Ransomware Roundup: 02.20.23

Israel’s Technion Institute Hit by Ransomware Attack

Technion Institute of Technology, one of Israel's leading public research universities, has been hit by a ransomware attack and is currently in the midst of incident response to determine the scope and impact of the event.

"The Technion is under a cyber attack. The scope and nature of the attack are under investigation," a university spokesperson said. "To carry out the process of collecting the information and handling it, we use the best experts in the field, both within The Technion and outside, and coordinate with the relevant authorities. The Technion has proactively blocked all communication networks at this stage."

A previously undocumented ransomware gang dubbed DarkBit has claimed responsibility for the attack on the university's systems and issued a ransom demand of 80 Bitcoin (~ US$ 1.75M).

“Ransomware operators continue to prioritize the education sector continues because it’s a treasure trove of personally identifiable (PII) and financial information that can be leveraged for identity theft and other crimes. These gangs use double extortion schemes by encrypting the network as well as exfiltrating and threatening to leak data to put more pressure on their targets to pay even higher ransoms,” said Jon Miller, CEO and Co-founder at ransomware prevention specialist Halcyon.

“Even with a robust cyber program and data backups to assist in recovery efforts, organizations face additional risk from the exposure of internal communications, trade secrets, R&D assets, intellectual property and more.”

Takeaway: The fact that legacy antivirus, NGAV and EDR tools, while still very useful, were simply not designed to address the unique threat that ransomware presents. This is why we keep seeing destructive ransomware attacks circumvent these general application solutions. 

During a ransomware attack, the malicious code may perform multiple checks before executing to avoid analysis or victimizing unintended targets. These features can be exploited by aggravating the payload and forcing the ransomware to react defensively to avoid detection and reveal itself.

Remember, the encryption routine that disrupts victims' systems occurs at a late stage in the attack. There are potentially weeks of detectable activity on the network where the attack can be arrested if the security apparatus is specifically tuned to detect and respond to these early signals rather than focusing only on detecting and blocking the ransomware payload at the end of an attack where you only get one chance for success.

‍

Ransomware Attack on California Healthcare Provider Impacts 3.3 Million

A ransomware attack against California healthcare provider Regal Medical Group potentially exposed the personally identifiable (PII) and protected health information (PHI) of more than 3.3 million patients.

The attack took place in December and affected the systems at the Regal Medical Group and affiliates Lakeside Medical Organization, Affiliated Doctors of Orange County, and the Greater Covina Medical Group.

“Affected PII and PHI includes names, addresses, birth dates, phone numbers, Social Security numbers, diagnosis and treatment information, health plan member numbers, laboratory test results, prescription details, and radiology reports,” according to SecurityWeek.

Takeaway: Ransomware attacks are the biggest threat facing organizations today, and healthcare providers have been hit particularly hard. Criminal ransomware groups know that the impact of an attack against healthcare organizations doesn’t just disrupt everyday business; it directly affects the lives of their patients, which puts tremendous pressure on the targeted provider to pay up for swift recovery.

The threat from ransomware is very real, and the fact that nation-state sponsored or directed operators are getting more active in conducting ransomware attacks is concerning. Last year CISA's Shields Up advised organizations to remain vigilant with respect to an increased risk from ransomware and destructive data attacks as a result of the Russian invasion of Ukraine and the likelihood that ransomware attacks against Western targets are likely to escalate.

As well, a joint alert was just issued (PDF) from CISA, the FBI, NSA, HHS, and several South Korean law enforcement agencies to be wary of ransomware attacks coming from North Korea targeting healthcare providers. Criminal elements have significantly advanced their ability to quietly infiltrate large portions of a target's network in order to demand a higher ransom payout and exfiltrate sensitive data to be used as additional leverage to get the victims to pay. 

This is a big-money game, and we continue to see healthcare and other critical infrastructure providers be a favorite target, given they typically have the least amount of resources to dedicate to securing these sensitive systems.

‍

2022: ICS Attacks on US Energy Sector Decreased While Ransomware Surged

The latest ICS/OT Cybersecurity Year in Review report for 2022 found that while the overall trend in ICS-focused attacks on the U.S. energy sector showed a decrease in volume, the report also found that ICS attacks employing ransomware grew 87 percent year over year.

The researchers say they are tracking 57 distinct attacker groups and that 39 of those groups conducted attacks in 2022, a year-over-year increase of 30 percent compared to 2021 figures, according to reporting from SecurityWeek.

