How to Implement Best Cyber Defense Against BlackMatter Ransomware Attacks

Three U.S. government agencies, the Cybersecurity, and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), recently issued a cyber security alert and defense tips against BlackMatter ransomware attacks.

What Is BlackMatter Ransomware?

BlackMatter is a relatively new ransomware. It was first observed in the wild in July 2021. This new ransomware exhibits the typical features of a modern-day ransomware, including the double extortion modus operandi.

In double extortion, the ransomware group steals data from victims. After stealing data, the attackers then encrypt victims’ data, preventing victims from accessing their data. After data encryption, attackers demand from victims ransom payment in exchange for a decryption tool that purportedly would unlock the encrypted data.

In double extortion, failure on the part of the victims to pay the ransom payment for the decryption tool leads to the activation of the second ransom demand, that is, victims are named on a leak site as victims of ransomware attacks. These victims are then threatened that their data will be published in case they won’t pay ransom.

Some ransomware actors still demand the second ransom payment – for the non-publication of the stolen data – despite the payment of the first ransom payment, that is, payment for the decryption tool.

Like other modern-day ransomware, BlackMatter ransomware is operated under the scheme called ransomware-as-service (RaaS). In RaaS, the ransomware developer (the one who creates the ransomware custom exploit code) works with affiliates – a different kind of cyberattackers who have existing access to corporate networks.

In a public advertisement posted on the underground forum Exploit, BlackMatter said it wants to buy access to corporate networks in the U.S., Canada, Australia, and Great Britain.

The group further said that it’s willing to pay $3,000 to $100,000 per network, provided the network passed the following criteria:

• Corporate revenue is $100 million or more
• Corporate network contains 500-15,000 devices
• Network hasn’t been previously targeted by other threat actors.

To signify that it's serious about its offer, BlackMatter has deposited 4 bitcoins ($256,000) on the forum Exploit.

“The [BlackMatter] ransomware is provided for several different operating systems versions and architectures and is deliverable in a variety of formats, including a Windows variant with SafeMode support (EXE / Reflective DLL / PowerShell) and a Linux variant with NAS support: Synology, OpenMediaVault, FreeNAS (TrueNAS). According to BlackMatter, the Windows ransomware variant was successfully tested on Windows Server 2003+ x86/x64 and Windows 7+ x64 / x86,” Recorded Future reported. “The Linux ransomware variant was successfully tested on ESXI 5+, Ubuntu, Debian, and CentOs. Supported file systems for Linux include VMFS, VFFS, NFS, VSAN.”

On BlackMatter website, the group said it doesn't attack hospitals, critical infrastructure, oil and gas industry, defense industry, non-profit companies, and government sector.

According to the joint cybersecurity advisory by CISA, FBI, and NSA, since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two food and agriculture sector organizations in the U.S., and have demanded ransom payments ranging from $80,000 to $15,000,000 in cryptocurrencies Bitcoin and Monero.

In September 2021, BlackMatter attacked the U.S. farmers cooperative NEW Cooperative and demanded from the victim $5.9 million for the decryptor and for the non-publication of the stolen data. 

"Your website says you do not attack critical infrastructure,” a NEW Cooperative representative told BlackMatter during a negotiation chat (screenshots of the said negotiation chat were shared online). “We are critical infrastructure... intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain."

BlackMatter Ransomware Tactics, Techniques, and Procedures

The CISA, FBI, and NSA advisory said that sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting showed that BlackMatter ransomware uses the following tactics, techniques, and procedures:

• BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.
• BlackMatter uses Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to discover all hosts in the Active Directory (AD).
• BlackMatter uses NtQuerySystemInformation to enumerate running processes.
• BlackMatter uses EnumServicesStatusExW to enumerate running services on the network.
• BlackMatter uses srvsvc.NetShareEnumAll MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.
• BlackMatter uses legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.
• BlackMatter exfiltrates data.
• BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.
• Rather than encrypting backup systems, BlackMatter wipes or reformats backup data stores and appliances.

Cybersecurity Best Practices

The CISA, FBI, and NSA advisory recommends the following cybersecurity defense tips against BlackMatter ransomware attacks:

• Use strong passwords for service account, admin accounts, and domain admin accounts.
• Use multi-factor authentication (MFA) for vital services, including webmail, virtual private networks (VPNs), and accounts that access critical systems.
• Keep all software up to date.
• Eliminate unnecessary access to administrative shares.
• Use a host-based firewall – a firewall installed on a server to monitor and control incoming and outgoing network traffic.
• Implement network segmentation to prevent the spread of ransomware.
• Disable command-line and scripting activities and permissions.
• Keep all backup data offline, encrypted, and immutable.
• Disable the storage of clear text passwords in LSASS memory.
• Disable or limit New Technology Local Area Network Manager (NTLM) and WDigest Authentication.

Rise of Ransomware Attacks in the Education Sector

The National Cyber Security Centre (NCSC), an organization of the UK Government that provides cybersecurity guidance and support, recently reported that it has continued to respond to an increased number of ransomware attacks against schools, colleges and universities in the UK.

“As of late May/June 2021, the NCSC is investigating another increase in ransomware attacks against schools, colleges and universities in the UK,” NCSC said. The NCSC previously highlighted an increase in ransomware attacks on the UK education sector during August/September 2020 and again in February 2021.

Ransomware and Its Impact

Ransomware is a type of malicious software (malware) that’s traditionally known to encrypt victims’ files, preventing victims to access these files. After file encryption, a ransom note is shown on the compromised computer informing the victim to pay a certain amount, typically in the form of cryptocurrency, for the decryption tool that would unlock the encrypted files.

