Ransomware Roundup: 07.24.23

FIN8 Observed Deploying BlackCat/ALPHV Ransomware

FIN8, a more traditional cybercrime gang that emerged in 2016 who typically engages in theft and fraud activity, has been observed delivering the BlackCat/ALPHV ransomware on networks previously backdoored with a known malware family dubbed Sardonic.

FIN8 is known to target the retail, hospitality, healthcare, and entertainment sectors, and is thought responsible for a number of impactful attack campaigns that compromised hundreds of victim organizations.

“The arsenal employed by this threat actor is extensive, encompassing a wide range of tools and tactics, including POS malware strains like BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea, as well as the exploitation of Windows zero-day vulnerabilities and spear-phishing campaigns,” Bleeping Computer reports.

“They've also switched from BadHatch to a C++-based backdoor known as Sardonic, which, according to Bitdefender security researchers who discovered it in 2021, can collect information, execute commands, and deploy additional malicious modules as DLL plugins.”

Takeaway: The assessment that cybercriminal group FIN8 is now dabbling in ransomware is not surprising – they are financially motivated, and ransomware is a big money maker. Their operation does underscore a few things worth noting.

First, ransomware operations and other network intrusion operations with the intent to harvest data to be used for financial theft and fraud are not altogether different animals.  

These operations require initial ingress into the targeted network and bypassing of the security apparatus, establishing persistence and command and control (C2), the use of malware and the abuse of legitimate network tooling, the escalation of privileges and lateral movement, the ability to exfiltrate sensitive data, and so on.

The biggest difference is whether or not the attackers decide to drop a ransomware payload at the tail-end of the attack. And as we have seen with some gangs like KaraKurt and BianLian, some ransomware groups have shifted to purely data extortion attacks, foregoing the delivery of the ransomware payload and focusing solely on data exfiltration for ransom.

FIN8’s reuse of malware that has previously been detected in the wild is not groundbreaking, as threat actors often use polymorphic versions of known malware variants, or simply repack code so that they can easily bypass traditional security tools, so this is nothing new.

But the fact that FIN8 includes POS malware in their repertoire in addition to the highly advanced BlackCat/ALPHV ransomware payload should be of particular concern to retailers, as the targeting of POS systems has the potential to severely impact retail operations.

Canadian Centre for Cyber Security: Ransomware Attacks Increasingly Sophisticated

The head of the Canadian Centre for Cyber Security says ransomware attacks are getting more common and sophisticated, with attackers now focused on stealing data and other sensitive information.

“They recognize that over time companies have become a little bit more sophisticated about having backups, so even if they lock the information technology, they can recover it from a backup,” Sami Khoury told Ottawa Citizen.  

“What they’re going after now is information.”

Khoury said just over 300 ransomware attacks were reported to the Canadian Centre for Cyber Security in 2022, about the same number reported from the year before.

“But I can assure you the real number is nowhere near that,” Khoury said. “The real number might be closer to add a zero maybe to it.”

Takeaway: There is an increasing overlap between cybercriminal and nation-state-supported operations, with ransomware attackers adopting more sophisticated TTPs that include leveraging zero-day exploits and advanced techniques like DLL Side-Loading, for example.

It is clear that the majority of ransomware gangs are either loosely affiliated or wholly controlled by the Russian government, with ample overlap between threat actors, tooling, and attack infrastructure.  

The Russians are very careful about how they conduct such attacks so they don't trigger an international incident that would elicit a response from the US or their allies.  

Using ransomware gangs las a proxy to conduct the attacks in order to maintain plausible deniability and thwart attribution is the strategy here. This is one of the key reasons cyber operations have become such an important aspect of larger geopolitical issues - attribution is hard.

While some measures seem to indicate that ransomware attack volumes waned or significantly decreased in 2022, 2023 attack volume thus far shows that the ransomware problem is not going away any time soon.  

Ransomware is still the number one threat to organizations, and the financial impact can be devastating.

As Cyber evolved into a theater of operations militarily, conventional thinking is that a major attack on critical infrastructure would likely only come as part of a larger operation that included traditional kinetic warfare. But this is in the context of nation-to-nation conflicts at the direction of governments.  

Western governments are in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks.

Ultimately, it's the Russian government that is both providing safe harbor for criminal elements conducting ransomware attacks with impunity and is very likely influencing some of their targeting.  

Until the US and allied government directly sanctions the Putin regime for their direct or tacit support, we will not see this spate of ransomware attacks abate any time soon. It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target.

