Ransomware declared war on hospitals, attackers continued to innovate

The last month of human-operated ransomware attacks

Will Oram
7 min read · Nov 17, 2020

A lot has happened since last month when I last wrote about the growing threat of human-operated ransomware attacks. The US Government warned of an imminent threat to hospitals, more organisations fell victim and attackers continued to innovate.

Understanding how these attacks work is crucial to defending against them. So to help, here’s a summary of what happened:

Ransomware operators targeted hospitals, in a continued disregard for human life. Almost two dozen United States hospitals and health care organisations were struck by ransomware attacks. This is a new height in aggression by attackers, coming in the middle of a global pandemic with hospitals already on the verge of being overwhelmed. The FBI is investigating.

Chris Krebs, the Director of CISA, warned of the imminent threat: “🚨🚨🚨Healthcare and Public Health sector partners — shields up! Assume Ryuk is inside the house. Executives — be ready to activate business continuity and disaster recovery plans.”

“The facility was functioning on paper after an attack and unable to transfer patients because the nearest alternative was an hour away,” a doctor at one hospital told Reuters. Fortunately, many of the hospitals impacted have been able to continue to provide almost all patient services.

UNC-1878. The attacks have been attributed to UNC-1878, the group that deploys Ryuk ransomware. FireEye explains everything you need to know about this group in this video, as well as in the accompanying blog, which includes indicators.

BazarLoader (aka KEGTAP) has primarily been used by UNC-1878 to gain a foothold in organisations. TrickBot was previously their tool of choice, but recently Microsoft and U.S. Cyber Command have taken action to disrupt it, and TrickBot activity has been decreasing. The banking trojan zLoader has also recently been seen deploying Ryuk.

Evading detection with Google Docs. Attackers have been using Google Docs to deliver BazarLoader and bypass email and web security tooling. Phishing emails (claiming to be bonus payments, redundancy notices etc.) link to a file hosted on Google, where users are persuaded to follow a link and download a further (often signed) malware payload.

Attackers have continued to exploit weaknesses that can be mitigated through common measures like protecting privileged accounts, configuring built-in security features and upgrading technology. These simple (but often challenging to implement) measures prevent BazarLoader and TrickBot infections from leading to full-domain compromise and ransomware attacks.

The attacks have spurred the cyber security community to publish lots of new information, including on how to detect attacks, the tools and techniques used, and the infrastructure used by attackers.

Readers will be unsurprised to learn that the techniques used in these attacks are not new, with tools like AdFind and BloodHound being used for reconnaissance, and Cobalt Strike to compromise systems. The good news for organisations is that there are lots of tools that can detect these, including Microsoft Defender for Endpoint, as well as guidance on how to reduce their attack surface.

The DFIR Report released a few detailed blogs on the tools and techniques used in Ryuk attacks, which help to bring these attacks to life for defenders. If you monitor one suspicious activity on your network this month, watch out for AdFind.exe executing.

Kerberoasting and ZeroLogon (CVE-2020-1472) continue to be the techniques of choice to escalate privileges. Three things every enterprise organisation should do this month: use Empire’s Invoke-Kerberoast script to check for service accounts with weak passwords and Service Principal Names; patch domain controllers; and deploy Microsoft Defender for Identity (formerly known as Azure ATP) to detect these techniques.
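The two detection opportunities called out above (AdFind.exe executing, and Kerberoasting) are straightforward to check for in endpoint and domain controller telemetry. The following is an added example, not code from the original post or from any of the vendors or reports it cites. It runs two checks over a constructed batch of event records: a process-creation check that flags AdFind by image name or by the original file name (so a renamed binary is still caught), and a Kerberoasting check that flags an account requesting RC4-encrypted (encryption type 0x17) service tickets for many distinct services. The event field names are modelled on Sysmon Event ID 1 and Windows Security Event ID 4769, simplified into plain dictionaries; the host names, user names and service names are all made up.

```python
"""Defensive detection over constructed Windows event records (added example).

Check 1: AdFind.exe process creation (fields modelled on Sysmon Event ID 1).
Check 2: Kerberoasting, i.e. one account requesting RC4 (0x17) service tickets
         for many distinct services (fields modelled on Security Event ID 4769).
All events below are constructed for illustration; none are real telemetry.
"""
from collections import defaultdict

# Constructed sample events. Field names are simplified from the real event schemas.
SAMPLE_EVENTS = [
    # Plain AdFind execution from a temp directory.
    {"event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\Temp\adfind.exe", "original_file_name": "AdFind.exe",
     "command_line": "adfind.exe -f objectcategory=person"},
    # Same tool renamed to look like a system binary: only the PE original
    # file name gives it away.
    {"event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\Temp\svchost.exe", "original_file_name": "AdFind.exe",
     "command_line": "svchost.exe -f objectcategory=computer"},
    # Benign process for contrast.
    {"event_id": 1, "host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "command_line": "notepad.exe"},
]
# Six RC4 service ticket requests for six different SPNs from one account (suspicious),
# plus one AES (0x12) request from another account (normal).
for i in range(6):
    SAMPLE_EVENTS.append({"event_id": 4769, "host": "DC01", "user": "alice@CORP.LOCAL",
                          "service_name": f"svc-app{i}", "ticket_encryption_type": "0x17"})
SAMPLE_EVENTS.append({"event_id": 4769, "host": "DC01", "user": "bob@CORP.LOCAL",
                      "service_name": "svc-app0", "ticket_encryption_type": "0x12"})

ADFIND_NAMES = {"adfind.exe"}   # compared case-insensitively
RC4_ETYPE = "0x17"              # RC4-HMAC in the 4769 TicketEncryptionType field
KERBEROAST_THRESHOLD = 5        # distinct services per account before we alert


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_adfind(events):
    """Return (host, user, image, reason) for every process-creation event that is AdFind."""
    hits = []
    for e in events:
        if e.get("event_id") != 1:
            continue
        image_name = _basename(e.get("image", ""))
        original_name = e.get("original_file_name", "").lower()
        if image_name in ADFIND_NAMES:
            hits.append((e["host"], e["user"], e["image"], "image name"))
        elif original_name in ADFIND_NAMES:
            hits.append((e["host"], e["user"], e["image"], "original file name (renamed binary)"))
    return hits


def detect_kerberoasting(events, threshold=KERBEROAST_THRESHOLD):
    """Map each account to the sorted list of services it requested RC4 tickets for,
    keeping only accounts at or above the threshold."""
    services_by_user = defaultdict(set)
    for e in events:
        if e.get("event_id") != 4769 or e.get("ticket_encryption_type") != RC4_ETYPE:
            continue
        services_by_user[e["user"]].add(e["service_name"])
    return {user: sorted(svcs) for user, svcs in services_by_user.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    for host, user, image, reason in detect_adfind(SAMPLE_EVENTS):
        print(f"[AdFind] {host} {user} {image} ({reason})")
    for user, svcs in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"[Kerberoasting] {user} requested RC4 tickets for {len(svcs)} services: {svcs}")
```

The Kerberoasting check counts distinct services per account across the whole batch; in production you would bucket the 4769 events into a short time window (minutes, not days) so that a long-lived service account's normal activity does not accumulate into a false positive, and you would tune the threshold to your environment. The original-file-name comparison is the part worth keeping even if you do nothing else, since attackers routinely rename AdFind.exe before running it.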

As of mid-November, the alert on hospitals still seems credible, and Ryuk is still active.

Hospitals weren’t the only high-profile victims. To name a few: Ragnar Locker attacked the maker of popular games Capcom and the drinks manufacturer Campari. They demanded $11 million from Capcom and threatened to leak 1TB of unencrypted files.

Note from Ragnar Locker to Capcom threatening to release their clients and employees data

Signed, sealed and delivered to your email inbox. MalwareHunterTeam reported that the Ragnar Locker ransomware used in these attacks was not only signed, but signed with the same certificate.

Ragnar Locker continued to innovate. Brian Krebs reported that they have used hacked Facebook accounts to run ads, targeted at Campari’s customers, pressuring the company into paying up.

Ragnar Locker has previously been known for innovation, such as deploying ransomware inside VirtualBox virtual machines to evade security tools and killing remote management software used by managed service providers.

Standing strong. It looks like both companies have yet to pay the ransom, with Ragnar Locker claiming of both that “they checked our page with proofs [of stolen data] but even this didn’t help them to make a right decision and save data from leakage”. Hopefully, the consequences aren’t too painful for them and their customers, with gigabytes of data already leaked.

Cencosud. The Chile-based retail conglomerate, with operations throughout Latin America, was hit by an Egregor ransomware attack. Point of sale terminals started frantically printing out the ransom note, as Egregor ransomware automatically prints it after files have been encrypted.

Egregor has been active since September 2020, allegedly breaching over 53 companies. They are aggressive in the data they leak, including Active Directory database files, which is a nightmare for incident response teams. Interestingly, the ransomware only runs its encryption if the correct activation key is provided as a command-line argument.

Egregor leak website

Extortion without ransom. Egregor has also taken a targeted approach to data extortion, threatening to leak the source code of an upcoming Ubisoft game due to be released. In a shift in tactics, they told ZDNet they had only stolen files from the Ubisoft network and had not encrypted any of the company’s files. Is this the future of extortion attacks?

Ransomware-as-a-service and affiliate schemes. The cyber crime ecosystem continues to organise to make more money from these attacks. Intel471 reports that they have tracked over 25 different groups over the past year who use these schemes to maximise profits. The most prolific are DoppelPaymer, Egregor/Maze, NetWalker, REvil and Ryuk, who have collectively pulled in hundreds of millions of dollars in ransoms.

Unanswered questions. Intel471 also highlights one of the key points hindering our ability to collectively defend against these attacks: we lack even basic data. There are no good data sources on the number of attacks happening, the cost of remediation, the amount of ransoms paid, or the impact on organisations…

How do we stop this continued rise in attacks? Companies need to stop paying million-dollar ransoms. Another month has continued to show that vast profits are driving attackers to become more capable, aggressive and organised, with money going straight back into R&D and attracting more hackers to join their groups.

More committees, please. To have any real impact, we need a coordinated whole-of-government response that includes measures that make it illegal, or at least far harder, for companies to pay. It also needs to mobilise law enforcement, diplomacy and offensive cyber capabilities, to stop criminals from being able to carry out these attacks with limited consequences and personal risk.

Million-dollar fines, our only hope? We also need to fix the lack of commercial incentives organisations have to prioritise security improvements. Europe’s new data protection regime (GDPR) hasn’t yet been used to fine a company after a ransomware attack. But it’s likely only a matter of time…

£39.5 million. This month, we saw the UK’s data protection regulator issue its first three fines for a cyber security breach since GDPR came into force, with a total of £39.5 million issued to British Airways, Marriott and Ticketmaster.

Over in Düsseldorf… After a terrible ransomware attack back in September, widely said to have caused a death, Wired reported that prosecutors have determined there wasn’t enough evidence to prove the attack was directly to blame for someone losing their life, and so could not prosecute for negligent manslaughter.

But the prosecutor believed it was only a matter of time before ransomware directly causes someone’s death. Interestingly, he also said that if a direct link were made, exposure to criminal prosecution would stretch beyond the hackers, potentially including the culpability of the hospital’s own IT staff.

Who can we even trust anymore? Coveware published their quarterly report, dashing the hopes of companies thinking they could trust criminals. They outline cases where attackers haven’t kept their word after ransoms were paid to prevent the leak of data:

An extract from the Coveware Quarterly Ransomware Report

The Coveware report also highlighted the increase in data extortion: “Almost 50% of ransomware cases included the threat to release exfiltrated data along with encrypted data”. We should all be concerned about what cyber criminals are doing with the ever-growing terabytes of stolen data they are rapidly amassing from these attacks.

And finally…

Bigger and better things? The ransomware group Maze has announced it is shutting down its operations. Maze is well-known for being the first group to operationalise data extortion attacks. Back in December 2019, they created the first dedicated leak website. We’ll wait to see where the individuals and groups behind Maze will go next? Or have already gone? Egregor…

Until next month.

For more information about human-operated ransomware attacks check out my last blog, the PwC Whitepaper I co-wrote last month, or this Microsoft blog.

For any corrections or additions, please DM me on Twitter. Thanks.

Will Oram

Hi, my name is Will. I’m a cyber security consultant living in London. I help companies defend against cyber attacks. Opinions my own. Read more willoram.com