Last Week in Ransomware: 02.19.2024

Written by Halcyon Team
Published on Feb 19, 2024

Last week in ransomware news we saw attacks on Fulton County in Georgia, on Trans-Northern Pipelines, and on healthcare providers – all of these attacks should be classified as terrorism...

Ransomware Attacks on Healthcare are Terrorism

Fulton County, Georgia, recently fell victim to a ransomware attack perpetrated by the LockBit gang, disrupting critical county services for weeks. While county officials assert the attack isn't related to the upcoming election, the incident underscores the dual nature of many ransomware operations, which aim to generate profit while potentially serving the geopolitical interests of adversarial nations.

The attackers' primary objective appears to be financial gain, as indicated by the disruption of critical systems to pressure the victim into paying a ransom. However, the timing of the attack, coinciding with the upcoming election and Fulton County's recent prominence in the news due to election-related litigation, suggests a potentially broader agenda.

Ransomware operators seek to maximize pain, publicity, and frustration to increase their illicit gains. However, there's evidence that some attacks align with larger geopolitical strategies, serving the interests of rogue regimes like Russia, China, Iran, and North Korea.  

These nations may influence or directly control ransomware targets to further their geopolitical objectives, leveraging the plausible deniability afforded by cybercriminal activity.

Designating ransomware attacks against critical infrastructure as terrorism unlocks additional response options beyond traditional law enforcement measures. By recognizing these attacks as state-sponsored terrorism, nations can deploy offensive cyber and even kinetic military responses, addressing the broader geopolitical implications.

The interconnected nature of ransomware attacks and geopolitical interests necessitates a shift in approach, moving beyond viewing them solely as criminal matters. Instead, it's imperative to acknowledge the terrorism inherent in targeting critical infrastructure and to confront the involvement of state actors directly sponsoring such attacks.

Categorizing ransomware attacks against critical infrastructure as state-sponsored terrorism acknowledges their broader implications and enables a more comprehensive and effective response to safeguard national security and protect against future attacks.


Ransomware Attacks Threaten National Security

Ransomware attacks have evolved beyond mere disruptions to IT systems; they now pose a serious threat to human lives and national security. The recent attack on hospitals in Romania highlights the severity of these incidents, with patient data and critical procedures compromised. Such attacks should be recognized for what they are: terrorism.

Considering the potential harm and fear instilled by ransomware attacks on healthcare providers, it's clear they transcend typical cybercrime. Attacks that jeopardize human lives should be classified as acts of terrorism. Nations harboring or supporting such threat actors should be held accountable as state sponsors of terror.

Currently, ransomware attacks are treated primarily as criminal acts, falling under the jurisdiction of law enforcement. However, as these attacks increasingly target critical infrastructure, they become national security threats.  

For instance, Russian-based ransomware groups have targeted not only healthcare providers but also contractors for the U.S. Department of Defense, blurring the lines between cybercrime and state-sponsored aggression.

Despite occasional arrests, law enforcement efforts have failed to curb the rising tide of ransomware attacks, which are setting new records in frequency and cost of recovery. With ransom payments exceeding $1 billion in 2023, ransomware operators are well-funded and continuously improving their capabilities.

Complicating matters further, ransomware activities often intersect with nation-state interests, allowing hostile governments to disavow involvement while indirectly supporting attacks. This lack of accountability perpetuates the cycle of ransomware assaults.

To effectively combat this threat, a paradigm shift is needed. Ransomware attacks must be reclassified as state-sponsored terrorism, enabling the imposition of sanctions on rogue regimes. Additionally, leveraging the military's cyber capabilities, as designated in the National Military Strategy, is essential to defend against and engage with hostile actors in cyberspace.

Ultimately, the stakes are high: lives are at risk, and national security is compromised. It's imperative to adopt a more robust approach, utilizing all available tools to address this pervasive and evolving threat.  

By recognizing ransomware attacks as acts of terrorism and leveraging military capabilities, nations can better protect their citizens and critical infrastructure from this scourge.


Ransomware Attacks on Critical Infrastructure are Terrorism

Trans-Northern Pipelines (TNPI) recently disclosed an investigation into a cybersecurity incident that occurred in November 2023, potentially involving a ransomware attack claimed by the ALPHV/BlackCat gang. The attack targeted critical Linux systems, raising concerns due to the increasing trend of ransomware groups targeting Linux platforms.

Linux, which powers a significant portion of critical infrastructure and sensitive operations globally, has become a prime target for ransomware attacks. Its prevalence in web servers, IoT devices, government and military networks, financial systems, and more makes it an attractive target for threat actors. Moreover, Linux's "always on, always available" nature and the lack of comprehensive security offerings for it further exacerbate the challenge of defending against such attacks.

Attackers are drawn to Linux servers due to the potential for inflicting substantial disruption, leading to higher ransom demands. Additionally, the open-source nature of Linux provides attackers with insights for customizing attacks, amplifying the potential impact of compromises. Targeting Linux systems could result in catastrophic disruptions surpassing those seen in previous ransomware attacks.  

To mitigate these risks, organizations must redouble their efforts to defend Linux systems and prepare for potential ransomware attacks. However, relying solely on government intervention for preventative protection is not viable, as the responsibility largely falls on individual organizations to ensure resilience against such threats.

In summary, the targeting of critical Linux systems by ransomware groups poses significant risks to global infrastructure and operations. Organizations must take proactive measures to enhance defenses and resilience, as the consequences of not addressing these vulnerabilities could be catastrophic.


Vulnerability Exploits Rule

Planet Home Lending recently fell victim to a LockBit ransomware attack exploiting a known vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances. This breach compromised the personal data of over 200,000 customers, including sensitive information such as Social Security numbers and financial account details. Despite implementing multiple security layers, Planet Home's defenses were circumvented by the exploit.

The LockBit gang has actively targeted CVE-2023-4966, also known as Citrix Bleed, impacting thousands of organizations globally. Although patches were released in early October to address the vulnerability, many organizations have yet to upgrade to secure versions. This delay raises questions about why vulnerable organizations haven't implemented fixes for known bugs, such as those affecting GoAnywhere and MOVEit applications, exploited by ransomware operators throughout the year.

The reasons behind organizations' failure to patch or upgrade can be divided into two categories: those who could patch but chose not to, and those who wanted to patch but faced obstacles. While some organizations neglect patching despite having the capability, others struggle due to complexities involved in the process. Patching often requires testing in a development environment before deployment in production, and compatibility issues with legacy systems or internal applications may further impede the process.

Research indicates that a significant portion of ransomware-related exploits target known vulnerabilities disclosed between 2010 and 2019, many of which have available patches. However, these vulnerabilities are often of low to medium severity, making them low priority for patching or neglected entirely. Attackers exploit these vulnerabilities, leveraging automated tools to identify and compromise vulnerable systems.

Despite the challenges, organizations have a responsibility to prioritize patching and upgrading vulnerable systems to mitigate the risk of exploitation. Automation tools can aid in identifying exposed systems, helping organizations stay vigilant against potential threats. Ultimately, there's no excuse for organizations to remain unaware of, or unprepared for, known vulnerabilities that could compromise their security.
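As an added illustration of the prioritisation argument above (example code, not from the post): a small Python script that ranks patch findings so that a vulnerability with known in-the-wild exploitation outranks an unexploited one of higher severity. The product names, version numbers and placeholder CVE ids are constructed sample data; only CVE-2023-4966 comes from the post.

```python
"""Patch-prioritisation example: rank findings so that vulnerabilities with
known in-the-wild exploitation outrank unexploited ones regardless of severity.
All catalogue and asset data below are constructed sample values."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    fixed_version: tuple   # first version that is no longer affected
    severity: str
    known_exploited: bool  # listed in a known-exploited-vulnerabilities feed

def parse_version(text):
    """'13.1-48.47' -> (13, 1, 48, 47); accepts '.' or '-' separators."""
    return tuple(int(p) for p in text.replace("-", ".").split("."))

def findings_for(asset, catalog):
    """Vulns that apply to one asset ({'host', 'product', 'version'})."""
    installed = parse_version(asset["version"])
    return [v for v in catalog
            if v.product == asset["product"] and installed < v.fixed_version]

def prioritised(assets, catalog):
    """Order all findings: exploited-in-the-wild first, then by severity,
    then by CVE id so the result is stable. Returns (host, cve) pairs."""
    rows = [(a["host"], v) for a in assets for v in findings_for(a, catalog)]
    rows.sort(key=lambda r: (not r[1].known_exploited,
                             -SEVERITY_RANK[r[1].severity], r[1].cve))
    return [(host, v.cve) for host, v in rows]

# Constructed catalogue: the CVE named in the post plus placeholder ids (not real CVEs).
CATALOG = [
    Vuln("CVE-2023-4966", "gateway-appliance", (13, 1, 49, 15), "critical", True),
    Vuln("CVE-2015-PLACEHOLDER-A", "file-transfer-app", (7, 2, 0), "medium", True),
    Vuln("CVE-2022-PLACEHOLDER-B", "file-transfer-app", (7, 4, 0), "high", False),
    Vuln("CVE-2019-PLACEHOLDER-C", "web-server", (2, 4, 50), "low", True),
]
# Constructed inventory; web-01 already runs the fixed version.
ASSETS = [
    {"host": "vpn-01", "product": "gateway-appliance", "version": "13.1-48.47"},
    {"host": "mft-01", "product": "file-transfer-app", "version": "7.1.2"},
    {"host": "web-01", "product": "web-server", "version": "2.4.50"},
]

if __name__ == "__main__":
    for host, cve in prioritised(ASSETS, CATALOG):
        print(host, cve)
```

Note that the medium-severity placeholder on mft-01 lands above the unexploited high-severity one, which is the ordering a CVSS-only patch queue would miss.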
