Thought leadership. threat analysis, news and alerts.
REvil Ransomware Group Resorts to Auctioning Stolen Data
It's now a known fact that ransomware groups steal data prior to encrypting files and demanding ransom from victims.
The group behind the ransomware called "REvil", also known by the name "Sodinokibi", has recently flaunted its data-stealing capability by auctioning the stolen data of one of its ransomware victims that refuses to pay ransom.
On the dark web, the group behind the REvil ransomware created an e-bay-like auction site, auctioning the files of one of its victims that continued to refuse to pay ransom: a Canadian agricultural production company. The newly created auction site of REvil says that a successful bidder will receive 3 databases and 22,000 files stolen from the agricultural company.
The minimum deposit is set at USD$5,000 in virtual currency Monero, and the starting bidding price is USD$50,000. To date, the Canadian agricultural production company hasn't acknowledged the ransomware attack and the related stolen data.
Ransomware: More than Encryption
Ransomware is a type of malicious software (malware) that encrypts victims' computers or files, rendering these computers or files inaccessible to legitimate users. In a ransomware attack, a ransom note is shown on the victim’s computer screen that the only way to access the computer or files again is by paying a ransom, typically in the form of virtual currency.
In the past, ransomware victims aren't hesitant to acknowledge ransomware attacks. Often though in the victims' cyber incident reports and press releases, they assure affected clients or costumers that there's no need to worry as there's no evidence of data exfiltration.
The ransomware called "Maze" openly exposed the data exfiltration process that comes along in a ransomware attack. Maze ransomware is the first ransomware that publishes online the names of the victims that refused to acknowledge the ransomware attack on their systems and/or continues to refuse to pay the ransom.
The group behind Maze ransomware threatens the "shamed" victims that continued refusal to pay the ransom will result in the publication of the data stolen prior to the data encryption. Publication of stolen data led one of the victims of Maze ransomware to file a case in court against the group behind Maze ransomware.
Close to a dozen of other ransomware groups, including REvil, followed Maze's tactic of naming ransomware victims and threatening to publish victims' stolen data – an open acknowledgment that these ransomware groups steal data prior to encrypting files.
Microsoft Threat Protection Intelligence Team, in the blog post “Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk", said that “while only a few of these [ransomware] groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.”
Getting to Know REvil Ransomware
REvil Ransomware first appeared in the wild in April 2019. Exploiting software vulnerabilities, brute-forcing RDP access and using third-party software are some of the known strategies used by the group behind the REvil ransomware in gaining access to victims’ networks and eventually drop the ransomware.
Researchers at Cisco reported that the group behind the REvil ransomware has been exploiting CVE-2019-2725 since at least April 17, 2019 in installing the ransomware. CVE-2019-2725 is a security vulnerability in Oracle WebLogic. Oracle first patched this vulnerability on April 26, 2019. "This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack," researchers at Cisco said.
Researchers at McAfee Labs, meanwhile, reported that the group behind REvil ransomware initially gains access to victims' networks by brute-forcing RDP access in installing the ransomware. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows a user to access Windows workstations or servers over the internet.
In a related report, McAfee Labs reported that the number of RDP ports exposed to the internet has grown from roughly three million in January 2020 to more than four and a half million in March. "RDP ports are often exposed to the Internet, which makes them particularly interesting for attackers," researchers at McAfee Labs said. "In fact, accessing an RDP box can allow an attacker access to an entire network, which can generally be used as an entry point for spreading malware, or other criminal activities."
Kaspersky Lab, meanwhile, reported that since the beginning of March 2020, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet. In a brute force attack, attackers systematically try all possible username and password combinations until the correct combination is found.
Aside from exploiting software security vulnerabilities, brute-forcing RDP access, the group behind the REvil ransomware has also been known to install on the victims' networks the ransomware by using third-party software. In August 2019, the mayor of Keene, Texas revealed that the group behind the REvil ransomware managed to install the ransomware on the municipality’s network through a software that a third-party IT company used to manage the municipality’s network.
While the motive behind this new tactic of auctioning ransomware victims' stolen data isn't yet clear, the timing of the launching of this new tactic amid the on-going COVID-19 pandemic and the resulting government-mandated home quarantine could mean that ransomware victims are refusing to pay ransom as they could've hardened their backup systems or that victims are hard-pressed in paying out ransomware attackers due to the economic fallout resulting in the on-going pandemic. Falling in the wrong hands, the auctioned stolen files could be used against victims and the victims’ customers.
Cybercriminals are not playing by rules and are winning in most cases. Protect your organization today by engaging with our expert team. Connect with us today.
Lessons from the First Computer Pandemic: Love Bug
Twenty years ago, the world's first computer pandemic called the "Love Bug", also known as "ILOVEYOU" virus, wreaked havoc worldwide.
On May 4, 2000, in just a span of 24 hours, the Love Bug affected an estimated 45 million computers worldwide, causing an estimated US$10 billion in damages.
Tracking Down the Creator of ILOVEYOU Virus
BBC technology reporter Geoff White tracked down the creator of the ILOVEYOU virus working in a mobile phone repair shop inside a shopping mall in Manila. Onel de Guzman, now 44, admitted to White that he solely created the ILOVEYOU virus.
de Guzman told White that he unleashed the virus to steal passwords so he could access the internet without paying. He claims that he never intended the virus to spread globally and that he regrets the damage that the virus had caused. de Guzman was never charged with a crime as at the time when he unleashed the virus, the Philippines had no laws criminalizing malicious use of computers.
How the ILOVEYOU Virus Caused a Computer Pandemic
The ILOVEYOU virus arrives on the victim's computer via Outlook software. At the time, Outlook was the common means of sending and receiving emails.
