Last Week in Ransomware: 09.30.2024
Last week in ransomware news... we saw that Suffolk County ignored FBI warnings, a Mallox Linux variant based on leaked Kryptina code, and MoneyGram cash services disrupted...
Suffolk County Ignored FBI Warnings
In September 2022, Suffolk County, New York, experienced a major ransomware attack that exposed significant gaps in its cybersecurity preparedness and response capabilities.
A special legislative committee released a detailed report revealing that county officials failed to take necessary actions despite repeated warnings about potential cyber threats, ultimately leading to widespread disruptions across critical government services.
The attack, attributed to the BlackCat/ALPHV ransomware group, exploited a vulnerability in the widely used Log4j software. The hackers managed to breach the county’s systems, encrypting sensitive data and demanding a ransom.
The incident had severe repercussions: Suffolk County’s main website remained offline for five months, 911 services were briefly interrupted, and residents were unable to access various services, such as paying traffic fines.
One of the primary issues highlighted in the report was the county’s lack of an organized IT structure and the absence of a Chief Information Security Officer (CISO). Multiple IT teams operated in silos, without centralized coordination, leaving the county more vulnerable to sophisticated cyberattacks.
Moreover, despite the FBI issuing warnings about potential threats, Suffolk County officials did not have a formal incident response plan in place, further complicating efforts to contain and mitigate the damage once the attack occurred.
The financial impact of the attack has been staggering, with the county spending over $25 million on remediation efforts and other associated costs.
Suffolk County was also at a disadvantage because it did not have cyber insurance coverage at the time of the attack—an issue that many local governments in the United States face, making them more susceptible to the financial fallout of cyber incidents.
As a result of the attack, Suffolk County has begun the process of hiring a CISO to improve cybersecurity management and incident response coordination. The goal is to prevent future breaches and enhance the county’s overall cyber resilience.
The report’s findings underscore the need for local governments and organizations to develop robust cybersecurity strategies that include proactive threat detection, rapid response capabilities, and comprehensive recovery plans.
Achieving true cyber resilience involves a combination of strong cybersecurity measures and the ability to withstand and recover from cyber incidents. To measure and enhance cyber resilience, organizations must track several key performance indicators (KPIs) and metrics, including:
- Mean Time to Detect (MTTD): MTTD is a crucial metric that measures how quickly an organization can identify a cyber threat. A shorter MTTD reflects better detection capabilities, reducing the likelihood of extensive damage. Investing in tools like real-time monitoring and intrusion detection systems can help improve this metric.
- Mean Time to Respond (MTTR): MTTR measures the time taken to respond to a threat after it has been detected. A lower MTTR means the organization can neutralize the threat more rapidly, minimizing its impact. Regularly updating and refining incident response plans can help improve this metric over time.
- Incident Response Plan Effectiveness: Assessing the effectiveness of an organization’s incident response plan during a cyber event is crucial. This includes evaluating containment times, communication efficiency, and overall team coordination. Regular testing and updates of the plan ensure its relevance and effectiveness.
- Cybersecurity Training and Awareness: Human error is a leading cause of cyber breaches. Monitoring employee awareness levels and the effectiveness of cybersecurity training programs is essential for reducing vulnerabilities. Customized training modules tailored to specific roles can greatly enhance the organization’s overall security posture.
- Cyber Risk Exposure: Quantifying cyber risk exposure through metrics such as vulnerability severity and threat likelihood helps organizations understand their risk posture. This understanding is essential for effective resource allocation and prioritization of security efforts.
- Security Controls Effectiveness: Regularly monitoring the performance of security controls, such as intrusion detection systems and firewalls, is necessary to determine their adequacy and make adjustments as needed.
- Backup and Recovery Metrics: Backup and recovery processes are vital in the face of ransomware attacks. Metrics like recovery time objectives (RTO) and recovery point objectives (RPO) help ensure that an organization can restore critical data and operations swiftly after an incident.
- Business Continuity and Disaster Recovery (BCDR) Metrics: Measuring the effectiveness of BCDR plans helps organizations maintain operations during and after a cyber incident. Regular testing of these plans ensures they remain effective against evolving threats.
Ultimately, achieving cyber resilience requires a holistic approach that combines proactive detection, rapid response, and robust recovery capabilities. By monitoring and optimizing these key metrics, organizations can strengthen their resilience, protect critical assets, and maintain business continuity even in the face of adversity.
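To make the MTTD, MTTR, RTO and RPO metrics above concrete, here is an added example (not from the original post) that computes them from a constructed incident timeline and flags incidents whose recovery missed the stated objectives; the Incident fields and the sample timestamps are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass
class Incident:
    name: str
    compromise_at: datetime        # earliest evidence of attacker activity in the logs
    detected_at: datetime          # when the SOC raised the alert
    contained_at: datetime         # when the threat was neutralised
    restored_at: datetime          # when affected services were back in operation
    last_good_backup_at: datetime  # newest backup that restored cleanly

HOUR = 3600.0

def mttd_hours(incidents):
    """Mean Time to Detect: average gap between compromise and detection, in hours."""
    return mean((i.detected_at - i.compromise_at).total_seconds() for i in incidents) / HOUR

def mttr_hours(incidents):
    """Mean Time to Respond: average gap between detection and containment, in hours."""
    return mean((i.contained_at - i.detected_at).total_seconds() for i in incidents) / HOUR

def recovery_gaps(incidents, rto, rpo):
    """Flag incidents that missed the RTO (restore took longer than the objective,
    measured here from detection, an assumption) or the RPO (more data sat between
    the last restorable backup and the compromise than the objective allows)."""
    gaps = []
    for i in incidents:
        missed = []
        if i.restored_at - i.detected_at > rto:
            missed.append("RTO")
        if i.compromise_at - i.last_good_backup_at > rpo:
            missed.append("RPO")
        if missed:
            gaps.append({"name": i.name, "missed": missed})
    return gaps

# Constructed sample timeline (hypothetical, not real incident data).
SAMPLE = [
    Incident("incident-A", datetime(2024, 9, 1, 0), datetime(2024, 9, 3, 0),
             datetime(2024, 9, 3, 12), datetime(2024, 9, 4, 0), datetime(2024, 8, 31, 18)),
    Incident("incident-B", datetime(2024, 9, 10, 0), datetime(2024, 9, 10, 4),
             datetime(2024, 9, 10, 6), datetime(2024, 9, 10, 14), datetime(2024, 9, 9, 22)),
]

if __name__ == "__main__":
    print(f"MTTD {mttd_hours(SAMPLE):.1f}h, MTTR {mttr_hours(SAMPLE):.1f}h")
    print(recovery_gaps(SAMPLE, rto=timedelta(hours=12), rpo=timedelta(hours=4)))
```

Incident A, with a two-day dwell time before detection, dominates the averages; a single slow detection is what drags MTTD up, which is why the metric is tracked per incident as well as in aggregate.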
Mallox Linux Variant: Kryptina Code
An affiliate of the Mallox ransomware group, also known as TargetCompany, has been observed using a modified version of the Kryptina ransomware to target Linux systems, as reported by Bleeping Computer.
Historically focused on Windows systems, Mallox has now expanded its operations to include Linux and VMware ESXi environments. This shift signifies a significant change in the group’s tactics and target range.
The new Linux variant, dubbed "Mallox Linux 1.0," leverages the core source code of Kryptina, a ransomware-as-a-service (RaaS) platform that launched in late 2023 but failed to gain popularity.
In February 2024, Kryptina’s source code was leaked online by its administrator, known as “Corlys,” making it available for modification by other cybercriminal groups. Mallox Linux 1.0 retains Kryptina’s encryption and decryption routines (AES-256-CBC), with only minor changes such as rebranding and altered ransom notes.
Researchers found that the Mallox ransomware group had additional malicious tools on their server, including privilege escalation exploits, payload droppers, and data folders indicating potential victims.
The extent of the new Linux variant’s deployment—whether by a single or multiple affiliates—remains unclear. However, this development points to a resurgence of Mallox’s ransomware activities after a period of low activity in early 2024.
Mallox’s move to include Linux systems reflects a broader trend among ransomware operators. Once predominantly a Windows-centric threat, ransomware has evolved to increasingly target Linux environments.
This shift is significant because many organizations have focused their defenses on Windows systems, underestimating the vulnerabilities inherent to Linux platforms. The lack of ransomware-specific defenses for Linux environments makes them an attractive and lucrative target for cybercriminals.
Linux systems often serve as entry points for establishing persistence within a network, facilitating lateral movement and data exfiltration while blending in with normal network traffic. Weak SSH configurations, exposed ports, outdated software, and system misconfigurations are common vulnerabilities that attackers exploit to gain access.
Additionally, because Linux servers are typically “always on,” they provide an ideal environment for attackers to remain undetected, exfiltrating data or preparing for future ransomware deployment.
The increased targeting of Linux systems by ransomware groups presents a significant risk to organizations that rely on these systems for critical operations. A successful ransomware attack on a Linux environment can result in operational paralysis, data loss, and financial damage.
Organizations must strengthen their defenses and apply robust security measures uniformly across all platforms, including Linux, to mitigate these growing threats. Proactive protection of Linux systems is no longer an option but a necessity to ensure business continuity and resilience against ransomware attacks.
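The "weak SSH configurations" mentioned above are one of the more checkable entry points. As an added example (not from the original post or the researchers it cites), the audit below parses an sshd_config the way sshd reads it, honouring the first value for each keyword and ignoring conditional Match blocks, and compares the effective settings against a hardening policy; the policy values are the author's assumptions, and the fallback defaults are OpenSSH's documented ones.

```python
import re

# Directive -> (OpenSSH default when absent, predicate for an acceptable value, recommendation).
POLICY = {
    "permitrootlogin":        ("prohibit-password", lambda v: v in ("no", "prohibit-password"), "no"),
    "passwordauthentication": ("yes", lambda v: v == "no", "no"),
    "permitemptypasswords":   ("no",  lambda v: v == "no", "no"),
    "pubkeyauthentication":   ("yes", lambda v: v == "yes", "yes"),
    "x11forwarding":          ("no",  lambda v: v == "no", "no"),
    "maxauthtries":           ("6",   lambda v: v.isdigit() and int(v) <= 4, "4 or fewer"),
}

def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.
    sshd keeps the FIRST value it sees for a keyword, and directives after the
    first Match line apply only conditionally, so both rules are honoured here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)                   # first occurrence wins
    return settings

def audit_sshd_config(text):
    """Return findings as (directive, effective value, recommended value)."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, ok, recommended) in POLICY.items():
        value = settings.get(key, default)
        if not ok(value):
            findings.append((key, value, recommended))
    return findings

# Constructed sample configs (hypothetical, not taken from any real host).
WEAK = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding yes
PasswordAuthentication no   # appended later; never takes effect, first value wins
"""
HARDENED = """Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""
```

The last line of the weak sample shows a common mistake: a hardening directive appended below an earlier, weaker one is silently ignored, and only a parser that mirrors sshd's first-value rule (or `sshd -T` on the host) reveals the effective setting.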
MoneyGram Cash Services Disrupted
MoneyGram International Inc., a global payments and wire transfer company, faced a major disruption following a suspected ransomware attack that began on Friday, September 20. Customers initially reported service access issues, and by Saturday, the company confirmed on X (formerly Twitter) that it was dealing with a "network outage" impacting multiple systems. By Monday, MoneyGram acknowledged the situation as a cybersecurity incident and engaged external cybersecurity experts and law enforcement to mitigate the attack, according to reports by Silicon Angle.
In response to the breach, MoneyGram took proactive steps, such as taking systems offline to prevent further spread of the malware—an action commonly used in ransomware incidents. While the company successfully restored some systems, many disruptions persisted, affecting its global customer base, particularly those outside the United States who rely on MoneyGram for essential financial services.
The incident highlights the increasing threat of ransomware attacks on critical service providers and the potential for significant business disruption. Ransomware can bring operations to a standstill, lock up sensitive data, and have long-lasting effects on revenue, reputation, and customer trust. The immediate financial impact, including costs for incident response, legal consultations, and regulatory compliance, can be immense. Moreover, indirect costs such as loss of consumer confidence and increased cyber insurance premiums can create long-term financial burdens.
The consequences of such attacks are often more severe for small and medium-sized enterprises (SMEs), which may lack the resources to recover from prolonged downtime. Unlike large corporations, SMEs may not have the financial reserves or technical capabilities to deal with weeks of recovery, making ransomware a potential existential threat.
Ransomware attacks also pose a significant risk to intellectual property and regulated data. Attackers often steal data before encrypting it and then threaten to release it unless a ransom is paid, creating additional pressure on the victim. Organizations dealing with sensitive customer information can face lawsuits, regulatory fines, and severe reputational damage if data is exposed.
Paying the ransom does not guarantee data recovery, as attackers may still choose to leak or sell stolen information. Furthermore, ransomware operators have evolved their tactics, targeting not only the initial victim but also their partners, vendors, and customers to extract multiple payments.
Organizations must adopt a holistic approach to cybersecurity, emphasizing prevention, strong encryption protocols, access controls, and employee training. Developing a robust incident response plan and regularly testing recovery procedures are essential to minimize damage and maintain business continuity when an attack occurs.
Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.