Thought leadership. Threat analysis. Cybersecurity news and alerts.
More and more hackers are using distributed denial-of-service (DDoS) attacks to hold businesses to ransom.
In June 2021, the Canadian Centre for Cyber Security issued an alert to raise awareness of increased DDoS extortion activity. One notable case occurred in September of that year, with ITWorld Canada reporting that a voice-over-IP provider in Canada had been targeted.
The perpetrator was believed to have demanded one bitcoin (equal to around $45,000) as payment to end the assault. Numerous other companies have been hit since.
With ransom DDoS incidents becoming more common, it’s crucial that organizations understand how serious this threat is, how it could affect them, and what defensive measures they can use to stay safe.
But before we explore what a ransom DDoS attack is and how you can stop it, we’ll cover the basics.
What is a DDoS Attack?
A DDoS attack floods a specific network, server, website, or application with an overwhelming amount of traffic. This disrupts the normal flow of traffic and prevents the target from operating as it should.
Perpetrators tend to use botnets to launch DDoS attacks. A botnet is a network comprising many connected systems, all of which have been infected with malware, to generate disruptive traffic. These devices may be computers, IoT (Internet of things) gadgets, or mobile devices.
A hacker can leverage these “zombie” systems to attack their target with enough traffic to cause serious problems. Attackers may aim to:
But with ransom DDoS attacks, hackers are driven more by greed than anything else.
What is a Ransom DDoS Attack?
A ransom DDoS attack (often referred to as a RDDoS attack) is essentially the same, but with a few key differences. The attacker’s goal is to extort money from the target through threats and even brief demonstrations of their power.
A hacker may launch a DDoS attack against a business then contact the victims to demand payment. They will expect the target to pay the ransom, and if they remain unpaid, the attacker will continue the DDoS assault.
Alternatively, hackers may threaten the target before they begin the attack. Their objective will be to inspire panic in the potential victims and receive money without needing to act.
However, an inexperienced or unequipped perpetrator may lack the resources or knowhow to follow through on their threat. In this case, an organization could emerge from the incident unscathed even if they refuse to pay the ransom.
How Does a Ransom DDoS Attack Disrupt Businesses?
A ransom DDoS attack could disrupt your business in various ways, assuming the perpetrator launches the attack instead of simply issuing a threat.
Preventing an attack, and being prepared to handle one just in case, is vital to reduce your risk of experiencing these issues.
What Can You Do To Prevent a Ransom DDoS Attack?
Keep the following measures in mind to help prevent a ransom DDoS attack against your organization:
Refuse to Pay the Ransom
Your first instinct may be to pay the ransom, but you have no way of knowing whether that will stop the attack. It may continue, or the perpetrator could retarget your business again because they know you’re likely to pay a second time.
Train Employees to Handle Threats Responsibly
Educate your workers on what a ransom DDoS attack involves, how they usually unfold, and what actions to take if they receive a threatening message. They should know who to report an incident to and how to recognize early signs of an attack.
Look Out for Warning Signs of Impending Attacks
Common early signs of a DDoS attack include:
These could indicate other problems, too, such as outdated equipment. However, it may be best to have any of these signs investigated by cybersecurity specialists just in case.
Ensure Your Security Measures are Updated and Effective
If you haven’t updated your firewalls and other IT security measures in a while, review them to identify potential weaknesses. Outdated cybersecurity software may lack the features to protect your business.
Work with Professional Cybersecurity Specialists
Reviewing, updating, and testing your cybersecurity setup is complicated. But it’s critical to reduce your risk of being affected by a ransom DDoS attack. For many companies in Canada, the simplest way to combat threats is to work with a team of cybersecurity professionals.
At The Driz Group, we’re dedicated to providing unparalleled cybersecurity solutions for businesses in all sectors.
Our experienced, trained, reliable team will perform a comprehensive IT audit and vulnerability assessment to accurately determine your unique security requirements. And we’ll implement the best security available to always defend your organization.
Start protecting your business — schedule your free consultation with The Driz Group today.
Ransomware Attack Shuts Down Several Toronto Transit Commission (TTC) Services
Toronto Transit Commission (TTC), the public transport agency that provides public transportation services to commuters in Toronto and from surrounding municipalities, is still reeling days after a ransomware attack hit the agency’s computer network.
In a statement released last October 29th, TTC said that last October 28th, it learned it was the victim of a ransomware attack. The agency said TTC IT staff detected "unusual network activity" and attackers "broadened their strike on network servers."
TTC said the impacted services and systems include:
In the absence of the TTC's Vision system, operators have been forced to communicate with Transit Control with radios. Customers of Wheel Trans van service who couldn’t book online were asked to phone to reserve pickup. And without email service, customers are asked to call.
Shabnum Durrani, TTC head of corporate communications, told IT World Canada that she couldn’t say what ransomware strain attacked TTC. She couldn’t say also if the attackers were able to copy emails of employees, nor could she say if any corporate data was copied. When asked whether TTC has been in contact with the ransomware attackers, Durrani said, “I cannot comment on that at this time.”
As of November 3, TTC spokesperson Stuart Green said that Wheel Trans online booking system is now up and running.
Ransomware Attacks on Public Transport Systems
In December 2020, Metro Vancouver's transportation network TransLink confirmed that it was a victim of a ransomware attack.
