Retargeted Attacks Continue to Rise

Retargeted Attacks Continue to Rise

Once a target, always a target. This seems to be the case in the City of Baltimore in Maryland as the City recently suffered another cyber-attack – the second attack in just over a year.

Last May 7, Baltimore Mayor Bernard Jack Young announcedthat the City’s network was infected with a ransomware. As a precaution, he said the City shut down the majority of its servers. While the City’s essential services such as police and fire departments are operational, the ransomware infection and the resulting shutting down of the majority of the servers resulted in network outage, email outage and phone outage with nearly every other department of the City affected.

Just over a year ago, in March 2018, the City of Baltimore suffered another cyber-attack. The 2018 attack was, however, limited to Baltimore's computer network that supports emergency calls. The attack forced the staff to resort to manual operations to handle calls.

Baltimore Chief Information Officer and Chief Digital Officer Frank Johnson told Ars Technicathat the 2018 cyber-attack which brought down Baltimore's computer-aided dispatch (CAD) system was caused by a ransomware. It wasn’t revealed what was the exact type of ransomware that hit Baltimore’s CAD system.

The point of entry of the ransomware was, however, partially identified. According to Johnson, the Baltimore City Information Technology office determined that "the vulnerability was the result of an internal change to the firewall by a technician who was troubleshooting an unrelated communication issue within the CAD System”.

In a press conference, Baltimore Chief Information Officer and Chief Digital Officer Johnson said that the recent cyber attack on Baltimore’s system was caused by the “very aggressive RobinHood ransomware".

RobinHood Ransomware

Ransomware is a type of malicious software (malware) that locks out computer users by encrypting computer systems or files and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted computer systems or files.

RobinHood ransomware is a fairly new malware. In early April last month, the RobinHood ransomware similarly infected the network of the City of Greenville, South Carolina, which prompted the City to shut down the majority of its servers.

In late April last month, security researcher Vitali Kremez reverse engineered a sample of the RobinHood ransomware. Kremez told BleepingComputerthat on execution, this malware stops 181 Windows services associated with antivirus and other software that could keep files open and prevent their encryption. This ransomware also doesn’t spread within the network, which means that every infected computer is individually targeted.

Kremez, meanwhile, told Ars Technica that the RobinHood ransomware attacker or attackers need administrative-level access to a system on the network “due to the way the ransomware interacts with C:\Windows\Temp directory”. It’s still unknown how the RobinHood ransomware gains access to a network and the computers connected toit.

The Robinhood ransomware drops its ransom note on the desktop, informing victims that 3 bitcoins must be paid to get the decryption key of one computer or alternatively send 13 bitcoins for the decryption keys of an entire infected system. The ransom note also states that the cost of payment increases “$10,000 each day after the fourth day.” The value of 1 bitcoin as of May 11, 2019 4PM GMT+7 is $6,312.

Prevalence of Retargeted Cyber Attacks

A study conducted by FireEye Mandiantfound that organizations that have been breached before are much more likely to be targeted again. In 2017, FireEye Mandiant reported that 56% of victims of at least one significant cyber-attack were targeted again by the same or similarly motivated attack group. In 2018, this number has continued to climb, increasing to 64%, FireEye Mandiant reported.

The top 5 retargeted industries in 2018 were finance (18%), education (13%), health (11%), pharmaceutical (9%), retail and hospitality (7%), and telecommunications (7%).

The FireEye Mandiant report further found that in 2018 organizations in the Asia-Pacific (APAC) region were far more likely to succumb to retargeted attacks, with 78% of APAC organizations fell victim to another attack. The said report also found that for the same period, 63% of organizations in the Americas fell victim to another attack. The report also found that for the same period, 57% of the organizations in Europe, Middle East, and Africa (EMEA) fell victim to another attack.

"This data further substantiates the fact that if you’ve been breached, you are much more likely to be targeted again and possibly suffer another breach," FireEye Mandiant said.

How to Prevent Retargeted Attacks

Configuring ordinary workstations not to install software and establishing a separate device or devices exclusively for administrative tasks (for installing and removing software and changing configuration settings) are two preventive measures in reducing the odds of malicious actors gaining access into your organization’s network.

Configuring ordinary workstations not to install software is a proactive means of preventing accidental installation of malicious software by unwittingly downloading malicious attachments or clicking on malicious links contained inside malicious emails.

Devices exclusively used for administrative tasks, meanwhile, should be secured through the following:

• Installing the most recent software and operating system and keeping it up to date;
• Preventing administrative tasks from being executed remotely; and…
• Implementing just-in-time (JIT) privileges, that is, providing users access to these exclusive devices only for a limited time and then removing this access after the lapse of the prescribed time. This ensures that access can't be abused over a period of time.

When you need help preventing cyberattacks and protecting your network and computers against ransomware, connect with our teamand get right advise at the right time.