Ransomware Roundup: 03.27.23

Feds Issue Alert on Black Basta Ransomware Targeting Healthcare

The Health Sector Cybersecurity Coordination Center (HC3) issued an alert warning the healthcare sector of the continued threat posed by the Black Basta ransomware gang who has been observed targeting healthcare organizations.

"Black Basta's high-volume attacks in 2022 suggest that they will continue to attack and extort organizations," Beckers Health IT reports.  

"As ransomware as a service threat groups become more prolific, healthcare organizations should remain vigilant and strengthen their defenses against ransomware attacks. Organizations can take several multilayered actions to minimize their exposure to and the potential impact of a ransomware attack."

Takeaway: Ransomware gangs are ruthless and intent on bringing as much pain as possible in order to extract the largest payments possible, and unfortunately, that means they will continue to target those who are most susceptible to extortion. Patients seeking medical care and the organizations that provide it are probably the most vulnerable among us, and these threat groups have continued to target them with some of the most advanced tactics and techniques.  

Black Basta first emerged in the spring of 2022 and quickly became one of the most prolific attack groups with more than 100 known victims. The attacks display sophisticated security evasion and anti-analysis capabilities which hinder detection and investigation. Black Basta also employs a double extortion scheme and maintains an active leaks website where they post exfiltrated data if an organization declines to pay the ransom demand, so we can expect sensitive patient data to be exposed if the victim organizations do not acquiesce to the ransom demands.

With healthcare and other critical infrastructure providers remaining a top target, we recommend a robust prevention and resilience strategy to defend against ransomware attacks, including endpoint protection solutions, patch management, data backups, access controls, employee awareness training, and organizational procedure and resilience testing into all ransomware readiness plans.

Ferrari Says Ransomware Operators Exfiltrated Sensitive Client Data

Italian luxury sportscar manufacturer Ferrari has informed customers that it was the victim of a ransomware attack that exposed the personal information of customers.

“We regret to inform you of a cyber incident at Ferrari, where a threat actor was able to access a limited number of systems in our IT environment. As part of this incident, certain data relating to our clients was exposed including names, addresses, email addresses and telephone numbers,” Ferrari CEO Benedetto Vigna said in a letter to affected customers.  

“Your data may have been included as part of this incident. However, based on our investigation, no payment details and/or bank account numbers and/or other sensitive payment information, nor details of Ferrari cars owned or ordered have been stolen.”

Vigna went on to say that production systems were not impacted, and that the company "will not be held to ransom as paying such demands continues to fund criminal activity and enables threat actors to perpetuate their attacks.”

According to reports, it is uncertain if the attack is related to reports of an October 2022 incident where the RansomEXX had claimed to have successfully attacked the carmaker, which Ferrari never confirmed.  

“A listing on the RansomEXX website, seen by TechCrunch, lists seven gigabytes of data allegedly stolen from Ferrari, including internal documents, data sheets and repair manuals,” TechCrunch reported.

Takeaway: “The ransomware attack against Ferrari - which appears to include the exfiltration of sensitive data that exposed client 'names, addresses, email addresses and telephone numbers' and potentially other information - highlights the fact that this is not just a ransomware problem, it is a major data loss issue too. Even if Ferrari did everything right with regard to securing the data, and even if they do everything right with regard to the incident response measure, the fact is ransomware gangs are intent on stealing data to force victims into paying the ransom demand, and often this means that there is collateral damage to the entities whose sensitive data is exposed," Jon Miller, CEO & Co-founder of Halcyon, told CyberWire.

"Remember, the focus for ransomware operators is to cause as much pain as possible for victim orgs in order to extract the highest payment possible - this means even if the victim org pays the ransom, the attackers still have the data and can sell or expose it, or come back to the victim org and ask for even more money. Not paying ransom demands does not end the financial incentive for these attacks - defeating the attack before they can exfiltrate data and before they can disrupt operations is the only way to make these attacks unprofitable.”

‍

Cl0p Ransomware Group Hits Saks Fifth Avenue

The Cl0p ransomware gang listed "Saks Fifth Avenue" on its dark web data leaks website and claims to have exfiltrated data, which Saks claims was merely “mock customer data does not include real customer or payment card information and is solely used to simulate customer orders for testing purposes.”

“The cyber security incident is among Clop's ongoing attacks against vulnerable GoAnywhere MFT servers belonging to established enterprises. Although the company states no real customer data is impacted, it did not address if corporate or employee data was stolen,” Bleeping Computer reported.