More recently, ransomware operators threaten victims to release files stolen from the victim’s network in case of refusal to pay the ransom for the decryption tool. More ransomware operators have recently employed the double ransom tactic, in which, a victim is asked to pay two ransom payments.

The first ransom payment is for the decryption tool while the second ransom payment is for the non-publication of the files stolen from the victim’s network. Ransomware operators maintain “name and shame” websites on the darknet to name and shame ransomware victims who continue to refuse to pay ransom.

“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records …,” NCSC said. According to the NCSC, ransomware attacks in the education sector can have a devastating impact on organizations, with victims requiring a significant amount of recovery time to reinstate critical services, and these events can also be high profile in nature, with wide public and media interest.

Attack Vectors

An attack vector refers to the path or means in which an attacker gains access to an organization’s network to deliver a malware, in this case, a ransomware. According to the NCSC, ransomware attackers can gain access to a victim’s network through remote access systems, phishing emails, and other vulnerable software or hardware.

Remote Access

According to the NCSC, attackers gain access to victims’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN). RDP is a proprietary protocol developed by Microsoft that allows employees working from home to access their office desktop computers or servers from another device over the internet.

The shift towards remote learning over the past year as a result of COVID-19 restrictions resulted in many organizations deploying VPN access as VPN is viewed as a secure way of accessing company networks and private resources. In recent years, multiple security vulnerabilities have been discovered in RDP and in a number of VPN appliances such as Citrix, Fortinet, Pulse Secure and Palo Alto. 

Phishing

According to the NCSC, phishing emails are frequently used by attackers to deploy ransomware. An attacker sends a phishing email – disguised as coming from a legitimate sender – to trick the email receiver to click a link or download an attachment, enabling the deployment of the ransomware into the email receiver’s computer.

Other Vulnerable Software or Hardware

According to the NCSC, unpatched or unsecure devices have commonly been used by ransomware attackers as an easy route into networks. An example of a software vulnerability exploited by ransomware attackers to install ransomware on a network is the vulnerability in Microsoft Exchange Servers.

The NCSC added that ransomware attackers have recently been observed sabotaging backup devices in order to make recovery more difficult; encrypting the entire virtual servers, and using scripting environments, for example, PowerShell, to easily deploy the ransomware.

Cybersecurity Best Practices

Here are some cybersecurity best practices as recommended by the NCSC that can be employed by organizations in the education sector in order to prevent and mitigate the effects of ransomware attacks:

Keep up-to-date and tested offline backups.

As ransomware attackers have been known for sabotaging internet-exposed backup devices in order to make recovery more difficult, it’s important to keep offline backups to recover from a ransomware attack.

Secure remote access systems (RDP and VPN) via strong passwords, multi-factor authentication (MFA), and applying patches in a timely manner.

Implement effective vulnerability management and patching procedures.

Implement the following mechanisms to prevent phishing attacks: making it harder for email from your domains to be spoofed by employing the anti-spoofing controls, filtering or blocking incoming phishing emails, training your users particularly in the form of phishing simulations, and building a culture where users can report phishing attempts.

Cybersecurity Best Practices Against DarkSide Ransomware

The ransomware called “Darkside” wreaked havoc lately, with Colonial Pipeline, which operates the largest fuel pipeline in the U.S., as its latest high-profile victim.

Colonial Pipeline became aware of the ransomware attack last May 7, forcing the company to shut down its operations. The company was able to restart its operations last May 12.

A report from Bloomberg showed that Colonial Pipeline paid within hours after the attack the group behind Darkside ransomware nearly $5 million. According to the Bloomberg report, once nearly $5 million was paid, the group behind Darkside ransomware gave the decryption tool for Colonial Pipeline to restore its disabled computer network.

The decryption tool, however, was so slow that the Colonial Pipeline continued using its own backups to help restore the system, the report said. 

What Is DarkSide Ransomware?

DarkSide ransomware is a ransomware-as-a-service (RaaS) in which the ransomware developers receive a share of the proceeds from the cybercriminal actors who deploy the ransomware, known as “affiliates.”

This ransomware was first observed in the wild in August 2020 and has been known to target high-revenue organizations. Similar to modern ransomware, DarkSide ransomware encrypts victims’ files and demands from victims ransom payment in exchange for the decryption tool that would unlock the encrypted files.

Aside from data encryption and decryption, DarkSide ransomware also carries out data exfiltration and threatening victims that non-payment of ransom could lead to the public exposure of stolen data. In addition, the group behind DarkSide ransomware is also willing to carry out a Distributed Denial of Service (DDoS) attack against victims.

Tactics Used by DarkSide Ransomware Attackers

Researchers at FireEye in the blog post “Shining a Light on DARKSIDE Ransomware Operations” and researchers at McAfee in the blog post “DarkSide Ransomware Victims Sold Short” found that the group behind the DarkSide ransomware employed the following tactics:

. Password Spraying Attack Against Corporate VPN

To gain initial access to their victim’s network, the group behind DarkSide ransomware used password spraying against corporate VPN. In password spraying, an attacker circumvents the account lock-out countermeasures by trying the same password across many accounts before trying another password.

. Exploitation of CVE-2021-20016

To gain initial access to their victim’s network, the attackers exploited CVE-2021-20016, a SQL-Injection vulnerability in the SonicWall product that allows a remote unauthenticated attacker to perform SQL query to access username password and other session-related information.

. Phishing Emails

To gain initial access to their victim’s network, the attackers also used phishing emails to deliver the SMOKEDHAM – a malicious software (malware) that supports keylogging, taking screenshots and executing arbitrary .NET commands.