“We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure,” TransLink CEO Kevin Desmond said in a statement. “This attack included communications to TransLink through a printed message.”
The ransomware attack on TransLink led to multi-day transit payment problems.
Back in 2016, the San Francisco Municipal Transportation Agency (SFMTA) confirmed that it was a victim of a ransomware attack. SFMTA said the ransomware attack affected approximately 900 office computers, and SFMTA's payroll system was temporarily affected. The transportation agency said no data was accessed from any of its servers.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that encrypts victims’ files, preventing victims from accessing their files. Ransomware attackers demand ransom payment from victims in exchange for the decryption tool that promises to unlock the encrypted files.
A few years back, there was no transparency on whether ransomware attackers also steal data from victims. Today, ransomware attackers are open that aside from encrypting files, they also steal data from victims. The acknowledgment that ransomware attackers steal data from victims gives rise to double extortion, and lately triple extortion.
In triple extortion, ransomware attackers demand ransom payment for each of these attack tactics:
Ransomware attackers first demand ransom payment for the decryption tool that promises to unlock the encrypted files.
Ransomware attackers now acknowledge that before encrypting files, they exfiltrate or steal data. Many ransomware attackers now maintain a website that names ransomware victims. These victims are threatened that stolen data from their computer networks will be published online if payment for the non-publication of the stolen date won’t be paid.
What used to be a stand-alone attack, Distributed Denial-of-Service (DDoS) has been made part of the whole attack process of some ransomware attackers. Darkside, the group behind the Colonial Pipeline ransomware attack has been known to add DDoS attack to their attack tactics.
In a DDoS attack, attackers overwhelm the target or its surrounding infrastructure with a flood of Internet traffic. One example of a DDoS attack is flooding a corporate website with malicious Internet traffic, preventing legitimate users from accessing the corporate website.
Adding DDoS on top of encryption and stealing data, adds pressure to IT staff who are already overwhelmed with the encryption and stolen data issues.
Security researchers also refer to ransomware triple extortion as an expansion of demand payments to victims’ customers, partners, and other third parties. Vastaamo, a Psychotherapy Center in Finland with nearly 40,000 patients, declared bankruptcy after attackers breached for nearly a year the Center’s computer network.
Attackers demand from Vastaamo to pay nearly half a million US dollars in Bitcoin. Patients’ personally identifiable information, including the actual written notes that therapists had taken, was stolen by the attackers. A few years after the breached period, attackers started sending extortion messages to the patients, asking them to pay a certain amount of money to prevent their data from being published. The attackers already leaked online the private data of hundreds of patients.
Cybersecurity Best Practices
Here are some cybersecurity best practices against ransomware attacks:
How to Implement Best Cyber Defense Against BlackMatter Ransomware Attacks
Three U.S. government agencies, the Cybersecurity, and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), recently issued a cyber security alert and defense tips against BlackMatter ransomware attacks.
What Is BlackMatter Ransomware?
BlackMatter is a relatively new ransomware. It was first observed in the wild in July 2021. This new ransomware exhibits the typical features of a modern-day ransomware, including the double extortion modus operandi.
In double extortion, the ransomware group steals data from victims. After stealing data, the attackers then encrypt victims’ data, preventing victims from accessing their data. After data encryption, attackers demand from victims ransom payment in exchange for a decryption tool that purportedly would unlock the encrypted data.
In double extortion, failure on the part of the victims to pay the ransom payment for the decryption tool leads to the activation of the second ransom demand, that is, victims are named on a leak site as victims of ransomware attacks. These victims are then threatened that their data will be published in case they won’t pay ransom.
Some ransomware actors still demand the second ransom payment – for the non-publication of the stolen data – despite the payment of the first ransom payment, that is, payment for the decryption tool.
Like other modern-day ransomware, BlackMatter ransomware is operated under the scheme called ransomware-as-service (RaaS). In RaaS, the ransomware developer (the one who creates the ransomware custom exploit code) works with affiliates – a different kind of cyberattackers who have existing access to corporate networks.
In a public advertisement posted on the underground forum Exploit, BlackMatter said it wants to buy access to corporate networks in the U.S., Canada, Australia, and Great Britain.
The group further said that it’s willing to pay $3,000 to $100,000 per network, provided the network passed the following criteria:
To signify that it's serious about its offer, BlackMatter has deposited 4 bitcoins ($256,000) on the forum Exploit.
“The [BlackMatter] ransomware is provided for several different operating systems versions and architectures and is deliverable in a variety of formats, including a Windows variant with SafeMode support (EXE / Reflective DLL / PowerShell) and a Linux variant with NAS support: Synology, OpenMediaVault, FreeNAS (TrueNAS). According to BlackMatter, the Windows ransomware variant was successfully tested on Windows Server 2003+ x86/x64 and Windows 7+ x64 / x86,” Recorded Future reported. “The Linux ransomware variant was successfully tested on ESXI 5+, Ubuntu, Debian, and CentOs. Supported file systems for Linux include VMFS, VFFS, NFS, VSAN.”
On BlackMatter website, the group said it doesn't attack hospitals, critical infrastructure, oil and gas industry, defense industry, non-profit companies, and government sector.
