Last Week in Ransomware: 11.06.23

Last Week in Ransomware News we saw the SEC charge SolarWinds and their CISO with fraud, Boeing Investigating a LockBit attack, and the debate regarding paying ransom demands rage on...

Boeing Investigates LockBit Attack and Data Exfiltration

Boeing, one of the world's leading aerospace and defense companies, recently found itself in the crosshairs of the notorious LockBit ransomware gang. The attack, which was first disclosed by Boeing last Friday, has raised significant concerns due to the potential compromise of sensitive data and the looming threat of data exposure if the company doesn't meet the ransom demands by November 2.

The LockBit gang wasted no time in making their intentions clear. They announced that they had exfiltrated sensitive data and were ready to publish it if Boeing failed to respond within the specified deadline. As per Reuters reports, the group stated, "Sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline!" The hackers went on to emphasize their seriousness, adding, "For now we will not send lists or samples to protect the company BUT we will not keep it like that until the deadline."

This alarming situation has put Boeing in a delicate position. A company spokesperson acknowledged that they are "assessing this claim." The urgency and potential consequences of this attack cannot be understated, as it not only threatens Boeing's sensitive information but could also have serious national security repercussions.

LockBit, a Ransomware-as-a-Service (RaaS) group, has been active since 2019 and is known for its adeptness at evading security tools and its remarkable encryption speed. They employ multiple tactics for extortion, often demanding a ransom for the encrypted data as well as the encryption key itself. In fact, LockBit has been one of the most prolific ransomware operations, demanding ransoms exceeding $50 million.

The list of LockBit's notable victims includes prominent organizations such as SpaceX, Shakey's Pizza, Banco De Venezuela, GP Global, Kuate Ministry of Commerce, MCNA Dental, Bank of Brazilia, Endtrust, Bridgestone Americas, and even the Royal Mail. Their aggressive approach to ransom demands is evident from their audacious $70 million ransom demand to Taiwan Semiconductor Manufacturing Company (TSMC) in July.

LockBit continues to evolve its RaaS platform, introducing LockBit 3.0 in June 2022 and, more recently, venturing into macOS ransomware variants in April 2023. Their latest versions come with advanced anti-analysis features and pose a significant threat to both Windows and Linux systems. LockBit's methods often involve exploiting remote desktop protocol (RDP), spreading through Group Policy Objects, and using PsExec via the Server Message Block (SMB) protocol.

The Boeing incident underscores the ongoing debate surrounding ransomware attacks – to pay or not to pay. Recent cases, such as MGM's decision not to pay a ransom after a disruptive ransomware attack in September, and Caesars Entertainment choosing to pay in a similar situation, have intensified this debate. A survey of security leaders revealed that 83% of organizations admitted to paying hackers following a ransomware attack, with more than half paying at least $100,000.

READ MORE HERE

The Ransom Debate

Ransomware attacks that include data exfiltration have become increasingly common, forcing victims to consider paying the ransom even if they have recovery options. The exfiltration of sensitive data can lead to significant financial losses, reputation damage, and a loss of customer trust. Organizations must carefully assess the risks and benefits of paying a ransom to protect their stakeholders.

Law enforcement and security experts generally recommend against paying ransom demands to discourage attackers. However, the decision to pay or not may vary depending on the organization's circumstances. While large companies like MGM might afford not to pay and deal with downtime, hospitals dealing with life-threatening situations might face more complex decisions.

The dilemma over paying ransoms stems from differing opinions among experts. Proponents argue that paying is the quickest way to regain access to data and reduce overall attack impact, as the cost of paying is often lower than the cost of data restoration or potential financial losses. Opponents contend that paying incentivizes attackers and doesn't guarantee data restoration, exposing victims to further attacks.

READ MORE HERE

SEC Criminal Enforcement Actions

In the case of the SEC's enforcement actions against SolarWinds and its CISO, Timothy G. Brown, the spotlight is on security failures and the alleged fraud related to internal control deficiencies. SolarWinds is a well-known software services provider, and the company's initial public offering in December 2020 was followed by the revelation of a two-year-long cyberattack.

The SEC complaint alleges that SolarWinds and CISO Brown misled investors by overstating their cybersecurity protections and not accurately disclosing known risks. The company's filings with the SEC during this period allegedly provided only generic and hypothetical risks while specific deficiencies and elevated risks were known internally.

The SEC further claims that a series of communications in 2019 and 2020 indicated the company's awareness of its inability to defend critical assets from cyberattacks. This enforcement action highlights the importance of transparency and accountability in publicly traded companies' security practices.

While increased transparency regarding cybersecurity at publicly traded companies is essential, it presents challenges. Deciphering what constitutes a "material" attack event and educating investors about the complexities of cyberattacks are crucial. Companies must balance the need for transparency with the potential for incomplete information during the early stages of an incident investigation.

Investor reactions and stock price fluctuations following the disclosure of a security event will depend on their understanding of the incident's implications. For instance, a denial of service (DoS) attack may disrupt operations but not pose an existential threat, while a corporate espionage attack could have far-reaching consequences.

The SEC's disclosure rules must be accompanied by efforts to educate investors about the nuances of cyberattacks, security operations, and risk management to avoid causing unnecessary panic or undermining investor confidence.

READ MORE HERE

Active Exploit in the Wild – Patch Now

In the ever-evolving landscape of ransomware attacks, threat actors are continually enhancing their techniques and exploiting vulnerabilities. The recent exploitation of a critical vulnerability in Apache ActiveMQ by the HelloKitty ransomware group exemplifies the growing sophistication of ransomware campaigns. This particular vulnerability (CVE-2023-46604) allows remote code execution and arbitrary shell commands, earning a maximum CVSS score of 10.0.

The HelloKitty ransomware family, whose source code was leaked in October, was attributed to the exploit of this vulnerability. Their goal was to deploy ransomware binaries on target systems and hold victim organizations at ransom.

Ransomware attacks have become a lucrative business, with attackers reinvesting their proceeds to develop advanced tools and techniques. There is an increasing overlap between state-sponsored APT operations and cybercriminal ransomware attacks, and Linux versions introduced by ransomware operators are particularly concerning, as Linux systems are often crucial for critical infrastructure.

To combat ransomware, organizations must adopt a resilience strategy that includes robust endpoint protection, patch management, segmented data backups, access controls, employee training, and readiness for incident response. Planning for resilience in the aftermath of a successful ransomware attack is essential, as security incidents are increasingly inevitable in today's digital landscape.

READ MORE HERE

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.