ENISA: 54% of Attacks on Healthcare Providers Involve Ransomware

The European Union Agency for Cybersecurity (ENISA) published its first cyber threat landscape specifically looking at threats to the healthcare sector, finding that “ransomware accounts for 54% of cybersecurity threats in the health sector.”

Key findings in the ENISA report include:

• Healthcare providers accounted for 53% of reported security incidents, with hospitals the target in 42% of incidents, health authorities at 14%, and the pharma at 9%
• Only 27% of organizations in the healthcare sector had a dedicated ransomware defense program
• Patient data, including electronic health records, were targeted in 30% of incidents  
• Attackers intended to steal or leak healthcare data in 46% of incidents
• 80% of healthcare attacks involved exploiting vulnerabilities that resulted in 61% of security incidents

Takeaway: Unfortunately, healthcare providers are a favorite target of some of the most notorious ransomware operators, and the ENISA report highlights how these disruptive ransomware operators are intent on victimizing our fragile healthcare system.

There is no way to argue against the fact that the plague of ransomware attacks on healthcare providers pose a significant threat to human life.

Given how expensive healthcare is to obtain, the perception is that the industry must be very financially stable, but that is not the case. While some doctors and specialists may make a good living, the healthcare system in our nation is largely operated by non-profit entities who work on shoestring margins.

Ransomware attacks are the biggest threat facing organizations today, and healthcare providers have been hit particularly hard. Criminal ransomware groups know that the impact of an attack against healthcare organizations does not just disrupt everyday business; it directly affects the lives of their patients.

Ransomware operators are simply ruthless, heartless criminals with zero conscience, so they continue to victimize healthcare providers simply because they are easy targets. This sector typically lacks the appropriate budgets and staff to maintain a robust security posture despite grant money and technology donations from big companies. These organizations also lack the skilled staff required to properly manage and protect their infrastructure.

The average time it takes for an organization to recover from a ransomware attack has been pegged at three weeks (or more) according to multiple studies. While a private, profitable organization with ample resources may be able to weather a lengthy disruption to operations, patients cannot afford delays in treatment without putting their health or lives at risk.

And if a healthcare organization loses the ability to bill and be reimbursed for services rendered, it cannot sustain operations, pay for medical supplies, make regular payroll dates, and more. Ransomware attacks are extremely disruptive to any victim organization, but for healthcare providers, it can literally mean an end to their mission or worse – loss of life.

Cyber Insurers Struggle to Cover Evolving Ransomware Attacks

Cyber insurance carriers are struggling to provide effective coverage in an evolving ransomware threat landscape where operations are more commonly focused on data theft and extortion and don’t always include a ransomware payload.

Groups like KaraKurt and RansomHouse have focused solely on data extortion for some time, with other traditional ransomware operators like BianLian and more recently Cl0P following suit in many attacks.

“Over the course of 2022, CrowdStrike discovered that 71% of all recorded attacks were malware free. When it came to ransomware activity, the cybersecurity vendor observed a 20% increase in the number of threat actors using data theft and extortion without deploying ransomware,” Tech Target reports.

“For cyber insurance carriers that play a significant role in ransomware response, that means re-examining policy requirements and the incident response process as well as applying increased focus on data security. Even though ransomware attacks that see no encrypted systems are generally less disruptive and costly, enterprises are facing further reductions in coverage and increased costs amid this shift.”

Takeaway: There are so many issues around how best to approach insuring against losses stemming from cyberattacks; it's a difficult subject to encapsulate, especially regarding coverage for ransomware attacks.  

On the macro level, it's about accurately quantifying risk in an area where the risk factor is constantly changing as threat actors constantly improve their capabilities and mature their business models.

As it stands, insurance companies have not been able to put their finger on the magic equation that allows for affordable policies for both the insured and the insurer. Ransomware attacks vary in severity; ransom demands range from tens of thousands to tens of millions of dollars; differing organizations handle different kinds of sensitive data that put them in different liability categories; organizations use a wide range of endless combinations of security solutions, each filling one small gap in protection, all of which need to work together to prevent a disruptive event.  

This is a really complicated ecosystem.

Then there is the issue of being in compliance with the terms of the policy. If an organization practices a checkbox approach to security compliance, they may have all the boxes checked as far as the required controls being in place, but they may be surprised to find that a claim is denied because of common issues like misconfigurations or the inability to patch against vulnerabilities in a timely manner.  

Then there is the data exfiltration issue; most ransomware attacks today include data exfiltration prior to the encryption of systems. The kind of data that was compromised can be a major variable in potential losses to the victim organization.  

