Power Rankings: Halcyon Ransomware Malicious Quartile Q1-2024

Ransomware attacks in 2023 broke nearly all previous records, with the majority (75%) of organizations reported being targeted by at least one ransomware attack, and 26% reporting they were targeted with ransomware four or more times.  

All-in-all, the volume of attacks surged in 2023 by 55.5% year-over-year, and a report from Chainalysis revealed that payments to ransomware operators exceeded $1 billion in 2023, breaking all previous estimations.  

But the first quarter of 2024 is telling a bit of a different story, with some research indicating that ransomware attacks may have decreased by 20% or more from levels observed in the last quarter of 2023.  

Several factors may be at play in prompting the drop in attacks, including law enforcement actions against two of the top ransomware-as-a-service (RaaS) platform providers – LockBit and BlackCat/ALPHV - as well as a push by governments and some security experts to ban ransomware payments.  

Other factors may include a decrease in the mass exploitation of patchable vulnerabilities like we saw with the massive MOVEit campaign, and a possible “exit scam” by one of the disrupted ransomware gangs that has undermined trust in the profit-sharing RaaS business model.  

So, does this mean we are finally getting the upper hand in the fight against ransomware? It’s far too soon to tell, and while we may see significant disruptions in some of the most pervasive operations, these gains are likely short-term.  

Rather than getting too optimistic that we have found the magic combination of efforts that will result in a sustained decrease in ransomware attacks, it is much more likely that we are simply in the eye of the storm.  

Ransomware attacks remain extremely profitable, relatively easy to carry out, and the offenders face little-to-no potential consequences for their activities.

The Halcyon team of ransomware experts put together this RaaS and extortion group guide as a quick reference guide based on data from throughout Q1-2024. Download the full report here: Power Rankings: Ransomware Malicious Quartile.

Change Healthcare: Unprecedented Attack

Despite seeing a measurable decrease in the number of attacks in the first quarter of 2024, the impact from ransomware operations had never been more disruptive, as exemplified by the BlackCat/ALPHV attack against healthcare payment processor Change Healthcare that threatened the U.S. healthcare system with near collapse, as providers simply could not get reimbursed for services.

While Change Healthcare is basically a financial company and not a healthcare provider, nonetheless the attack the attack had widespread impact on both healthcare providers and their patients, for example:

• The New Mexico Cancer Center owed $2 million to its supplier of chemotherapy medication and is concerned the supplier will cut them off
• A therapist in Raleigh-Durham said that they hadn’t received payments of nearly $200,000 for services rendered
• The CEO of Pulse Wellness in Portland said they needed to either sell her home or use credit cards to meet payroll
• A Naperville was hospitalized as he was unable to pay out-of-pocket for medication typically covered by insurance

UnitedHealth, the parent company Change Healthcare, announced in March that it was pouring more than $2 billion into recovery efforts following what American Hospital Association CEO Rick Pollack described as “the most serious incident of its kind leveled against a U.S. health care organization.”

The attack was reported in February despite reports that a law enforcement operation back in December may have taken down the ransomware gang’s leaks website. The U.S. government had also announced a bounty of as much as $15 million for information leading to the arrest of BlackCat/ALPHV operators and affiliates.  

The takedown attempt apparently failed as the group appeared to have quickly regained control of the websites before claiming attacks on Trans-Northern Pipelines, Prudential Financial, and LoanDepot. This casts doubt on the whether law enforcement actions alone are an effective means to disincentivize ransomware attackers.

Despite being in the crosshairs of a major law enforcement takedown BlackCat/ALPHV operators were still able to carry out some really devasting attacks against some big-name companies like Change Healthcare, calling into doubt the effectively of these limited law enforcement actions.  

What remains to be seen is whether the subsequent exit scam by the ALPHV/BlackCat ransomware gang that cut affiliate attackers out of their share of a purported $22 million ransom payment from Change Healthcare will do more damage to the RaaS business model than the law enforcement actions.  

While the long-term impact has yet to play out, rumors of the exit scam no doubt fueled a lot of distrust between affiliates and RaaS providers, and this breakdown of trust will hopefully undermine the ransomware-as-a-service business model.  

Proxies and the Dual Nature of Ransomware Attacks

On thing that is not being talked about enough in the media and by policy makers is the very real potential that some ransomware operations may essentially be proxy attacks designed to further the interests of adversarial nations.  

For the most part, ransomware operators are out there trying to cause as much pain, publicity and frustration as possible because it translates into illicit dollars in their pockets.  

That said, we also cannot discount the dual nature of a good portion of today’s ransomware attacks, where the attackers may be serving themselves from a financial perspective but are also furthering a larger geopolitical strategy.  

The fact that ransomware attacks appear on the surface to merely be cybercriminal activity provides a convenient level of plausible deniability when those attacks also serve the larger geopolitical goals of rogue regimes like Russia, Iran and North Korea.  

