.

Given the dual motives—financial gain and geopolitical objectives—the advisory suggests that ransomware attacks on critical infrastructure should be classified as acts of terrorism. This reclassification would allow the U.S. and its allies to pursue more aggressive cyber and even military responses. Recent legislative efforts, such as the U.S. Senate Intelligence Committee’s proposal, aim to treat ransomware as a national security threat, elevating its priority in the U.S. intelligence community.

READ MORE HERE

School Closes Following Ransomware Attack

Charles Darwin School in South London has temporarily closed due to a significant ransomware attack that has crippled its IT systems, affecting around 1,300 students. The attack targeted essential operational systems, including email and internet services, disrupting the school’s ability to function. Headteacher Aston Smith alerted parents and guardians about the breach, confirming that all staff devices had been seized for investigation and student accounts were disabled to prevent further compromises.

Cybersecurity experts and data recovery specialists have been called in to assess the damage, and the Information Commissioner’s Office (ICO) has been notified. Ransomware attacks on schools have surged globally, with educational institutions becoming frequent targets due to their outdated cybersecurity infrastructure and limited resources. In 2023, K-12 ransomware attacks increased by 92%, putting sensitive student and staff data at risk.

To maintain some level of continuity during the incident, the school has switched to remote learning platforms like Satchel One. Meanwhile, parents and students are being warned to remain cautious of suspicious communications as recovery efforts continue.

The incident highlights the systemic vulnerabilities within the education sector, where schools often struggle to maintain adequate cybersecurity defenses. Limited funding, outdated security tools, and a shortage of skilled cybersecurity personnel leave schools vulnerable to sophisticated ransomware operations. Addressing these challenges requires significant financial investment in advanced security solutions and hiring cybersecurity professionals to reduce long-term risks.

READ MORE HERE

RansomHub TTPs Include Disabling EDR

RansomHub has adopted a sophisticated new attack strategy by combining two well-known tools—Kaspersky's TDSSKiller and LaZagne—to bypass security defenses and steal credentials, expanding their tactics, techniques, and procedures (TTPs). This is the first known instance of RansomHub using these tools in its operations, according to Information Security Buzz.

The attack begins with reconnaissance and privilege enumeration, targeting high-privilege accounts such as “Enterprise Admins.” RansomHub uses TDSSKiller to disable endpoint detection and response (EDR) systems by exploiting the "-dcsvc" flag, a technique similar to those used by the LockBit ransomware group. Once security services are neutralized, LaZagne is deployed to steal credentials from applications, browsers, databases, and email clients. This enables lateral movement within the network, threatening critical systems and sensitive data.

To defend against this evolving threat, researchers suggest restricting the use of vulnerable drivers like TDSSKiller and monitoring for suspicious command-line flags. Network segmentation is also crucial to limit lateral movement, even if credentials are compromised.

Ransomware attacks are increasingly successful due to advanced security evasion techniques that bypass traditional endpoint protection (EPP) solutions. Attackers use "universal unhooking" and hard-coded bypasses to evade detection by antivirus (AV), next-gen AV, EDR, and extended detection and response (XDR) systems. Most top ransomware groups leverage these techniques, making even advanced security tools ineffective. Organizations must improve their defense strategies, learn from previous failures, and continuously adapt to minimize the impact of future attacks.

READ MORE HERE

Attack Leverages DLL Side-Loading and Valid Certificates

A new strain of ransomware, dubbed Kransom, has been uncovered by cybersecurity researchers. It is camouflaged as a popular game, StarRail, to evade detection, according to HackRead. This malware employs DLL side-loading techniques to deliver its payload, using a legitimate digital certificate from COGNOSPHERE PTE. LTD. to add credibility.

Kransom is embedded within a modified version of StarRail, where the ransomware hides inside an altered DLL file in the game’s directory. This DLL side-loading technique allows a seemingly trustworthy executable to load malicious code. The ransomware remains dormant until the compromised StarRailBase.dll is executed, at which point it encrypts files and initiates the attack. The encryption method used within the DLL file employs XOR, a simple but effective method to obscure the malicious code.

Kransom’s ability to exploit legitimate digital certificates makes it particularly dangerous. By signing the ransomware with a trusted certificate, it bypasses conventional security systems that typically flag unsigned or suspicious software. This tactic reduces the chances of detection by antivirus programs, as the malware poses as a legitimate software component.

Ransomware tactics have evolved, with operators leveraging advanced techniques like DLL side-loading and exploiting zero-day vulnerabilities, often blurring the line between state-sponsored attackers and cybercriminals. Legacy security tools, such as Endpoint Detection and Response (EDR), are increasingly ineffective against these sophisticated methods, as seen in high-profile attacks like the 2021 REvil breach of Kaseya.

To defend against such threats, experts recommend monitoring for unsigned DLLs, analyzing loading paths, and checking compilation timestamps for anomalies. However, attackers may also use techniques like "timestomping" to manipulate timestamps, complicating detection.

Defending against these advanced threats requires a resilient, multifaceted security approach, combining detection of subtle anomalies with broader operational strategies.

READ MORE HERE

Health Network to Pay $65M Judgement After Attack

Lehigh Valley Health Network (LVHN), a Pennsylvania-based healthcare provider, has agreed to a $65 million settlement following a class-action lawsuit related to a ransomware attack in early 2023. Hackers infiltrated LVHN’s network in January 2023 and deployed ransomware in February, compromising sensitive patient and employee data. The breach primarily affected Lehigh Valley Physician Group (LVPG) – Delta Medix, exposing over 130,000 individuals.

The stolen information included names, addresses, medical records, health insurance details, Social Security numbers, banking details, driver’s license numbers, and, in some cases, highly sensitive clinical images, including nude photographs. LVHN informed affected individuals in March 2023 and offered two years of identity protection and credit monitoring services. In July, the Alphv/BlackCat ransomware gang was confirmed to be responsible, with some of the stolen data published on their leak site.

The class-action lawsuit, filed in March 2023, accused LVHN of failing to adequately protect patient data. On September 11, 2024, the healthcare provider agreed to the $65 million settlement, marking one of the largest settlements in a healthcare-related ransomware case. Payments to affected individuals will range from $50 to $70,000, depending on the severity of the impact, with the highest compensation awarded to those whose nude clinical images were leaked.

The attack underscores the heightened risks healthcare organizations face from ransomware. These institutions often struggle with limited resources and outdated systems, leaving them vulnerable to increasingly sophisticated cyber threats. Ransomware gangs, such as Alphv/BlackCat, exploit these vulnerabilities, often weaponizing deeply personal information to pressure organizations into paying ransoms. For healthcare providers, these breaches not only disrupt operations but also jeopardize patient safety, privacy, and dignity. The LVHN incident exemplifies the devastating impact ransomware can have on both individuals and institutions in the healthcare sector.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.