According to the joint cybersecurity advisory by CISA, FBI, and NSA, since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two food and agriculture sector organizations in the U.S., and have demanded ransom payments ranging from $80,000 to $15,000,000 in cryptocurrencies Bitcoin and Monero.
In September 2021, BlackMatter attacked the U.S. farmers cooperative NEW Cooperative and demanded from the victim $5.9 million for the decryptor and for the non-publication of the stolen data.
"Your website says you do not attack critical infrastructure,” a NEW Cooperative representative told BlackMatter during a negotiation chat (screenshots of the said negotiation chat were shared online). “We are critical infrastructure... intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain."
BlackMatter Ransomware Tactics, Techniques, and Procedures
The CISA, FBI, and NSA advisory said that sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting showed that BlackMatter ransomware uses the following tactics, techniques, and procedures:
Cybersecurity Best Practices
The CISA, FBI, and NSA advisory recommends the following cybersecurity defense tips against BlackMatter ransomware attacks:
Rise of Ransomware Attacks in the Education Sector
The National Cyber Security Centre (NCSC), an organization of the UK Government that provides cybersecurity guidance and support, recently reported that it has continued to respond to an increased number of ransomware attacks against schools, colleges and universities in the UK.
“As of late May/June 2021, the NCSC is investigating another increase in ransomware attacks against schools, colleges and universities in the UK,” NCSC said. The NCSC previously highlighted an increase in ransomware attacks on the UK education sector during August/September 2020 and again in February 2021.
Ransomware and Its Impact
Ransomware is a type of malicious software (malware) that’s traditionally known to encrypt victims’ files, preventing victims to access these files. After file encryption, a ransom note is shown on the compromised computer informing the victim to pay a certain amount, typically in the form of cryptocurrency, for the decryption tool that would unlock the encrypted files.
More recently, ransomware operators threaten victims to release files stolen from the victim’s network in case of refusal to pay the ransom for the decryption tool. More ransomware operators have recently employed the double ransom tactic, in which, a victim is asked to pay two ransom payments.
The first ransom payment is for the decryption tool while the second ransom payment is for the non-publication of the files stolen from the victim’s network. Ransomware operators maintain “name and shame” websites on the darknet to name and shame ransomware victims who continue to refuse to pay ransom.
“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records …,” NCSC said. According to the NCSC, ransomware attacks in the education sector can have a devastating impact on organizations, with victims requiring a significant amount of recovery time to reinstate critical services, and these events can also be high profile in nature, with wide public and media interest.
An attack vector refers to the path or means in which an attacker gains access to an organization’s network to deliver a malware, in this case, a ransomware. According to the NCSC, ransomware attackers can gain access to a victim’s network through remote access systems, phishing emails, and other vulnerable software or hardware.
According to the NCSC, attackers gain access to victims’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN). RDP is a proprietary protocol developed by Microsoft that allows employees working from home to access their office desktop computers or servers from another device over the internet.
The shift towards remote learning over the past year as a result of COVID-19 restrictions resulted in many organizations deploying VPN access as VPN is viewed as a secure way of accessing company networks and private resources. In recent years, multiple security vulnerabilities have been discovered in RDP and in a number of VPN appliances such as Citrix, Fortinet, Pulse Secure and Palo Alto.
According to the NCSC, phishing emails are frequently used by attackers to deploy ransomware. An attacker sends a phishing email – disguised as coming from a legitimate sender – to trick the email receiver to click a link or download an attachment, enabling the deployment of the ransomware into the email receiver’s computer.
Other Vulnerable Software or Hardware
According to the NCSC, unpatched or unsecure devices have commonly been used by ransomware attackers as an easy route into networks. An example of a software vulnerability exploited by ransomware attackers to install ransomware on a network is the vulnerability in Microsoft Exchange Servers.
The NCSC added that ransomware attackers have recently been observed sabotaging backup devices in order to make recovery more difficult; encrypting the entire virtual servers, and using scripting environments, for example, PowerShell, to easily deploy the ransomware.
Cybersecurity Best Practices
Here are some cybersecurity best practices as recommended by the NCSC that can be employed by organizations in the education sector in order to prevent and mitigate the effects of ransomware attacks:
Keep up-to-date and tested offline backups.
As ransomware attackers have been known for sabotaging internet-exposed backup devices in order to make recovery more difficult, it’s important to keep offline backups to recover from a ransomware attack.
Secure remote access systems (RDP and VPN) via strong passwords, multi-factor authentication (MFA), and applying patches in a timely manner.
Implement effective vulnerability management and patching procedures.
Implement the following mechanisms to prevent phishing attacks: making it harder for email from your domains to be spoofed by employing the anti-spoofing controls, filtering or blocking incoming phishing emails, training your users particularly in the form of phishing simulations, and building a culture where users can report phishing attempts.
Cybersecurity Best Practices Against DarkSide Ransomware
The ransomware called “Darkside” wreaked havoc lately, with Colonial Pipeline, which operates the largest fuel pipeline in the U.S., as its latest high-profile victim.
Colonial Pipeline became aware of the ransomware attack last May 7, forcing the company to shut down its operations. The company was able to restart its operations last May 12.