We know that a good portion of ransomware operators also participate in nation-state sponsored attacks, and there is also a good deal of evidence that there is shared attack infrastructure and tooling between cybercriminals and nation-state operators.  

Research by Chainalysis found that 74% of all revenue from ransomware attacks in 2021 went to attackers "highly likely to be affiliated with Russia.” There is little doubt this level of activity is going unnoticed by the Putin regime.

This is why it is imperative that the US government and allied nations who are the targets of these attacks should consider differentiating at least some of the attacks and classify them as terrorist acts – specifically those attacks that target healthcare and other critical infrastructure functions like utilities and elections.  

Executive Order 13224 seems to be clearly applicable to some ransomware attacks, especially those against healthcare and other critical infrastructure providers:

‍“For the purpose of the Order, “terrorism” is defined to be an activity that (1) involves a violent act or an act dangerous to human life, property, or infrastructure; and (2) appears to be intended to intimidate or coerce a civilian population; to influence the policy of a government by intimidation or coercion; or to affect the conduct of a government by mass destruction, assassination, kidnapping, or hostage-taking.”

If we call these attacks what they are – terrorist attacks meant to instill fear and influence geopolitical issues – then we unlock a whole host of options for both offensive cyber and even traditional kinetic military responses as a deterrence.  

Ransomware attacks against critical infrastructure are a form of terrorism in and of themselves, and the fact that many of the attacks are so closely related to the geopolitical interests of adversarial nations and are providing plausible deniability on the part of nation-state actors means we can no longer address these issues as a criminal matter.

Q1-2024 Trends

Some interesting trends emerged in the first quarter of 2024:

Automation and Exploits:

• Threat actors were observed targeting improperly configured Microsoft SQL (MSSQL) servers in a massive campaign designed to deliver Mimic ransomware, with attacks detected in the European Union, the United States, and Latin America: Bleeping Computer
• Ransomware operators have been observed leveraging remote access tool TeamViewer by way of exposed or brute-forced credentials to compromise networks and deploy payloads developed with the LockBit builder: Bleeping Computer
• Exploit that takes advantage of a high severity bug in the Fortra GoAnywhere MFT software could allow attackers administrative permissions on a targeted device: The Hacker News
• The LockBit ransomware gang continued to exploit a known vulnerability in the Citrix NetScaler web application delivery control (ADC) and the NetScaler Gateway appliance: SC Magazine
• Threat actors were observed conducting automated scans for vulnerable aiohttp Python libraries that could allow unauthorized access to files on targeted systems when symlinks are not present: Bleeping Computer

Data Exfiltration:

• Threat actors claimed to have exfiltrated 27 TB of confidential data from Johnson Controls International which “holds classified/sensitive contracts for DHS that depict the physical security of many (Department of Homeland Security) facilities”: Bleeping Computer
• LockBit Threatened to release exfiltrated Fulton County documents that "contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election": Business Insider
• The Rhysida ransomware gang claimed they sold sensitive data exfiltrated in a February attack on Lurie Children's Hospital after putting it up for sale for $3.4 million: The Record
• Ransomware operators almost always target data backups in attacks and organizations with compromised backups were almost twice as likely to pay the ransom (67% versus 36%): TechRadar
• Ransomware operators threatened individual patients whose data had been exposed in a ransomware attack with swatting, a harassment tactic that involves calling in bomb threats or other false threats to law enforcement: The Register

Healthcare Disproportionately Impacted

• According to a new FBI Internet Crime Complaint Center’s (IC3) latest report, of the 16 industries designated as critical U.S. infrastructure, healthcare suffered more ransomware attacks than any other sector: Axios
• American Hospital Association CEO Rick Pollack said the attack on Change Healthcare is “the most serious incident of its kind leveled against a U.S. health care organization”: NBC News
• UnitedHealth, parent company Change Healthcare, is pouring $2 billion into recovery efforts as healthcare providers are in a serious financial crisis highlighting the impact of attacks on critical infrastructure: SC Media

LEO Actions

• The United States posted a bounty of up to $10 million for information leading to the identification of the Hive ransomware operation, despite the group being inactive following an LEO infiltration and takedown in 2022: Reuters
• Authorities disrupted LockBit’s infrastructure in February, but the group claims to still be active: Bleeping Computer
• Following an LEO takedown attempt, BlackCat/ALPHV appears to have voluntarily shut down operations in order to cheat affiliates out of a cut of the purported $22 million ransom payment from Change Healthcare: BleepingComputer