“The threat actor has not yet disclosed any additional information, such as what all data it stole from the luxury brand retailer's systems, or details about any ongoing ransom negotiations... BleepingComputer reached out to Saks to better understand the scope of this incident. A spokesperson confirmed the incident was linked to Fortra.”

Takeaway: While there are few details available about the data breach aspect of the Saks attack, the notion that Cl0p may have only exfiltrated "fake data" stood out as a potential case where deception techniques proved masterful in undermining the attack. Instead, Saks indicated it was "mock data" used to "simulate customer orders for testing" that was stolen.  

Nevertheless, if these details are accurate, it does suggest that data deception techniques can be really valuable in the case where operators like Cl0p are looking to first exfiltrate sensitive data before deploying the ransomware payload and then using the threat of exposing that stolen data to compel the victim to pay a hefty ransom demand.  

While EPP/NGAV/EDR/XDR endpoint tools don't typically offer deception as a feature, organizations can opt to run endpoint solutions alongside those tools that are designed specifically to defeat ransomware that includes deception techniques to fool the attackers into exfiltrating mock data instead of the real thing. Were this the case with the Cl0p attack on Saks, it's readily apparent that the strategy would have put the company in a much better position to forego payment of the ransom and instead work to mitigate the attack by restoring infected systems from backups.  

Better yet, if the anti-ransomware solution also captured the attacker's encryption keys, most if not all of the impacted systems could be easily restored through automated means, keeping operations running and saving the victim company a lot of trouble and lost revenue. Ransomware attacks can be defeated, but it requires a slightly different approach than has been traditionally offered by endpoint protection tools designed to combat attacks leveraging other forms of malware.

Organizations require a robust prevention and resilience strategy to defend against ransomware attacks, including endpoint protection solutions, patch management, data backups, access controls, employee awareness training, and organizational procedure and resilience testing into all ransomware readiness plans.

‍

Cl0p Claims 130+ Victims in Massive Ransomware Campaign

Numerous organizations may have been impacted by a mass-ransomware attack campaign exploiting a vulnerability in the widely used GoAnywhere data transfer tool.

“Over the past few days, the Russia-linked Cl0p gang has added several other organizations to its dark web leak site, which it uses to extort companies further by threatening to publish the stolen files unless a financial ransom demand is paid,” reports TechCrunch.

“TechCrunch has learned of dozens of organizations that used the affected GoAnywhere file transfer software at the time of the ransomware attack, suggesting more victims are likely to come forward. However, while the number of victims of the mass-hack is widening, the known impact is murky at best.”

The Cl0p gang claims to have breached as many as 130 organizations via GoAnywhere bug, for which the tool’s producer Fortra has already released a patch for back on February 7, but the intrusions may have already occurred, and likely have already exfiltrated sensitive data from the targets.

Takeaway: The mass exploitation of the GoAnywhere vulnerability in this wave of Cl0p ransomware attacks is immensely concerning. It is evidence of how ransomware operators continue to leverage automation to identify exposed organizations who may not have had the time or resources to patch against known vulnerabilities.

If Cl0p is claiming they have compromised more than ten-dozen organizations in this recent campaign, it is likely they have already successfully exfiltrated large amounts of confidential information from the victims. There are likely numerous other targets who are at this very moment experiencing data loss as a precursor to the detonation of a ransomware payload, and they don't even realize they are in the midst of a major cyberattack.

These attacks have a long tail. They typically involve weeks or even months of effort by attackers to infiltrate as much of the target network and exfiltrate as much data as possible before encrypting systems and data to demand the highest ransom payment possible.

There are only two real approaches to defeating ransomware attacks. First, is to ensure the organization is prepared to detect and prevent the attack anywhere in the attack chain. Organizations must be ready to disrupt attacks at initial ingress, when attackers move laterally, command and control is established, data exfiltration begins, an attempt to execute malicious binaries or scripts, legitimate system tools are abused, and more. The other is to assure that in the event of a successful ransomware attack, the organization is resilient. The goal should be to minimize the duration, spread and overall impact, and get back to normal as quickly as possible. Both strategies need to be in play simultaneously.

These are multi-stage attacks, and that means we have multiple opportunities to detect and stop them. Organizations require both a robust prevention and an agile resilience strategy to defend against this wave of ransomware attacks. This approach includes endpoint protection solutions, patch management, data backups, access controls, employee awareness training, and organizational procedure and resilience testing into all ransomware readiness plans to be successful.

‍

Cl0p Ransomware Gang Adds Virgin Group to Leaks Site

The Cl0p gang claims to have breached more than150 organizations, having added about 30 more victims in one day – including international conglomerate Virgin Group, Toronto Municipality, Mexican airline Volaris, US TV network Gray Television, and more.  

