Ransomware Roundup: 09.11.23

August Sees Ransomware Attacks on Education Sector Spike

The education sector has long been a favorite target of ransomware operators, and August attack volumes spiked just as schools were getting ready for the fall term.

“Attacks spanned K-12 schools and universities and were consistent with ransomware gang behavior. Operators increasingly targeted the sector in June prior to the school year wrapping up for the summer,” TechTarget reports.

“Despite data indicating that the majority of schools don't give in to ransom demands, attacks have typically increased as classes resume in August and September."

Takeaway: Ransomware operators have zero conscience, and they seek out weakness in their target selection. They continue to victimize organizations in education (and healthcare) simply because they are easy targets.  

These sectors often lack the appropriate budgets to maintain a sound security posture, and likely lack the staff to properly manage and protect their infrastructure.  

Even if the attack itself is resolved, students whose personal information was stolen will continue to be at risk of identity theft and financial fraud into the unforeseeable future.  

Ransomware attacks and data exfiltration will continue unabated until profit motives are eliminated.  To protect themselves, EDU organizations must reevaluate what kinds of data they collect and store, for how long and pinpoint where it’s stored.  

Institutions continue to maintain legacy student data that includes financial and personally identifiable information that attackers can leverage to compel a ransom payment or sell on the black market.

Eliminating the storage of unnecessary data will help make EDU organizations a less attractive target to attackers, thus, minimizing potential threats to operations, staff and students.

Targeted Attacks on Microsoft SQL Deliver Ransomware

Ransomware operators are again targeting exposed Microsoft SQL Server (MSSQL) databases with brute-force credential attacks that seek to deliver Cobalt Strike and ransomware payloads.

"The typical attack sequence observed for this campaign begins with brute forcing access into the exposed MSSQL databases. After initial infiltration, the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch several different payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant called FreeWorld," DarkReading reports.

“The attackers also establish a remote SMB share to mount a directory housing their tools, which include a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk; and they deploy a network port scanner and Mimikatz, for credential dumping and to move laterally within the network.”

Researchers noted that the techniques are more advanced than typically seen in ransomware operations, noting that "what truly sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors.”

Takeaway: Today's ransomware attacks highlight the continued blurring of the lines between nation-state supported operations and those of cybercriminal elements, particularly where ransomware attacks are concerned.

Criminal elements have increased capabilities by adopting what were until recently usually only seen in nation-state espionage operations, and nation-state actors like Russia are enjoying some additional level of plausible deniability by making some of their attacks appear to be conducted by cybercriminal syndicates.

One thing these groups have in common is their propensity to hit targets in key critical infrastructure sectors. A wide variety of industries fall under the critical infrastructure umbrella, some with the potential to cause widespread disruptions if successfully targeted by these threat actors.

The US government is in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks.  

Ultimately, it's rogue nations that are providing safe harbor for criminal elements conducting ransomware attacks with impunity - and are very likely influencing some of their targets.

Until the US government directly sanctions these rogue regimes for their direct or tacit support for this onslaught of ransomware attacks, we will not see attacks abate any time soon. It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target.

US-UK Sanction Conti-Trickbot Ransomware Gang Members

The U.S. and U.K. announced sanctions against eleven suspected members of the Russia-based Conti-Trickbot cybercrime group. Russia has long been a safe haven for cybercriminals, including the Trickbot gang.  

The Conti-Trickbot gang is assessed to have direct ties to Russian intelligence services and has extensively targeted private companies and critical infrastructure sectors including healthcare providers.

“The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical infrastructure,” said Under Secretary of the Treasury Brian E. Nelson.  

“In close coordination with our British partners, the United States will continue to leverage our collective tools and authorities to target these malicious cyber activities.”

Takeaway: The announcement that the US and UK governments are sanctioning additional members of the Conti-Trickbot Ransomware Gang is welcome news. We hope to see more such actions taken to help stem this ransomware epidemic.

But will these actions diminish the threat from ransomware attacks? No, not at all. Not even a little bit.

While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space here and there, overall law enforcement has had very little impact in regard to disrupting ransomware operations.

That’s because the one thing the most notorious ransomware gangs have in common is their ties to Russia and the Putin regime. We know that groups like Conti are closely aligned - if not directly controlled to a degree – by the Russian government and its intelligence apparatus.

This weird overlap of cybercriminal activity with nation-state-supported operations we see with the Russian ransomware model – which conveniently allows for plausible deniability for Russia - means we have elements acting that are not necessarily under the direct control of a government but are closely aligned.

The Russians need to be very cautious about how they conduct such attacks so they don't trigger an international incident that would elicit a direct response from the US or their allies.  

Using ransomware gangs like Conti as a proxy to conduct the attacks in order to maintain plausible deniability and thwart attribution is the strategy here. This is one of the key reasons cyber operations have become such an important aspect of larger geopolitical issues - attribution is hard.

The US and allied governments are in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks.  

These actions against Conti-Trickbot members are necessary, but even if they are arrested, there will quickly be someone to take their place. Ultimately, it's the Russian government that is both providing safe harbor for criminal elements conducting ransomware attacks with impunity and is very likely even influencing some of their targeting.

Until the US government directly sanctions the Putin regime for their direct or tacit support, we will not see this spate of ransomware attacks abate any time soon. It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target, and by then it will be too late to act.

Monti Ransomware Remerges with New Evasion and Linux Capabilities

The Monti ransomware gang has resurfaced after a lull with a new Linux version and evasions techniques leveraging the leaked Conti code base.

"It's likely that the threat actors behind Monti still employed parts of the Conti source code as the base for the new variant, as evidenced by some similar functions, but implemented significant changes to the code — especially to the encryption algorithm," researchers said.

"Furthermore, by altering the code, Monti's operators are enhancing its ability to evade detection, making their malicious activities even more challenging to identify and mitigate."

Takeaway: Multiple ransomware gangs have developed Linux versions over the last year, but not much attention has been paid to what this trend means for the ransomware threat landscape. We should be concerned – very concerned.

With more than a dozen ransomware groups now targeting Linux environments, we can expect future attacks to potentially cause widespread disruptions across several key sectors that will impact a large number of collateral victims.

Like any business, ransomware attackers have finite resources and have to make strategic decisions on where to focus those resources based on anticipated ROI, so they traditionally targeted Windows systems because it has the most desktop market share.  

While Linux is lesser known to the average person, they may be surprised to learn that Linux runs approximately 80% of web servers, most smartphones, most supercomputers, and many embedded and IoT devices used in manufacturing.  

Linux is also favored for large network applications, and data centers and drives most of the U.S. government and military networks, our financial systems, and the backbone of the internet.

Attacks on Linux systems are potentially devastating. These attacks could have a broad impact like the disruption experienced from the Colonial Pipeline attack.  

The "always on" nature of Linux systems not only provides a strategic beachhead for moving laterally throughout the network, but attacks on Linux systems would also disrupt the most critical parts of an organization's network which allows attackers to demand even higher ransoms.

While attacks on Windows systems can be extremely disruptive to business operations, attacks on Linux systems could produce disruptions to critical systems on a level we have not even come close to experiencing, so we should all be monitoring this trend closely.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.