Ransomware Roundup: 02.06.23

Written by Halcyon Team
Published on Feb 6, 2023

International Law Enforcement Coalition Bricks Hive Ransomware Operations

Authorities – including the US Federal Bureau of Investigation, Europol and partner agencies in 10 countries – coordinated a takedown of the Hive ransomware operation.

“The FBI infiltrated the Hive ‘control panel’ in July 2022, allowing agents to identify victims and obtain decryption keys that allowed victims to recover encrypted files, preventing $130 million in ransom payments,” according to reports. “In addition to seizing the domain associated with Hive’s leak website, law enforcement shut down servers used by the cybercriminals to store data.”

According to Reuters, the US Department of Justice reported last fall that the Hive ransomware syndicate is responsible for attacks against more than 1,300 organizations to the tune of about $100 million in ransoms.

Hive is a ransomware-as-a-service (RaaS) platform provider, where “affiliates” can rent the attack infrastructure in order to carry out ransomware attacks, wherein the Hive syndicate takes a cut of the illicit proceeds.

Hive employs Double Extortion tactics in which the attackers exfiltrate data from the target prior to detonating the ransomware payload and encrypting systems. The attackers typically set a ransom payment deadline the victim must meet or their sensitive data will be leaked publicly.

Authorities Nab Bitzlato Crypto Exchange Cofounder on Money Laundering Charges

U.S. law enforcement authorities arrested Anatoly Legkodymov, the majority shareholder and cofounder of crypto exchange Bitzlato on charges of laundering over $700 million in illicit funds from criminal activities.

Legkodymov was arrested in Miami on Tuesday on charges that he "in his own words, catered to 'known crooks,'" a U.S. Department of Justice official said.

“Prosecutors said Bitzlato exchanged more than $700 million in cryptocurrency with Hydra Market, which they described as an illicit online marketplace for narcotics, stolen financial information, fraudulent identification documents and money laundering services that U.S. and German law enforcement shut down in April 2022,” reported Reuters.

"Whether you break our laws from China or Europe or abuse our financial system from a tropical island — you can expect to answer for your crimes inside a United States courtroom," Deputy Attorney General Lisa Monaco stated.

Authorities further assert that Bitzlato reaped more than $15 million in proceeds from laundering funds from ransomware attacks, and that Bitzlato has repeatedly facilitated transactions for a number of Russian-affiliated ransomware groups including the notorious Conti gang.

UK Car Retailer Arnold Clark Hit by Ransomware

One of the biggest auto retailers in Europe, UK-based Arnold Clark, alerted customers their personal information was compromised in a ransomware attack, where potentially gigabytes of sensitive information may have been exposed.

A company spokesperson indicated that the company was hit in late December and that attackers gained access to customer names, contact information, birth dates, vehicle info, passports and/or driver’s licenses, bank account information and more.

“The investigation is ongoing, with Arnold Clark trying to determine the precise extent and nature of the compromised data, but impacted individuals are already being offered two years of free credit and web monitoring services through Experian,” reported SecurityWeek.

“The hackers have published a significant amount of information allegedly stolen from Arnold Clark and they claim more will be made public if the company refuses to pay up. Currently, they released 31 archive files of 500 Mb each, totaling roughly 15 Gb.”

Play ransomware (also known as PlayCrypt) was first detected last summer and has since become one of the more prolific ransomware attack groups. These more complex ransomware operations, or RansomOps attacks, are a different class of threat from random spam email campaigns that include a malicious link or attachment and typically only impact a few assets.

RansomOps attacks are carried out by multiple threat actors including Initial Access Brokers, Ransomware-as-a-Service (RaaS) platforms that provide the attack infrastructure, the RaaS affiliates who actually carry out the attacks, professional ransomware negotiators who broker the ransom payment, and other specialists.

Ransomware Leads to Nantucket Public Schools Shutdown

The public school district in Nantucket, Massachusetts, was closed as administrators worked to remediate the impact of a ransomware attack.

“Nantucket’s five public schools shut its doors to students and teachers after a data encryption and extortion attack prompted staff to shut down the internet along with all student and staff devices — including phones and security cameras,” reported SecurityWeek.

“Out of an abundance of caution, we will be canceling school tomorrow, Wednesday, Feb. 1, for all staff and students,” school superintendent Beth Hallett wrote in a message to the school community. The schools were first closed on Tuesday morning and all 1,700 students and staff were sent home “for the safety and security of all.”

Organizations face a difficult decision whether to pay a ransom demand or not. While the FBI and CISA strongly recommend that organizations not pay a ransom – namely to avoid incentivizing more attacks – there is no clear best practice here as of yet.

If an organization chooses to pay, there is no guarantee that the attackers will provide the decryption key, or that the data won’t be corrupted upon decryption. If the organization decides not to pay, it may end up in a situation where data that was exfiltrated during the course of the attack is leaked publicly as part of a Double Extortion scheme to incentivize payment of the ransom demand.

Yum Brands Reveals Attack on 300 Locations in the U.K.

Yum Brands disclosed that a ransomware attack disrupted operations at nearly 300 restaurants in the United Kingdom, forcing them to shutter for the day. A company spokesperson said an investigation by law enforcement has commenced.

Yum Brands did not indicate which of its major restaurant brands were affected. Yum operates major chains including Pizza Hut, KFC and Taco Bell, and losses from the suspension of operations at 300 locations for a day could be significant.

“The KFC parent said there was no evidence customer databases were stolen even though data was taken from the company's network,” Reuters reported. “The company said the event was not expected to have a material adverse impact on its business, operations or financial results.”

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time ransomware tracking of attacks, threat actor groups and their victims.