Regulated data like personally identifiable information (PII) can be especially problematic from a liability perspective, and we are seeing more and more lawsuits following data loss events associated with ransomware attacks.  

The loss of intellectual property that could impact the viability and competitiveness in the market of a business over time is extremely hard to quantify, and likely not covered by cyber insurance.

In short, customers are facing more restrictive policies with add-ons for covering ransomware-related losses, more comprehensive audits of security controls, and ever-increasing premiums, while insurance providers are facing a crunch on pricing the policies accurately to cover the losses they see in the real-world, which are continuing to grow.

More focus needs to be placed "left of boom" - at initial ingress, command & control (C2), lateral movement, data exfiltration, and so on. If we are doing our jobs right, and stop an attack at these earlier stages, then we would not even know it was a ransomware attack, just another run-of-mill intrusion event.

As well, there is not enough focus on what comes after "boom" - how the organization can plan for the failure of security controls and be positioned to respond efficiently and effectively to a future ransomware attack, making the organization and its operations as resilient as possible by reducing the potential for mass disruption.  

Detecting and blocking the ransomware payload is really important, but we know we can't be 100% on this, so if we put more emphasis on detecting and blocking what comes before the ransomware and what steps to take after it, this will go a long way to better quantifying risks and stabilize the very volatile cyber insurance market.

Ransomware Unhinged: A Week of Threats and Extortions

June 24th, 2023 marked a flurry of ransomware attacks around the globe, with various sectors falling prey to vicious cyber criminals.  

Renowned ransomware gangs flexed their criminal muscles on unsuspecting victims, leveraging their nefarious tactics to compromise data and demand exorbitant ransoms.  

Let's dive into these attacks to understand the methods employed and the severity of the threats involved:

Akira Targets Global Finance

Perpetual Limited, a global financial services organization based in Sydney, Australia, faced a brazen attack from the Akira ransomware gang. Having announced their existence only a month ago in May 2023, the Akira gang wasted no time in making their mark.  

They claimed to have stolen a staggering 700GB of highly detailed business information from Perpetual Limited, placing this data under a dire threat of exposure.

Akira operates by using the Windows Restart Manager API, effectively shutting down processes or terminating Windows services in use, allowing the encryption process to proceed unhindered. Upon successfully encrypting the files, Akira places a ransom note in every folder - a chilling warning to its victims.  

The gang's alarming promise to sell the compromised data on the dark market, should negotiations fail, underscores the severity of the threat. The gang's unique retro-themed data leak site serves as an eerie reminder of their thorough planning and significant resources.

Medusa's Menace on Academia

Simultaneously, the Medusa ransomware gang set its sights on the academic world, specifically targeting Matej Bel University in Slovakia. The public research university, with a student population of 6700, was thrust into a state of uncertainty as the gang claimed to have exfiltrated a significant volume of data.

Medusa has earned a reputation as one of the more active Ransomware-as-a-Service (RaaS) platforms, especially since late 2022. The gang leverages sophisticated methods, such as rebooting infected machines in safe mode, disabling recovery options, and deleting shadow copies to avoid detection and thwart recovery attempts.

The ransom demand from Medusa stands at a hefty $500,000, with threats of publishing the exfiltrated data should the university fail to comply by June 3rd. This attack is a reminder of the ever-looming threat of ransomware in the academic sector.

Akira's Second Blow - Galveston College

The same day, the Akira gang struck again, this time against Galveston College in Texas. The public community college faced a daunting threat as Akira claimed to have stolen 99GB of student information.  

Following a similar pattern as their previous attack, Akira threatened to sell the compromised data on the dark market, plunging the institution into a potential crisis.

BianLian's Crane Heist

In a less conventional attack, the BianLian ransomware gang targeted American Crane Rental, a Californian crane company. The gang claims to have stolen a hefty 249GB of data, including accounting and project data, files from user PCs, and information about subcontractors and vendors.  

With threats to publish all stolen data by July 5th if a ransom isn't paid, BianLian has raised the stakes considerably.

BianLian, infamous since June 2022, has repeatedly targeted various critical infrastructure sectors in the United States and Australia, and recently expanded their scope to include professional services and property development sectors.  

The group primarily focuses on data exfiltration-based extortion and uses valid Remote Desktop Protocol (RDP) credentials to gain unauthorized access to victims' systems.

In conclusion, this week's spate of attacks underscores the escalating threat of ransomware. Whether it's finance, academia, or industry-specific companies, no sector is immune.  

These attacks remind us of the importance of robust cybersecurity measures and highlight the need for continuous vigilance against such relentless threats. Stay tuned for more updates on these stories and the world of ransomware.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.