“While the latest report includes some indication of improvement in the IOT space, the general trend has remained largely the same: IOT/OT devices remain vulnerable to attacks, and the attacks they are facing are getting more complex, growing the scope of impact on the targeted organizations,” said Jon Miller, CEO and Co-founder at ransomware prevention specialist Halcyon.

“Attackers are growing particularly fond of ransomware because they understand that bricking production means the organization is losing money by the second, adding pressure on the victim to pay in order to recover and prevent additional lost earnings.”

SecurityWeek points out further highlights from the report which include: over 70% of the attacks targeted the manufacturing sector, followed by the food and beverage, energy, pharmaceuticals, and the oil and gas sector. 

Takeaway: One of the more alarming trends in the report is the significant expansion of external-facing connections into ICS environments. A lack of visibility into OT environments combined with this inability to isolate systems from direct lines of communication outside the network leaves them wide open to attackers. Without a reasonably secure network perimeter, then security teams stand little to no chance of keeping the adversary out.

Another identified contributing factor is in user access control and credential misuse – users are in the habit of using the same credentials, or their org is set up to use the same credentials for both IT and OT environments. This is the single biggest factor that allows attackers to move laterally throughout the network and achieve privilege escalation once they are in, according to the report. Many of these IOT/OT systems were not designed with Internet connectivity in mind – they were intended to be localized systems with limited access.

Furthermore, many weren’t designed with even the most basic security features built in and may not have the capacity to include any security functionality. This makes the task of going back and 'bolting on' security super challenging. That challenge is compounded by the fact that security teams cannot always accurately assess risk because they can't defend something they either can't see or don’t know is part of the complex network they need to keep secure.

Visibility, segmentation, and the ability to control and limit any connectivity outside of the network are part of the security basics that IOT/OT devices were not designed to make easy, so it will likely be some time before we see these hard-working security teams achieve an adequate baseline security posture.

‍

Research: Ransomware Operators Exploiting Old Vulnerabilities

New research published in the 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management found that more than three-quarters of all ransomware-related vulnerability exploits observed throughout 2022 targeted older bugs disclosed between 2010 and 2019.

Most of the vulnerabilities were low to medium severity levels, making it more likely that they were lower on an organization's priority list for remediation or were simply never addressed. For many of these vulnerabilities, exploits have been available for quite some time. In many cases, the exploits have been built into exploit tool kits and largely automated, so we're also seeing an increase in ransomware attacks displaying these more sophisticated attack sequences.

"Ransomware gangs are persistently going after old vulnerabilities and have been weaponizing them systematically. Out of the 264 old vulnerabilities, 208 of them have exploits that are publicly available,” reported TechTarget.

“Of these, 131 have RCE/PE (remote code execution or privilege escalation) exploits, which make them extremely dangerous. What is more worrying is the fact that 119 of them are actively trending in the deep and dark web as a point of interest for hackers."

Takeaway: The marked increase in the exploitation of vulnerabilities by ransomware gangs is further evidence that criminal actors continue to employ increasingly complex techniques that we used to only see in state-supported operations. Ransomware attacks used to be more clumsy and random, basically a numbers game where massive email spam campaigns or drive-by watering hole attacks designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin - but those days have largely passed.

Today's more robust ransomware operations, or RansomOps, can involve a range of threat actors who each specialize in different aspects of a more extensive operation, essentially monetizing every stage along the way. 

This can include initial access brokers (IABs) who infiltrate networks and then sell the access to other groups, such as an affiliate user who is also "renting" attack infrastructure from a RaaS provider and then perhaps using the services of a specialist who can facilitate negotiations with the victims and the laundering of any proceeds, and so on. 

As these different specialist roles have evolved, it's no surprise that we have seen a corresponding evolution in the threat actors' TTPs, which includes the leveraging of a wide range of vulnerabilities.

“The fact that these attackers are leveraging exploits for well-documented vulnerabilities means we have the opportunity to detect and stop these ransomware operations earlier in the attack sequence. Many of the TTPs they employ are common and should help to reveal the weeks or more of detectable activity on the network that occurs before the actual ransomware payload is delivered,” said Jon Miller, CEO and Co-founder of ransomware prevention specialist Halcyon.

Organizations with the right controls in place stand a good chance of disrupting these attacks at initial ingress when these known exploits are likely to be used or when the attackers begin to move laterally on the network and seek to escalate privileges. The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.