Last Week in Ransomware: 10.23.2023
Last Week in Ransomware News we saw law enforcement take down Ragnar Locker sites, Ukrainian Hacktivists wipe out Trigona servers, and DHS alert on NoEscape ransomware...
NoEscape Ransomware: The Russian Revamp
The US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HHS HC3) issued an advisory on the NoEscape ransomware operation which is believed to be a spinoff of defunct Russian threat actor Avaddon.
NoEscape has a few tricks up its sleeve. It can run scripts in Windows safe mode to disable endpoint defenses and comes with a suite of additional features including a Tor admin panel, private chat functions, and even distributed denial-of-service (DDoS) attacks available for an extra fee!
What's truly worrisome is NoEscape's indiscriminate targeting of healthcare providers. These attacks have the potential to disrupt critical medical services and place lives at risk. Victims are slapped with ransom demands as high as $10 million. Some attacks combine data exfiltration and encryption with DDoS assaults for maximum impact.
Healthcare providers are prime targets for ransomware attacks due to their limited resources, aging infrastructure, and high-stakes consequences. Ransomware operators like NoEscape are constantly evolving, recruiting top talent, and causing more disruption.
To defend against these threats, organizations must implement a robust strategy that includes endpoint protection, patch management, data backups, access control, employee awareness programs, resilience testing, and procedure testing. Prevention is crucial, but resilience ensures operations continue even after an attack.
FBI and CISA vs. AvosLocker
Our second stop takes us to the joint efforts of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) as they tackle the AvosLocker ransomware operators.
AvosLocker affiliates are a threat to critical infrastructure sectors, targeting Windows, Linux, and VMware ESXi environments. They infiltrate networks using legitimate software and open-source remote system administration tools. Their data extortion tactics involve threatening to leak or publish stolen data, making the stakes higher for victims.
AvosLocker first surfaced in 2021, following the Ransomware-as-a-Service (RaaS) model. Over time, they've upped their ransom demands from hundreds of thousands to millions of dollars. Their attacks utilize legitimate tools for lateral movement, credential theft, tunneling, and data exfiltration, making detection challenging.
AvosLocker, while not as prolific as some ransomware groups, has made a resurgence, targeting various sectors. They utilize legitimate tools to evade detection and often exploit vulnerabilities in target systems. This emphasizes the need for organizations to stay vigilant and continuously update their defenses.
Ransomware's Impact on Patient Care
A study from the Ponemon Institute reveals the devastating effects of ransomware attacks on organizations. An alarming 88% of organizations experienced an average of 40 attacks in the past year, with healthcare providers bearing the brunt.
More disturbingly, 68% of respondents reported that ransomware attacks led to disruptions in patient care. Data exfiltration during these attacks negatively impacted patient care, causing increased mortality rates and more complications in medical procedures.
Ransomware attacks are a significant threat, and healthcare providers have been hit particularly hard. CISA released guidelines for K-12 organizations, but the guidelines alone aren't enough to stem the tide of attacks.
Legacy security tools are ill-equipped to handle these threats, and the healthcare sector, in particular, is often vulnerable due to resource constraints.
Ukrainian Hacktivists Strike Trigona
Our next destination takes us to the bold efforts of Ukrainian hacktivists who infiltrated and dismantled the Trigona ransomware gang's servers. They exfiltrated data, including source code and potential decryption keys, and wiped the servers clean.
Trigona, a ransomware operation that emerged in 2022, exhibited significant activity in the early months of 2023. They primarily targeted technology, healthcare, banking, manufacturing, and retail companies. Trigona's attacks were marked by their use of legitimate programs, making detection a challenging task.
The takedown of the Trigona ransomware gang is a welcome victory in the ongoing fight against cybercriminals. Trigona, although less technically savvy than some groups, posed a significant threat to various industries. The cybersecurity community remains vigilant, ready to combat new threats.
Law Enforcement Hit Ragnar Locker
Our final destination takes us to a coordinated international law enforcement operation aimed at seizing the negotiation and data leak sites of the Ragnar Locker Ransomware gang. Authorities from multiple countries joined forces to bring this ransomware operator to justice.
Ragnar Locker, which first emerged in 2019, had targeted various sectors, including manufacturing, energy, financial services, government, and information technology. They utilized vulnerabilities in Remote Desktop Protocol (RDP) software to compromise victim networks, demonstrating the importance of securing remote access.
The takedown of Ragnar Locker is a significant win in the fight against ransomware. This group, known for its high ransom demands and persistent attacks, will no longer threaten organizations.
But the battle continues, and as long as cybercriminals persist, so will the determination of those who protect our digital world. Stay safe, stay vigilant, and be prepared to adapt to the ever-changing threat landscape.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.
Related Posts
See Halcyon in action
Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!