The email's subject simply contains "ILOVEYOU", while the email's body contains these few words: "kindly check the attached LOVELETTER coming from me". The email contains an attachment named "LOVE-LETTER-FOR-YOU.TXT". "I figured out that many people want a boyfriend, they want each other, they want love, so I called it that," de Guzman said.
Once an email receiver clicks on the attached document, the virus makes copies of itself to the Windows System directory and to the Windows directory. It also adds itself to the registry for it to be executed when the system is restarted.
It also replaces the Internet Explorer home page with a link that downloads the program called "WIN-BUGSFIX.exe". This downloaded file is also added to the registry for this program to be executed once the system is restarted.
The downloaded file from the web is a password-stealing malicious software (malware) that calls the WNetEnumCashedPasswords function and sends stolen RAS passwords and all cached Windows passwords to this email address: email@example.com.
This virus spreads to other victims' computers via Outlook. The same email that arrives on the original victim's computer is mass emailed to everyone in the victim's Outlook address book. This virus spreads also via mIRC whenever another person joins an IRC channel where the infected user currently is logged in.
Other than stealing passwords and spreading itself, this virus performs the most destruction function: overwriting files. This virus looks for particular file types from all folders in all local and remote drives and overwrites them.
Similar to modern-day ransomware – malware that prevents victims' from accessing their computers or files, the ILOVEYOU virus denies victims access to their files. Unlike ransomware, where in some cases, the decryption keys given by attackers after ransom payment work in unlocking in locked files, in the ILOVEYOU virus, there's no way to unlock these files.
Many organizations lost a lot of data because of this overwrite function. The mass emailing function of the virus also overloaded many mail systems around the world.
Will There Be Another Computer Pandemic?
Time will tell if there'll be another computer pandemic.
If there'll be one it would be a bit different from de Guzman's creation. An attacker aiming to use a mass emailing virus via Outlook and other mail client software needs to take an extra step to run malicious attachments as current mail client software programs are more cautious in running script files unlike in the days when the ILOVEYOU virus was unleashed.
To date, the damage caused by the ILOVEYOU virus is unprecedented. The virus successfully played on mankind's need to be loved. In today's environment, where many are connected to the internet, another virus could turn into a computer pandemic, exploiting another of mankind's other needs.
The ILOVEYOU virus has taught the online world one thing: Next time, back up your files. Having a working back up prepares your organization for the next computer pandemic similar to the ILOVEYOU virus that overwrites or destroys victims' files.
There's also a need to protect these backups from attackers. In recent months, ransomware attackers have been known to go after victims' backups.
The group behind the ransomware called "DoppelPaymer" published on their leak site the admin username and password for a non-paying ransomware victim who used the Veeam cloud backup software. The group behind the ransomware called "eCh0raix" also went after QNAP NAS backup devices.
Protect your organization's backup devices by keeping it offline. If there's a need to connect these backup devices online, make sure to use strong authentication methods such as multi-factor authentication and to keep the backup device firmware up to date.
It’s also important to follow the time-tested 3-2-1 rule:
3: Keep 3 copies of any important file: 1 primary and 2 backups.
2: Keep the files on 2 different media types to protect against different types of hazards.
1: Store 1 copy offsite (for example, cloud backup).
Another attack scenario could come from a silent operator. The ILOVEYOU virus and the different shades of ransomware are overtly noticeable attacks. The next big thing or even one that we haven't noticed yet, could be one that silently lurks in millions of computers worldwide.
How to Strengthen Cloud Backups Against Ransomware
Cloud backup is an important defense against ransomware attacks. Cloud backups, however, have recently been the target by ransomware attackers.
In a ransomware attack, the computer or the data within is encrypted preventing users’ access to this computer or data. The lack of backups forces many victims to pay ransom in exchange for the decryption keys that would unlock these locked computers or locked data.
As many organizations have migrated their daily operations to the cloud, many have migrated their backups to the cloud as well. For many organizations, cloud backups have given them a false sense of security.
If not configured properly, cloud backups could easily be stolen, deleted and, in a worst-case scenario, used against your organization. The group behind the ransomware called “DoppelPaymer” recently published on their leak website the admin username and password for a Veeam user account owned by one of DoppelPaymer ransomware’s victims who refused to pay ransom.
Switzerland-based Veeam is a software company that develops cloud backup software. DoppelPaymer is the latest addition to the number of ransomware programs that establish leak websites to shame victims who refuse to pay ransom. Stolen data belonging to the victims prior to encryption are published on these leak websites.
"Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated – the system of backups is really nice but human factor leaves some options," the group behind DoppelPaymertold Bleeping Computer.
How Cybercriminals Compromise Cloud Backups
Ransomware attackers often initially compromise victims’ computers through phishing campaigns or exposed RDP. In phishing campaigns, attackers trick victims in opening malicious emails containing malicious links or attachments. Opening these malicious links or attachments could lead to the downloading of the actual ransomware into the victims’ computers.
Exposed RDP is another gateway of ransomware attacker to the victims’ networks. RDP, short for remote desktop protocol, is a protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. Exposed RDP, those that used weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security measures, are targeted by cybercriminals as an initial entry point to gain access to their victims’ networks.
The group behind the ransomware called “Maze” told Bleeping Computer that cloud backups credentials are used to restore the victims’ data stored in the cloud to the servers under the group’s control. Maze ransomware started the trend among ransomware operators in establishing leak websites in order to shame victims who refuse to pay ransom.
"Yes, we download them [data stored in the cloud],” the group behind Maze ransomware told Bleeping Computer. “It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to data breach detection software.”
Operators of the DoppelPaymer and Maze ransomware, however, didn’t elaborate to Bleeping Computer how they were able to gain access to their victims’ cloud backups. In the case of users using the Veeam software for cloud backups, the role of Mimikatz and configuring Veeam to use Windows authentication could have led to the compromise of these cloud backups.
