Ransomware Roundup: 03.13.23

Written by Halcyon Team
Published on March 13, 2023

FBI and CISA Issue Alert on Royal Ransomware Attacks

CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education. The alert arrived roughly three months after the U.S. Department of Health and Human Services warned organizations in the healthcare sector of the risks associated with Royal ransomware.

Takeaway: The CISA/FBI advisory on the Royal ransomware gang's targeting of critical infrastructure, particularly the healthcare sector, closely follows similar guidance from HHS on Cl0p ransomware attacks a few weeks ago. Both ransomware families display advanced security evasion and anti-analysis capabilities that can hinder both detection and investigation in emulated environments such as sandboxes and virtual machines. We see ransomware operators continue to advance their tactics, techniques, and procedures (TTPs) to improve their infection vectors, their stealth and lateral movement on the targeted network, and the efficacy of their payloads.

Ransomware gangs like Royal continue to invest heavily in recruiting and retaining new talent, expanding their operations and capabilities at an astounding pace. While some research indicates there has been a decrease in the volume of ransomware attacks in the period following the Russian invasion of Ukraine, the attacks that are being seen tend to be more disruptive to operations and are generating more illicit income for the attack groups than ever before.

Ransomware attacks are the biggest threat facing every organization today, and healthcare providers have been hit particularly hard. Attackers have significantly advanced their ability to quietly infiltrate large portions of a target's network in order to demand a higher ransom payout and exfiltrate sensitive data to be used as additional leverage to get the victims to pay. Healthcare and other critical infrastructure providers are a favorite target for ransomware attacks given they typically have the least amount of resources to dedicate to security, the networks are often composed of older legacy components, and any downtime is extremely disruptive.

A robust defense is key, but resilience is what will ensure critical operations stay up and running even in the event of a ransomware attack. A strong prevention and resilience strategy to defend against ransomware attacks includes:

  • Endpoint Protection (EPP): Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/EDR/XDR) to bridge the gaps in ransomware-specific coverage
  • Patch Management: Keep all software and operating systems up to date and patched
  • Data Backups: Assure critical data is backed up offsite and protected from corruption in the case of a ransomware attack
  • Access Control: Implement network segmentation and policies of least privilege (Zero Trust)
  • Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
  • Resilience Testing: Regularly test solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems
  • Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times

The detection/prevention side of the cyberattack equation is important, but organizations also have to prepare for failure by assuring they can quickly and decisively respond to a successful ransomware attack so that any potential disruption to operations is kept to a minimum.

DoppelPaymer Ransomware Members Arrested in Germany and Ukraine

Law enforcement authorities in Germany and Ukraine, in coordination with the Dutch National Police and the U.S. Federal Bureau of Investigation (FBI), have arrested individuals believed to be either developers of, or affiliates using, the DoppelPaymer RaaS platform, The Hacker News reports.

"Forensic analysis of the seized equipment is still ongoing to determine the exact role of the suspects and their links to other accomplices," a Europol spokesperson stated.

THN also reported that German authorities issued arrest warrants against three alleged DoppelPaymer operatives who are believed to be the leaders of the DoppelPaymer ransomware gang.

Takeaway: Substantive actions against DoppelPaymer and other ransomware gangs are long overdue; strengthening LEO coordination to thwart attacks, as outlined in the National Cybersecurity Strategy released last week, is a no-brainer.

Countries like Russia are either actively coordinating with cybercriminal syndicates on targeting and operations or are willingly turning a blind eye to attacks that originate from their regions. Proactive measures to disrupt ongoing attack operations and infrastructure are a good start, but we also need to put additional pressure on anyone who is actively facilitating these attacks while enjoying a level of impunity and indict them along with the threat actors who actually carry out the attacks.

This could bring a whole new level in international enforcement capabilities and significantly work to curtail some of the nation-state and cybercriminal overlap. We won't see progress in the fight against ransomware if we are only reactively addressing part of the threat.

Ransomware Gang Publishes Clinical Photos of Breast Cancer Patients

The BlackCat/ALPHV ransomware gang has found a way to sink to new lows in attempting to extort a Pennsylvania healthcare provider out of a ransom payment by publishing private, compromising clinical photographs of breast cancer patients.

The Lehigh Valley Health Network disclosed the attack in late February, stating they were refusing to pay the ransom demand, reported The Record.

“Based on our initial analysis, the attack was on the network supporting one physician practice located in Lackawanna County. We take this very seriously and protecting the data security and privacy of our patients, physicians and staff is critical,” said Lehigh Valley Health Network president Brian Nester.

Takeaway: Criminal ransomware groups have shown time and time again that there is no line they will not cross. Threatening to leak medical photographs of breast cancer patients is a shocking new low, but ultimately not surprising.

Whatever data these groups can extract, they will weaponize in their extortion schemes. They will continue to do so until it is no longer profitable. The only way this is solved is by building resilient security programs, getting organizations to invest in cybersecurity skills and technologies and collaborating on new regulations that actually have teeth in the fight against cybercrime.