. Exploitation of Remote Desktop Protocol (RDP) Vulnerabilities

To gain initial access to their victim’s network, the attackers also exploited RDP, a proprietary protocol developed by Microsoft that allows users the ability to connect to another computer over the internet. In the past few years, a handful of security vulnerabilities on RDP had been identified and patched. Many, however, fail to apply the latest RDP patch.

. Leveraging TeamViewer

To establish persistence within the victim environment, the attackers also leveraged TeamViewer – a legitimate software that allows access to computers and networks remotely.

. Leveraging Mimikatz

To gain more privileges on the victim’s network, the attackers also used Mimikatz for credential harvesting.

. Leveraging NGROK

To bypass firewalls and expose remote desktop service ports, like RDP and WinRM, to the open internet, the attackers used the publicly available NGROK. 

. Leveraging Cobalt Strike BEACON

To maintain a foothold on the victim’s network, the attackers used Cobalt Strike BEACON. Cobalt Strike is a commercially available penetration testing tool. The group behind Cobalt Strike describes BEACON as a tool to “egress a network over HTTP, HTTPS, or DNS.”

Cybersecurity Best Practices

Below are some of the cybersecurity best practices in order to reduce your organization’s vulnerability to ransomware such as DarkSide and reduce the risk of severe business degradation once impacted by ransomware:

Use multi-factor authentication as an added protection to the single-factor authentication: the traditional username and password combination.

Filter emails to prevent malicious executable files from reaching end users.

Filter network traffic to prevent inbound and outbound communications with known malicious IP addresses.

Keep all software up to date by applying the latest patches in a timely manner.

Protect RDP with strong passwords, multi-factor authentication, VPN other security protections.

Implement application allow listing, allowing the systems to execute only software programs that are known and permitted by the security policy.

It’s important to note that the tactics above-mentioned aren’t just used by the group behind DarkSide ransomware. The said tactics are widely used as well by ransomware groups and other malware operators. As such, the cybersecurity best practices above-mentioned also apply to other forms of attacks.

To date, the group behind the Darkside ransomware has gone dark, making it unclear whether the group has ceased, suspended operation, or has changed its operations or maneuvering an exit. Since March 13, all the dark websites used by the group behind Darkside are down. These sites were used by the group to communicate with the public.

Investigation Shows Ryuk Ransomware Attack Caused by Pirated Software, Lack of Network Protection

Sophos recently revealed that a cyberattack involving Ryuk ransomware targeting a European biomolecular research institute was caused by a pirated software and lack of network protection.

According to Sophos, its Rapid Response team was called in to respond to a Ryuk ransomware attack targeting a European biomolecular research institute – an organization that partners with local universities and works with students on various programs.

The Ryuk ransomware attack on the European biomolecular research institute, Sophos reported, costs the institute a week’s worth of vital research data, as even though the institute had backups, these backups weren’t up to date. The operation of the institute was also impacted since all computer and server files were required to be rebuilt before the data could be restored.

Initial Compromise

A review of logs and historical data available traced the initial compromise of the Ryuk ransomware attack on the European biomolecular research institute to the moment when one of the institute’s partners, an external university student, installed a pirated data visualization software on the said student’s laptop.

The investigating team found that the institute allowed people outside the organization to access its network, with partners such as university students allowed to access the institute’s network via remote Citrix sessions without the need for two-factor authentication using their own personal computers.

The investigating team found that the partner-student of the institute who installed the pirated software posted a question on an online research forum asking if anyone knew of a free alternative of the data visualization software, of which an original software costs hundreds of dollars a year. When the partner-student of the institute didn’t find a free version, a pirated version was used instead.

According to Sophos’ Rapid Response team, the pirated software was a pure malicious software (malware) that immediately triggered a security alert from Windows Defender. In order to install the pirated software, the partner-student of the institute disabled Windows Defender as well disabled Windows Security Firewall.

The installed pirated software-malware capabilities include logging keystrokes, stealing browser, cookies and clipboard data. The pirated software-malware also enabled the attackers to steal the student’s access credentials for the institute’s network.

According to Sophos’ Rapid Response team, 13 days after the installation of the pirated software-malware, a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials, and 10 days after this connection was made the Ryuk ransomware was launched. The investigating team added that the institute’s RDP connection triggers the automatic installation of a printer driver, enabling users to print documents remotely.

“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” said Peter Mackenzie, manager of Rapid Response at Sophos. “The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”

Cybersecurity Best Practices

The Ryuk ransomware attack that targeted the European biomolecular research institute is a hard-earned lesson for the community.

While the partner-student of the institute is clearly at fault for using pirated software, the said cyberattack exposed the institute’s network weaknesses. Here are some of the cybersecurity best practices in order to fortify your organization’s network against cyberattacks such as Ryuk ransomware attack:

• Use two factor-authentication as this is an added layer of security
• Enable Windows Defender as well Windows Security Firewall
• Keep backups up to date
• Practice Network Segmentation
• In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected.
• Implement Least Privilege Access
• The least privilege concept restricts access to your organization’s network to only those who are required to perform routine, legitimate activities.
• Secure Remote Desktop Protocol (RDP) Connection

RDP is a proprietary protocol developed by Microsoft that allows users the ability to connect to another computer over the internet. In the blog post "Cybercriminals Actively Exploiting RDP to Target Remote Organizations", McAfee Labs said that as a result of the COVID-19 restrictions, organizations wanting to maintain operational continuity have allowed their employees to access networks remotely via RDP with minimal security checks in place, giving cyber attackers easy access to these networks.

In the past few years, a handful of RDP security vulnerabilities have been identified and patched by Microsoft. Organizations that lagged behind in applying these RDP patches are vulnerable to attacks.