A report from Bloomberg showed that Colonial Pipeline paid within hours after the attack the group behind Darkside ransomware nearly $5 million. According to the Bloomberg report, once nearly $5 million was paid, the group behind Darkside ransomware gave the decryption tool for Colonial Pipeline to restore its disabled computer network.
The decryption tool, however, was so slow that the Colonial Pipeline continued using its own backups to help restore the system, the report said.
What Is DarkSide Ransomware?
DarkSide ransomware is a ransomware-as-a-service (RaaS) in which the ransomware developers receive a share of the proceeds from the cybercriminal actors who deploy the ransomware, known as “affiliates.”
This ransomware was first observed in the wild in August 2020 and has been known to target high-revenue organizations. Similar to modern ransomware, DarkSide ransomware encrypts victims’ files and demands from victims ransom payment in exchange for the decryption tool that would unlock the encrypted files.
Aside from data encryption and decryption, DarkSide ransomware also carries out data exfiltration and threatening victims that non-payment of ransom could lead to the public exposure of stolen data. In addition, the group behind DarkSide ransomware is also willing to carry out a Distributed Denial of Service (DDoS) attack against victims.
Tactics Used by DarkSide Ransomware Attackers
Researchers at FireEye in the blog post “Shining a Light on DARKSIDE Ransomware Operations” and researchers at McAfee in the blog post “DarkSide Ransomware Victims Sold Short” found that the group behind the DarkSide ransomware employed the following tactics:
. Password Spraying Attack Against Corporate VPN
To gain initial access to their victim’s network, the group behind DarkSide ransomware used password spraying against corporate VPN. In password spraying, an attacker circumvents the account lock-out countermeasures by trying the same password across many accounts before trying another password.
. Exploitation of CVE-2021-20016
To gain initial access to their victim’s network, the attackers exploited CVE-2021-20016, a SQL-Injection vulnerability in the SonicWall product that allows a remote unauthenticated attacker to perform SQL query to access username password and other session-related information.
. Phishing Emails
To gain initial access to their victim’s network, the attackers also used phishing emails to deliver the SMOKEDHAM – a malicious software (malware) that supports keylogging, taking screenshots and executing arbitrary .NET commands.
. Exploitation of Remote Desktop Protocol (RDP) Vulnerabilities
To gain initial access to their victim’s network, the attackers also exploited RDP, a proprietary protocol developed by Microsoft that allows users the ability to connect to another computer over the internet. In the past few years, a handful of security vulnerabilities on RDP had been identified and patched. Many, however, fail to apply the latest RDP patch.
. Leveraging TeamViewer
To establish persistence within the victim environment, the attackers also leveraged TeamViewer – a legitimate software that allows access to computers and networks remotely.
. Leveraging Mimikatz
To gain more privileges on the victim’s network, the attackers also used Mimikatz for credential harvesting.
. Leveraging NGROK
To bypass firewalls and expose remote desktop service ports, like RDP and WinRM, to the open internet, the attackers used the publicly available NGROK.
. Leveraging Cobalt Strike BEACON
To maintain a foothold on the victim’s network, the attackers used Cobalt Strike BEACON. Cobalt Strike is a commercially available penetration testing tool. The group behind Cobalt Strike describes BEACON as a tool to “egress a network over HTTP, HTTPS, or DNS.”
Cybersecurity Best Practices
Below are some of the cybersecurity best practices in order to reduce your organization’s vulnerability to ransomware such as DarkSide and reduce the risk of severe business degradation once impacted by ransomware:
Use multi-factor authentication as an added protection to the single-factor authentication: the traditional username and password combination.
Filter emails to prevent malicious executable files from reaching end users.
Filter network traffic to prevent inbound and outbound communications with known malicious IP addresses.
Keep all software up to date by applying the latest patches in a timely manner.
Protect RDP with strong passwords, multi-factor authentication, VPN other security protections.
Implement application allow listing, allowing the systems to execute only software programs that are known and permitted by the security policy.
It’s important to note that the tactics above-mentioned aren’t just used by the group behind DarkSide ransomware. The said tactics are widely used as well by ransomware groups and other malware operators. As such, the cybersecurity best practices above-mentioned also apply to other forms of attacks.
To date, the group behind the Darkside ransomware has gone dark, making it unclear whether the group has ceased, suspended operation, or has changed its operations or maneuvering an exit. Since March 13, all the dark websites used by the group behind Darkside are down. These sites were used by the group to communicate with the public.
Investigation Shows Ryuk Ransomware Attack Caused by Pirated Software, Lack of Network Protection
Sophos recently revealed that a cyberattack involving Ryuk ransomware targeting a European biomolecular research institute was caused by a pirated software and lack of network protection.
According to Sophos, its Rapid Response team was called in to respond to a Ryuk ransomware attack targeting a European biomolecular research institute – an organization that partners with local universities and works with students on various programs.
The Ryuk ransomware attack on the European biomolecular research institute, Sophos reported, costs the institute a week’s worth of vital research data, as even though the institute had backups, these backups weren’t up to date. The operation of the institute was also impacted since all computer and server files were required to be rebuilt before the data could be restored.
A review of logs and historical data available traced the initial compromise of the Ryuk ransomware attack on the European biomolecular research institute to the moment when one of the institute’s partners, an external university student, installed a pirated data visualization software on the said student’s laptop.
