Ransomware Roundup: 06.26.23

BlackCat/ALPHV Ransomware Gang Phished a Reddit Employee... And???

The BlackCat/ALPHV ransomware gang has claimed the February attack against social media platform Reddit, asserting that 80GB of data was exfiltrated.

The attack, alleged to have begun with a phishing operation aimed at employees, resulted in the attackers getting access to documents, source code, employee’s personal data, and information about the company’s advertising customers.

"After successfully obtaining a single employee's credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data),” Bleeping Computer reports a company spokesperson as saying.

“The threat actors say they attempted to contact Reddit twice, on April 13th and June 16th, demanding $4.5 million for the data to be deleted but did not receive a response. After not receiving a response, the threat actors now threaten to leak Reddit’s data if the company doesn’t pay the ransom and backtrack on their plans on charging for API access” Bleeping Computer continued.

Takeaway: Phishing attacks are always going to be an issue, and they continue to be one of the main infection vectors for ransomware. And while many in the industry continue to throw end-users under the bus for data breaches, the fact is it’s not their responsibility to assure systems are secure.

Yes, employees need to exercise a reasonable level of discretion in their daily work to assure they are not providing an easy avenue for attackers; that said, as an industry we need to abandon the “weakest link” excuse for the failure of our security operations up and down the stack.

Yes, employees are going to click on malicious links and open tainted attachments. Why? Because they are busy and distracted doing their jobs.  

And just as security staff are not overly concerning with things marketing budgets, customer acquisition and retention campaigns, facilities management and other critical business operations, corporate staff should not be expected to be the front lines for network defense.

In the case of a ransomware attack that starts with a phishing expedition, sure, maybe the employee messed up by clicking a bad link in a moment of distraction. We can all pile on them for not noticing the spelling error or poor grammar in the email, or that the URL was a typo-squat, or that the email meta data did not match up with the contents of the email, etc.

Buth where did security really fail?

It failed when it did not block the malicious email for the same reasons we want to blame the errant employee. It failed when it allowed malicious code to execute on the network. It failed when it allowed command and control to be established and additional executables to be downloaded. It failed when lateral movement and credential theft was not detected. It failed when it did not block sequences leveraging native network tools when the behavior was outwardly malicious. It failed when it did not detect and block the data exfiltration. And it failed when it did not prevent critical data and systems from being encrypted.

When you evaluate an attack like this and take all of the failures into consideration, blaming the failure of the entire security stack on one employee who mistakenly clicked a link is ridiculous. Millions of dollars of security that can be undone by one click is the problem, not the person who clicked.

MOVEit Exploit, Ransomware and Data Exfiltration Hits Gen Digital (Avast, Avira, AVG, Norton, LifeLock)

The Cl0p ransomware gang continues to exploit a known vulnerability (CVE-2023-34362) in the MOVEit managed file transfer software to compromise high value targets in rapid succession, now claiming an attack on security provider Gen Digital.

More than 100 organizations have victims have fell prey to the attacks, including the U.S. Department of Energy, Ernst & Young, Oregon’s Department of Transportation, the government of Nova Scotia, British Airways, the BBC, Aer Lingus, the Illinois Department of Innovation & Technology, and the Minnesota Department of Education (MDE).  

Gen Digital is the parent company of several well-known security brands like Avast, Avira, AVG, Norton, and LifeLock.

“We use MOVEit for file transfers and have remediated all of the known vulnerabilities in the system. When we learned of this matter, we acted immediately to protect our environment and investigate the potential impact. We have confirmed that there was no impact to our core IT systems and our services and that no customer or partner data has been exposed,” Security Week reports a Gen Digital spokesperson as stating.

“Unfortunately, some personal information of Gen employees and contingent workers was impacted which included information like name, company email address, employee ID number, and in some limited cases home address and date of birth. We immediately investigated the scope of the issue and have notified the relevant data protection regulators and our employees whose data may have been impacted.”

Takeaway: So, if government agencies in charge of nuclear facilities like the DoE and well-monied law firms like EY who sit on the Ransomware Task Force shaping our nation's response to this epidemic of extortion attacks can’t keep themselves from being victims, who can?

A hospital? A school district? A local PUD co-op? Forget about it.

Unfortunately, the answer is no one can. No one is immune from the possibility that one vulnerability in one piece of software can expose the organization to a disruptive and potentially devastating ransomware attack.  

And even if the organization is prepared for the worst-case scenario and is able to weather a ransomware attack - as you might expect a critical government agency or provider of security software and services to be – they may still have to contend with being extorted due to sensitive data being infiltrated.

It’s not all doom and gloom, though. Despite the fact that ransomware attacks are still making headlines daily, we have made a lot of progress in defending against ransomware attacks. The problem is that the attackers have a head start and are innovating as fast or faster than we can come up with solutions to defeat them.

It’s time we face some hard truths about the ransomware problem, namely that it is going to get worse before it can get better:

• We can’t “stop ransomware attacks” – despite what your friendly vendor may say. Attackers are going to attack as long as there is a financial incentive to do so.
• We can’t prevent every vulnerability, or exploitation of a vulnerability during an attack. Bugs are a part of the software lifecycle, and while we can certainly do a lot to reduce the number of vulnerabilities that make it to market, we can’t expect to prevent all.  

• We can’t expect frameworks and compliance checklists to keep our organizations secure. While they are a good starting point, we can see that even organizations with mature security operations can fall victim to a ransomware attack.

So, what can we do to reduce the risk that a ransomware attack will inflict irreparable damage to an organization? We can acknowledge the almost inevitable fact that we will be attacked and then focus on building resilience to reduce the potential impact of an attack.

