Last Week in Ransomware: 10.07.2024

Industry
Written by Halcyon Team
Published on Oct 7, 2024

Last week in ransomware news we saw DragonForce reusing leaked LockBit and Conti code, the UMC Health attack described as a threat to national security, and the Embargo ransomware being deployed against hybrid cloud environments...

DragonForce Using LockBit and Conti Code

DragonForce, an emerging ransomware group, has gained prominence by reusing and customizing leaked ransomware builders, a tactic increasingly used among modern cybercriminals.  

Over the past year, DragonForce has targeted 82 victims across the U.S., U.K., and Australia, demonstrating its rapid growth and significant impact on the cyber landscape. While not linked to any specific country, reports suggest the group may be based in Malaysia.

DragonForce operates a sophisticated Ransomware-as-a-Service (RaaS) platform, built using a leaked builder from the notorious LockBit ransomware group. This platform enables the group to carry out highly targeted and disruptive attacks, showcasing their technical expertise and capability to bypass conventional security measures.  

By leveraging LockBit’s architecture, DragonForce has advanced its platform with enhanced data encryption, exfiltration, and stealth techniques, making it challenging for security teams to detect their activities before deployment.

One of DragonForce’s notable strategies is the double extortion model popularized by LockBit: they exfiltrate sensitive data before encrypting it, then threaten to publicly leak the stolen data unless their ransom demands are met.

This approach significantly increases the likelihood of payment, making their attacks particularly effective. The group’s rapid encryption capabilities further complicate organizations’ response efforts, often leaving them vulnerable to extensive damage.

DragonForce operates like a structured business, focusing on recruitment and affiliate support, enabling even less skilled criminals to execute sophisticated attacks. The group’s emphasis on research and development allows them to continually refine their platform, staying ahead of modern cybersecurity defenses.  

Their commitment to innovation has resulted in numerous high-profile attacks in 2024, targeting companies like Seafrigo Group, the Ohio Lottery, and Coca-Cola Singapore. With their adaptable tactics and growing reach, DragonForce has become a formidable player in the ransomware ecosystem, posing a significant threat to large, high-value organizations worldwide.


UMC Health Attack Threat to National Security

The University Medical Center Health System (UMC) is currently grappling with a severe ransomware attack that began on Thursday, causing widespread IT outages and disrupting operations.  

The cyberattack has forced UMC, the only Level 1 trauma center within a 400-mile radius, to divert emergency and non-emergency patients to other facilities, significantly delaying patient care and creating a critical situation.  

The hospital has engaged third-party cybersecurity firms to manage the response and restore services, but there is no clear timeline for full recovery.

John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association (AHA), expressed serious concerns, describing the attack as a national security issue. He emphasized the potential for loss of life when hospitals are incapacitated, especially in cases like this where UMC serves as the primary trauma center in the region.  

According to Riggi, Russian organized crime gangs are typically behind these attacks, often operating under the protection of the Russian government. He noted that these criminal groups collaborate with other nation-state actors, such as Iran, to target American institutions, complicating efforts to combat these threats.

The ransomware attack follows a typical pattern: hackers infiltrate a network, often selling access to other criminal groups who execute the actual attack. Once inside, attackers steal sensitive data and shut down systems, paralyzing essential hospital operations.  

In many cases, patient health information is exfiltrated and encrypted, with attackers demanding ransom to restore access. This disruption not only impacts hospital operations but also puts lives at risk.  

Riggi warned that no single hospital is equipped to defend against these sophisticated, nation-state-backed cyberattacks, calling for stronger federal intervention akin to counter-terrorism efforts.

The effects of ransomware attacks on healthcare facilities can be catastrophic. Between 2016 and 2021, research indicates that ransomware attacks contributed to the deaths of 42 to 67 patients and led to a 33% increase in death rates for hospitalized Medicare patients.  

This alarming trend underscores the urgency of reclassifying ransomware attacks as national security threats. Currently, law enforcement agencies are responsible for investigating and prosecuting these cybercrimes.  

However, when such attacks disrupt critical infrastructure and endanger lives, they may necessitate a more forceful response, including potential offensive actions against the perpetrators.

The U.S. has already begun to take a stronger stance on ransomware. The Senate Intelligence Committee recently introduced legislation to address the growing threat, proposing to treat ransomware gangs as “hostile foreign cyber actors” and to classify nations harboring these groups as “state sponsors of ransomware.”  

This legislation, sponsored by Committee Chairman Mark Warner (D-Va.), would impose sanctions on these countries and grant the U.S. intelligence community expanded authority to target ransomware gangs.  

The proposed bill aims to elevate ransomware to a national intelligence priority, signifying a major shift in policy by linking ransomware to terrorism.

Recognizing ransomware attacks as critical national security threats will enable a more aggressive response, disrupting both the criminal elements and hostile state actors involved.  

Until the U.S. and its allies take more direct action against regimes that support or harbor ransomware operations, such as Russia, the frequency and severity of these attacks are likely to continue unabated.  

Treating ransomware attacks on healthcare and other critical infrastructure as acts of state-sponsored terrorism could unlock a broader set of response options, including offensive cyber operations and even traditional military responses.


Embargo Ransomware Attacking the Cloud

Microsoft has issued a warning about the ransomware group Storm-0501, which has shifted its focus to target hybrid cloud environments, a tactic that allows it to compromise both on-premises and cloud assets.  

First identified in 2021 as an affiliate of the Sabbath ransomware group, Storm-0501 has since collaborated with several high-profile ransomware gangs such as Hive, BlackCat, and LockBit, and is currently deploying the Embargo ransomware.  

The group has targeted sectors including healthcare, government, manufacturing, and law enforcement in the United States.

Storm-0501 typically gains access to cloud environments through weak credentials and privileged accounts, enabling them to steal data and deploy ransomware payloads. They often obtain initial access by using stolen or purchased credentials or by exploiting vulnerabilities like CVE-2022-47966 (Zoho ManageEngine) and CVE-2023-4966 (Citrix NetScaler).  

Once inside a network, they use tools such as Impacket and Cobalt Strike for lateral movement and custom binaries for data exfiltration. They also disable security defenses using PowerShell commands and leverage stolen Microsoft Entra ID (formerly Azure AD) credentials to transition from on-premises to cloud environments.

Using these credentials, the group compromises the Entra Connect directory synchronization account and hijacks the cloud sessions of synced users to establish persistence in the cloud tenant. Storm-0501 then adds a new federated domain to the tenant under its own control; because the tenant trusts that domain to authenticate users, the attackers can issue their own SAML tokens and sign in as any user in the environment.

The Embargo ransomware is then pushed across an organization’s assets using techniques such as scheduled tasks or Group Policy Objects (GPOs). The payload encrypts files, while the federation backdoor preserves access to the tenant for future operations.
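The cloud pivot described above leaves a distinctive trail in the Entra ID directory audit log: a password reset of, or by, the Entra Connect sync account, followed shortly by a domain federation change. The following hunt script is an added example (not Microsoft’s, Halcyon’s, or Storm-0501’s code) that scores audit records for exactly that sequence, serving both the attack chain above and the continuous-monitoring recommendation later in this section. The record shape (activityDisplayName, initiatedBy, targetResources, result, activityDateTime) follows the Microsoft Graph directoryAudit object, and the specific activity names and the Sync_<server>_<hex> account naming are assumptions to confirm against your own tenant’s export; the sample records are constructed, not real tenant data.

```python
"""Hunt Entra ID directory-audit records for the hybrid-cloud pivot:
sync-account abuse followed by a federation change.

Added example, not vendor code.  Field names follow the Microsoft Graph
directoryAudit shape; the activity names and the sync-account naming
pattern are assumptions to verify against a real export.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Activities that add a domain or change how it authenticates.  A new
# federated domain (or one repointed at an attacker IdP) lets the attacker
# mint SAML tokens for any synced user.  Names assumed from Entra audit logs.
FEDERATION_OPS = {
    "Set domain authentication",
    "Set federation settings on domain",
    "Add unverified domain",
}
# Entra Connect sync accounts are assumed to be named Sync_<server>_<hex>@<tenant>.
# In a healthy tenant they only write synced user/group objects, so a password
# reset OF such an account, or a password reset BY one, is out of pattern.
SYNC_ACCOUNT_RE = re.compile(r"^sync_[^@]+@", re.IGNORECASE)


@dataclass
class Finding:
    kind: str       # "federation" or "sync_account"
    severity: str   # "high" for a successful change, "medium" for a failed attempt
    when: datetime
    actor: str
    activity: str
    target: str


def _ts(s):
    # Graph emits ISO-8601 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _actor(rec):
    by = rec.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _targets(rec):
    return [t.get("userPrincipalName") or t.get("displayName") or ""
            for t in rec.get("targetResources") or []]


def hunt(records):
    """Return one Finding per suspicious record, in log order."""
    findings = []
    for rec in records:
        act = rec.get("activityDisplayName", "")
        actor, targets = _actor(rec), _targets(rec)
        sev = "high" if rec.get("result") == "success" else "medium"
        when = _ts(rec["activityDateTime"])
        if act in FEDERATION_OPS:
            findings.append(Finding("federation", sev, when, actor, act, ",".join(targets)))
        elif act == "Reset user password" and (
            SYNC_ACCOUNT_RE.match(actor) or any(SYNC_ACCOUNT_RE.match(t) for t in targets)
        ):
            findings.append(Finding("sync_account", sev, when, actor, act, ",".join(targets)))
    return findings


def federation_after_sync_abuse(findings, window_hours=48):
    """Federation changes that follow a sync-account anomaly within the window,
    i.e. the ordering reported for Storm-0501: steal sync creds, then federate."""
    resets = [f.when for f in findings if f.kind == "sync_account"]
    window = timedelta(hours=window_hours)
    return [f for f in findings if f.kind == "federation"
            and any(r < f.when <= r + window for r in resets)]


# Constructed sample export (seven records, not from any real tenant).
_SYNC = "Sync_DC01_9f3a2b@contoso.onmicrosoft.com"
_ADMIN = "gadmin@contoso.com"
SAMPLE_RECORDS = [
    {"activityDateTime": "2024-09-20T09:55:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": _SYNC}},
     "targetResources": [{"userPrincipalName": "jdoe@contoso.com"}]},        # normal sync write
    {"activityDateTime": "2024-09-20T10:00:00Z", "activityDisplayName": "Reset user password",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
     "targetResources": [{"userPrincipalName": _SYNC}]},                       # reset OF sync account
    {"activityDateTime": "2024-09-20T10:05:00Z", "activityDisplayName": "Reset user password",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": _SYNC}},
     "targetResources": [{"userPrincipalName": _ADMIN}]},                      # reset BY sync account
    {"activityDateTime": "2024-09-20T12:30:00Z", "activityDisplayName": "Add unverified domain",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": _ADMIN}},
     "targetResources": [{"displayName": "login-contoso.example"}]},
    {"activityDateTime": "2024-09-20T12:31:00Z", "activityDisplayName": "Set domain authentication",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": _ADMIN}},
     "targetResources": [{"displayName": "login-contoso.example"}]},
    {"activityDateTime": "2024-09-20T12:32:00Z", "activityDisplayName": "Add user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": _SYNC}},
     "targetResources": [{"userPrincipalName": "newhire@contoso.com"}]},      # normal sync write
    {"activityDateTime": "2024-09-20T12:35:00Z", "activityDisplayName": "Set federation settings on domain",
     "result": "failure", "initiatedBy": {"user": {"userPrincipalName": _ADMIN}},
     "targetResources": [{"displayName": "login-contoso.example"}]},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_RECORDS)
    for f in found:
        print(f"[{f.severity:6}] {f.when:%H:%M} {f.kind:12} {f.actor} -> {f.activity} ({f.target})")
    for f in federation_after_sync_abuse(found):
        print("CHAIN: federation change after sync-account anomaly:", f.activity, f.target)
```

To run it against a real tenant, export records from the Graph `auditLogs/directoryAudits` endpoint (or the matching Entra portal download) as a JSON list and pass them to `hunt`; the `federation_after_sync_abuse` correlation is what separates an attacker’s backdoor federation from a legitimate, change-ticketed identity-provider migration, which would not be preceded by a sync-account password reset.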

This shift in tactics highlights the increasing sophistication of ransomware groups, as they adapt to the widespread use of hybrid environments in large enterprises.  

By targeting both cloud-based and on-premises assets, Storm-0501 is capable of causing extensive disruption and demanding higher ransoms. As cloud environments often serve as critical data backups and operational platforms, compromising them can have cascading effects across an entire organization.

To counter these evolving threats, organizations must implement a comprehensive security strategy that includes robust identity and access management controls, network segmentation, and continuous monitoring.  

Traditional perimeter-based defenses are no longer sufficient; a zero-trust architecture is essential. Ransomware operators are also developing cross-platform payloads that can target both Windows and Linux systems, further expanding their reach and impact.  

Consequently, businesses should approach cloud security with the same rigor as they do for on-premises environments, understanding that a breach in one area could compromise the entire hybrid infrastructure.


Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.