The investigating team found that the institute allowed people outside the organization to access its network, with partners such as university students allowed to access the institute’s network via remote Citrix sessions without the need for two-factor authentication using their own personal computers.
The investigating team found that the partner-student of the institute who installed the pirated software posted a question on an online research forum asking if anyone knew of a free alternative of the data visualization software, of which an original software costs hundreds of dollars a year. When the partner-student of the institute didn’t find a free version, a pirated version was used instead.
According to Sophos’ Rapid Response team, the pirated software was a pure malicious software (malware) that immediately triggered a security alert from Windows Defender. In order to install the pirated software, the partner-student of the institute disabled Windows Defender as well disabled Windows Security Firewall.
The installed pirated software-malware capabilities include logging keystrokes, stealing browser, cookies and clipboard data. The pirated software-malware also enabled the attackers to steal the student’s access credentials for the institute’s network.
According to Sophos’ Rapid Response team, 13 days after the installation of the pirated software-malware, a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials, and 10 days after this connection was made the Ryuk ransomware was launched. The investigating team added that the institute’s RDP connection triggers the automatic installation of a printer driver, enabling users to print documents remotely.
“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” said Peter Mackenzie, manager of Rapid Response at Sophos. “The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”
Cybersecurity Best Practices
The Ryuk ransomware attack that targeted the European biomolecular research institute is a hard-earned lesson for the community.
While the partner-student of the institute is clearly at fault for using pirated software, the said cyberattack exposed the institute’s network weaknesses. Here are some of the cybersecurity best practices in order to fortify your organization’s network against cyberattacks such as Ryuk ransomware attack:
RDP is a proprietary protocol developed by Microsoft that allows users the ability to connect to another computer over the internet. In the blog post "Cybercriminals Actively Exploiting RDP to Target Remote Organizations", McAfee Labs said that as a result of the COVID-19 restrictions, organizations wanting to maintain operational continuity have allowed their employees to access networks remotely via RDP with minimal security checks in place, giving cyber attackers easy access to these networks.
In the past few years, a handful of RDP security vulnerabilities have been identified and patched by Microsoft. Organizations that lagged behind in applying these RDP patches are vulnerable to attacks.
In the blog post “Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks,” Microsoft said that RDPs that are not protected by strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections are vulnerable to brute force attack – a type of cyberattack that uses the trial-and-error method in guessing the correct username and password combination.
1 in 4 Cyberattacks in 2020 Caused by Ransomware, IBM Report Shows
IBM’s latest report, X-Force Threat Intelligence Index 2021, found 1 in 4 real cyberattacks worldwide in 2020 was caused by ransomware.
Double Extortion Tactic
Ransomware is a malicious software (malware) that encrypts victims’ computer files. File encryption prevents legitimate users from assessing their files. Ransomware attackers are publicly coming out that they’re also stealing victims’ data prior to encrypting these files.
IBM's X-Force Threat Intelligence Index 2021, which the company said is based on billions of data points collected from its customers and public sources between January and December 2020, showed that a number of the ransomware attacks in 2020 involved double extortion – a tactic in which the attackers demand ransom two ransoms. Aside from demanding from victims to pay ransom in exchange for the decryption key that would unlock the encrypted files, attackers also demand a second ransom payment, this time, as payment to stop the attackers from selling or auctioning the victims’ stolen files.
According to IBM, in 2020, 36% of the data breaches that X-Force (IBM’s cloud-based threat intelligence platform) tracked came from ransomware attacks that also involved alleged data theft, suggesting that “data breaches and ransomware attacks are beginning to collide.”
According to IBM, Sodinokibi, also known as REvil, was the most active ransomware in 2020, accounting for 22% of all ransomware incidents.
IBM estimated that the group behind the Sodinokibi ransomware earned at least $123 million in 2020 and stole about 21.6 terabytes of data from victims. IBM added that nearly two-thirds of the victims of Sodinokibi paid ransom, and nearly 43% had their stolen data leaked to the public.
Sodinokibi was first observed in the wild in April 2019. When it first came out, Sodinokibi was observed spreading itself by exploiting a vulnerability in Oracle’s WebLogic server.
According to IBM, Sodinokibi and other successful ransomware groups in 2020 were focused on stealing and leaking data, as well as creating ransomware-as-a-service cartels.
One of the reasons behind the notoriety and the resulting success of ransomware groups is that these groups operate in what is known as ransomware-as-a-service. In ransomware-as-a-service, one group maintains the ransomware code and another group, known as affiliates, spreads the ransomware.
Affiliates in ransomware-as-a-service are allowed to spread the ransomware in any way they like. In the blog post "McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us," McAfee Labs found that some affiliates prefer mass-spread attacks, while other affiliates adopt a more targeted approach.
Examples of mass-spread attacks are phishing and exploit kits. Phishing is the fraudulent way of obtaining sensitive information such as passwords and credit card details by impersonating a trusted individual or entity. Exploit kits, meanwhile, refer to threats that use automated tools to scan for vulnerable browser-based applications, compromised sites to divert web traffic, and run malware.
Cyberattacks that employ a targeted approach, meanwhile, refer to attacks targeting specific individuals or specific entities. Examples of targeted approaches include brute-forcing Remote Desktop Protocol (RDP) access.