Regulators, Liability and Lawsuits

• The US Department of Health & Human (HHS) Services Office for Civil Rights (OCR) is investigating medical payments giant Change Healthcare to see if Change Healthcare was in compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security and Breach Notification Rules: Infosecurity Magazine
• Healthcare providers are increasingly facing lawsuits for failing to safeguard sensitive patient data and inadequately addressing ransomware attacks: Bloomberg Law
• Research indicates that filings made thus far under the new SEC four-day reporting requirement set are “not compliant with the new SEC cybersecurity incident disclosure rules: Forbes
• Law firm Mastagni Holstedt a filed lawsuit against managed service provider (MSP) LanTech LLC and data backup provider Acronis for more than $1 million in damages alleging the companies failed to protect the firm from a disruptive ransomware attack: MSSP Alert
• US Fertility (USF) settled a class action lawsuit for $5.75 million following a 2020 ransomware attack that included the exfiltration of sensitive data for nearly 900,000 people: Health IT Security

Ransomware attacks pose a significant threat to organizations of all sizes and industries. By fostering a culture of cybersecurity, investing in the right technologies and personnel, and developing comprehensive incident response and business continuity plans, organizations can minimize the impact of ransomware attacks and maintain a strong security posture.  

As well, in understanding and addressing the unique challenges that ransomware presents, stakeholders can work together to protect their organizations and maintain the trust of their customers and employees.  

Financial losses, operational disruptions, data exfiltration, reputational damage, legal consequences, and the evolving threat landscape are all factors that demand attention.  

To protect your business, invest in robust cybersecurity measures, engage in ongoing employee training, and cultivate a culture of cybersecurity awareness. Collaborate with legal counsel to navigate the legal and regulatory landscape and develop a crisis communication plan to address reputational damage.  

Defeating Ransomware: Metrics for Cyber Resilience

When considering cyber resilience and how to effectively assess and organizations posture, we must take into account that the threat landscape is continuously evolving, presenting formidable challenges to organizations striving to safeguard their assets and maintain operational continuity.  

Amidst this dynamic environment, the focus needs to emphasize not only the prevention of cyber threats but also the ability to swiftly detect, respond to, and recover from potential breaches.  

Achieving cyber resilience requires more than just robust cybersecurity measures; it demands a comprehensive understanding of an organization's preparedness to withstand and rebound from cyber incidents.  

Central to this endeavor is the strategic selection and diligent monitoring of key performance indicators (KPIs) and metrics tailored to assess cyber resilience effectively. Here are some of the essential metrics that can assist in bolstering cyber resilience:

• Mean Time to Detect (MTTD): This measures how quickly an organization identifies a cyber threat or incident. A lower MTTD indicates better detection capabilities, helping to contain the impact and prevent further spread during a breach.
• Mean Time to Respond (MTTR): MTTR measures how rapidly an organization responds to a detected cyber threat. Lower MTTR signifies quicker response capabilities, emphasizing the importance of efficient incident response procedures.
• Incident Response Plan Effectiveness: Evaluate the effectiveness of incident response plans by measuring factors such as containment time, communication efficiency, and coordination among response teams. Ensure plans are followed and updated to address evolving threats.
• Cybersecurity Training and Awareness: Track metrics related to employee awareness, training completion rates, and performance in simulated phishing exercises. Effective training programs are crucial in mitigating human error, a common factor in cyber incidents.
• Cybersecurity Hygiene: Monitor practices such as system patching frequency, vulnerability scanning results, and compliance with security policies. Strong cybersecurity hygiene forms the foundation of resilience and should be prioritized.
• Cyber Risk Exposure: Quantify risk based on asset criticality, vulnerability severity, and threat likelihood. Understanding risk exposure guides resource allocation and prioritization efforts.
• Third-Party Risk Management: Track metrics related to third-party assessments, compliance with security requirements, and incidents involving third-party vendors. Assessing and managing third-party risk is vital in today's interconnected business landscape.
• Security Controls Effectiveness: Evaluate the efficacy of security controls through metrics like IDS/IPS alerts, firewall rule effectiveness, and malware detection rates. Ensure investments in security technologies yield desired outcomes.
• Backup and Recovery Metrics: Measure backup success rates, recovery time objectives (RTO), and recovery point objectives (RPO) to ensure data resilience. Regular testing confirms that recovery processes align with business needs.
• Business Continuity and Disaster Recovery (BCDR) Metrics: Assess the organization's ability to maintain operations during and after a cyber incident by tracking RTOs, RPOs, and BCDR exercise success rates. Regular testing ensures readiness for real-world scenarios.

Effective cyber resilience requires a holistic approach that incorporates proactive measures, rapid detection, efficient response, and robust recovery mechanisms.  

By monitoring and optimizing these key metrics, organizations can enhance their ability to withstand and recover from cyber threats, safeguarding their operations and maintaining business continuity.

Lastly, think about how often the plan is tested and confirm disaster recovery planning. Sometime this is outside of cyber, but it's important to confirm that your plans can be implemented in a true DR scenario and services remain available.

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to fill endpoint protection gaps and defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more, and check out the Recent Ransomware Attacks resource site.