Once malicious actors gain access to their victims’ networks, they systematically move through the network, for instance, via the use of Mimikatz – an open-source application that allows attackers to view and save Windows authentication credentials. These stolen Windows authentication credentials are used by the attackers in accessing cloud backups that use the Veeam software as some administrators configure Veeam to use Windows authentication.
Cybersecurity Best Practices in Securing Your Organization’s Cloud Backups
In a white paper released by Veeam, the company said that one of the best practices in securing your organization’s cloud backups is through the use of different credentials for cloud backups. “One of the key characteristics of ransomware is its ability to propagate,” Veeam said. “By using different credentials within the Veeam infrastructure, we can introduce more resiliency by limiting propagation from other operating systems on the network. The best, broadest recommendation is to have at least two credential mechanisms in use. That can include both Windows and Linux accounts, Windows and Veeam Cloud Connect, etc.”
It’s also important to follow the time-tested 3-2-1 rule:
3: Keep 3 copies of any important file: 1 primary and 2 backups.
2: Keep the files on 2 different media types to protect against different types of hazards.
1: Store 1 copy offsite (for example, cloud backup).
Following the 3-2-1 rule, aside from cloud backup, it’s also important to keep a backup on-premise or on-site. This on-premise backup must be kept offline to ward off ransomware attackers. Aside from attacking cloud backups, ransomware attackers have targeted on-premise backups exposed to the internet.
In the past few months, ransomware attackers have targeted Network Attached Storage (NAS) devices. NAS is a storage and backup system that consists of one or more hard drives.
To gain access to NAS devices, attackers use brute force attack, that is, guessing through trial-and-error the correct username and password combination. To gain access to NAS devices, attackers also exploit security vulnerabilities that remained unpatched either through an absence of a vendor’s security update or failure of a NAS device user in installing in a timely manner the vendor’s available security update.
When you need help securing your cloud backups and applications against ransomware attacks, our experts are here to help. Get in touch with us today and protect your valuable assets.
Growing Threat of Ransomware Reinfection
Switzerland's cybersecurity body, the Reporting and Analysis Centre for Information Assurance (MELANI), has cautioned local SMEs and large organizations against paying ransomware attackers due to the risk of ransomware reinfection.
In a recent advisory to local organizations in Switzerland, MELANI said it’s aware of cases in Switzerland and abroad where the same organizations have been victims of ransomware attacks several times within a very short period of time. Ransomware is a type of malicious software (malware) that encrypts victims’ files and forces victims to pay ransom in exchange for the decryption keys that would unlock the encrypted files.
According to MELANI, even if a ransom is paid, there’s no guarantee that the ransomware attacker will decrypt the data. Switzerland's cybersecurity body also cautioned that even when ransom payment is made, leading to the decryption of the encrypted data, the underlying infection of some ransomware will remain active. “As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware,” MELANI said.
Emotet and TrickBot are two of the malware cited by Switzerland's cybersecurity body that could cause ransomware reinfection on victims’ computers even after ransom payment and after decryption.
In October 2019, the Canadian Centre for Cyber Security issued an alert to organizations in Canada about the 3-in-1 infection process involving 3 malware: Emotet, TrickBot and Ryuk. According to the Canadian Centre for Cyber Security, Emotet, TrickBot and Ryuk ransomware are part of the 3-stage infection process, with Emotet as the first malware downloaded, TrickBot as the second malware downloaded, and Ryuk ransomware as the last malware deployed against victims’ networks by an organized and prolific actor or group of actors.
Emotet, first detected in 2014, is a malware that’s distributed through emails containing malicious links or attachments. Victims are tricked into clicking these malicious links or attachments as the group behind Emotet uses branding familiar to the recipients.
According to the US Cybersecurity and Infrastructure Security Agency, once Emotet is downloaded on the victim’s computer, this malware uses a credential enumerator in the form of a self-extracting RAR file. This credential enumerator, the US cybersecurity body said, containstwo components: a bypass component and a service component. The bypass component is used to find writable share drives using SMB or brute force (attempt to crack a password or username using a trial and error method) users’ accounts, including the administrator account.The service component, meanwhile, writes Emotet onto thecompromised computer’s disk.
SMB, short for Server Message Block, is a network protocol used by computers running Microsoft Windows that allows systems within the same network to share files. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US Cybersecurity and Infrastructure Security Agency said.
Once the attacker gains access on the victim’s network via Emotet, the Trickbot malware is then downloaded and distributed to the compromised systems.
Trickbot, first detected in 2016, is a malware that has similar capabilities as Emotet. Similar to Emotet, Trickbot can brute force users’ accounts and spread onto as many computers as possible using SMB.
Analysis of the Trickbot showed that this malware uses PowerShell Empire, a publicly available tool. Designed as a legitimate penetration testing tool in 2015, PowerShell Empire has become a favorite tool among the well-financed threat groups.
PowerShell Empire allows an attacker to escalate privileges, harvest credentials, exfiltrate information, and move laterally across the victim’s network. PowerShell Empire is difficult to detect on a network using traditional antivirus software as it operates almost entirely in memory, and it also uses PowerShell, a legitimate application. Empire also allows an attacker to install Ryuk ransomware on high-value targets.
According to the Canadian Centre for Cyber Security, Trickbot’s capabilities allow it “to map out the network and give the malicious actor a better understanding of the target, including the value of the data.”
Ryuk ransomware first appeared in 2018. On its own, this ransomware doesn’t have the ability to spread onto as many machines as possible within a network, hence the dependency on other malware such as Emotet and Trickbot.
“The Ryuk ransomware itself does not contain the ability to move laterally within a network, hence the reliance on access via a primary infection, but it does, however, have the ability to enumerate network shares and encrypt those it can access,” UK's National Cyber Security Centre said. “This, coupled with the ransomware’s use of anti-forensic recovery techniques (such as manipulating the virtual shadow copy), is a technique to make recovering from backups difficult.”