RDP is a proprietary protocol developed by Microsoft that allows a Windows-based user to connect to a remote Windows personal computer or server over the internet. After brute-forcing RDP access, attackers then upload tools in order to gain more rights and run the ransomware inside the internal network of a victim.
“We have investigated several campaigns spreading Sodinokibi, most of which had different modus operandi but we did notice many started with a breach of an RDP server,” McAfee Labs said.
Cost of a Ransomware Attack
In its latest report, Universal Health Services said the company incurred $67 million as a result of an “Information Technology Incident” that occurred from September 27, 2020 up to October 2020.
TechCrunch reported the Universal Health Services information technology incident as ransomware attack. BleepingComputer, meanwhile, reported that the specific name of the ransomware behind the Universal Health Services information technology incident is Ryuk – a ransomware first discovered in the wild in August 2018.
Universal Health Services said there’s no evidence of unauthorized access, copying, or misuse of any patient or employee data.
“Given the disruption to the standard operating procedures at our facilities during the period of September 27, 2020 into October, 2020, certain patient activity, including ambulance traffic and elective/scheduled procedures at our acute care hospitals, were diverted to competitor facilities,” Universal Health Services said. “We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible. Additionally, certain administrative functions such as coding and billing were delayed into December, 2020, which had a negative impact on our operating cash flows during the fourth quarter of 2020.”
Security researchers aren’t certain about the infection vector of Ryuk ransomware. It’s suspected that this ransomware uses the targeted attack approach by brute-forcing RDP access and malicious use of Cobalt Strike.
Cobalt Strike is a commercial penetration testing tool that markets itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors." This commercial penetration testing tool uses tools such as Mimikatz – a tool that’s capable of obtaining plaintext Windows account logins and passwords.
Cybersecurity Best Practices Against Ransomware Attacks
Below are some of the cybersecurity best practices against ransomware attacks:
Ransomware Attacks on Healthcare Organizations Globally Increase by 45%, Study Shows
A recent report from Check Point showed that since November 2020, ransomware attacks targeting healthcare organizations globally has increased by 45%.
In the report "Attacks targeting healthcare organizations spike globally as COVID-19 cases rise again," Check Point said that the spike in the ransomware attacks targeting healthcare organizations globally more than double the overall increase in cyberattacks across all industry sectors worldwide seen during the same period. According to Check Point, the main ransomware variant used in the ransomware attacks was Ryuk, followed by Sodinokibi.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that blocks victims from assessing their computer systems or files and demands from the victims ransom payment for victims to re-gain access to the computer systems or files. Ransomware attackers also demand a separate ransom payment in exchange for the non-publication of data stolen in the course of the ransomware attack.
Ryuk and Sodinokibi Ransomware
Ryuk ransomware is a cyber threat that has been targeting organizations, specifically hospitals, businesses, and government institutions since 2018. This ransomware was first observed in the wild in August 2018.
Code comparison analysis of Ryuk ransomware and Hermes ransomware showed that both are generally equal, giving credence to the theory that the developer of Ryuk has access to the Hermes source code. Hermes ransomware was responsible for the money heist of a Taiwanese bank in October 2017.
Hermes is called a “pseudo-ransomware” – referring to ransomware that uses a ransomware attack as a cover to distract its main goal: stealing money. In the money heist of a Taiwanese bank in 2017, the Hermes ransomware attack was perfectly timed at the time when money was stolen from the bank.
The group behind Ryuk ransomware demands that the ransom payment should be in the form of the cryptocurrency bitcoin. After tracing bitcoin transactions for the known addresses attributable to Ryuk, researchers from HYAS and Advanced Intelligence reported that the group behind Ryuk earned more than $150,000,000.
“Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims,” researchers from HYAS and Advanced Intelligence said. “These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range.”
Sodinokibi, also known as REvil, meanwhile, is a type of ransomware that was first observed in April 2019. Code comparison analysis of Sodinokibi and another ransomware called “GandCrab” showed that the two shared a lot of similarities, indicating the developer of Sodinokibi had access to the GandCrab source code.
Both Ryuk and Sodinokibi encrypt important files in the compromised computer, locking out users from their files. These two demand a ransom to decrypt or unlock these files.
It’s now a known fact that during the course of the ransomware attack, Ryuk and Sodinokibi also steal victims’ files before encrypting them. Stolen data is then used for “double-extortion” attempt, that is, in addition to ransom payment to unlock the locked files, attackers demand from victims to pay another ransomware payment for the stolen files, threatening victims that failure to pay this second ransom payment would lead to the publication of the stolen files.
In November 2020, K12 Inc., now known as Stride, Inc., a company that provides online education, admitted that it was a victim of a ransomware attack. Open-sourced reports showed that Ryuk ransomware hit K12 Inc.
In a statement, K12 Inc. said, “We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed.”
Ryuk and Sodinokibi are part of the ransomware families called “Ransomware-as-a-Service (RaaS)”. In RaaS, one group maintains the ransomware code, and another group, known as affiliates, spreads the ransomware.
Cybersecurity Best Practices Against Ransomware Attacks
Both Ryuk and Sodinokibi are commonly spread via very targeted means such as RDP and spear phishing.
