Ransomware Roundup: 04.10.23

Written by
Halcyon Team
Published on
Apr 10, 2023

Novel Rorschach Ransomware Abuses Cortex XDR for Stealthy DLL Side-Loading

Researchers provided analysis of a new ransomware strain with "technically unique features," which they dubbed “Rorschach.”

“Among the capabilities observed is the encryption speed, which, according to tests from the researchers, would make Rorschach the fastest ransomware threat today,” Bleeping Computer reported.

“Rorschach was deployed using the DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks.”

Takeaway: While the Rorschach ransomware's fast encryption speed is incredibly interesting and garnering lots of attention, it's not the most interesting feature evaluated in the analysis.

"With fast encryption, once the ransomware payload is delivered and the operation is exposed, responders have less time to intervene," Jon Miller, CEO and co-founder of Halcyon, told SCMagazine. "RaaS providers tout their encryption speed to attract affiliate attackers, and it definitely makes this ransomware strain one to watch."

What stands out even more to Miller is that Rorschach displays advanced security evasion capabilities to make payload delivery undetectable, which is far more concerning than the fast encryption speed.

"It is more interesting to learn about the DLL side-loading delivery abusing the Cortex XDR Dump Service Tool, because this is a legitimate, digitally signed security product. This technique leverages vulnerable software to load malicious DLLs that provide persistence and evasion capabilities," Miller told Computer Weekly.

"DLL-sideloading is not new, but it is somewhat rare. It was similarly deployed by the threat actors REvil in the infamous 2021 Kaseya ransomware attack, targeting a managed service provider to deploy a ransomware payload in a supply chain attack. As we saw in the case of Kaseya, downstream victims were compromised by a legitimate software update from a known vendor that was signed with a valid digital certificate," Miller continued.

"All the security hygiene in the world is not going to prevent a legitimate application from executing the malicious payload in this kind of attack. Thus, operational resilience is key."

Detecting DLL side-loading attacks is tricky, but SOC analysts can look for unsigned DLLs loaded by executables, for suspicious loading paths, and for timestamps that show a gap between the compilation time of the executable and that of the DLLs it loads. Every executable carries a timestamp for when it was compiled. If that timestamp differs significantly from those of the loaded DLLs, this could indicate a malicious payload.

Attackers can make this even more difficult by using timestomping techniques to modify the timestamps. Luckily, this does not appear to be the case with this first iteration of Rorschach. Furthermore, the paths for legitimate executables generally include clear references to a product name, whereas a malicious DLL may sit under a generic path, so analysts can look for these clues as well.
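The three clues above (unsigned DLLs in a signed process, generic load paths, and a large gap between the executable's and the DLL's PE compile timestamps) can be turned into a triage script that runs over module-load telemetry. The following is an added example, not code from the Halcyon post or from the Rorschach analysis: the telemetry records, vendor and product names, directory lists and the one-year compile-gap threshold are all constructed assumptions, and it deliberately skips the path and compile-gap checks for DLLs under the Windows system directories, since OS libraries are rebuilt on their own schedule and would otherwise be flagged on every process.

```python
"""Triage module-load telemetry for DLL side-loading indicators.

Added example (not from the Halcyon post). Applies three heuristics to
constructed module-load records: an unsigned DLL loaded by a signed
executable, a DLL loaded from a generic or user-writable path, and a large
gap between the executable's and the DLL's PE compile timestamps.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# OS library locations: rebuilt on their own cadence, so the path and
# compile-gap checks are not meaningful there (assumed list).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Generic, typically user-writable locations where a product DLL is unexpected (assumed).
GENERIC_DIRS = ("\\temp\\", "\\tmp\\", "\\downloads\\", "\\public\\", "\\programdata\\")

# Tokens that identify a legitimate product directory; constructed for this example.
KNOWN_PRODUCT_TOKENS = ("examplevendor", "exampleproduct")

# Compile-time gap beyond which the exe and DLL are unlikely to come from one build.
# Assumed threshold: vendors ship components built close together, so use a wide margin.
MAX_COMPILE_GAP = timedelta(days=365)


@dataclass
class ModuleLoad:
    """One DLL load observed in a process, as endpoint telemetry would report it."""
    exe_path: str
    exe_signed: bool
    exe_compile_time: datetime   # PE header TimeDateStamp of the executable
    dll_path: str
    dll_signed: bool
    dll_compile_time: datetime   # PE header TimeDateStamp of the DLL


def _norm(path: str) -> str:
    """Normalise separators and case so string checks are predictable."""
    return path.replace("/", "\\").lower()


def sideload_indicators(rec: ModuleLoad, max_gap: timedelta = MAX_COMPILE_GAP,
                        product_tokens=KNOWN_PRODUCT_TOKENS) -> list:
    """Return the names of every indicator that fires for one module-load record."""
    hits = []
    dll = _norm(rec.dll_path)
    in_system = dll.startswith(SYSTEM_DIRS)

    # 1. A signed host process pulling in an unsigned DLL.
    if rec.exe_signed and not rec.dll_signed:
        hits.append("unsigned_dll_in_signed_process")

    # 2. Suspicious load path: a generic/user-writable directory, or a directory
    #    with no reference to a known product name. Skipped for OS libraries.
    if not in_system:
        dir_parts = [p.lower() for p in PureWindowsPath(dll).parent.parts]
        in_generic = any(g in dll for g in GENERIC_DIRS)
        names_product = any(tok in part for part in dir_parts for tok in product_tokens)
        if in_generic or not names_product:
            hits.append("generic_dll_path")

    # 3. Compile-time gap between the executable and the DLL it loaded.
    if not in_system and abs(rec.dll_compile_time - rec.exe_compile_time) > max_gap:
        hits.append("compile_time_gap")
    return hits


def triage(records, **kwargs) -> dict:
    """Map each DLL path with at least one indicator to its indicators, most suspicious first."""
    scored = {r.dll_path: sideload_indicators(r, **kwargs) for r in records}
    return dict(sorted(((p, h) for p, h in scored.items() if h), key=lambda kv: -len(kv[1])))


# Constructed sample telemetry: a normal product DLL, an OS DLL, and a suspicious load.
SAMPLE_LOADS = [
    ModuleLoad(r"C:\Program Files\ExampleVendor\ExampleProduct\tool.exe", True, datetime(2022, 11, 1),
               r"C:\Program Files\ExampleVendor\ExampleProduct\helper.dll", True, datetime(2022, 11, 3)),
    ModuleLoad(r"C:\Program Files\ExampleVendor\ExampleProduct\tool.exe", True, datetime(2022, 11, 1),
               r"C:\Windows\System32\kernel32.dll", True, datetime(2019, 4, 2)),
    ModuleLoad(r"C:\Users\Public\Downloads\vendor_tool.exe", True, datetime(2019, 6, 15),
               r"C:\Users\Public\Downloads\util.dll", False, datetime(2023, 3, 20)),
]

if __name__ == "__main__":
    for path, indicators in triage(SAMPLE_LOADS).items():
        print(f"{path}: {', '.join(indicators)}")
```

The indicators are deliberately kept separate rather than summed into a score, so an analyst can see which clue fired; a single `generic_dll_path` hit on an installer running from Downloads is routine, while all three together on a signed vendor binary is the pattern worth pulling the DLL for.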

Ransomware Attack Hits Large Alabama School District

The Jefferson County School System in Alabama reported it was the victim of a disruptive ransomware attack during the District’s Spring Break period.

"Preliminary investigations have not revealed any evidence of a breach of sensitive personally identifiable information,” a district spokesperson said.

“However, we will continue to investigate any possibility of compromised data and notify stakeholders accordingly if discovered. We have engaged outside cybersecurity experts and law enforcement officials to assist."

No details are available regarding whether sensitive data was exfiltrated during the attack, as the investigation is ongoing.

Takeaway: The education sector has been under assault by some of the most prolific ransomware operators and criminal syndicates operating today, and they are simply outmatched. Legacy security tools like antivirus were not designed to address the unique threat that ransomware presents, and this is why we keep seeing destructive ransomware attacks circumvent these solutions.

Educational institutions are primary ransomware targets not just because they are vulnerable, but also because they collect and store a treasure trove of personally identifiable information (PII) and financial information that can be leveraged for identity theft and other crimes. But it is unreasonable to expect a public school district to have the ability to stand up a security program that can withstand the advanced tools and tactics these threat actors are employing.

CISA recently warned about the growing risk to the education sector from ransomware attacks, noting that some ransomware groups disproportionately target schools. CISA included some updated guidelines for K-12 organizations, but implementing the guidelines requires resources and personnel with the requisite skill set, which are typically out of reach for the education sector. It's kind of like sending them "thoughts and prayers," which is a nice gesture but does little to prevent attacks from being successful or to make schools more resilient after they are victimized if they can't implement the guidance.

These are well-staffed and funded, multi-million-dollar ransomware operations that regularly breach, exfiltrate and disrupt some of the biggest corporations in the world who maintain mature security programs, so we can’t expect a little school district to be any match for these adversaries – they need help.

Ransomware Attack Fallout: Dish Network Faces Multiple Lawsuits

Dish Network is facing multiple class action lawsuit filings stemming from a ransomware attack that caused a multi-day network outage in February and exposed customer data.

The lawsuits allege DISH "overstated" its operational capabilities and maintained a deficient cybersecurity posture, and they seek to recover losses on behalf of DISH investors, who accuse the company of securities fraud.

“The civil complaint alleges that DISH Network attempted to conceal the fact that it maintained deficient cybersecurity and IT infrastructure while overstating its operational efficiency... As a result of the foregoing, the Company was unable to properly secure customer data, leaving it vulnerable," Bleeping Computer reports.

"The foregoing cybersecurity deficiencies also both rendered Dish's operations susceptible to widespread service outages and hindered the Company's ability to respond to such outages; and... as a result, the company's public statements were materially false and misleading at all relevant times," alleges the complaint.

Takeaway: The impact of ransomware attacks is staggering, especially when you consider that more than 4,000 ransomware attacks are undertaken daily, according to the Department of Justice.

The annual impact from ransomware attacks in the US alone is estimated to be more than $20 billion. Remediation costs following a ransomware attack average more than $4M per incident for each targeted organization.

These figures do not include tangential costs like damage to the brand, lost revenue, lost production from downed systems, and other collateral damage – including potential lawsuits brought by customers and investors.

Ransomware also creates liability and intellectual property loss issues for organizations as attackers focus on the exfiltration of sensitive data prior to delivering the ransomware payload:

  • Ransomware Attacks are Stealthy: On average, a ransomware attack took 237 days to detect (about eight months) and 89 days to fully remediate (about three months) – this is when they are exfiltrating data for double extortion.
  • Ransomware Remediation is Costly: The average ransomware attack response cost $4.54 million, more than the average cost of a data breach at $4.35 million – this represents an existential threat to organizations.
  • Collective Business Impact is Huge: Ransom payments, damage to brand, increased premiums, legal fees, and lost revenue can far exceed remediation costs – this is why the focus needs to be on prevention and resilience.

Current solutions available in the market, while robust and effective for some threats, do not fully protect against ransomware attacks because they were built to detect malware variants in general, but were simply not designed to recognize ransomware.

Basic security hygiene is not enough though. Most attacks start at the endpoint, so endpoint security and resiliency are essential.

Ransomware Attackers Improve Operational Efficiencies

Attackers are getting more efficient at exploiting vulnerabilities, and this trend is likely to continue as threat actors automate aspects of their attack sequences. We see evidence of this automation in the hundreds of organizations that have been hit by the Cl0p ransomware gang in just the last few weeks.

Cl0p has been observed exploiting a known vulnerability in the GoAnywhere software en masse. Now we are just starting to see attacks leveraging a vulnerability in IBM Aspera Faspex, and if threat actors automate this exploit too we could see a similar surge in victim organizations.

And just this week, researchers published analysis of a new ransomware strain dubbed Rorschach that was noted for having some unique features like extremely fast encryption speeds, advanced security evasion, and some stealthy DLL side-loading.

The researchers noted that the strain is partly autonomous and is running tasks that other ransomware operators would typically do manually, like creating domain group policies that allow it to propagate the malicious executable on the network as new users log in. They go on to detail other automated aspects of this new threat.

Takeaway: In short, as attackers continue to automate efficiencies in the attack progression to exploit known vulnerabilities for initial access, improve stealthy payload delivery and evasion techniques, and exponentially improve encryption speeds, we may be in for a very busy period for ransomware attacks as we move closer to summer.

While a lot of focus is around the delivery of the ransomware payload, this is the last stage of the attack. These are multi-stage attacks, and that means we have multiple opportunities to detect and stop them.

Organizations must have the ability to disrupt attacks earlier – at initial ingress, when attackers move laterally, when command and control is established, when data exfiltration begins – instead of after the attackers have already detonated the ransomware payload.

Organizations require both a robust prevention strategy and an agile resilience strategy to defend against this wave of ransomware attacks. To be successful, ransomware readiness plans should build in endpoint protection solutions, patch management, data backups, access controls, employee awareness training, and organizational procedure and resilience testing.

Money Message Gang Hits Micro-Star International with $4M Ransom

“Taiwanese PC parts maker MSI (Micro-Star International) has been listed on the extortion portal of a new ransomware gang known as Money Message, which claims to have stolen source code from the company's network. MSI is a global hardware giant that makes motherboards, graphics cards, desktops, laptops, servers, industrial systems, PC peripherals, and infotainment products, with an annual revenue that surpasses $6.5 billion.”

“The threat actor has listed MSI on its data leak website and posted screenshots of what they claim to be the hardware vendor's CTMS and ERP databases and files containing software source code, private keys, and BIOS firmware. Money Message now threatens to publish all these allegedly stolen documents in about five days unless MSI meets its ransom payment demands.”

“BleepingComputer highlighted this novel ransomware group's activity in a report published over the weekend and described the gang's attack chain, hinting at the possibility of the threat actors having breached a well-known computer hardware vendor. According to chats seen by BleepingComputer at the time, the threat actors claimed to have stolen 1.5TB of data from MSI's systems, including source code and databases, and demanded a ransom payment of $4,000,000.”

Vice Society Ransoms Lewis & Clark College

“Cybernews confirmed the March 3 breach with Lewis & Clark VP of Communications Lori Friedman, who told us by Friday evening ‘that the vast majority of our systems are fully operational.’ The Cybernews team was also able to check the ransom gang's dark web leak site, where Vice Society has indeed claimed responsibility for the ransomware attack.”

“Cybersecurity analyst and security researcher Dominic Alvieri first posted about the breach on Twitter Friday, claiming, ‘the Lewis and Clark College March system outage is now confirmed as a ransomware attack from Vice Society.’”

“On Friday, the college Executive Council posted a notice about the month-long breach on the school's official website, saying the ransomware attack ‘significantly impacted almost all IT systems on campus. The cybercriminals responsible for the incident now claim to have published a limited amount of Lewis & Clark data on a dark web website maintained by the threat actors,’ the school said.”

“However, they ‘do not have reliable information about the scope or content of the allegedly published data.’ The Council also said they are refusing to pay the ransom demand – which has not been disclosed – on the advice of law enforcement and security experts helping with the case. The gang’s leak site posted what appears to be a live link tree of the entire college network system, along with three rotating photo albums that continuously flip through a sample of alleged photocopies of student passports.”

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