Ransomware Attack Disrupts Operations at Barcelona Hospital

A ransomware attack targeting one of Barcelona’s largest hospitals has disrupted systems and forced the cancellation of hundreds of medical procedures. The attack against Hospital Clinic de Barcelona was first detected on Sunday.

Shortly after reporting the attack, the hospital stated that they will only be able to proceed with 10% of medical appointments and some non-urgent procedures, Infosecurity Magazine reported.

Takeaway: Ransomware operators continue to demonstrate zero concerns about the collateral damage caused by their attacks. In a case like this, where the delivery of medical care gets disrupted, they're quite literally putting people's lives at risk. It's hard to fathom why we would continue to see ransomware attacks as purely an IT security issue.

Often, these criminal groups operate as proxies whose attacks serve two purposes. The first is financial gain and the second is to instill fear and create uncertainty. Clearly, current strategies are insufficient to defend against this threat. If we want to break this near-constant ransomware attack cycle, we must take a different approach. Healthcare organizations continue to be a top target for ransomware attacks, not just because the nature of their operations increases the likelihood of a quick payout, but also because attacks like this terrify the public.

Everything the staff and patients at the Hospital Clinic de Barcelona are currently experiencing highlights the dire need for healthcare and other critical infrastructure organizations to do everything they can to ensure daily operations continue regardless of ruthless attacks like this. Robust detection and prevention capabilities are necessary, but we know attacks can get through those defenses. Resilience from the endpoint to across the entirety of an organization's operations has never been more paramount than it is today in the face of this ransomware scourge.

IceFire Ransomware Targeting Linux Distributions

The IceFire ransomware group has added capabilities designed to target Linux systems and has attacked several media sector organizations.

“The attacks leverage an exploit for a recently disclosed vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986),” TheHackerNews reported.

“The ransomware binary targeting Linux is a 2.18 MB 64-bit ELF file that's installed on CentOS hosts running a vulnerable version of IBM Aspera Faspex file server software. It's also capable of avoiding encrypting certain paths so that the infected machine continues to be operational.”

Takeaway: This is just the latest evidence of a rapidly growing trend where ransomware threat actors are expanding their capabilities to include attacks on Linux distributions. While this may seem trivial, with groups like IceFire, LockBit, Black Basta and Cl0p targeting Linux environments, we can expect some attacks to cause widespread disruptions across several key sectors, impacting a larger population of collateral victims.

Attackers have limited resources and make strategic decisions based on anticipated ROI, so they have traditionally focused on Windows because it is deployed on most systems. Linux runs approximately 80% of web servers, most smartphones, supercomputers, and many embedded and IoT devices used in manufacturing. Linux is also favored for large network applications and data centers, and it drives most of the U.S. government and military networks, our financial systems, and even the backbone of the internet.

Attacks on Linux systems are potentially devastating. These attacks could have a broad impact like the disruption experienced from the Colonial Pipeline attack. The "always on" nature of Linux systems not only provides a strategic beachhead for moving laterally throughout the network, but attacks on Linux systems would also disrupt the most critical parts of an organization's network. Thus, attackers can demand higher ransom amounts.

While attacks on Windows systems make for a bad day or week, attacks on Linux systems could make for bad weeks or months - we should all be monitoring this trend closely.

Ransomware Gang Exfiltrates MPS Student Data for Extortion

Minneapolis Public Schools are facing a March 17 deadline to pay a million-dollar ransom demand after attackers posted sensitive data that was exfiltrated as leverage in a ransomware attack.

The Medusa ransomware gang has claimed responsibility for the attack that has caused widespread disruptions to the district’s operations. The attackers posted a video online to prove they have the stolen data in hand and are prepared to leak it if the ransom demand is not met.

“A preliminary review of the gang’s dark web leak site by The 74 suggests the compromised files include a significant volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications,” reports noted.

Takeaway: “Ransomware groups continue to prove they are ruthless, heartless criminals with zero consciences. They continue to victimize organizations in education and healthcare simply because they are easy targets,” said Jon Miller, CEO and Co-founder of Halcyon.

“These sectors usually lack the appropriate budgets and staff to maintain a reasonable security posture. Despite available grant money or technology donations from big companies, these organizations likely lack the staff to properly manage and protect their infrastructure. Even if the attack is easily resolved, students whose personal information was stolen may continue to be at risk of identity theft and financial fraud into the unforeseeable future. Ransomware attacks and data exfiltration will continue unabated until profit motives are eliminated. To protect themselves, EDU organizations must reevaluate what kinds of data they collect and store, for how long, and pinpoint where it’s stored. They continue to keep legacy student data that is no longer relevant or needed. Eliminating unnecessary data will make EDU organizations a less attractive target to attackers, thus minimizing potential threats.”
