Ransomware Roundup: 03.20.23

Written by
Halcyon Team
Published on
Mar 20, 2023

Silicon Valley Bank Collapse Fodder for Phishing Attacks

The collapse of Silicon Valley Bank is being called the second largest bank failure in the U.S., and the news was closely followed by the announcement of a regulatory takeover of Signature Bank. Big headline events like these that have a wide-reaching impact are exactly the kind of news items bad actors look to exploit for social engineering attacks.

The confusion at impacted organizations creates the opportunity for security failures through Business Email Compromise and phishing attacks. Threat actors may send phishing emails impersonating a company executive, the FDIC, SVB, or other organizations with carefully crafted messages about a supposedly urgent business matter that the target must resolve immediately.  

These messages may contain a link to an attacker-controlled website that looks like the victim's bank but is designed to intercept login credentials, or the email might have a malicious attachment that, when opened, will infect the endpoint with malware — or worse, set off a ransomware attack.  

Takeaway: To defend against these risks, those impacted should be extremely cautious about all communications. Don't click on links in emails; instead, open a browser and type the website URL in directly. Don't take any action or volunteer any information when directed to until you can independently confirm both the information and the sender.

In situations like this, individuals need to just stop and think - the attackers are counting on distractions and the highly stressful nature of events like this to get people to make mistakes while under duress.

BlackCat/ALPHV Posts Home Security Provider Ring to Leaks Website

Home security company Ring may have been the victim of a ransomware or data extortion attack by Russian threat actor BlackCat/ALPHV.

The group apparently posted the Ring company logo to its leaks website along with the message, “There’s always an option to let us leak your data,” CSO Online reports.

“It is unclear what data has been stolen or what ransom has been demanded, but the potential implications for customers could be severe. As a provider of home security and smart home systems, Ring may have compromised customers’ recorded footage or personal information, such as credit card numbers, mailing addresses, phone numbers, names, and passwords,” CSO Online continued.

Takeaway: This is the unfortunate reality of our permanently online and connected modern world. As more consumer devices are connected to the internet, we open ourselves up to the possibility that the data they collect will be exposed, held hostage, or used for malicious purposes.

Theft of sensitive data prior to delivery of the actual ransomware payload is a favored tactic for most ransomware operators. It was only a matter of time before consumer privacy became yet another casualty of the ransomware epidemic.

If these early reports of BlackCat/ALPHV’s attack on Ring are accurate, we can assume that the group has already exfiltrated a significant amount of sensitive data which they will likely leverage to compel payment when they make their ransom demand. This could include data that was stored in the cloud.

BlackCat/ALPHV is known to post stolen data to leaks websites on the public web as opposed to the dark web like other groups, so any leaked personally identifiable information would be greatly exposed. BlackCat/ALPHV is one of the more active RaaS platforms - they demanded millions of dollars over the course of 2022.  

But even if Ring is ready and able to respond to the ransomware attack, they will still have to contend with possibly paying BlackCat/ALPHV to prevent further data exposure, and even then there is no guarantee the attackers will honor their end of the agreement.

CISA Launches Anti-Ransomware Alert System for Exploitable Vulnerabilities

CISA has launched a pilot program to identify known vulnerabilities in critical infrastructure networks that could be exploited by ransomware operators to infect systems and exfiltrate victim data for extortion.

The Ransomware Vulnerability Warning Pilot (RVWP) is designed to alert critical infrastructure operators of vulnerable systems as required by the recent Cyber Incident Reporting for Critical Infrastructure Act of 2022.  

“Ransomware attacks continue to cause untenable levels of harm to organizations across the country, including target rich, resource-poor entities like many school districts and hospitals,” said Eric Goldstein, executive assistant director for cybersecurity at CISA, as reported by CyberScoop.  

“The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations.”

Takeaway: Threat actors have been actively probing networks for exploitable vulnerabilities for decades, so the RVWP program that CISA announced is a good idea. Researchers doing analysis using tools like Shodan have demonstrated numerous times that there is an incredible number of insecure and exploitable internet-connected devices out there, and the high number in the critical infrastructure space has always been concerning.  

