Last Week in Ransomware: 02.05.2024

Written by Halcyon Team
Published on Feb 5, 2024

Last week in ransomware news we saw proxy attacks threaten national security, ransomware/AI/war impacting cyber insurance, and sensitive U.S. government data exfiltrated in ransomware attacks...

Ransomware Attacks Verging on Cyberterrorism

In a recent turn of events, the Kansas City Area Transportation Authority (KCATA) has fallen victim to a ransomware attack orchestrated by the notorious Medusa ransomware gang.  

The attack has disrupted several crucial services, including RideKC, Freedom, and Freedom-On-Demand Paratransit, which caters to customers in need of medical transport.  

The Medusa operators are demanding a staggering $2,000,000, with a ten-day ultimatum for negotiations. Failing to comply could result in the exposure of sensitive data obtained during the attack, a situation that raises significant concerns regarding the privacy and security of KCATA's customers.

The potential exposure of personal and payment details of customers could lead to severe consequences, emphasizing the urgent need for a robust response to ransomware attacks on critical infrastructure and public entities.  

The agency has not clarified whether registered members and pass holders have had their sensitive information compromised. The Medusa operators have also offered an extension to the ransom deadline at a daily cost of $100,000, revealing an alarming escalation in the ransomware landscape.

This incident underscores two critical issues arising from ransomware attacks: the compromise of sensitive data and the subsequent potential for fraud, as well as the heightened risks faced by patients dependent on transportation services for medical appointments.  

A recent study indicates that healthcare professionals experience disruptions in patient care due to ransomware attacks, with impacts on mortality rates and complications in medical procedures.

The lack of government intervention to protect organizations from nation-state-associated threat actors is becoming increasingly evident. The tactics employed by ransomware operators now resemble those seen in state-sponsored operations.  

The U.S. government's reliance on guidelines, best practices, and frameworks is proving insufficient, leaving organizations in both the public and private sectors vulnerable to cyber threats that not only affect their finances but also jeopardize national security.


Cyber Insurance Impacted by Ransomware, AI and Threat of War

As organizations turn to cyber insurance to mitigate the financial impact of cyberattacks, recent trends indicate a growing challenge in quantifying ransomware risk for insurers.  

The cyber insurance market, now valued at $10 billion, faces significant disruptions due to the unpredictability of ransom payments and the increasing prevalence of ransomware attacks.  

The ongoing wars in Ukraine and Gaza have further heightened the alertness of insurers, leading to a reduction in coverage offerings and an anticipated surge in hacking incidents in 2024.

Many cyber insurance policies no longer cover ransom payments, making premiums more unpredictable. Reports suggest that insurers are paying out most or all collected premiums in claims, casting uncertainty over the future viability of cyber insurance.  

Double extortion tactics, including data exfiltration, complicate negotiations, with insurers often negotiating terms favorable to stakeholders rather than the victim organization.  

A proactive approach to security is emphasized, with organizations urged to invest in tools and solutions that prevent successful ransomware attacks.


Sensitive U.S. Government Data Exfiltrated in Ransomware Attacks

Another alarming incident involves Johnson Controls International, a manufacturer of industrial control systems and physical security equipment, confirming sensitive data exfiltration in a ransomware attack.  

The recovery efforts following the attack have incurred losses of $27 million. The breach of 27 TB of confidential data raises concerns about the potential compromise of critical infrastructure security, given Johnson Controls' classified contracts with the Department of Homeland Security.

The growing overlap between cybercriminal activity and nation-state operations poses challenges in attribution, making it difficult for the U.S. and allied governments to take decisive actions against rogue nations supporting ransomware attacks.  

The increasing importance of cyber operations in geopolitical issues and the difficulty in attributing attacks underscore the need for a more robust collective response.


Even More Sensitive U.S. Government Data Exfiltrated

Highlighting this threat is a report that the U.S. Department of Defense is currently investigating claims by a ransomware operator who asserts the exfiltration of sensitive U.S. military data.  

The involvement of ransomware groups as proxies for nation-states raises the stakes, as adversarial nations may risk triggering international incidents that could prompt military responses from the U.S. and its allies.  

The strategy of using seemingly independent actors as proxies for plausible deniability may backfire if adversarial nations fail to maintain good operational security. Attribution challenges persist, with attackers employing various tactics to avoid detection and identification.  

The use of Tor and VPNs, compromise of third-party infrastructure, anonymous payment methods, encryption, polymorphic malware, living-off-the-land techniques, supply chain attacks, fileless malware, counter-forensics, and red herrings all contribute to the difficulty in tracing cybercriminals.

Ultimately, it is imperative for the U.S. government and its allies to address the growing ransomware threat as a national security concern. Until rogue governments providing safe harbor for ransomware operators are held accountable, the wave of ransomware attacks is unlikely to subside.  

As the risk to critical infrastructure and national security intensifies, a shift from law enforcement actions to a proportional military response may become inevitable in the face of a disruptive attack.  

The conversation surrounding ransomware attacks is poised for a significant transformation that demands a collective and decisive approach to safeguarding the nation's security.