In the blog post “Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks,” Microsoft said that RDPs that are not protected by strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections are vulnerable to brute force attack – a type of cyberattack that uses the trial-and-error method in guessing the correct username and password combination.

1 in 4 Cyberattacks in 2020 Caused by Ransomware, IBM Report Shows

IBM’s latest report, X-Force Threat Intelligence Index 2021, found 1 in 4 real cyberattacks worldwide in 2020 was caused by ransomware.

Double Extortion Tactic

Ransomware is a malicious software (malware) that encrypts victims’ computer files. File encryption prevents legitimate users from assessing their files. Ransomware attackers are publicly coming out that they’re also stealing victims’ data prior to encrypting these files. 

IBM's X-Force Threat Intelligence Index 2021, which the company said is based on billions of data points collected from its customers and public sources between January and December 2020, showed that a number of the ransomware attacks in 2020 involved double extortion – a tactic in which the attackers demand ransom two ransoms. Aside from demanding from victims to pay ransom in exchange for the decryption key that would unlock the encrypted files, attackers also demand a second ransom payment, this time, as payment to stop the attackers from selling or auctioning the victims’ stolen files.

According to IBM, in 2020, 36% of the data breaches that X-Force (IBM’s cloud-based threat intelligence platform) tracked came from ransomware attacks that also involved alleged data theft, suggesting that “data breaches and ransomware attacks are beginning to collide.”

Sodinokibi Ransomware

According to IBM, Sodinokibi, also known as REvil, was the most active ransomware in 2020, accounting for 22% of all ransomware incidents.

IBM estimated that the group behind the Sodinokibi ransomware earned at least $123 million in 2020 and stole about 21.6 terabytes of data from victims. IBM added that nearly two-thirds of the victims of Sodinokibi paid ransom, and nearly 43% had their stolen data leaked to the public.

Sodinokibi was first observed in the wild in April 2019. When it first came out, Sodinokibi was observed spreading itself by exploiting a vulnerability in Oracle’s WebLogic server.

Ransomware-as-a-Service Cartels

According to IBM, Sodinokibi and other successful ransomware groups in 2020 were focused on stealing and leaking data, as well as creating ransomware-as-a-service cartels. 

One of the reasons behind the notoriety and the resulting success of ransomware groups is that these groups operate in what is known as ransomware-as-a-service. In ransomware-as-a-service, one group maintains the ransomware code and another group, known as affiliates, spreads the ransomware.

Affiliates in ransomware-as-a-service are allowed to spread the ransomware in any way they like. In the blog post "McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us," McAfee Labs found that some affiliates prefer mass-spread attacks, while other affiliates adopt a more targeted approach.

Examples of mass-spread attacks are phishing and exploit kits. Phishing is the fraudulent way of obtaining sensitive information such as passwords and credit card details by impersonating a trusted individual or entity. Exploit kits, meanwhile, refer to threats that use automated tools to scan for vulnerable browser-based applications, compromised sites to divert web traffic, and run malware.

Cyberattacks that employ a targeted approach, meanwhile, refer to attacks targeting specific individuals or specific entities. Examples of targeted approaches include brute-forcing Remote Desktop Protocol (RDP) access.

RDP is a proprietary protocol developed by Microsoft that allows a Windows-based user to connect to a remote Windows personal computer or server over the internet. After brute-forcing RDP access, attackers then upload tools in order to gain more rights and run the ransomware inside the internal network of a victim.

“We have investigated several campaigns spreading Sodinokibi, most of which had different modus operandi but we did notice many started with a breach of an RDP server,” McAfee Labs said.

Cost of a Ransomware Attack

In its latest report, Universal Health Services said the company incurred $67 million as a result of an “Information Technology Incident” that occurred from September 27, 2020 up to October 2020.

TechCrunch reported the Universal Health Services information technology incident as ransomware attack. BleepingComputer, meanwhile, reported that the specific name of the ransomware behind the Universal Health Services information technology incident is Ryuk – a ransomware first discovered in the wild in August 2018.

Universal Health Services said there’s no evidence of unauthorized access, copying, or misuse of any patient or employee data.

“Given the disruption to the standard operating procedures at our facilities during the period of September 27, 2020 into October, 2020, certain patient activity, including ambulance traffic and elective/scheduled procedures at our acute care hospitals, were diverted to competitor facilities,” Universal Health Services said. “We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible. Additionally, certain administrative functions such as coding and billing were delayed into December, 2020, which had a negative impact on our operating cash flows during the fourth quarter of 2020.”

Security researchers aren’t certain about the infection vector of Ryuk ransomware. It’s suspected that this ransomware uses the targeted attack approach by brute-forcing RDP access and malicious use of Cobalt Strike.

Cobalt Strike is a commercial penetration testing tool that markets itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors." This commercial penetration testing tool uses tools such as Mimikatz – a tool that’s capable of obtaining plaintext Windows account logins and passwords.

Cybersecurity Best Practices Against Ransomware Attacks

Below are some of the cybersecurity best practices against ransomware attacks:

• Keep all software up to date
• Use strong passwords
• Use multi-factor authentication (MFA)
• Use Virtual Private Network (VPN)
• Use network Firewall
• Educate users to help lessen the threat of phishing attacks by enforcing secure practices such as the policy against clicking external email links.
• Implement the 3-2-1 backup rule: 3 copies of critical data must be kept with 2 copies in different media and one copy offsite for disaster recovery.

Ransomware Attacks on Healthcare Organizations Globally Increase by 45%, Study Shows

A recent report from Check Point showed that since November 2020, ransomware attacks targeting healthcare organizations globally has increased by 45%.

