Ransomware Roundup: 07.10.23

Ransomware Attacks Spur Class Action Lawsuits

A Whitworth University student is attempting to establish a class action lawsuit against the college for damages related to a ransomware attack in July 2022 that impacted more than 65,500.

The university first reported the incident as a “sophisticated security issue” before confirming that it was a ransomware attack with the Washington attorney general’s office.

The lawsuit, which seeks damages of more than $5 million, alleges that Whitworth was “negligent in allowing a still-unidentified attacker to access health, financial and personal data of past and present students, staff and faculty.”

Whitworth alerted those impacted that their names, student ID numbers, state ID numbers, passport numbers, Social Security numbers and health insurance information were likely compromised in that attack.

The lawsuit asserts that Whitworth “should have done more to prevent a ransomware attack, a method of online extortion in which a hacker gains access to information then demands payment to prevent it from being released or to return control of the data back to its owners,” the Spokesman-Review reports.

Takeaway: On average, a ransomware attack costs more than $4M. To fully remediate These costs do not include potential losses from lawsuits and other tangential costs like damage to the brand, lost revenue, lost production from downed systems, and other collateral damage, such as Intellectual property and regulated data loss.  

Even if organizations are prepared to respond and recover from a ransomware attack, the fact that sensitive data was stolen or exposed puts them at additional liability risk from lawsuits.

Most ransomware attacks today include data exfiltration prior to the encryption of systems. The stolen data is used as leverage to compel the victim to pay the ransom demand with the threat of releasing or otherwise exposing the data if payment is not made.  

These “double extortion” schemes may also involve the demand for an additional ransom payment to ensure the data is not leaked or sold on the dark web. The exposure of this data in ransomware attacks is more often leading to lawsuits, some reaching class-action status.

The data exfiltration tactic has been so successful that some threat actors even like BianLian and Karakurt skipping the encryption stage and moving to straight-up data extortion

For many organizations, this exposure of customer data has regulatory implications and can lead to lawsuits and fines. Additionally, sensitive data on corporate transactions, patents, etc. can end up in the attackers' hands and be sold to the highest bidder on dark web forums.

There is a lot of focus on the delivery of the ransomware payload, but we have to remember that this occurs at the end of the attack sequence when the damage to the victim organizations has already likely occurred.

Given how much effort goes into laying the groundwork for these attacks, we are not putting enough emphasis on these early stages of the attacks where the threat actors are preparing the environment for delivery of the ransomware payload. There are days, weeks or potentially even months of detectable activity on the network prior to the final payload, and a lot of data is leaving the organization over the course of the attack.

The defense mindset here needs to shift to the left significantly where we are addressing ransomware attacks first as an effort to prevent the attackers from exfiltrating data.  

With an eye on resilience in developing a security posture, organizations can limit the impact of a ransomware payload on operations, but they also need to ensure that sensitive data is not compromised earlier in the attack in order to prevent the potential for costly litigation.

8Base Ransomware Attacks Spike in May and June

The 8Base ransomware gang has displayed a "massive spike in activity" according to reports, with 67 attacks as of May 2023, with about half of targets in the business services, manufacturing, and construction sectors.

Having first emerged around March of 2022, 8Base bears a "strikingly similar” profile to that of the RansomHouse operators, with overlap in the ransom note language and on its data leak portal.

"The verbiage is copied word for word from RansomHouse's welcome page to 8Base's welcome page. This is the case for their Terms of Service pages and FAQ pages," the Hacker News reports.

Researchers noted that a Phobos ransomware sample uses an .8base file extension for encrypted files, raising the prospect that 8Base could be a successor of the Phobos gang, or that “the attackers are simply making use of already existing ransomware strains without having to develop their own custom locker.”

"The speed and efficiency of 8Base's current operations does not indicate the start of a new group but rather signifies the continuation of a well-established mature organization," the researchers said. "Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen."

Takeaway: With a precipitous decline in attacks over 2022, some researchers supposed that ransomware 2023 attack volumes would also show a decline, but the fact is thar ransomware is still the number one threat to organizations, with dozens of new groups emerging.‍

The lull in attacks in 2022 does not reflect a move by threat actors away from ransomware, but instead is evidence that these malicious actors can be diverted from their criminal activities to support state-sponsored operations as directed by the Russian regime.  

March 2023 will go down in the books as the most prolific period so far for the volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year.

Ransomware is big business, and criminal threat actors will only move away from extortion attacks if they become unprofitable, which given the pace of successful attacks seems unlikely in the near future.

It is more than apparent that the majority of ransomware gangs are either loosely affiliated or wholly controlled by the Russian government, with ample overlap between threat actors, tooling, and attack infrastructure.  

The observed overlap between threat groups, their code base, TTPs and other indicators of compromise makes the task of tracking these groups even more difficult. We typically had RaaS providers who typically use the same moniker as their ransomware variant.  

Then we have seen these groups disband and rebrand or form other attack groups using a combination of ransomware and TTPs previously seen in use by other groups. We have also seen affiliate groups who had previously been lumped in with the RaaS providers who have branded and may use a variety of RaaS platforms for attacks.

