Last Week in Ransomware: 01.15.2024

Last week in ransomware news we saw a ransomware gang threaten patients with swatting, the debate over banning ransom payments rages, and Mimic ransomware gang exploiting misconfigured MSSQL servers...

Debating a Ransom Payment Ban

The debate over whether to ban ransom payments has intensified, with proponents arguing that it could deter cybercriminals. However, the issue is far from black and white, as the proposed ban fails to consider the intricacies of the evolving landscape of ransomware attacks.  

The U.S. government's push for a blanket ban on ransom payments aims to reduce the financial incentives driving ransomware attacks. While the intention is clear, critics argue that such a ban oversimplifies a multifaceted problem.  

The potential impact of a ransomware attack varies, and the government's stance implies that organizations should bear the burden of attacks rather than relying on government protection.

The central argument supporting ransom payments is the expeditious recovery of valuable data. Those in favor believe that paying the ransom is often more cost-effective than restoring data from backups or incurring financial losses due to delayed recovery.  

However, paying a ransom creates legal liabilities and increases the likelihood of future attacks.

The recent summit hosted by the Biden administration, where security leaders pledged to adopt non-payment policies, may seem like a proactive step. However, it highlights the difficult decisions organizations face, with potential repercussions regardless of their choice.  

The lack of one-size-fits-all solutions underscores the government's struggle to address the growing threat of ransomware and data extortion attacks.  

While paying ransoms may seem like a quick fix, it fails to address the root cause of the problem – vulnerabilities in organizations' systems. The focus should shift towards implementing preventative and resilience measures, including early detection capabilities and mitigation plans.

READ MORE HERE

Crazy Double Extortion Tactics

Ransomware operators have evolved their tactics to include double extortion, which at first consisted of threatening the release of sensitive data if they refuse to pay. This not only adds pressure on organizations but also exposes additional risk.  

As the double extortion tactic was deemed effective, ransomware operators ramped up the threats to include submitting a U.S. Securities and Exchange Commission (SEC) complaint, the exposure of clinical photographs of breast cancer patients, and even threats to leak very intimate details of abuse and mental health status of vulnerable students.

Ransomware operators and data extortionists are now threatening patients whose data has been exposed in an attack with swatting. Swatting is a harassment tactic that involves calling in bomb threats or other false threats to law enforcement to prompt an armed response to the victim's home.

The escalating nature of these threats necessitates a comprehensive approach to detection and prevention.

READ MORE HERE

Exploiting MSSQL Vulnerabilities

Ransomware operators are becoming more proficient at exploiting vulnerabilities, as seen in the case of Turkish threat actors targeting misconfigured MSSQL servers.  

Automation plays a key role in these attacks, with threat actors identifying and targeting organizations that have not patched known vulnerabilities. The mass exploitation of vulnerabilities underscores the urgency for organizations to prioritize patching and bolster their cybersecurity measures.

The bad news is that as attackers are getting more proficient at automating aspects of the attack progression by exploiting known vulnerabilities for initial access, improving stealthy payload delivery, fine tuning evasion techniques, and exponentially improving encryption speeds, we will likely continue to see an escalation in attacks.

The good news is that given these attacks leverage exploits for well-documented vulnerabilities, which means we have a chance to detect and stop these ransomware operations earlier in the attack sequence.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to fill endpoint protection gaps and defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.