In the report "Attacks targeting healthcare organizations spike globally as COVID-19 cases rise again," Check Point said that the spike in the ransomware attacks targeting healthcare organizations globally more than double the overall increase in cyberattacks across all industry sectors worldwide seen during the same period. According to Check Point, the main ransomware variant used in the ransomware attacks was Ryuk, followed by Sodinokibi.

What Is Ransomware?

Ransomware is a type of malicious software (malware) that blocks victims from assessing their computer systems or files and demands from the victims ransom payment for victims to re-gain access to the computer systems or files. Ransomware attackers also demand a separate ransom payment in exchange for the non-publication of data stolen in the course of the ransomware attack.

Ryuk and Sodinokibi Ransomware

Ryuk ransomware is a cyber threat that has been targeting organizations, specifically hospitals, businesses, and government institutions since 2018. This ransomware was first observed in the wild in August 2018.

Code comparison analysis of Ryuk ransomware and Hermes ransomware showed that both are generally equal, giving credence to the theory that the developer of Ryuk has access to the Hermes source code. Hermes ransomware was responsible for the money heist of a Taiwanese bank in October 2017.

Hermes is called a “pseudo-ransomware” – referring to ransomware that uses a ransomware attack as a cover to distract its main goal: stealing money. In the money heist of a Taiwanese bank in 2017, the Hermes ransomware attack was perfectly timed at the time when money was stolen from the bank.

The group behind Ryuk ransomware demands that the ransom payment should be in the form of the cryptocurrency bitcoin. After tracing bitcoin transactions for the known addresses attributable to Ryuk, researchers from HYAS and Advanced Intelligence reported that the group behind Ryuk earned more than $150,000,000.

“Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims,” researchers from HYAS and Advanced Intelligence said. “These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range.”

Sodinokibi, also known as REvil, meanwhile, is a type of ransomware that was first observed in April 2019. Code comparison analysis of Sodinokibi and another ransomware called “GandCrab” showed that the two shared a lot of similarities, indicating the developer of Sodinokibi had access to the GandCrab source code.

Ransomware Similarities

Both Ryuk and Sodinokibi encrypt important files in the compromised computer, locking out users from their files. These two demand a ransom to decrypt or unlock these files.

It’s now a known fact that during the course of the ransomware attack, Ryuk and Sodinokibi also steal victims’ files before encrypting them. Stolen data is then used for “double-extortion” attempt, that is, in addition to ransom payment to unlock the locked files, attackers demand from victims to pay another ransomware payment for the stolen files, threatening victims that failure to pay this second ransom payment would lead to the publication of the stolen files.

In November 2020, K12 Inc., now known as Stride, Inc., a company that provides online education, admitted that it was a victim of a ransomware attack. Open-sourced reports showed that Ryuk ransomware hit K12 Inc.

In a statement, K12 Inc. said, “We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed.”

Ryuk and Sodinokibi are part of the ransomware families called “Ransomware-as-a-Service (RaaS)”. In RaaS, one group maintains the ransomware code, and another group, known as affiliates, spreads the ransomware.

Cybersecurity Best Practices Against Ransomware Attacks

Both Ryuk and Sodinokibi are commonly spread via very targeted means such as RDP and spear phishing.

RDP, short for Remote Desktop Protocol, is a proprietary protocol developed by Microsoft which provides Windows user to connect to another Windows computer. In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks," Microsoft Defender Security Research Team said that RDP is an attractive target for threat actors as this presents a simple and effective way to gain access to a network, and conduct many follow-on activities such as ransomware attack.

Microsoft Defender Security Research Team said that threat actors often gain access to RDP through brute-force attack – referring to the trial-and-error method of guessing the correct username and password combination. Spear phishing, meanwhile, weaponizes an email against specific and well-researched targets. A spear-phishing email masquerades as coming from a trustworthy source.

Traditional spear-phishing emails attached malicious documents, for instance, a zip file. Modern-day spear-phishing emails come with malicious documents that are hosted on legitimate sites such as Dropbox, OneDrive, or Google Drive.

To protect RDP from brute-force attacks and ultimately ransomware attacks, use strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections. Spear phishing prevention, meanwhile, includes phishing simulation tests, and an established process for users to report suspicious emails to the IT security team.

It’s also important to implement the 3-2-1 backup rule and network segmentation in case attackers breach your organization’s network.

The 3-2-1 backup rule means that at least 3 copies of critical data must be kept, with 2 copies in different media and one copy offsite. Network segmentation, meanwhile, refers to the practice of dividing your organization’s network into sub-networks so that in case something happens to one sub-network, the other sub-networks won’t be affected. 

How to prevent ransomware attacks: Best practices guide

Ransomware attacks are becoming common. The city of Saint John in New Brunswick recently fell victim to a ransomware attack.

What Is Ransomware Attack?

Ransomware attack is a type of cyberattack in which victims’ files are locked and held for ransom. In a ransomware attack, an attacker promises that in exchange for a ransom payment, the key or keys that would unlock the lock files would be released.

Ransom payment isn’t a guarantee that your organization will get back your files as some keys given by attackers don’t work by design or through errors in coding. Today’s ransomware attackers demand two ransom payments, one for unlocking the locked files, and another ransom payment to prevent them from publishing stolen data. This second ransom payment shows that today’s ransomware attackers, not just lock victims’ files but also steal data.

City of Saint John Ransomware Attack

A few weeks ago, the city of Saint John in New Brunswick fell victim to a ransomware attack. Last November 17, Don Darling, the Mayor of the city of Saint John, confirmed that the city’s IT system was hit by ransomware.

To protect the city’s IT system, the Mayor of Saint John said the city’s website, servers, and email system have been disabled. Due to the nature of the attack, the Mayor said the city won’t comment on the ransom demand. Saint John city manager John Collin, meanwhile, said that as of November 17, there was no indication that personal information was accessed or transferred in the ransomware attack.