“At the time of writing, the gang’s leak site had no information about what type of data was taken and when. Cybernews has reached out to Virgin Group for comment, but we did not immediately receive a response,” Cybernews reports.

Cl0p is leveraging a vulnerability in the popular file sharing application GoAnywhere to carry out this massive attack campaign. The tool’s producer Fortra had released a patch for the bug back on February 7, but the intrusions may have already occurred, and likely have already exfiltrated sensitive data from the targets, but many organizations are still exposed.

Takeaway: The Cl0p ransomware gang has reportedly added 30 more organizations to its leaks website in the last 24 hours - including transportation giant Virgin Group. These organizations are likely victims of Cl0p's mass exploitation of the GoAnywhere vulnerability, bringing the total number of known Cl0p targets in this campaign closer to 200, and there are likely more.

This wave of Cl0p attacks is immensely concerning for several reasons, the first being around how surprisingly successful they have been in exploiting a known vulnerability for which there is a patch already available. Patching systems can be a complex process for some organizations. In order to avoid breaking critical business systems, patches often need to be applied in dev environments and tested prior to being put into production environments. Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied haphazardly. Thus, there can be months or more of work to do before some vulnerabilities can be mitigated, leaving the organization exposed.

Another concern is that this spate of attacks is likely evidence that ransomware operators like Cl0p are leveraging automation to identify exposed organizations who may not have had the time or resources to patch against known vulnerabilities.

If Cl0p is claiming they have compromised more than 150 organizations so far in this campaign, it is likely they have already successfully exfiltrated large amounts of confidential information from the victims. Just as important is the fact that there could be dozens of other targets who are at this very moment experiencing data loss as a precursor to the delivery of a ransomware payload, and they don't even realize they are in the midst of a major attack.

Mulli-stage ransomware attacks have a long tail, as they typically involve weeks or even months of effort by attackers to infiltrate as much of the target network and exfiltrate as much data as possible before encrypting systems so they can demand higher ransom payouts.

There are basically two things organizations need to do to prepare for ransomware attacks: first ensure the organization is prepared to detect and prevent the attack at multiple points in the attack sequence: at initial ingress, at lateral movement, when they establish C2, at data exfiltration and so on. The second is to assure that in the event of a successful ransomware attack, the organization is resilient. The goal is always to minimize the duration, spread and overall impact of the attack and get back to normal as quickly as possible. Both strategies need to be in play simultaneously.

These ransomware campaigns are multi-stage attacks, so we have multiple opportunities to detect and stop them. Organizations need both a robust prevention strategy as well as an agile resilience strategy. This approach includes deploying endpoint protection solutions, good patch management, offsite data backups, good access controls, employee awareness training, and regular procedure and resilience testing for a ransomware readiness plans to be successful.

‍

Dole Confirms Employee Data Compromised in Ransomware Attack

Dole has confirmed that information for an undisclosed number of employees was exposed in a February ransomware attack. Dole had already disclosed the attack on February 22, saying it had a limited impact on its operations.

Bleeping Computer reports that “the company revealed that last month's cyberattack directly impacted its employees' information in the annual report filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday.”

"In February of 2023, we were the victim of a sophisticated ransomware attack involving unauthorized access to employee information," Dole said in the filing.

Takeaway: Dole has confirmed that employee data was compromised in the February ransomware attack. Again, we are seeing that data exfiltration is now central to how these ransomware groups operate, with some like BianLian (and Karakurt before them) showing signs they may move entirely to a direct exfiltration/extortion strategy, foregoing the detonation of a ransomware payload altogether. This would streamline operations for the attackers, reduce overhead and development costs, and possibly result in more sensitive data being exposed.

Organizations need to focus on both prevention and resilience. If they are hit with ransomware, they need to be able to recover quickly and resume normal business operations with minimal disruption. Dole mentioned in their latest statement that they would be implementing a 'crisis management protocol' that includes a 'manual backup program," which we can assume means protecting copies of critical data offsite for swifter recovery in the case of a ransomware attack, which is highly advisable for every organization, but it does not address the data exfiltration and exposure issue.

Organizations should also be more cognizant of the data loss aspect of these campaigns. These are multi-stage attacks, and that means we have multiple opportunities to detect and stop them. Organizations require both a robust prevention and an agile resilience strategy to defend against this wave of ransomware attacks. This approach includes endpoint protection solutions, patch management, data backups, access controls, employee awareness training, and organizational procedure and resilience testing into all ransomware readiness plans to be successful.

‍

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.