Preventive and Mitigating Measures Against Ransomware
Every so often malware programs such as Emotet, Trickbot and Ryuk are able to access victims’ networks as a result of ignoring basic cybersecurity measures. Here are some basic cybersecurity measures in order to protect your organization’s network against malware such as Emotet, Trickbot and Ryuk:
In the case of Ryuk infection, it’s important to note that cleaning up the affected computers isn’t enough as these “cleaned” computers could still be reinfected as the associate malware used by Ryuk, Emotet and Trickbot, could be lurking on networked systems that were not initially affected by the ransomware.
Researchers Warn Windows EFS Could be Abused by Ransomware Attackers
Researchers at Safebreach Labs have warned that EFS, a feature in Microsoft Windows, could be abused for ransomware attacks.
What Is EFS?
EFS, short for Encrypted File System, is a feature on Windows operating system, starting with Windows 2000, for its business users. This feature allows users to encrypt specific folders and files. In encryption, data is converted into secret code, allowing only authorized users to access the specific folders and files and, in theory, denying access to unauthorized users.
EFS shouldn’t be confused with another encryption feature on Microsoft Windows called “BitLocker”. While EFS encrypts specific folders and files, BitLocker is a full disk encryption feature.
In EFS, to access the encrypted specific folders and files, an authorized user doesn’t need to provide a password as access is via the user’s account password. In BitLocker, to access the BitLocker-encrypted drive, a user needs to type the password or plug in a USB key or have BitLocker use Trusted Platform Module (TPM) if the Windows operating system has one.
Proof of Concept of Ransomware Attack Scenario Exploiting Windows EFS
Ransomware is a type of malicious software (malware) that encrypts victims’ computers or data, denying legitimate users access to their computers or data. In ransomware attacks, attackers demand from their victims to pay ransom in exchange for the decryption keys that, in theory, unlock the encrypted computers or data. Recent ransomware attacks, meanwhile, steal computer files prior to encryption and threaten the publication of these stolen files for victims who refuse to pay the ransom.
Researchers at Safebreach Labs recently disclosed that they’ve developed a proof-of-concept of a ransomware that abuses Windows EFS. The EFS-based ransomware developed by Safebreach Labs encrypts files, rendering these files unreadable to users and even to the Windows operating system. Safebreach Labs said that the encrypted files can only be made readable using the ransomware attacker’s decryption key and have the EFS-based ransomware restore the encrypted files into their original position, and only then that the Windows operating system can once again read the user files.
Safebreach Labs said that EFS-based ransomware is an “alarming concept and a possible new threat in the ransomware horizon” due to the following reasons:
Safebreach Labs said that EFS-based ransomware works on Windows 10 64-bit versions 1803, 1809 and 1903, and should also work on Windows 32-bit operating systems, and on earlier versions of Windows such as Windows 8.x, Windows 7 and Windows Vista.
Safebreach Labs said it tested its EFS-based ransomware on 3 anti-ransomware solutions from well-known vendors, and all 3 anti-ransomware solutions failed to protect against this new threat. Thereafter, Safebreach Labs notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints and provided them with the EFS-based ransomware proof-of-concept. Safebreach Labs also found that many of these major anti-malware and anti-ransomware vendors for Windows endpoints failed to protect against this threat.
Prevention and Mitigating Measures Against EFS-Based Ransomware
Below are some of the responses of the major anti-malware and anti-ransomware vendors for Windows endpoints that were notified by Safebreach Labs regarding the EFS-based ransomware.
Avast/AVG email to Safebreach Labs dated September 26, 2019: “We implemented a workaround for version 19.8.”
Bitdefender email to Safebreach Labs dated January 10, 2020: “As of today, the fix started rolling out on Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security on version 18.104.22.168. On Bitdefender Free Edition the fix is in reporting mode only, being necessary for fine tuning in the future.”
Check Point email to Safebreach Labs dated January 20, 2020: “Check Point has resolved the issue and the fix is currently available with the latest Corporate Endpoint Client E82.30 and will be available in the latest release of Zone Alarm Anti-Ransomware in the next couple of days.”
McAfee email to Safebreach Labs dated January 17, 2020: “McAfee released protection against the sample code provided by the reporter in the Anti-Virus (AV) DATs released on 10th January. This covers both our Enterprise and Consumer products. The AV DATs are automatically updated and Customers can check the version of the DATs through the product User Interface.
“Enterprise Customers using MVision EDR have a detection rule available from 10th January which will trigger when some variations of this Proof of Concept are executed. Through EDR the administrator can scan their machines for other instances of the malware and then block execution or delete the malware. Enterprise Customers using ENS can configure an Endpoint Protection Access Protection rule which will prevent the sample deleting the keys it generates to encrypt the files. By preventing the deletion of the keys the files remain accessible to that user. Other users on the same machine would not have access to the files.”
Microsoft email to Safebreach Labs dated October 7, 2019: "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows (https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria?rtc=1). Microsoft may consider addressing this in a future product".
In the absence of a Windows update, according to Safebreach Labs, one of the workarounds against EFS-based ransomware is by turning off EFS on the affected Windows operating system. The cybersecurity research lab, however, said that turning off EFS can disable legitimate encryption of the operating system.
Ransomware attacks are becoming more and more prominent. Turn to our experts to mitigate the ransomware infection risks and protect your organization. Contact us today for a no-obligation consultation.
Valuable Lessons from Recent Cyber Extortions
The recent data breach at LifeLabs, which affected nearly half of Canada’s population, and the recent data breach at the City of Pensacola highlight the growing danger of cyber extortions.
What Is Cyber Extortion?
