Ransomware Roundup: 06.12.23

Paying the Ransom: More than 20% Still Do Not Recover Data

According to newly published research, 80% of the organizations surveyed decided to pay a ransom demand despite more than half having a “do not pay” policy with regards to ransomware attacks.  

Of the organizations that paid a ransom, 21% were unable to fully recover their impacted data, and 74% reported an increase in their cyber insurance premiums following the attack.

Takeaway: We see again and again that negotiating with criminals who have zero concern for their victims beyond their ability to pay up is no guarantee of a swift or certain resolution to a ransomware attack. It's likely the actual attackers simply do not have the prerequisite skills necessary to undo the damage they inflict - affiliate attackers rent the attack infrastructure, but that does not mean they have either the technical prowess or motivation to assure the victim is returned to a normal operating state.

The debate on whether to pay ransom demands or not has become a contentious issue among experts. The simple answer is that victims should never pay a ransom demand, which would significantly diminish the financial incentives for these attacks. In most circumstances that would be the logical approach, but it may not seem like the right approach for every organization.

For instance, it may be within the risk tolerance of a retailer to refuse a ransom demand even though downtime is costing the organization revenue while recovery efforts are underway. But what about a hospital who urgently requires access to systems where any delays could pose a risk to human life? In these cases, the decision on whether to pay a ransom demand is more complicated.

This is why experts are divided on whether organizations should pay ransomware demands. Those who advocate for paying the ransom believe that it's the quickest and easiest way to regain access to valuable data and is the best way to reduce the overall impact of an attack. They argue that the cost of paying the ransom is often lower than the cost of restoring data from backups or the potential financial losses incurred from delayed recovery.

On the other hand, those who oppose paying the ransom argue that doing so only encourages cybercriminals to continue their attacks by reinforcing the financial incentives that drive ransomware attacks.

They point to examples where paying the ransom did not guarantee that the victim's data was restored or cases where the data was corrupted during decryption. They also point out that most victims who paid a ransom demand were attacked again, often by the same threat actor who demands a higher ransom payment knowing the victim is likely to pay.

Additionally, paying a ransom does not address the root cause of the problem, which is the vulnerability of the victim's systems to ransomware attacks. Organizations should focus on implementing both preventative and organizational resilience measures to protect their data from future attacks and assure the organization is ready to respond effectively to a ransomware attack. By taking these measures, organizations can reduce the potential impact of a ransomware attack.

Ransomware Attack on MCNA Dental Insurance Exposes Data of 9 Million Patients

A ransomware attack in February against MCNA Dental Insurance, one of America’s largest dental health insurers, exposed the personal information nearly nine million patients in the largest breach of health information so far this year.

“The information stolen includes a trove of patients’ personal data, including names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, and driver’s licenses or other government-issued ID numbers,” TechCrunch reports.

“Hackers also accessed patients’ health insurance data, including plan information and Medicaid ID numbers, along with bill and insurance claim information. In some cases, some of this data pertained to a patient’s ‘parent, guardian, or guarantor,’ according to MCNA Dental, suggesting that children’s personal data was accessed during the breach.”

Takeaway: Criminal ransomware groups have shown time and time again that there is no line they will not cross. Whatever data these groups can extract from a target will be weaponize in their extortion schemes. The patients whose personal information is stolen will continue to be at risk of identity theft and financial fraud well into the unforeseeable future.

Ransomware attacks that include the theft of sensitive data will continue unabated until the profit motives for the threat actors are eliminated. This is organized crime we are dealing with; they only care about bringing pain to victims for their own financial gain.

Ransomware groups continue to victimize the insurance providers simply because they are for the most part easy targets, and they have a wealth of personally identifiable information.

Legacy security tools like Antivirus and NextGen Antivirus are simply not designed to address the unique threat that ransomware presents. And even if the insurance and healthcare sectors had better solutions to assist them, they would still lack the staff to properly manage them and realize any benefits.

To protect themselves and their patients, organizations that handle personally identifiable information (PII/PHI) must reevaluate what kinds of data they collect and store and for how long. Eliminating the unnecessary storage of sensitive data will make organizations a less attractive target to attackers and help reduce collateral damage after a successful attack.

