Ransomware Roundup 02.27.23

Production at Agriculture Giant Dole Disrupted by Ransomware Attack

‍

Production at agricultural giant Dole was disrupted following a ransomware attack, stating that the impact on operations was limited: "Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole's internal teams to remediate the issue and secure systems," a statement from the company said.

‍

Takeaway: This attack highlights the two key security areas leaders are prioritizing when it comes to ransomware: Obviously, they want to be able to spot incoming attacks to prevent the initial infection. However, an equally important aspect is resilience. If they are hit with ransomware, they want to be able to recover quickly and resume normal business operations with minimal disruption. 

‍

As well, data exfiltration and double extortion campaigns are a concern. But the nightmare scenario is being locked out of the business, hemorrhaging money, and facing the tough decision of whether or not to pay. The key is to begin reversing the effects of the attack immediately to minimize its impact.

‍

"The Dole attack is the perfect example of how ransomware can put organizations in a pressure cooker. If they are locked out of their systems, they can't fulfill customer orders, they're losing more money every second that the system stays down,” Jon Miller, CEO and Co-founder at ransomware prevention specialist Halcyon, told The Register.

‍

HardBit Gang Entices Ransomware Victims to Defraud Insurers

‍

The HardBit ransomware gang has introduced a new tactic – the effectiveness of which is yet to be seen – where they instruct victims to provide details of their cyber insurance coverage so the attackers can properly set the ransom demand.

‍

“The hackers tell victims to anonymously provide them with the details of their cyber insurance <sic> so that they can set the ransom amount accordingly,” according to SecurityWeek. “The HardBit operators say they do not want to demand more than what the victim can recover from the insurance company, but they also don’t want to be offered a low amount by the insurer’s representatives.”

‍

Takeaway: While the HardBit ransomware gang might appreciate a victim providing details of their cyber insurance coverage in an attempt to maximize potential profits, for victims, this offer to conspire against insurers is extremely ill-advised, and for obvious reasons. 

‍

Not only would colluding with attackers likely nullify any and all coverage under the terms of the cyber insurance policy, but the organization and those involved in the collision could also be subject to severe legal repercussions. 

‍

Even good-faith negotiations with attackers to set a ransom amount and terms for payment would face intense scrutiny by any insurer, law enforcement, and/or regulators. Furthermore, any payment to ransomware operators who may be under international sanctions restrictions could land an organization and its leadership in serious trouble.

‍

No organization should ever entertain any offer of collusion with attackers. By doing so they would expose their organizations to a degree of legal jeopardy that simply is not worth contemplating.

‍

BlackCat/ALPHV Ransomware Gang Hits City of Lakewood

‍

SecurityWeek reports that the BlackCa/ALPHV ransomware gang has hit the City of Lakewood, Washington, with a ransomware attack that included the exfiltration of sensitive data, as well as a call to any impacted third parties to sue the city for any damages.

‍

BlackCat/ALPHV, a Ransomware as a Service (RaaS) attack platform provider, has been around since at least November of 2021 and was involved in over 10 percent of reported ransomware attacks in 2022, according to estimates. Attacks leveraging BlackCat typically employ a double extortion strategy where sensitive data is first exfiltrated before the ransomware payload is delivered, as in the Washington State case - and the attackers threaten to leak the data should the ransom demand go unpaid. BlackCat attacks have also employed additional extortion methods like DDoS attacks to put more pressure on the victims to pay. BlackCat also claimed a recent attack against the Five Guys burger chain where sensitive data was also exfiltrated for double extortion.

‍

Takeaway: Ransomware attacks are more than just disruptive malware infections. The exfiltration of sensitive data means that even with a robust cyber program and data backups to assist in recovery efforts, organizations face additional risk from the exposure of internal communications, trade secrets, R&D assets, and intellectual property. The impact of attacks like the alleged attack on Washington can also extend to partner organizations as the sensitive information is leveraged in other criminal acts.

‍

It is also worth noting that, while some of the targets may seem somewhat random or less desirable, they were likely chosen for good reason. Five Guys, for example, is an obvious choice, as the company certainly has ample resources to pay a ransom. Combine that with the fact that they lose significant revenue for every second their systems are bricked and you have an attractive target. Contrast that with a cash-strapped small city, and one has to wonder why they were targeted. Chances are they were selected by way of automation, where the attackers are scanning the internet for organizations with detectable vulnerabilities, misconfigurations, and other weaknesses in the network that can be exploited. So, while Five Guys were likely targeted deliberately, the city of Lakewood was probably chosen somewhat at random as a target of opportunity where the threat actors invested little time or resources.

‍

Organizations of every size need to implement a strong prevention and resilience strategy to defend against ransomware attacks, including:

‍

• Keeping all software and operating systems up to date and patched
• Assuring critical data is backed up offsite and protected from corruption in the case of a ransomware attack
• Assure all endpoints are protected with an EPP solution like next-generation anti-virus (NGAV) software and an anti-ransomware solution
• Implement network segmentation and Zero Trust policies
• Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
• Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times

‍

Student Health Records Leaked by Ransomware Attackers

‍

Health records for several thousand current and former Los Angeles school district students leaked publicly following a ransomware attack in 2022. LAUSD had fallen victim to a major ransomware attack claimed by the Russian outfit Vice Society. The district, under the advice of federal authorities assisting in the response, declined to pay the ransom demand and subsequently took another hit when the attackers released sensitive data as part of a double extortion scheme.

‍

Takeaway: Several takeaways from this incident, a key item being that data backups (while important and highly recommended) do not assure resilience in regard to ransomware attacks. Data backups will certainly aid in recovery, but they do not protect against data loss and leakage. Double extortion is an increasingly popular tactic in which the attackers exfiltrate data from the target prior to detonating the ransomware payload and encrypting systems. When the ransom note is delivered, it usually states a ransom payment deadline the victim must meet lest they end up like LAUSD and have their sensitive data leaked.

‍

Another takeaway here is that attackers know that the SOC is typically not fully staffed on weekends and holidays, so this is an optimal time to perpetrate an attack. As well, the light staffing also means that the attack takes longer to detect and it takes longer to assemble the team and initiate incident response - these delays most certainly drive up the overall cost of recovery for victim orgs.

‍

Lastly, criminal ransomware groups continue to target organizations like hospitals and school districts because they lack the appropriate budgets and staff to bolster their cybersecurity and IT capabilities. Even if grant money is available or if technology is donated, there is still a resource gap in trained staff to manage and protect their infrastructure. The students who have had their PII leaked unfortunately will pay the cost well into the future by having their information available to purchase for pennies. Until the profit motive is substantially reduced for successful ransomware attacks this trend will continue.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.