As well, we have seen multiple threat groups developing new variants to target Linux and at least one put forth a MacOS variant, as well as increasing encryption speeds and adopting more exploit automation and bespoke tools for bypassing security and more efficient data exfiltration.

Groups like 8Base demonstrate that we have not even begun to see an abatement of the ransomware problem, and it is only a matter of time before we see some really big, disruptive attacks against our critical infrastructure providers.

We will never be able to stop ransomware attacks, but we can stop them from being successful by arresting the attack at ingress or lateral movement; by preventing data exfiltration; by blocking execution of the ransomware payload; by rapidly recovering systems and minimizing downtime.

MoveIT Exploits: Why Don’t They Just Patch?

Ransomware gangs are actively exploiting a vulnerability in Progress Software’s MOVEit file transfer app, which is used by thousands of organizations around the world.  

A number of organizations whose supply chains include the MOVEit application have suffered a data breach as a result, with customer and/or employee data being exfiltrated.

Progress (the vendor who produces the MOVEit software) has issued updated advice on mitigating this vulnerability, which includes a new patch for additional vulnerabilities that could be exploited.  

MOVEit customers should apply the latest vulnerabilities fixes, as described in the MOVEit Transfer Knowledge Base Article (Updated 15th June).

Takeaway: Many are wondering, why didn't these organizations who are getting hit by ransomware gangs taking advantage of the MoveIT vulnerability – and others like the bug in GoAnywhere – jump into action and patch vulnerable applications?

In many cases, patching is not as easy as just downloading the most current version of a vulnerable software, it can be a highly complex task for some organizations.  

In order to avoid breaking critical business systems, patches often need to be applied in a development environment and tested prior to introducing the updates in the production environment.  

Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied haphazardly. Thus, there can be months or more of work to do before they can be protected.  

Assessing risk exposure is not always a simple process either if the organization does not have good visibility into all the systems and software running in their environment.  

For example, when the Log4Shell exploit emerged organizations had to scramble to assess where their exposure was because the Log4J utility is so widely used with little in the way of documentation as to where the look for it - hence the pish for a Software Bill of Materials (SBOM) to make this task easier.  

Then of course, unfortunately there are bug fixes releases all the time, and in many cases timely patching is simply not a high priority for some organizations because their IT and security staffing and resources are minimal, especially in sectors that are predominantly non-profit or run on thin margins like healthcare, education, retail and others.

Akira Ransomware Gang Adds Linux Machines to Addressable Targets

While there is constant change in the ransomware economy, what has not changed is the fact that these criminal organizations continue to be profitable.  

Also, the increase in data exfiltration associated with ransomware attacks is presenting a whole other problem for victim organizations.

A ransomware gang known as Akira has recently become very active and has expanded its addressable target range in developing a Linux version.

“The Akira ransomware specifically targeted a wide range of industries during its attacks, encompassing sectors including Education, Banking, Financial Services and Insurance (BFSI), Manufacturing, Professional Services, and more” noted GBHackers.

“The group has already compromised 46 publicly disclosed victims, most of whom are in the United States."

Takeaway: More ransomware gangs have been developing Linux versions over the last year, but not much attention has been paid to what this trend means for the ransomware threat landscape. We should be concerned – very concerned.

While Linux has a much smaller footprint than Windows systems overall, Linux runs the most important systems including the vast majority of web servers, most embedded and IoT devices used in manufacturing and energy, almost every smartphone and supercomputer, almost all of the US government and military, and pretty much all of the critical backbone systems in any large network.

Yet, we barely see discussion around ransomware advancements in targeting Linux systems in the media. Groups like LockBit, IceFire, Black Basta, Cl0p – and now Akira and others – have all developed Linux targeting capabilities, which makes the likelihood we will see widespread, really disruptive ransomware attacks in the near future a distinct possibility.

The takeaway here is that any organization running critical Linux distributions should start preparing to defend these systems – but defending them is a challenge. Linux systems have very few security solution options available, and virtually none that focus on stopping specifically ransomware.

The targeting of Linux systems has the potential to cause a serious disruption beyond the scale of what we saw in the Colonial Pipeline attack. The consequences of not redoubling our efforts to defend Linux systems could prove catastrophic.

‍LockBit Hits Semiconductor Giant TSMC with $70 Million Ransom Demand

The world’s biggest computer chip maker, Taiwan Semiconductor Manufacturing Company (TSMC), fell victim to the LockBit ransomware gang, reporting that data was exfiltrated but that operations were not disrupted.

“The Russia-linked LockBit ransomware gang listed TSMC on its dark web leak site on Thursday,” TechCrunch reports.

“The gang is threatening to publish data stolen from the company, which commands 60% of the global foundry market, unless the company pays a $70 million ransom demand. This is one of the largest known ransom demands in history...”

Takeaway: Ransomware is a multi-billion-dollar business that rivals and even exceeds many legitimate market segments.  