RDP, short for Remote Desktop Protocol, is a proprietary protocol developed by Microsoft which provides Windows user to connect to another Windows computer. In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks," Microsoft Defender Security Research Team said that RDP is an attractive target for threat actors as this presents a simple and effective way to gain access to a network, and conduct many follow-on activities such as ransomware attack.
Microsoft Defender Security Research Team said that threat actors often gain access to RDP through brute-force attack – referring to the trial-and-error method of guessing the correct username and password combination. Spear phishing, meanwhile, weaponizes an email against specific and well-researched targets. A spear-phishing email masquerades as coming from a trustworthy source.
Traditional spear-phishing emails attached malicious documents, for instance, a zip file. Modern-day spear-phishing emails come with malicious documents that are hosted on legitimate sites such as Dropbox, OneDrive, or Google Drive.
To protect RDP from brute-force attacks and ultimately ransomware attacks, use strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections. Spear phishing prevention, meanwhile, includes phishing simulation tests, and an established process for users to report suspicious emails to the IT security team.
It’s also important to implement the 3-2-1 backup rule and network segmentation in case attackers breach your organization’s network.
The 3-2-1 backup rule means that at least 3 copies of critical data must be kept, with 2 copies in different media and one copy offsite. Network segmentation, meanwhile, refers to the practice of dividing your organization’s network into sub-networks so that in case something happens to one sub-network, the other sub-networks won’t be affected.
How to prevent ransomware attacks: Best practices guide
Ransomware attacks are becoming common. The city of Saint John in New Brunswick recently fell victim to a ransomware attack.
What Is Ransomware Attack?
Ransomware attack is a type of cyberattack in which victims’ files are locked and held for ransom. In a ransomware attack, an attacker promises that in exchange for a ransom payment, the key or keys that would unlock the lock files would be released.
Ransom payment isn’t a guarantee that your organization will get back your files as some keys given by attackers don’t work by design or through errors in coding. Today’s ransomware attackers demand two ransom payments, one for unlocking the locked files, and another ransom payment to prevent them from publishing stolen data. This second ransom payment shows that today’s ransomware attackers, not just lock victims’ files but also steal data.
City of Saint John Ransomware Attack
A few weeks ago, the city of Saint John in New Brunswick fell victim to a ransomware attack. Last November 17, Don Darling, the Mayor of the city of Saint John, confirmed that the city’s IT system was hit by ransomware.
To protect the city’s IT system, the Mayor of Saint John said the city’s website, servers, and email system have been disabled. Due to the nature of the attack, the Mayor said the city won’t comment on the ransom demand. Saint John city manager John Collin, meanwhile, said that as of November 17, there was no indication that personal information was accessed or transferred in the ransomware attack.
Weeks after the ransomware attack, the Saint John city manager said that the city departments' phone lines, email to most city hall employees, and online payments are still unavailable. Saint John city manager said that taking the systems offline was an "immediate and proactive" response to contain the attack. "Our network will be back online only once we are sure that it is safe to do so," he said.
In the case of the city of Saint John, it wasn’t revealed how the ransomware attacker or attackers’ initially compromised the city’s IT system.
Exposure via Third-Party Software
The recent ransomware attack on the city of Saint John isn’t the first time that the city fell victim to a cyberattack.
In December 2018, Stas Alforov, director of research and development for Gemini Advisory, said the firm discovered nearly 300,000 payment records in underground marketplaces that specialize in the sale of compromised payment card data. According to Alforov, the payment records were stolen from 46 confirmed compromised US locations and one Canadian location, with 6,000 payment records from Canada. That one Canadian location is the city of Saint John.
Alforov said the breach of nearly 300,000 payment records is part of the larger hacking operation conducted by the same hacking group. Analysis of the card data, Alforov said, found that payment records have likely been stolen from municipal government services that used the software called “Click2Gov,” a payment software primarily used by local governments to receive various payments.
In the case of the city of Saint John, the Click2Gov payment software was used for paying parking tickets through the city's website. Alforov told Huffington Post Canada that he received a call from the city of Saint John after the publication of his report. The city, he said, wasn't aware of the data breach. Alforov added that the city’s parking ticket payment system appeared to have been breach back in September 2017.
To date, there’s no information on whether the past data breach on the city of Saint John’s parking ticket system is related to the recent ransomware attack.
Other victims of ransomware attacks such as the city of Keene, Texas, were able to establish the link between the compromised third-party software and the resulting ransomware attack. In August 2019, Keene Mayor Gary Heinrich told NPR that ransomware attackers compromised the software used by the city. This software, the mayor said, was managed by a third-party company. Said software was also used by close to two dozen local governments in Texas, which also fell to a collective ransomware attack.
"They got into our software provider, the guys who run our IT systems," Heinrich said. "Well, just about everything we do at City Hall is impacted.”
The ransomware attack on the local governments of Texas, including the City of Keene, showed a gateway by which ransomware attackers initially compromise their victims, that is, through third-party software.
Cybersecurity Best Practices
Here are some of the best cybersecurity practices against ransomware attacks:
Properly Vet Third-Party Software
Third-party software, which your organization has no control over the source code, should be properly vetted in the cybersecurity area.
Keep All Software Up to Date
Apply in a timely manner software updates, also known as patches, that are released by software vendors. These patches not only contain feature upgrades but also updates fixing known security vulnerabilities.
