Last Week in Ransomware: 11.04.2024
Last week in ransomware news we saw the data of 100M UnitedHealth patients were exposed, Operation Salt Typhoon targeting US politicians, NotLockBit ransomware targeting macOS...
Data of 100M UnitedHealth Patients Exposed
In February 2024, a ransomware attack on Change Healthcare, a UnitedHealth subsidiary, exposed sensitive data of over 100 million individuals, marking one of the largest healthcare breaches in recent years.
UnitedHealth officially acknowledged the breach's scope for the first time, corroborated by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The breach, which impacted millions across the U.S., compromised personal and medical privacy, exposing policy details, diagnoses, treatments, Social Security numbers, and financial information.
Modern ransomware attacks increasingly involve data exfiltration, where attackers steal data first, threatening to publish or sell it if ransom demands aren’t met. This strategy not only heightens regulatory and legal risks for affected organizations but also escalates reputational damage.
With regulatory scrutiny intensifying, executives and board members face growing accountability, often becoming direct targets in lawsuits linked to ransomware incidents involving data theft.
Many cybercriminal groups have shifted focus from encryption to exclusive data theft, intensifying the importance of compliance with stringent data breach notification laws. Non-compliance can result in severe penalties, and delayed disclosures may lead to added regulatory pressure.
Traditional defenses that address ransomware only during or after the encryption stage are now outdated; organizations must prioritize early detection and response to prevent data exfiltration in the initial attack phases.
Moreover, third-party service providers increasingly face legal exposure, as they are often named in lawsuits alongside primary victims. This shift in ransomware tactics has elevated it to a critical legal and regulatory concern, as breaches involving sensitive data draw heightened attention.
As ransomware becomes a growing threat to corporate liability and business sustainability, organizations must adopt proactive measures to mitigate potential regulatory and financial repercussions.
Operation Salt Typhoon Targets US Politicians
Operation Salt Typhoon, also known as GhostEmperor, FamousSparrow, and UNC2286, is a sophisticated Chinese state-sponsored cyberespionage group that recently escalated its targeting of U.S. telecommunications infrastructure.
This group has conducted complex operations against critical infrastructure in North America and Southeast Asia, with a particular focus on compromising Cisco routers essential to global internet traffic.
Salt Typhoon's recent campaign involved high-profile political figures, reportedly including devices used by former President Donald Trump, Senator JD Vance, Vice President Kamala Harris's campaign, and staff of Senator Chuck Schumer.
This high-value targeting indicates Salt Typhoon’s commitment to gathering political intelligence from both major U.S. parties, enhancing their strategic insight into national affairs.
Telecom providers are prime targets for espionage due to the sensitive data they handle, including personally identifiable information (PII) and confidential communications. However, despite significant cybersecurity investments, many providers struggle with visibility across their networks, making them vulnerable to persistent and advanced attacks.
Salt Typhoon’s methods include supply-chain compromises, where infiltrating one telecom company provides access to interconnected systems and customer data globally. Such breaches have substantial implications, exposing millions to espionage and data theft and compromising U.S. intellectual property, with estimated losses in the billions annually.
This operation underscores the urgent need for telecoms and critical infrastructure providers to strengthen cybersecurity protocols, improve threat intelligence sharing, and develop advanced detection and response capabilities to counter these sophisticated threats.
NotLockBit Ransomware Targets MacOS
NotLockBit is a new ransomware strain that primarily targets macOS systems while also functioning on Windows, marking a shift in ransomware attacks to include Apple’s ecosystem.
Written in the Go programming language, NotLockBit mimics the well-known LockBit ransomware by using a similar ransom note and banner, misleading victims and researchers alike.
This strain deploys typical ransomware tactics like file encryption, shadow copy deletion, and double extortion, where stolen data is exfiltrated to force ransom payments. Distributed as an x86_64 binary, NotLockBit operates on Intel Macs and Apple silicon devices through Rosetta emulation.
