Ransomware Roundup: 03.06.23

U.S. Marshals Service Reports Ransomware Attack and Data Exfiltration

The U.S. Marshals Service reported they have been hit with a ransomware attack that included the exfiltration of sensitive information possibly related to ongoing investigations. On February 17, investigators “discovered a ransomware and data exfiltration event affecting a stand-alone USMS system,” according to reports.

“The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” the agency stated.

Jon Miller, CEO and co-founder of ransomware resilience platform Halcyon, tells CyberNews that since the investigation is still at the earliest stages, the scope full scope and impact from the attack are unlikely to be known yet.

“Further investigation may reveal that the attack was more widespread, occurred over an extended period, or exposed more sensitive information than initially thought. That’s just the nature of an IR at this scale. It could be months before we know for sure,” Miller said.

Takeaway: The USMS attack proves that no one is immune from being the victim of a ransomware attack. At this time, very little information is available regarding the full scope and impact of the attack, and it will likely be a while before the investigation is complete.

While the notion that a major US LEO agency was hit with ransomware is alarming, the real issue here is that we don't know how long the attackers have been in the system(s) before they decided to drop the ransomware payload. However, we know they were in the system(s) long enough to gain access to sensitive information and exfiltrate it, assumably to be leveraged in a double extortion scheme as added leverage to force payment of the ransom demand.  

Even if a ransom is paid, there is no guarantee the attackers would honor any agreement to not expose the data, or worse, that it would be used in other attacks. Not to mention, if the attackers were in the USMS network for an extended period and stole large amounts of data, they likely have established persistence, have elevated privileges and have deployed additional malware beyond just the ransomware payload reported. Thus, it could be difficult to kick them out of the infected systems quickly.  

Furthermore, there is also the possibility that the ransomware attack itself is a distraction to divert attention from the "real attack," where ransoming data and systems is not the actual objective of the attackers.  

“The worst-case scenario is that all of the above is in play: quick cash in a ransomware attack, divert attention and resources while continuing to expand the attack, exfiltrating more sensitive data to be monetized, and moving deeper into the network or spreading to other systems,” Miller explained. This is often the case with more complex, multi-staged ransomware operations - or RansomOps - where there are weeks to months of detectable attacker activity on the targeted network before the ransomware payload is delivered.

This is why organizations cannot only focus on the detection/prevention side of the cyberattack equation. They must also implement the necessary requirements to be truly resilient, providing the confidence that even when an attack like this is successful, the organization is ready and able to respond quickly and decisively to ensure that any potential disruption to operations is kept to an acceptable minimum. A robust defense is key, but resilience is how we will win the battle and remove the economic incentive for further ransomware attacks.

HHS Alerts on Cl0p Ransomware Following GoAnywhere MFT Exploits

The Department of Health and Human Services has issued an alert warning that organizations in the healthcare sector need to pay particular attention to attacks by the ransomware gang known as Cl0p.  

The threat actors behind Cl0p have been particularly focused on the healthcare sector, hence the latest guidance issued by the DHS’s HC3 (Health Sector Cybersecurity Coordination Center) following the recent exploitation of a GoAnywhere MFT vulnerability.

Takeaway: Cl0p displays advanced anti-analysis capabilities and anti-virtual machine analysis to prevent further investigations in an emulated environment – such as sandboxing – and it is interesting to note that the threat actors recently developed a Linux version of the ransomware. While Linux has a small footprint in desktop computing, it runs ~80% of all web servers, the majority of smartphones, all supercomputers, and a good portion of all embedded devices – including those being widely used in healthcare settings.  

While there are comparatively few Linux targets, the targets are potentially extremely lucrative. The "always on" nature of Linux systems provides a strategic beachhead for moving laterally throughout the network. Targeting Linux systems would allow the threat actors to disrupt the most critical parts of a network to demand high ransom amounts, and this is especially true in the healthcare sector.