Since the options for prevention are limited, the focus should on implementing a resilience strategy and assume they will be the victim of a ransomware attack and have the contingencies in place to recover as quickly as possible. This includes endpoint protection solutions, patch management, data backups, access controls, staff awareness training, and organizational procedure and resilience testing to be successful.

Organizations need to plan for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times. A determined attacker with enough time and resources is going to find a way around security controls. Planning to be resilient in the aftermath of a successful ransomware attack is the best advice there is - putting all your efforts into prevention alone is just not going to be enough.

BlackCat/ALPHV Ransomware Upgrades Increase Encryption Speed and Stealth

The BlackCat/ALPHV ransomware developers released an improved variant dubbed Sphynx that dramatically increases both encryption speed and stealth in bypassing security solutions.

“BlackCat, also called ALPHV and Noberus, is the first Rust-language-based ransomware strain spotted in the wild. Active since November 2021, it has emerged as a formidable ransomware actor, victimizing more than 350 targets as of May 2023,” The Hacker News reports.

“The findings provide a window into the ever-evolving cybercrime ecosystem wherein threat actors enhance their tooling and tradecraft to increase the likelihood of a successful compromise, not to mention thwart detection and evade analysis.”

Specifically, the Sphynx version of BlackCat incorporates junk code and encrypted strings, while also reworking the command line arguments passed to the binary.

The Sphynx variant also automates network discovery to identify additional systems to infect and deletes volume shadow copies to prevent restoration via security tool “rollback” features.

Takeaway: BlackCat/ALPHV is easily the biggest threat out there right now in the ransomware threatscape, as noted in our recently published report, Power Rankings: 2022 Ransomware Malicious Quartile. While they have not reached the volume of attacks that counterparts like LockBit boast, they certainly have the most technically advanced RaaS platform offering in the market.

First observed in late 2021, BlackCat/ALPHV already had a well-developed RaaS platform and was one of the more active groups over the last year. Reports that they have improved encryption speed and the ability to circumvent security solutions are of concern.

BlackCat/ALPHV has the ability to disable security tools and evade analysis. BlackCat/ALPHV had rapidly become one of the more active RaaS platforms over the course of 2022, and typically demands ransoms in the $400,000 to $3 million range.  

BlackCat/ALPHV was observed to be the first ransomware group using RUST, a secure programming language that offers exceptional performance for concurrent processing. The ransomware also leverages Windows scripting to deploy the payload and to compromise additional hosts.

BlackCat/ALPHV has a wide variability in targeting, but most often focuses on the financial, manufacturing, legal and professional services industries and exfiltrates victim data prior to the execution of the ransomware – including from cloud-based deployments - to be leveraged in double extortion schemes to compel payment of the ransom demand.

The automation of network discovery to expand the range of addressable targets is also concerning. Automation means ransomware operators hit more victims faster, which translates to more ransoms collected and more fiscal pain for the victim organizations, which is the name of the game for these threat actors.

For example, hundreds of organizations have been hit in early 2023 by the Cl0p ransomware gang as they continue to exploit a known vulnerability in the GoAnywhere software. We are also seeing signs of automation is attacks exploiting a similar vulnerability in IBM Aspera Faspex. ‍

As well, recently researchers published analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for its automation, encryption speed, stealthy DLL side-loading, and advanced security evasion.

Additionally, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.

These are multi-staged attacks, where the threat actors are designed to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion. This ingress and lateral movement on the targeted network takes time, so automating aspects of the attack sequence allows threat actors to compromise targets faster.

Some of these automated techniques and attack tooling are extremely difficult to detect, but many of these techniques can only be leveraged if the target has left themselves open to the attack. Simple things like not using weak or default passwords, which helps prevent brute-force or dictionary attacks.

Timely patching of vulnerabilities – both old and new - is another big one all organizations should prioritize to prevent exploitation. These attackers are out there somewhere scanning for any opening into the target network they can find.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.