It uses RSA asymmetric encryption, which involves a master key that cannot be decrypted without the attacker’s private key, making recovery impossible without paying the ransom. Stolen data is sent to an Amazon S3 bucket, though these credentials were later deactivated by Amazon upon discovery.
This malware represents one of the first fully operational ransomware attacks aimed at macOS, going beyond previous proof-of-concept samples. Researchers believe it is in an early testing phase, as samples have appeared on VirusTotal, indicating the developers are assessing its impact.
The expansion to macOS, following ransomware developments for Linux, signals that attackers are broadening their target range beyond Windows, driven by a desire to maximize disruption and increase ransom demands.
As ransomware now targets a wider range of platforms, organizations must bolster their defenses to manage the escalating risks posed by such cross-platform threats.
City of Columbus Still Recovering
During a Columbus City Council meeting, Technology Director Sam Orth updated the public on the city’s ongoing recovery from a ransomware attack in July.
Orth noted that the city aims to fully restore internet access for employees this week, with testing underway to ensure a safe reactivation. Currently, departments have limited access through city Wi-Fi and approved websites, but full internet browsing from desktops is expected soon.
In addition to recovery efforts, the city attorney's office reached a legal agreement with cybersecurity expert Connor Goodwolf, who had exposed the extent of the attack.
Under the agreement, Goodwolf is permanently barred from sharing stolen city data, and the city has dropped its lawsuit against him. Deputy Chief of Staff Brian Shinn warned that similar actions would be taken if others attempt to disseminate the stolen data.
The city is also offering free credit monitoring, with over 16,500 residents enrolled ahead of the November deadline.
Ransomware incidents highlight the need for a proactive, resilient cybersecurity approach covering detection, response, recovery, and regular assessment.
Fast detection (Mean Time to Detect, MTTD) and response (Mean Time to Respond, MTTR) are critical to containing threats, with real-time monitoring, clear response plans, and tabletop exercises essential to refining processes.
Continuous cybersecurity training, rigorous third-party evaluations, and robust backup and recovery processes further strengthen resilience.
Regularly assessing controls, patching vulnerabilities, and practicing recovery measures ensure that organizations are prepared for ransomware incidents, enabling them to minimize damage and continue operations.
North Korean APT Tied to Play Ransomware
North Korean threat group APT 45 has recently collaborated with the Play ransomware group in a financially motivated campaign between May and September 2024, marking the first observed partnership between North Korean state-backed actors and a criminal ransomware operation.
APT 45, tied to North Korea's Reconnaissance General Bureau, historically used ransomware like SHATTEREDGLASS and Maui, but Play represents a new venture.
Known for its agility and sophisticated techniques, Play operates without the ransomware-as-a-service (RaaS) model initially speculated. This partnership illustrates the growing convergence between nation-state tactics and cybercriminal operations.
APT 45 gained access to targeted networks through compromised accounts, using tools like the Sliver C2 framework and Dtrack backdoor to establish persistence.
Their pre-ransomware activities included credential harvesting, privilege escalation, and disabling endpoint detection, and they deployed trojanized binaries to collect sensitive browser data, such as credit card details.
While it remains unclear if APT 45 is a Play affiliate or acted as an initial access broker (IAB), this collaboration suggests North Korea may continue using ransomware to bypass sanctions and generate revenue.
This convergence reflects broader trends among state actors using cybercrime tactics. Russia’s ransomware groups are often influenced by government interests, while Iran uses ransomware for strategic disruption. North Korea, however, leverages ransomware for both disruption and crucial revenue generation.
Play has rapidly become one of the most active ransomware groups, exploiting Fortinet and Microsoft Exchange vulnerabilities and refining tactics like intermittent encryption. Initially targeting Latin America, they have since expanded globally, often using double extortion methods.
By blending advanced persistent threat (APT) methods with organized cybercrime, these collaborations increase threat sophistication, making attribution difficult and heightening the global ransomware landscape’s complexity.
Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
Related Posts
See Halcyon in action
Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!