Weeks after the ransomware attack, the Saint John city manager said that the city departments' phone lines, email to most city hall employees, and online payments are still unavailable. Saint John city manager said that taking the systems offline was an "immediate and proactive" response to contain the attack. "Our network will be back online only once we are sure that it is safe to do so," he said.

In the case of the city of Saint John, it wasn’t revealed how the ransomware attacker or attackers’ initially compromised the city’s IT system.

Exposure via Third-Party Software

The recent ransomware attack on the city of Saint John isn’t the first time that the city fell victim to a cyberattack.

In December 2018, Stas Alforov, director of research and development for Gemini Advisory, said the firm discovered nearly 300,000 payment records in underground marketplaces that specialize in the sale of compromised payment card data. According to Alforov, the payment records were stolen from 46 confirmed compromised US locations and one Canadian location, with 6,000 payment records from Canada. That one Canadian location is the city of Saint John.

Alforov said the breach of nearly 300,000 payment records is part of the larger hacking operation conducted by the same hacking group. Analysis of the card data, Alforov said, found that payment records have likely been stolen from municipal government services that used the software called “Click2Gov,” a payment software primarily used by local governments to receive various payments.

In the case of the city of Saint John, the Click2Gov payment software was used for paying parking tickets through the city's website. Alforov told Huffington Post Canada that he received a call from the city of Saint John after the publication of his report. The city, he said, wasn't aware of the data breach. Alforov added that the city’s parking ticket payment system appeared to have been breach back in September 2017.

To date, there’s no information on whether the past data breach on the city of Saint John’s parking ticket system is related to the recent ransomware attack.

Other victims of ransomware attacks such as the city of Keene, Texas, were able to establish the link between the compromised third-party software and the resulting ransomware attack. In August 2019, Keene Mayor Gary Heinrich told NPR that ransomware attackers compromised the software used by the city. This software, the mayor said, was managed by a third-party company. Said software was also used by close to two dozen local governments in Texas, which also fell to a collective ransomware attack.

"They got into our software provider, the guys who run our IT systems," Heinrich said. "Well, just about everything we do at City Hall is impacted.”

The ransomware attack on the local governments of Texas, including the City of Keene, showed a gateway by which ransomware attackers initially compromise their victims, that is, through third-party software.

Cybersecurity Best Practices

Here are some of the best cybersecurity practices against ransomware attacks:

Properly Vet Third-Party Software

Third-party software, which your organization has no control over the source code, should be properly vetted in the cybersecurity area.

Keep All Software Up to Date

Apply in a timely manner software updates, also known as patches, that are released by software vendors. These patches not only contain feature upgrades but also updates fixing known security vulnerabilities.

Ransomware attackers have been known to initially compromise victims by exploiting a known security vulnerability, in which the software vendor already released a patch but the software users failed to apply the patch in a timely manner.

Practice the 3-2-1 Backup Rule

The 3-2-1 backup rule is your organization’s best defense against the first type of ransom demand: ransom demand to unlock files. The 3-2-1 backup rule states that three backup copies should be kept, two in different formats, and one of these copies should be kept offsite.

This isn’t, however, the answer to the second type of ransom demand: ransom demand to prevent stolen data publication.

When you need help, our team of cybersecurity and IT experts is a phone call away. Connect with us today, and take a proactive approach to cybersecurity.

Threat Focus: WastedLocker Ransomware

Garmin, an American multinational company that markets GPS navigation and wireless devices and applications, has reported a global outage on its systems since last July 23.

Last July 23, Garmin announced that it was experiencing an outage that affected Garmin Connect – a service that syncs users' activity and data to the cloud and other devices. Garmin also announced that the outage affected the company's call centers, cutting off the company's ability to respond to any calls, emails and online chats.

Last July 26, Garmin followed up its July 23 announcement. The statement said the company "has no indication that this outage has affected your data, including activity, payment or other personal information."

flyGarmin, Garmin's service that offers navigational software to pilots, in a separate statement said that last July 23 it also experienced a similar outage in which users couldn't access flyGarmin's website and call centers. flyGarmin specified that its Connext services, in particular, weather, data from the on-board Central Maintenance Computer (CMC), position reports were down; and Garmin Pilot apps, in particular, flight plan filing (unless connected to FltPlan, account syncing, database concierge) were down.

Based on its July 26 update, flyGarmin said that its website and mobile app are now operational, and that customer support can handle limited calls, but emails and chat supports are still unavailable.

WastedLocker Ransomware

While Garmin remains silent on what caused the global outage of its systems, BleepingComputer and TechCrunch reported that sources familiar with the Garmin outage investigation and company employees point to the direction that Garmin fell victim to WastedLocker ransomware.

A Garmin employee told BleepingComputer that they first learned of the attack when they arrived at their office last Thursday morning. As devices were being encrypted, employees were told to shut down any computer on the network, including computers used by remote workers that were connected via virtual private network (VPN), to prevent additional devices from being encrypted. As shown by the photo sent by a Garmin employee to BleepingComputer, the ".garminwasted" extension was appended to the file name of every encrypted file.

WastedLocker ransomware was first tracked in the wild in May of this year. This ransomware was named after the filename it creates which includes an abbreviation of the victim’s name and the word "wasted".

One of the known methods used by the group behind the WastedLocker ransomware is the use of fake software update that shows up on the users' computer screen when visiting certain legitimate websites. Malicious code is inserted by the group behind the WastedLocker ransomware on vulnerable websites, prompting unsuspecting users to click on the fake software updates that show up on their trusted websites.