Identifying all assets in a network - especially the vulnerable ones - is just the first step in mounting a reasonable defense posture that will be resilient in the case of a serious security event, like a ransomware attack. Even then, organizations still need to prioritize implementing their own multi-layered resilience capabilities:

  • Endpoint Protection (EPP): Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/EDR/XDR) to bridge the gaps in ransomware-specific coverage
  • Patch Management: Keep all software and operating systems up to date and patched
  • Data Backups: Assure critical data is backed up offsite and protected from corruption in the case of a ransomware attack
  • Access Control: Implement network segmentation and policies of least privilege (Zero Trust)
  • Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
  • Resilience Testing: Regularly test solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems
  • Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times

LockBit Hits SpaceX via Third-Party Compromise

The LockBit ransomware gang is claiming to have exfiltrated data from SpaceX by infiltrating a third-party supplier. The group implies the attack originated at a third party called Maximum Industries that contracts with SpaceX for waterjet and laser cutting services.  

“LockBit claims it looted ‘3,000 drawings’ certified by SpaceX engineers. As proof, the gang’s website on the Dark Web has published a few of the stolen documents, including a drawing of what appears to be a Raptor V2 engine from the Elon Musk-led company,” reported PC Magazine.

LockBit posted SpaceX to the group’s leaks website with the threat to expose the sensitive data if a ransom demand is not met.

Takeaway: LockBit is one of the most prolific and dangerous ransomware groups operating today. It's infuriating that LockBit and other ransomware operators revel in the chaos and pain they cause, given that pain increases pressure on victims to pay the ransom demands. Victims' pain is the attackers' gain. And that pain will remain until we can eliminate the financial incentive for ransomware attacks.

Furthermore, LockBit raises concerns because it's a threat to both Windows and Linux systems. In fact, it's surprising there isn't more attention on the multiple ransomware operators who have expanded their capabilities to include Linux distributions. Groups like LockBit, IceFire, Black Basta, and Cl0p all have Linux targeting capabilities.

Thus, we can expect attacks in the near future to cause widespread disruptions across several key sectors. Most people are unaware that Linux runs about 80% of web servers, nearly every smartphone and supercomputer, and the embedded and IoT devices used in manufacturing and energy.

Linux is favored for large network applications like data centers and drives most of the U.S. government and military networks, our financial systems, and the backbone of the internet. Despite this, we barely see mention of Linux advancements in the media. It's frustrating because anyone running critical Linux distributions should start preparing to defend these systems that, until recently, had rarely been attacked - let alone attacked with ransomware.

Linux systems have very few security solution options available to adequately defend them, and virtually none that focus on stopping ransomware specifically. This issue has been overlooked and has the potential to cause a serious crisis, one that would make the Colonial Pipeline attack look like a blip - the consequences could be catastrophic.

Additionally, if you examine the variance in LockBit's targeting - with victims today including SpaceX and the L.A. Housing Authority - it's likely that LockBit has automated the early stages of their attacks by scanning for the kinds of vulnerabilities CISA just announced they will be alerting critical infrastructure providers about. The LockBit payload has advanced security tool evasion capabilities and dangerously fast encryption speeds.

They continue to improve their attack platform by introducing new capabilities in new version releases, including more advanced anti-analysis features. These factors will all come together soon to potentially create the perfect ransomware storm, where multiple critical infrastructure providers are disrupted simultaneously.
Is BianLian Ransomware Gang Moving to Straight Data Extortion?

Researchers assess that the BianLian ransomware group may be shifting its focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using it for extortion.

BianLian first emerged in the wild in the summer of 2022 and successfully attacked several high-profile organizations before a free decryption tool was released to help victims recover files encrypted by the ransomware.

“Redacted reports that BianLian operators have kept their initial access and lateral movement techniques the same and continue to deploy a custom Go-based backdoor that gives them remote access on the compromised device, albeit a slightly improved version of it,” Bleeping Computer reports.

“The main difference seen in recent attacks is that BianLian attempts to monetize its breaches without encrypting the victim's files. Instead, it now solely relies on threatening to leak the stolen data.”

Takeaway: Ransomware is a financially motivated crime. Its operators want the money at any cost - and if they can reduce the resources required to be successful, they will. Attackers always consider ROI in their operations. So, if ransomware groups can simplify the attack and still achieve the same results, they will.

Evidence that the BianLian group may be moving away from delivering ransomware payloads in favor of exfiltration and extortion shows how well the double extortion strategy works for ransomware groups. In fact, it works so well that we will likely see more groups join the likes of BianLian (and Karakurt before them) and opt to forego the hassle of developing and managing the complicated encryption and decryption process in favor of a simpler one.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