Extortion – the act of using threats to gain something from someone – has been given a new form in the cyber world.
In the case of the data breach at LifeLabs, cybercriminals gained access to the company’s computer systems, stole data and thereafter demanded ransom payment from the company in exchange for the stolen data. In a joint statement, the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia said, “LifeLabs advised our offices that cyber criminals penetrated the company's systems, extracting data and demanding a ransom.”
"Retrieving the data by making a payment," said Charles Brown, President and CEO of LifeLabs, was one of the several measures taken by the company to protect customer information.
The recent cyber extortion at the City of Pensacola, meanwhile, involved a headline-grabbing method: ransomware – a malicious software (malware) that encrypts computer files, locks out users and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted files. The group behind the ransomware called “Maze” claimed responsibility for the ransomware attack at the City of Pensacola. The group demanded that the City pay $1 million ransom to decrypt the encrypted files.
Ten percent or 2GB of the data stolen before encrypting the computer files of the City was recently published online by the group behind Maze ransomware. When asked by BleepingComputer if the group intends to release the rest of the stolen data, the group said, "It depends".
The group behind Maze ransomware similarly published online 10% or 700 MB of data stolen from another victim, the Allied Universal after the victim failed to pay the group’s demand of 300 bitcoins then valued at nearly $2.3 million. The group told BleepingComputer that the rest of the stolen data will be leaked online if the increased ransom of $3.8 million won’t be paid.
How Cyber Extortion Works?
How the attackers penetrated the LifeLabs’ computer systems, how the data was extracted data and how the ransom demand was made haven’t been made public. For Maze ransomware, however, there’s a handful of data online.
Security researcher Jérôme Segura first observed in May of this year Maze ransomware in the wild initially infecting victims’ computers via the Fallout exploit kit through a fake cryptocurrency exchange site. Fallout exploit kit exploits the security vulnerabilities in Microsoft Windows and Adobe Flash Player. In October of this year, security researcher JAMESWT observed Maze ransomware infecting victims in Italy through a phishing campaign that tricks victims into opening the attached document in an email pretending to be from the Italian Revenue Agency.
Researchers from Cisco Talos reported that they’ve also observed Maze ransomware in the wild. In a Maze ransomeware attack, the researchers said that after obtaining access to a network, CobaltStrike is used. CobaltStrike is a commercial penetration testing tool that markets itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike uses well-known tools, including Mimikatz – a tool that’s capable of obtaining plaintext Windows account logins and passwords.
According to Cisco Talos researchers, once the adversary behind Maze ransomware has access to the victim’s network, at least a week is spent moving around the network and gathering data along the way. The researchers added that the gathered data is extracted by using “PowerShell to dump large amounts of data via FTP out of the network”. After data extraction, Maze ransomware is then deployed on the compromised computers, the researchers at Cisco Talos said.
The researchers at Cisco Talos added that the observed Maze ransomware attacks also involved interactive logins via Windows Remote Desktop Protocol and remote PowerShell execution achieved via Windows Management Instrumentation Command-Line (WMIC).
In its 2020 Threats Predictions Report, McAfee Labs said that for 2020, it predicts that targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks, with the first stage of attack involving a crippling ransomware attack and the second stage of attack involving the threat to disclose the data stolen before the ransomware attack.
Preventive and Mitigating Measures Against Cyber Extortion
While having a working backup system is still a must to protect your organization’s sensitive data, as shown in the recent cyber extortions, brushing off cyber-attacks through better backup systems will prove to be not enough in 2020 as attackers are aiming for data theft and leveraging this stolen data to get what they want.
Here are some of the preventive and mitigating measures against cyber extortion:
- Keep All Software Up to Date
Keeping all your organization’s software up to date stops attackers at their tracks as the latest software security updates typically fix security vulnerabilities.
- Apply the Principle of Least Privilege
The principle of least privilege promotes minimal user privileges on computers based on user’s job necessities. For instance, if the user’s work isn’t IT-related, his or her computer access shouldn’t allow administrative rights, referring to the right to install software, change the operating systems configuration settings and other higher-level access.
- Disable Windows Remote Desktop Protocol (RDP)
There have been many document cases whereby Windows Remote Desktop Protocol (RDP) had been used by attackers as a gateway to their victims’ networks. It’s advisable to disable RDP when this service isn’t used.
- Keep Backups Offline
Over the past few months, attackers have specifically targeted backup systems. It’s advisable to keep your organization’s backup systems offline.
Cyber extortions has become a new norm and many organizations have already fell victim. Connect with our team of cybersecurity experts today to understand you weakest links better and mitigate the risk of cyber extortion.
LifeLabs Reveals It Paid Ransom in Exchange for Stolen Data
LifeLabs, the largest provider of general diagnostic and specialty laboratory testing services in Canada, has announced that it paid an undisclosed amount of ransom in exchange for the stolen data of 15 million customers.
Charles Brown, President and CEO of LifeLabs, in a statement, said that the company’s computer systems were illegally accessed resulting in the theft of data belonging to approximately 15 million customers. Stolen data includes name, address, email, login, passwords, date of birth and health card number. The vast majority of the affected customers are from Ontario and British Columbia.
Brown added that laboratory test results of 85,000 customers from Ontario for the period 2016 or earlier were part of the stolen data. The President and CEO of LifeLabs further said that health card information of customers for the period of 2016 or earlier was also stolen.
"Retrieving the data by making a payment,” Brown said was one of the measures that the company took in order to protect customer information. “Personally, I want to say I am sorry that this happened,” he said.
While the President and CEO of LifeLabs said that risk to customers in connection with this cyber attack is “low and that they have not seen any public disclosure of customer data,” he called on affected customers to avail of the company’s one free year of protection that includes dark web monitoring and identity theft insurance.
How the LifeLabs Data Breach Unfolded?