Ransomware attacks are the biggest threat facing organizations today, and healthcare providers have been hit particularly hard. Attackers have significantly advanced their ability to quietly infiltrate large portions of a target's network in order to demand a higher ransom payout and exfiltrate sensitive data to be used as additional leverage to get the victims to pay. This is a big-money game, and we continue to see healthcare and other critical infrastructure providers be a favorite target given they typically have the least amount of resources to dedicate to securing these sensitive systems.

Organizations of every size need to implement a strong prevention and resilience strategy to defend against ransomware attacks, including:

• Endpoint Protection (EPP): Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/DR/XDR) to bridge the gaps in ransomware-specific coverage
• Patch Management: Keep all software and operating systems up to date and patched
• Data Backups: Assure critical data is backed up offsite and protected from corruption in the case of a ransomware attack (backups)
• Access Control: Implement network segmentation and policies of least privilege (Zero Trust)
• Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
• Resilience Testing: Regularly test solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems
• Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times

MKS Instruments Anticipates $200M Revenue Hit from Ransomware Attack

MKS Instruments, a global provider of systems for advanced manufacturing processes is anticipating a 20% hit to quarterly revenue due to disruptions to its supply chain operations from a ransomware attack that occurred in February, CybersecurityDive reports.  

The attack prevented the company from meeting the demand for its semiconductor manufacturing and advanced electronics and may have also impacted its photonics and vacuum divisions, President and CEO John Lee said on the company’s quarterly earnings call.

“We are well into the recovery phase of our manufacturing and service operations following the ransomware incident identified on February 3rd, and we expect these operations will be restored over the coming weeks,” Lee said.

Takeaway: The bottom line is that ransomware attacks net proceeds in hundreds of thousands or even millions of dollars - this is big business with a relatively low barrier to entry given the availability of RaaS (Ransomware as a Service) platforms. The ransomware attack on MKS prevented the company from meeting customer demand for its products across multiple divisions. This illustrates how ransomware attacks can cost victim organizations hundreds of thousands or even millions of dollars, significantly impacting their balance sheets.  

Attackers are unlikely to shift away from ransomware until we can remove the economic incentives for the attackers, and that will come only through enhancing prevention and resiliency capabilities. To better protect themselves, organizations must ensure they have not only robust detection capabilities but also ensure they are positioned to be resilient if/when a ransomware attack is successful. They need confidence that they can respond and remediate ransomware swiftly and minimize any potential business disruptions.  

If we can raise the cost to the attackers and eliminate the need for organizations to pay a ransom demand to recover their systems, we can eliminate the economic incentives driving these disruptive attacks. Organizations of every size need to implement a robust prevention and resilience strategy to defend against ransomware attacks. We recommend incorporating patch management, data backups, access controls, employee awareness training, endpoint protection solutions, incident response and organizational resilience testing into all ransom readiness plans.

Dish Network Hit Suffers Multi-Day Outage Following Ransomware Attack

Satellite broadcast provider Dish Network reportedly suffered a ransomware attack that caused their app, services, and websites to go offline the weekend of February 25th.  

“The widespread outage affects Dish.com, Dish Anywhere app as well as several websites and networks owned by the corporation. Customers also suggest the company's call center phone numbers are unreachable. Additionally, customers are facing authentication issues when signing into TV channel apps such as MTV & Starz via their Dish credentials,” BleepingComputer reports.

Takeaway: The attack appears to have created a lot of confusion both for Dish customers and their employees – this confusion hampers recovery efforts and can further damage the brand following a successful ransomware attack. Confused employees reaching out to journalists and divulging unvetted information and internal communications certainly do not help the recovery effort. Does your organization have an incident response plan that addresses not just the technical aspects of an attack, but also clearly outlines the roles of all stakeholders? Are the right teams involved from the start, is there an “official” source of information where both customers and employees can get immediate updates? Organizations need to plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to always respond to ransomware or other attacks.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.