Once a user clicks on this fake software update, the WastedLocker ransomware activates CobaltStrike – a commercial penetration testing tool that can be used by ethical security researchers as well as by malicious actors. This commercial penetration testing tool uses tools such as Metasploit and Mimikatz.

Metasploit is an open-source tool for probing vulnerabilities on networks and servers. It can easily be customized and used with most operating systems.

Mimikatz, meanwhile, is another open-source tool that gives out passwords as well as hashes and PINs from memory. This tool makes it easy for attackers to conduct post-exploitation lateral movement within a victim's network.

After exploring the weak spots and access credentials, the WastedLocker ransomware is then dropped into the victim's network or server. With WastedLocker ransomware, it isn't possible to get backup copy on the affected computer as this malicious software deletes shadow copies – the default backups made by Windows operating systems.

Security researchers, including those from Malwarebytes and Fox-IT, named Evil Corp Group as the group behind WastedLocker ransomware. Most of today's ransomware groups openly admit that they steal victims' data prior to encrypting files. These ransomware groups publish or auction the data belonging to victims that are unwilling to pay the ransom.

According to Malwarebytes, the group behind the WastedLocker ransomware "does not exfiltrate stolen data and publish or auction the data that belong to 'clients' that are unwilling to pay the ransom".

Fox-IT, meanwhile, said that the group behind WastedLocker ransomware “has not appeared to have engaged in extensive information stealing or threatened to publish information about victims”. "We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public," Fox-IT said.

The group behind WastedLocker ransomware demands ransom payment ranging from US$500,000 to over $10 million in Bitcoin. One of the sources of BleepingComputer said that the ransom demand in exchange for decryption keys that could unlock the encrypted files of Garmin is priced at US$10 million.

In December 2019, the U.S. Treasury Department, sanctioned Evil Corp by way of prohibiting U.S. persons in dealing with the group. The U.S. Treasury Department said that "U.S. persons are generally prohibited from engaging in transactions with them [Evil Corp]." Engagement, in this case, could be mean that US individuals or organizations are prohibited in engaging with Evil Corp, such as via ransom payment.

The sanction of the U.S. Treasury Department’ came after leaders and members of the Evil Corp were charged for developing and distributing the malicious software (malware) called "Dridex". The U.S. Treasury Department said that Dridex infected computers and harvested login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than US$100 million in theft.

‘Wiping & Ransom’ Attack Targets Cloud Data Stored in MongoDB Databases

Data stored in the cloud isn't off limits to cybercriminals. A new report showed that a malicious actor held for ransom nearly half of all MongoDB databases exposed online.

A recent ZDNet report showed that a malicious actor has uploaded ransom notes on 22,900 MongoDB databases left exposed online without a password. This nearly 23,000 MongoDB databases represents nearly 47% of all MongoDB databases exposed online.

MongoDB is a document database in which documents can be searched by their field’s key, making this type of database flexible. This database can be deployed, operated and scaled in the cloud via cloud hosting services.

The report showed that the attacker scanned the internet using an automated script to search for exposed MongoDB databases; contents of the exposed databases were then wiped out; and victims were asked to pay 0.015 bitcoin (approximately USD 136 as of July 4, 2020).

The attacker then gave victims 2 days to pay the ransom to get back their wiped data and further threatened to leak victims' data in case of non-payment of the ransom. The attacker also threatened victims that the data leak will be reported to the local General Data Protection Regulation (GDPR) enforcement authority.

Under GDPR, organizations that are found to have failed to protect customers’ private data and such failure lead to a data breach could receive a hefty fine from local enforcement authority. In July 2019, UK’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39m under GDPR for data breach. In July 2019 also the ICO similarly announced its intention to fine Marriott International, Inc. more than £99 million under GDPR for data breach.

Victor Gevers, a security researcher at the GDI Foundation, told ZDNet that the initial attacks didn't include the data wiping step. The wiping feature, Gevers said, was later added to the malicious actor's arsenal in attacking MongoDB databases. The ZDNet report said that the series of attacks on MongoDB databases started back in December 2016.

In a January 2017 blog post, Andreas Nilsson, Director of Product Security at MongoDB, acknowledged the attacks on unsecured MongoDB databases running openly on the internet. Said attacks, Nilsson said, erased database content and demanded from victims to pay ransom before the content can be restored.

In September 2017, Davi Ottenheimer, who leads the Product Security at MongoDB, in a blog post said that the company is aware of a new wave of attacks searching for misconfigured and unmaintained MongoDB databases. Ottenheimer said that the compromised MongoDB databases were left unsecured and connected to the internet with no password on their administrator account. This new wave of attacks, Ottenheimer said, doesn't indicate a new risk, just new targets.

"This [wiping and ransom of MongoDB databases] is not ransomware. Database does not get encrypted. It only gets replaced," Gevers told Bleeping Computer. "This is someone who does [this] manually or with a simple Python script."

According to Gevers, thousands of MongoDB databases are left exposed without a password online as these MongoDB instances used the old version of the MongoDB software in which the default configuration left the database open to external connections via the internet. "The most open and vulnerable MongoDBs can be found on the AWS platform because this is the most favorite place for organizations who want to work in a devops way," Gevers said. "About 78% of all these hosts were running known vulnerable versions."

How to Secure Data Stored in the Cloud

Unsecured and misconfigured data stored in the cloud isn't limited to MongoDB databases. In February 2018, BBC reported that security researchers have posted "friendly warnings" to users of Amazon's cloud data storage service whose private content has been made public to correct their settings that exposed data. "Please fix this before a bad guy finds it," one message left by security researcher said.