The President and CEO of LifeLabs said that the data breach was discovered as a result of "proactive surveillance” and added that the company “fixed the system issues” related to the cyber-attack.
In a joint statement, the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) said that LifeLabsinformed the two offices on November 1, 2019 about the data breach. The IPC and OIPC said that they will conduct a joint investigation into the data breach at LifeLabs. Among the things to be investigated, the two offices said, will include the scope of the breach and the circumstances leading to it.
“They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom,” IPC and OIPC said in a joint statement. “LifeLabs paid the ransom to secure the data.”
"An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant."
“I am deeply concerned about this matter,” said Michael McEvoy, Information, and Privacy Commissioner for British Columbia. “The breach of sensitive personal health information can be devastating to those who are affected."
While ransom or payment was made, there was no mention that the attack was due to a ransomware – a type of malicious software (malware) that encrypts data and the group or individual behind the malware then demands ransom payment in exchange for decryption key or keys that would unlock the encrypted files.
Cyber Attackers New Modus Operandi
While cyber attackers have been known to steal data from their victims, there’s a scarcity of information showing victims paying ransom in order to get back the stolen data. The latest cyber incident at LifeLabs shows an alarming cyber-attack trend, that is, penetrating the victim's systems, extracting data and then demanding a ransom.
Ransomware attackers, meanwhile, over the past few weeks have openly employed a new tactic in order to force their victims to pay ransom: threatening ransomware victims that failure to pay the ransom will result in the publication of stolen data. This latest modus operandi by ransomware attackers confirms what has been widely known in the cyber security community that ransomware attackers don’t merely encrypt data but they also have ways to snoop and even steal data prior to the data encryption.
In late November of this year, the group behind the ransomware called “Maze” published online the stolen data from one of its victims, Allied Universal after Allied failed to pay 300 bitcoins, then valued nearly $2.3 million USD, within the period set by the malicious group. The group behind the Maze ransomware told BleepingComputer, “We gave them time to think until this day, but it seems they [Allied Universal] abandoned payment process.”
The group behind the Maze ransomware further said that before encrypting any of the victims’ files, these files are first exfiltrated or stolen to serve as further leverage for the victims to pay the ransom.
The group behind the ransomware called “REvil”, also known as Sodinokibi ransomware, recently announced in a hacker forum that it will also leak online the stolen data from ransomware victims who refuse to pay ransom. Other than leaking the stolen data online, the group behind REvil ransomware also said the stolen data from ransomware victims who refuse to pay could be sold.
Maze ransomware initially infects victims’ computers via phishing campaigns or via Fallout exploit kit – a hacking tool that exploits the security vulnerabilities in Adobe Flash Player and Microsoft Windows. REvil ransomware, meanwhile, also initially infects victims’ computers via phishing campaigns and exploit kits, as well as by exploiting a security vulnerability in Oracle’s WebLogic server and by brute-forcing Remote Desktop Protocol (RDP) access.
Ransomware Attacks Now Targeting Your Backups
Backups have traditionally been regarded as the last line of defence against ransomware attacks. Over the past few months, however, backups have been specifically targeted by ransomware attacks.
In the "IT threat evolution Q3 2019" report, Kaspersky researchers found that ransomware attacks on backups, specifically NAS backups, are gaining ground.
What Is NAS?
NAS, short for network attached storage, is a storage and backup system that consists of one or more hard drives. This storage and backup system can be connected to home or office network or the internet. In case a NAS device is connected to the internet, data stored on this device can be accessed using a web browser or mobile app.
Ransomware Targeting NAS
Researchers at Anomali in July of this year reported about eCh0raix, a ransomware that specifically targets QNAP network attached storage (NAS) devices. According to the researchers, the source code of eCh0raix has less than 400 lines, with functionalities that are typical to a ransomware, including checking if data in the infected system has already been encrypted, going through the file system for files to encrypt, encrypting the files, and producing the ransom note.
Researchers at Anomali noted that eCh0raix ransomware isn’t designed for mass distribution as the samples with a hardcoded public key appear to be compiled for the target with a unique key for each target.QNAP Systems, the manufacturer of QNAP network attached storage (NAS) devices, for its part, acknowledged that QNAP devices using weak passwords and outdated QTS firmware are vulnerable to eCh0raixransomware.
In July of this year, another NAS device manufacturer Synologyreported that several of Synology NAS devices were under ransomware attacks as a result of brute-forcing administrator login details. In a brute-force attack, a malicious actor submits a number of passwords in the hope of eventually guessing the correct one.
According to Synology, its investigation related to the ransomware attacks found that the attacks were due to dictionary attacks – the use of words in the dictionary in brute-forcing login details – instead of specific system vulnerabilities. Synology added that the large-scale ransomware attacks were targeted at various NAS models from different NAS vendors. Ken Lee, Manager of Security Incident Response Team at Synology, said that NAS attackers used “botnet addresses to hide their real source IP”.
Just last month, another NAS device manufacturer D-Linkacknowledged that the following D-Link network attached storage (NAS) models are vulnerable to a different ransomware called “Cr1ptT0r” ransomware: DNS-320 Ax/Bx, DNS-325, DNS-320L, DNS-327L, DNS-323 Ax/Bx/Cx, DNS-345, DNS-343 and DNS-340L. According to D-Link, Cr1ptT0r encrypts stored information and then demands payment to decrypt the information.
According to Kaspersky researchers, the growing ransomware attacks on NAS devices involve attackers scanning the internet for internet-connected NAS devices. Kaspersky researchers said that a number of NAS devices have vulnerabilities in the firmware, which enables attackers via an exploit to install on the compromised device a Trojan – a type of malicious software (malware) that’s often disguised as legitimate software – that encrypts all data on the NAS device. “This is a particularly dangerous attack, since in many cases the NAS is used to store backups, and such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock,” Kaspersky researchers said.