Ransomware attackers have been known to initially compromise victims by exploiting a known security vulnerability, in which the software vendor already released a patch but the software users failed to apply the patch in a timely manner.
Practice the 3-2-1 Backup Rule
The 3-2-1 backup rule is your organization’s best defense against the first type of ransom demand: ransom demand to unlock files. The 3-2-1 backup rule states that three backup copies should be kept, two in different formats, and one of these copies should be kept offsite.
This isn’t, however, the answer to the second type of ransom demand: ransom demand to prevent stolen data publication.
When you need help, our team of cybersecurity and IT experts is a phone call away. Connect with us today, and take a proactive approach to cybersecurity.
Threat Focus: WastedLocker Ransomware
Garmin, an American multinational company that markets GPS navigation and wireless devices and applications, has reported a global outage on its systems since last July 23.
Last July 23, Garmin announced that it was experiencing an outage that affected Garmin Connect – a service that syncs users' activity and data to the cloud and other devices. Garmin also announced that the outage affected the company's call centers, cutting off the company's ability to respond to any calls, emails and online chats.
Last July 26, Garmin followed up its July 23 announcement. The statement said the company "has no indication that this outage has affected your data, including activity, payment or other personal information."
flyGarmin, Garmin's service that offers navigational software to pilots, in a separate statement said that last July 23 it also experienced a similar outage in which users couldn't access flyGarmin's website and call centers. flyGarmin specified that its Connext services, in particular, weather, data from the on-board Central Maintenance Computer (CMC), position reports were down; and Garmin Pilot apps, in particular, flight plan filing (unless connected to FltPlan, account syncing, database concierge) were down.
Based on its July 26 update, flyGarmin said that its website and mobile app are now operational, and that customer support can handle limited calls, but emails and chat supports are still unavailable.
While Garmin remains silent on what caused the global outage of its systems, BleepingComputer and TechCrunch reported that sources familiar with the Garmin outage investigation and company employees point to the direction that Garmin fell victim to WastedLocker ransomware.
A Garmin employee told BleepingComputer that they first learned of the attack when they arrived at their office last Thursday morning. As devices were being encrypted, employees were told to shut down any computer on the network, including computers used by remote workers that were connected via virtual private network (VPN), to prevent additional devices from being encrypted. As shown by the photo sent by a Garmin employee to BleepingComputer, the ".garminwasted" extension was appended to the file name of every encrypted file.
WastedLocker ransomware was first tracked in the wild in May of this year. This ransomware was named after the filename it creates which includes an abbreviation of the victim’s name and the word "wasted".
One of the known methods used by the group behind the WastedLocker ransomware is the use of fake software update that shows up on the users' computer screen when visiting certain legitimate websites. Malicious code is inserted by the group behind the WastedLocker ransomware on vulnerable websites, prompting unsuspecting users to click on the fake software updates that show up on their trusted websites.
Once a user clicks on this fake software update, the WastedLocker ransomware activates CobaltStrike – a commercial penetration testing tool that can be used by ethical security researchers as well as by malicious actors. This commercial penetration testing tool uses tools such as Metasploit and Mimikatz.
Metasploit is an open-source tool for probing vulnerabilities on networks and servers. It can easily be customized and used with most operating systems.
Mimikatz, meanwhile, is another open-source tool that gives out passwords as well as hashes and PINs from memory. This tool makes it easy for attackers to conduct post-exploitation lateral movement within a victim's network.
After exploring the weak spots and access credentials, the WastedLocker ransomware is then dropped into the victim's network or server. With WastedLocker ransomware, it isn't possible to get backup copy on the affected computer as this malicious software deletes shadow copies – the default backups made by Windows operating systems.
Security researchers, including those from Malwarebytes and Fox-IT, named Evil Corp Group as the group behind WastedLocker ransomware. Most of today's ransomware groups openly admit that they steal victims' data prior to encrypting files. These ransomware groups publish or auction the data belonging to victims that are unwilling to pay the ransom.
According to Malwarebytes, the group behind the WastedLocker ransomware "does not exfiltrate stolen data and publish or auction the data that belong to 'clients' that are unwilling to pay the ransom".
Fox-IT, meanwhile, said that the group behind WastedLocker ransomware “has not appeared to have engaged in extensive information stealing or threatened to publish information about victims”. "We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public," Fox-IT said.
The group behind WastedLocker ransomware demands ransom payment ranging from US$500,000 to over $10 million in Bitcoin. One of the sources of BleepingComputer said that the ransom demand in exchange for decryption keys that could unlock the encrypted files of Garmin is priced at US$10 million.
In December 2019, the U.S. Treasury Department, sanctioned Evil Corp by way of prohibiting U.S. persons in dealing with the group. The U.S. Treasury Department said that "U.S. persons are generally prohibited from engaging in transactions with them [Evil Corp]." Engagement, in this case, could be mean that US individuals or organizations are prohibited in engaging with Evil Corp, such as via ransom payment.
The sanction of the U.S. Treasury Department’ came after leaders and members of the Evil Corp were charged for developing and distributing the malicious software (malware) called "Dridex". The U.S. Treasury Department said that Dridex infected computers and harvested login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than US$100 million in theft.
Steve E. Driz, I.S.P., ITCP