Here are some of the cybersecurity best practices in securing MongoDB databases deployed in the cloud via cloud hosting services and other data stored in different cloud platforms:

1. Use Strong Authentication Methods

Like any online accounts, MongoDB databases deployed in the cloud and other data stored in the cloud via other cloud platforms need strong authentication methods. At the very least, protect the database with strong authentication method such as a strong password. These days cyberattacks often start with simple internet scanning. It’s important to protect cloud databases at its basic level with a strong password. It's also important to add extra layer of protection via multi-factor authentication.

2. Practice the Principle of Least Privilege

The principle of least privilege is a security concept that limits access to the bare minimum to perform a task. For instance, a user is granted access only to specific database resources and operations and outside these defined role assignments, the user has no access to the other components of the database.

3. Limit Network Exposure

Use Firewall to control inbound and outbound traffic to your organization's databases. Use IP whitelisting to allow access only from trusted IP addresses.

4. Backup

It's important to keep a backup copy of the critical data stored in the cloud offline in case something happens beyond your organization's control that could prevent access to data stored in the cloud.

5. Audit System Activity

It's also important to audit data stored in the cloud, keeping track of the access and changes made to settings and data. A reliable audit system records these access and changes which can later on be used for forensic analysis and to make proper adjustments and controls.

REvil Ransomware Group Resorts to Auctioning Stolen Data

It's now a known fact that ransomware groups steal data prior to encrypting files and demanding ransom from victims.

The group behind the ransomware called "REvil", also known by the name "Sodinokibi", has recently flaunted its data-stealing capability by auctioning the stolen data of one of its ransomware victims that refuses to pay ransom.

On the dark web, the group behind the REvil ransomware created an e-bay-like auction site, auctioning the files of one of its victims that continued to refuse to pay ransom: a Canadian agricultural production company. The newly created auction site of REvil says that a successful bidder will receive 3 databases and 22,000 files stolen from the agricultural company.

The minimum deposit is set at USD$5,000 in virtual currency Monero, and the starting bidding price is USD$50,000. To date, the Canadian agricultural production company hasn't acknowledged the ransomware attack and the related stolen data.

Ransomware: More than Encryption

Ransomware is a type of malicious software (malware) that encrypts victims' computers or files, rendering these computers or files inaccessible to legitimate users. In a ransomware attack, a ransom note is shown on the victim’s computer screen that the only way to access the computer or files again is by paying a ransom, typically in the form of virtual currency.

In the past, ransomware victims aren't hesitant to acknowledge ransomware attacks. Often though in the victims' cyber incident reports and press releases, they assure affected clients or costumers that there's no need to worry as there's no evidence of data exfiltration.

The ransomware called "Maze" openly exposed the data exfiltration process that comes along in a ransomware attack. Maze ransomware is the first ransomware that publishes online the names of the victims that refused to acknowledge the ransomware attack on their systems and/or continues to refuse to pay the ransom.

The group behind Maze ransomware threatens the "shamed" victims that continued refusal to pay the ransom will result in the publication of the data stolen prior to the data encryption. Publication of stolen data led one of the victims of Maze ransomware to file a case in court against the group behind Maze ransomware.

Close to a dozen of other ransomware groups, including REvil, followed Maze's tactic of naming ransomware victims and threatening to publish victims' stolen data – an open acknowledgment that these ransomware groups steal data prior to encrypting files.

Microsoft Threat Protection Intelligence Team, in the blog post “Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk", said that “while only a few of these [ransomware] groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.”

Getting to Know REvil Ransomware

REvil Ransomware first appeared in the wild in April 2019. Exploiting software vulnerabilities, brute-forcing RDP access and using third-party software are some of the known strategies used by the group behind the REvil ransomware in gaining access to victims’ networks and eventually drop the ransomware.

Researchers at Cisco reported that the group behind the REvil ransomware has been exploiting CVE-2019-2725 since at least April 17, 2019 in installing the ransomware. CVE-2019-2725 is a security vulnerability in Oracle WebLogic. Oracle first patched this vulnerability on April 26, 2019. "This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack," researchers at Cisco said.

Researchers at McAfee Labs, meanwhile, reported that the group behind REvil ransomware initially gains access to victims' networks by brute-forcing RDP access in installing the ransomware. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows a user to access Windows workstations or servers over the internet.

In a related report, McAfee Labs reported that the number of RDP ports exposed to the internet has grown from roughly three million in January 2020 to more than four and a half million in March. "RDP ports are often exposed to the Internet, which makes them particularly interesting for attackers," researchers at McAfee Labs said. "In fact, accessing an RDP box can allow an attacker access to an entire network, which can generally be used as an entry point for spreading malware, or other criminal activities."

Kaspersky Lab, meanwhile, reported that since the beginning of March 2020, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet. In a brute force attack, attackers systematically try all possible username and password combinations until the correct combination is found.

Aside from exploiting software security vulnerabilities, brute-forcing RDP access, the group behind the REvil ransomware has also been known to install on the victims' networks the ransomware by using third-party software. In August 2019, the mayor of Keene, Texas revealed that the group behind the REvil ransomware managed to install the ransomware on the municipality’s network through a software that a third-party IT company used to manage the municipality’s network.

While the motive behind this new tactic of auctioning ransomware victims' stolen data isn't yet clear, the timing of the launching of this new tactic amid the on-going COVID-19 pandemic and the resulting government-mandated home quarantine could mean that ransomware victims are refusing to pay ransom as they could've hardened their backup systems or that victims are hard-pressed in paying out ransomware attackers due to the economic fallout resulting in the on-going pandemic. Falling in the wrong hands, the auctioned stolen files could be used against victims and the victims’ customers.

Cybercriminals are not playing by rules and are winning in most cases. Protect your organization today by engaging with our expert team. Connect with us today.