Preventive and Mitigating Measures
Here are some of the preventive and mitigating measures against ransomware attacks targeting NAS backups:
Manufacturers of NAS devices, QNAP Systems, Synology and D-Link, asked users to apply the latest software or firmware version.
In the case of D-Link NAS devices, D-Link said that DNS-320 Ax/Bx, DNS-323 Ax/Bx, DNS-325 Ax and DNS-345 Ax have passed their end of service date, which means that these models are no longer supported by the company through customer support and no longer receive software or firmware updates. For the said models that have passed their end of service date, D-Link asked users to "remove the Internet access of NAS on your router by disabling the port forwarding and DMZ setting".
One thing is common to these NAS ransomware attacks: They victimized only those devices that are connected to the internet. To protect backups from this type of ransomware, it’s important to disable internet connection to these devices.
Generally, an internet-connected NAS device can only be accessed via a web or mobile app interface and this interface is protected by an authentication page, where a user has to authenticate oneself before logging in. As acknowledged by NAS manufacturers, some users use weak passwords, making it easy for attackers to brute-force or guess the passwords.
When there’s a need for these NAS devices to be accessible via the internet, it’s important to use strong passwords and, if possible, to use multi-factor authentication to add another layer of defence.
Here are some of the additional defences to protect backups from ransomware attacks:
As shown in the number of ransomware attacks in recent months, this type of cyber-attack doesn’t seem to slow down.
Organizations that have shown to be financially capable of paying ransom, including government agencies, as well as organizations in the healthcare and education sectors are particularly targeted by this attack.
You don’t have to be a victim of a ransomware attack. Stop cybercriminals before they get the leverage.
Speak with our cybersecurity experts today and stop worrying about ransomware.
Hospitals in Different Parts of the World Hit by Ransomware Attacks
Michael Garron Hospital, formerly Toronto East General Hospital, recently confirmed that it was a victim of the ransomware called “Ryuk”, turning the spotlight on this ransomware and on ransomware in general.
Sarah Downey, President and CEO of Michael Garron Hospital, in a statement, said that last September 25th, the hospital became aware of a malicious software (malware), later identified as Ryuk, had infected the hospital’s servers. As a result of the ransomware attack, Downey said that “some data has been damaged” and for the first time in many years, the hospital’s clinical teams were forced to revert back to paper processes and using the telephone to call codes, access porters and check dietary orders.
The President and CEO of Michael Garron Hospital said that as a result of the attack, some of the hospital’s outpatient services were affected, with some appointments canceled and rescheduled. Downey added that the affected servers are being cleansed and it may take a few weeks for some of the hospital’s systems that are less critical to operations to be fully restored. Downey further said that the hospital hasn’t been in contact with anyone about ransom payment.
What Is a Ransomware?
Ransomware is a type of malware that’s designed to deny access to a computer system or data until a ransom is paid. In denying access to a system or data to legitimate users, attackers encrypt the system or data, turning this into a code that’s only accessible by the attackers using decryption keys.
In ransomware attacks, these decryption keys are typically handed over to the victims in exchange for a ransom payment. All too often ransomware attackers victimized organizations that can’t tolerate any downtime, making ransom payment all the more compelling.
Paying the ransom, however, doesn’t guarantee that victims can recover their encrypted systems or data as the decryption keys could simply be designed to not work at all.
What Is Ryuk Ransomware?
Ryuk ransomware was first observed in the wild in August 2018. In June 2019, UK's National Cyber Security Centre (NCSC) issued a Ryuk advisory, warning organizations globally about this ransomware.
Ryuk is often linked with two other malware: Emotet and Trickbot. Emotet was first observed in the wild in 2014, while Trickbot in 2016. In a Ryuk attack, the Emotet malware is used to drop the Trickbot malware. Trickbot, for its part, deploys hacking tools that facilitate the remote monitoring of the victim’s computer, credential harvesting and allowing the attackers to move to other computers within a network.
When ransomware opportunity is present, only then that Ryuk is deployed. It’s, therefore, possible that an organization is initially infected even without visible signs of a ransomware attack.
Prior to installing itself into the affected computer, Ryuk will first attempt to disable certain antimalware or antivirus software. Ryuk has the ability to spread to other computers within the same network as it is designed to enumerate network shares and encrypt those it can access.
According to the NCSC, it’s possible that Ryuk could be deployed through an infection chain other than using Emotet and Trickbot. NCSC added that in a Ryuk attack, it’s difficult to recover the infected computer’s backup as this malware uses anti-forensic recovery techniques such as manipulating the virtual shadow copy.
Other Cases of Ransomware Attacks
Hospitals and healthcare providers are targeted by ransomware attackers as these establishments cannot withstand IT downtime. In recent weeks, in addition to the Michael Garron Hospital, two other hospitals in Canada belonging to the Listowel Wingham Hospitals Alliance (LWHA), Listowel Memorial Hospital and Wingham and District Hospital, had been hit by ransomware.
In a statement, Listowel Wingham Hospitals Alliance said that since last September 26th its IT system has been shut down as a result of a ransomware attack. As a result of the attack, the Alliance said, “Manual and paper downtime procedures remain in place.” The Alliance hasn’t named the specific type of ransomware that hit the two hospitals.
A number of hospitals and health services in Gippsland and south-west Victoria, Australia, meanwhile, has been impacted by a ransomware attack. Victoria's Department of Premier and Cabinet, in a statement, said that the ransomware was uncovered last September 30th.
Last month, a U.S. healthcare provider Wood Ranch Medical announced that will permanently close its practice on December 17, 2019 as a direct result of a ransomware attack. Wood Ranch Medical, in a statement, said that on August 10, 2019, it suffered a ransomware attack on its computer systems. The health provider said that the ransomware, although not naming the specific type of ransomware, encrypted its servers and backup hard drives containing patients’ electronic health records.
“Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” Wood Ranch Medical said. “We will be closing our practice and ceasing operations on December 17, 2019.”
Last October 1st, DCH Health System, which runs 3 hospitals: DCH Regional Medical Center in Tuscaloosa, Northport Medical Center and Fayette Medical Center, announced that it suffered a ransomware attack that impacted its systems. The specific type of ransomware wasn’t disclosed.
Last October 6th, DCH Health System said that it “obtained a decryption key from the attacker to restore access to locked systems.” The organization didn’t specify whether ransom was paid. There are reports, however, that indicate that DCH Health System paid the attacker ransom.
Organizations large and small fall victims to ransomware too often. Contact us to speak with our cybersecurity experts today to develop a solid protection and mitigation strategy reducing your stress and protecting your organization.
The Importance of Facing Up to Cybersecurity Risks
A cybersecurity emergency has been declared across Louisiana, USA, after three public school districts were struck by a malware attack.
The cybersecurity danger hit Sabine, Morehouse and Ouachita, in North Louisiana, causing widespread concern. The Governor’s Office of Homeland Security and Emergency Preparedness put its crisis action team into motion quickly to handle the attack.
Sabine School District issued a statement, addressing the nature of the cybersecurity breach and their actions to fix it:
“The Sabine Parish School System was hit with an electronic virus [...[ this virus has disabled some of our technology systems and our central office phone system.”
According to the principal of Sabine Parish’s Florien High School, a ransomware virus had infiltrated their system and caused disruptions. The alarm was raised when the school’s technology supervisor noticed ‘unusually high bandwidth usage’.
Fortunately, Jones believes no sensitive information has been exposed during the attack, though everything stored on the School District’s servers was lost. This amounts to documents from across 17 years of Jones’s hard work, including schedules, speeches and more.
Taking Action, Addressing Issues Fast
While this is certainly a challenging situation for the three school districts, it appears the end result is nowhere near as terrible as it could have been. It’s clear everyone involved took decisive action when the suspicious activity was noticed, and the proper authorities were informed.
Plans for future protection and security measures are, apparently, being devised by state officials (in coordination with the FBI). But this case indicates just how important it is to face up to cybersecurity risks and take proper action to minimize the threat to systems.
Simply hoping hackers will miss or choose to ignore your business, organization, school etc. is simply not enough. Implementing effective defenses is the best way to safeguard your critical data, client information and financial details.
If any of these, and other types of vital data, become exposed by nefarious individuals, the clean-up could be a long, time-consuming, difficult process. The worst thing you can do in the event of a breach is sweep it under the carpet and try to contain any damage without raising the alarm.
Those involved in the Louisiana case alerted the proper parties and are dealing with the situation as best they can.
Yes, acknowledging that a cybersecurity attack took place does have the potential to affect your reputation and the trust people place in you. Yet it’s far better to be transparent and admit your cybersecurity measures may not have been quite as efficient as they should be than to lie.
The Problem of Ransomware and Preparing Your Team
Ransomware is, as our regular readers may know, a common choice of cyberattack for hackers. The Louisiana case is just one example of many.
The first ransomware was distributed by a biologist (Dr. Joseph Popp) in 1991: he sent floppy disks containing PC Cyborg Trojanto researchers, in an attempt to extort money.
Ransomware has come a long way since then, but while it has evolved in various ways, the aim remains the same.
Other notorious ransomware attacks include WannaCry, which was detected more than 250,000 times across 116 countries in 2017. This was designed to take advantage of a simple software defect, encrypting hard drive files to make them inaccessible — with the attackers only unlocking them after a bitcoin payment had been made.
The issue is, of course, that agreeing to pay a ransom doesn’t actually guarantee the people responsible will stick to their end of the deal. After all, why should they? If they’re willing to disrupt your daily processes, cost you money, damage your reputation and more, there’s no reason to believe they will do as they promise.
Prevention is, as the saying goes, better than cure. And that means taking steps to prepare your team for potential cybersecurity threats in their day-to-day work.
How can you do this?
Taking Steps to Protect Your System
Implementing security measures and processes to protect your system against breaches can be daunting, especially if you have no experience or real knowledge of this area.
It’s essential that you embrace the most cutting-edge cybersecurity software available and consult with experts. Professionals specializing in security measures and reinforcing systems will be able to identify the biggest dangers you face, how to defend against them and advise your team to be more vigilant.
In terms of training your staff, there are certain things you can try.
Raise cybersecurity issues and trends in regular meetings
Keep your employees updated on the latest cybersecurity hazards and techniques: make sure they understand what suspicious activities they should be aware of when responding to emails, downloading software or visiting websites.
Try to cultivate a more vigilant workforce and boost recognition of effective ‘safety first’ procedures. Get them into the habit of questioning links, emails and other potentially-infected elements when they’re not sure how safe they are.
Find time in a day to run a test exercise for your team. Act as if a cybersecurity attack has struck your system and have staff go through the motions of responding appropriately.
Do they know what to do if they spot the warning signs of an impending threat? Can they work as a cohesive team even when they’re not completely sure what’s happening? Work to make the answer to both a firm ‘yes’.
Everyone should know what role they have in the event of a cybersecurity breach. Perhaps they’re required to do nothing but sit tight and wait for business to resume as normal. Maybe they have to take an active part in informing clients of the situation or coordinating with security experts.
Having a formal plan means everyone involved can leap into action in the event of a crisis, saving valuable time and minimizing further disruption.
Knowing how to handle cybersecurity risks and attacks is fundamental for any business, organization or institution today. If you want to know more about protecting your system and taking effective action,contact our specialistsnow!
Steve E. Driz, I.S.P., ITCP