A strong prevention and resilience strategy to defend against ransomware attacks includes:

• Endpoint Protection (EPP): Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/EDR/XDR) to bridge the gaps in ransomware-specific coverage
• Patch Management: Keep all software and operating systems up to date and patched

• Data Backups: Assure critical data is backed up offsite and protected from corruption in the case of a ransomware attack, and don’t store sensitive data unless it’s necessary
• Access Control: Implement network segmentation and policies of least privilege (Zero Trust)
• Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
• Resilience Testing: Regularly test solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems
• Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times

The detection/prevention side of the ransomware attack equation is important, but organizations also have to be prepared for failure by assuring they can quickly and decisively respond to a successful ransomware attack so any potential disruption to operations are kept to a minimum.

We will never be able to stop ransomware attacks, but we can stop them from taking an entire organization’s operations down by arresting the attack at ingress or lateral movement, by preventing data exfiltration, by blocking execution of the ransomware payload, and by rapidly recovering systems and minimizing downtime.

Ransomware Gang Targeting Cancer Centers – A New Low

Attacks leveraging living-off-the-land (LotL) techniques targeting cancer centers with ransomware prompts HHS to issue an alert to the healthcare sector, a favorite target of ransomware gangs.

The TimisoaraHackerTeam ransomware gang specializes in attacks on medical facilities and has been observed exploiting known vulnerabilities and using LotL techniques – leveraging native network tools – to remain undetected.

“Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and very effective technique of encrypting data in a target environment has paralyzed the health and public health (HPH) sector,” the notification from Health & Human Services’ Healthcare Sector Cybersecurity Coordination Center said as reported by SC Media.

HC3 says the attack on a cancer center “rendered its digital services unavailable, put the protected health information of patients at risk, and significantly reduced the ability of the medical center to provide treatment for patients”

Takeaway: Ransomware attacks against healthcare providers pose a significant threat to human life, and it’s only a matter of time before we may see these attacks end catastrophically.  

While the perception is that the healthcare industry is flush with cash and very stable, that is a misconception. The reality is that the healthcare system in our nation is largely operated by non-profit entities who work on shoestring margins.

Ransomware gangs have been hammering the healthcare sector for some time now, and some have taken to using very shady tactics in an attempt to force victim organizations to pay. Whatever data these groups can extract, they will weaponize in their extortion schemes. They will continue to do so until it is no longer profitable.

For example, earlier this year, the BlackCat /ALPHV ransomware gang attempted to extort a Pennsylvania healthcare provider by publishing private, compromising clinical photographs of breast cancer patients. The Lehigh Valley Health Network disclosed the attack in late February, stating they were refusing to pay the ransom demand, reported The Record.

These extortion tactics demonstrate that criminal ransomware groups have absolutely zero conscience in their targeting that there is no line they will not cross. Targeting cancer centers and even leaking confidential photographs of breast cancer patients is a shocking new low.  

Additionally, the use of more advanced techniques for obfuscation and evasion means that organizations with mature security programs are at risk - and most if not all healthcare organizations simply do not have mature security operations.

Healthcare and other critical infrastructure providers are a favorite target for ransomware attacks given they typically have the least resources to dedicate to security, the networks are often composed of older legacy components, and any downtime is extremely disruptive – or potentially lethal.  

Sony and PwC Join EY and DoE as Latest Targets in Cl0p Ransomware MOVEit Exploits

The Cl0p ransomware gang has claimed attacks on Sony and PwC, just days after asserting that they hit Earnst & Young and the Department of Energy, threatening to leak exfiltrated data if ransom demands are not met.

“Sony, EY and PwC are the latest big businesses to be listed on ransomware gang Cl0p’s dark web blog as the number of victims of a massive cyberattack perpetrated by the group continues to grow,” the TechMonitor reports.

“Cl0p has been exploiting a vulnerability in file transfer platform MOVEit Transfer and demanding ransoms from affected companies. It has named 95 supposed victims of the breach. The attack, which started earlier this month, could turn out to be one of the largest in history, with victims spanning the public and private sectors in the US, UK and beyond.”

Takeaway: Organizations are literally under siege right now by ransomware gangs leveraging vulnerability exploits. The Cl0p ransomware operators continue to exploit a known vulnerability (CVE-2023-34362) in the MOVEit managed file transfer software to compromise numerous high-value targets in rapid succession.

More than 100 organizations have victims have fallen prey to the attacks, including Oregon’s Department of Transportation, the government of Nova Scotia, British Airways, the BBC, Aer Lingus, the Illinois Department of Innovation & Technology, the Minnesota Department of Education, and more.

Companies like Sony, PWC and EY – as well as agencies that govern critical infrastructure like the DoE – ostensibly have very mature security programs. Yet, as evidenced by this spate of attacks, having a robust security program does not make you immune from a successful attack.

No one is immune from the fact that one vulnerability in one piece of software can expose the organization to a disruptive and potentially devastating ransomware attack. Even if an organization is prepared and is able to recover systems after a ransomware attack, they still have to contend with being extorted due to sensitive data being infiltrated.

Cl0p has been extremely active this year in campaigns exploiting vulnerabilities in the GoAnywhere and MOVEit file transfer programs, which is strong evidence that these ransomware operators are using automation to identify exposed organizations.

It is likely they have successfully exfiltrated large amounts of confidential information from the victims, and other targets may be experiencing data loss prior to the detonation of the ransomware payload, and they don't even realize they are in the midst of a major attack.

Whether or not Cl0p has been successful in effectively monetizing these compromises to collect the ransom demands is still unclear.  

While the earlier attacks did not elicit much of a response from the US government aside from some FBI/CISA joint alerts, the prospect that Cl0p has trained its sights on critical infrastructure targets - namely the Department of Energy - should prompt Federal authorities to ramp up their efforts against these operators.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.