We have witnessed ransomware attacks evolve from nuisance attacks with little impact on business operations and minimal ransom demands to become one of the biggest threats to businesses and our critical infrastructure with ransom demands now well into the tens of millions.  

There really is no limit to the disruptive power and financial impact from ransomware attacks. New RaaS groups are emerging all the time, and they are introducing new tactics, techniques, and procedures including automation of aspects of the attacks - like exploiting vulnerable software like MoveIT and GoAnywhere - and custom tooling for more efficient data exfiltration.  

They have also been expanding their addressable target range by introducing Linux versions, which put at risk the most critical of systems, and at least one group has now developed a MacOS version.  

It likely won't be long before the $70M ransom demand record is exceeded - the only constraints being an organization's ability to pay. If all or a good portion of the demand is paid to the attackers, it will certainly incentivize the RaaS groups and their affiliates to continue advancing their attacks.  

Initial analysis of attack trends in the first half of 2023 show that we are on pace to smash records for the volume of attacks, so it won't be a surprise to see other measures exceed previous levels, including ransom demands amounts.

Authorities are sufficiently motivated to address the growing ransomware problem but like with any emerging threat it takes time to determine what tactics will be effective, what actions will be legal under international law, and then to establish the channels for collaboration with our international partners to stand up an effective strategy to address ransomware attacks.  

Thwarting attackers is extremely difficult - first there is the attribution issue. Attack infrastructure used by ransomware operators may include public cloud providers or compromised networks of otherwise uninvolved entities, obfuscating who the actual culprits are.  

As well, many of these threat actors operate out of nations like Russia and other former Soviet bloc nations where they have no fear of reprisal as long as they don't interfere with the objective of their nation-state hosts.  

In fact, there is plenty of evidence that many of these attack groups are also directly controlled or deeply influenced by Russian and Russian-aligned nations.  

This complicates the task of pursuing the attackers and bringing them to justices, as well as crating the potential that a cybercrime incident could rise to the level of warfare, which would trigger an entirely different set of laws and rules of engagement while raising the potential geopolitical stakes significantly.  

While law enforcement actions are commendable, the only way we can end these operations is to make ransomware attacks unprofitable, and unfortunately, we are far from achieving this goal.  

Resilience planning can go a long way to achieve this though, where organizations have the capabilities in place to detect attacks earlier, to prevent the exfiltration of sensitive data that can be leveraged for extortion, and ensuring they can quickly mitigate the attack and return to normal without a major disruption to operations or the need to pay the attacker's ransom demands.  

These are achievable goals, but they require a willingness on the part of the organization to make the required investments in their security and business continuity posture, and then stress test these policies and procedure regularly through tabletop exercises that simulate a successful ransomware attack.  

Preparation is critical here if we want to counter this scourge of attacks.

Ransomware Operators Are Exposing Children’s Most Sensitive Information

Minneapolis Public Schools were facing a March 17 deadline to pay a $1 million ransom demand after attackers posted sensitive data that was exfiltrated as leverage in a ransomware attack.

Noe the district and the families they serve are facing the exposure online of the most intimate details of some student’s lives as more confidential documents are dumped online by ransomware gangs.

The data includes descriptions of sexual assaults against students, psychiatric diagnosis, abuse, truancy, suicide attempts, and more.

“Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom,” the Associated Press reports.

“Other exposed data included medical records, discrimination complaints, Social Security numbers and contact information of district employees.”

Takeaway: We are seeing record-setting attack levels against schools in recent months causing more than disruptions to operations - these attacks are impacting the lives of some of the most vulnerable children.  

The exposure of such intimate details of abuse, of student mental health status, and other extremely sensitive information is just heartbreaking.  

Unfortunately, that's the strategy of the attackers: the more pain they can inflict, the more money they can potentially make. Ransomware operators are ruthless and will continue to victimize the education sector simply because they are easy targets.  

The targeted schools are in a difficult position, where authorities like the FBI advise them not to pay the ransom demand, but now they have some culpability for further damaging the lives of these children and their families for having not paid.  

There are no easy choices here. There is no way to put a price tag on the lasting impact this will have on these kids.

Schools lack the needed funding to maintain even basic security programs, so they cannot be expected to defend adequately against well-funded, highly skilled threat actors. The legacy security tools that are affordable to schools are simply not capable of addressing the unique threat that ransomware presents.  

Ransomware operators and other threat actors routinely bypass, blind, evade or otherwise circumvent these defenses with little effort.

The exposing of these students' most private affairs will continue to put them at risk of discrimination, extortion, identity theft and financial fraud well into the unforeseeable future.  

Schools need more resources to protect vulnerable students, but they cannot do this without adequate funding. Guidelines are good, but they cannot implement the guidelines if they do not have the resources and skilled personnel.

If we are concerned about protecting children and preventing school closures, we need to make sure they have the funding they need to be successful against these well-resourced attackers.  

It comes down to a choice, and thus far we have not collectively made the choice as a society to adequately invest in protecting our students and schools from the most nefarious of international criminal organizations.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.