Ransomware Roundup: 04.17.23

Destructive Iranian Attacks Masquerade as Ransomware Operations

The Iranian nation-state group known as MuddyWater has been busy conducting destructive attacks disguised as ransomware operations.

"While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," the Hacker News reports.

“MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017.”

Takeaway: This latest string of attacks from Iranian threat actor MuddyWater highlights the continued blurring of the lines between nation-state and cybercriminal ransomware operations. Criminal ransomware operations are getting more complex with stealthier attacks designed to penetrate as much of the targeted network as possible before the ransomware payload is delivered, exfiltrating sensitive data along the way. Nation-states are using the "fog of ransomware attacks" to further geopolitical efforts while enjoying a level of plausible deniability by making their espionage and destructive attacks appear to be criminally operated.

There are generally three models that exemplify this crossover, the most prolific being the Russian model where ransomware gangs conduct attacks against Western targets with impunity. These ransomware operators not only share intelligence with the Russian government, but they also appear to be under the direct control of the state as evidenced by some of their targeting and the overlap in attack infrastructure between the operations. For example, Russian criminal ransomware activity took a noticeable dip at the beginning of the conflict in Ukraine, providing pretty clear evidence that many of the Russian ransomware operators are directly controlled by the Russian government and were likely conscripted to support the war effort.

Then, there is the case of DPRK, where we see nation-state ransomware operators conducting ransomware attacks that are most likely designed to both cause disruption for the target nations and to raise funds the cash strapped DPRK can use for other purposes.

Last there is the Iranian model, where ransomware and/or destructive wipers are employed in attacks as a diversionary tactic in conjunction with other attacks, or for general disruption by damaging critical systems. In most cases, no ransom demand is levied, no serious effort was made to collect a payment, or there is no actual mechanism for the victim to pay a ransom - it's all part of a grand deception.

These models show us that criminal elements have increased capabilities by adopting what was, until recently, only seen in APT-level operations. But this also means that there are potentially weeks of detectable activity on the targeted networks before the ransomware payload was delivered. With the right controls in place, we can interrupt attacks like these much earlier in the kill chain.

Yum! Brands Notifies Customers of Breach Following Ransomware Attack

Yum! Brands is sending data breach notification letters to customers whose personal information was stolen in a January ransomware attack. Yum! Owns popular brands including KFC, Pizza Hut, and Taco Bell

“This comes after the company said that although some data was stolen from its network, it has no evidence that the attackers exfiltrated any customer information,” reports Bleeping Computer.

“In the breach notification letters sent to affected people starting Thursday, Yum! Brands revealed that it has now found out the attackers stole some individuals' personal information, including names, driver's license numbers, and other ID card numbers.”

Takeaway: Given how common it is for ransomware attacks to include the exfiltration of sensitive data, we should start talking about this issue as a data exfiltration attack problem that includes the delivery of a ransomware payload, instead of the other way around. While it may be a painful process to mitigate the impact of a ransomware attack, if the organization made the effort to build-in resilience to its incident response plans, it will recover. There is no recovery from data exfiltration - once the attackers have your data, it is beyond your control what happens to it.

It's not surprising that Yum! is just now notifying customers that their data was exposed in a ransomware operation that was first discovered months ago. Incident response and forensic examinations are complicated and take a considerable amount of time to complete. Most companies, especially those that are public and/or are in highly regulated industries typically try to be as transparent as they can be, but it takes time to understand how a complex attack took place and exactly what assets were impacted.

One would think that - given how ransomware attacks are designed to reveal themselves to the victim, unlike other attacks - that disclosure of the details would come swiftly. That's not necessarily the case with these attacks that not only deliver ransomware but are also stealthy data exfiltration operations. Up to the point when the ransomware payload is delivered, there is little difference between these cybercriminal ransomware operations and corporate or government espionage attacks. These are complex, multi-stage operations often involving multiple threat actors.

Their goal, like that of their espionage-focused counterparts, is to be as quiet as possible while infiltrating as much of the targeted network and exfiltrating as much sensitive data as they can, and then leveraging it for a bigger ransom demand. In most respects, the only difference between a corporate espionage operation and a ransomware attack is that in the latter the attackers plan on revealing the attack to the victim in time.

NoName Ransomware Gang Hits Multiple German Government Ministries

The pro-Russian NoName ransomware group, known to launch attacks in retaliation for sanctions imposed against Russia, has claimed attacks against multiple German government ministries, including:

• Germany’s Federal Central Tax  
• Federal Constitutional Court  
• Federal Intelligence Service  
• Federal Officer for the Protection of the Constitution  
• Federal Supreme Court  
• Supreme Court of Labour disputes  
• Ministry of Foreign Affairs  
• Federal Ministry of Transport and Digital Infrastructure

“At the time of writing, most of the listed German websites were not accessible. The website (sic) were failing to load and displaying ‘this site can’t be reached’ message without any error code,” the Cyber Express reported.

Takeaway: There is a great deal of overlap between Russian nation-state operations and those of Russian cybercriminal syndicates. These ransomware operators openly share intelligence with the Russian government, and at times they appear to be heavily influenced by - or even under the direct control of - the Russian government, as evidenced by attacks like this in Germany.

Russia exploits the "fog of ransomware attacks" to further their geopolitical agenda while enjoying a level of plausible deniability in their making espionage and disruptive ransomware attacks appear to be criminally motivated. This is why these well-known Russian ransomware gangs are able to launch attacks against Western targets without fear of any consequences.  

There is the exception where cracking down on some low-level players for the sake of the media serves the Russian government’s larger strategy, as we saw with the arrests of several REvil members in early 2022. But you can be assured that Russian authorities did not make the arrest out of concern about illegal operations – it was likely just a PR ploy.

We also saw that Russian ransomware gang activity took a noticeable dip at the beginning of the conflict in Ukraine, which is a pretty clear indication that many of the Russian ransomware operators are heavily influences or directly controlled by the Russian government and were likely redirected to support the war effort.

It should come as no surprise that the NoName group has also been observed targeting Ukraine, where reports estimate that cyberattacks have tripled in the past year.

Nokoyawa Ransomware Attacks Exploited Windows Zero-Day

Microsoft’s patch Tuesday security updates fixed nearly 100 vulnerabilities, most particularly a privilege escalation zero-day flaw CVE-2023-28252 impacting the Windows Common Log File System (CLFS) driver that has been exploited in Nokoyawa ransomware attacks.

“CLFS is a log file subsystem described by Microsoft as a general-purpose logging service that can be used by software clients running in user- or kernel-mode. The vulnerability affecting CLFS allows an authenticated attacker to elevate privileges to System,” Security Week reports.

“The Nokoyawa ransomware family, which is designed to target Windows systems, emerged in February 2022. The malware encrypts files on compromised systems, but the cybercriminals also claim to steal valuable information that they threaten to leak unless a ransom is paid.”

Takeaway: The marked increase in the exploitation of vulnerabilities by ransomware gangs is further evidence that criminal actors continue to employ increasingly complex techniques that we used to only see in nation-state operations.  

Ransomware attacks used to be clumsier and more random, basically a numbers game where massive email spam campaigns or drive-by watering hole attacks designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin - but those days have largely passed.  

It is highly unusual to see ransomware gangs using zero-day exploits targeting vulnerabilities in Windows, as these exploits are highly valuable to attackers and usually leveraged in nation-state operations as opposed to cybercriminal attacks.  

Research from earlier this year found that more than three-quarters of all ransomware-related vulnerability exploits observed throughout 2022 targeted older bugs disclosed between 2010 and 2019 for which patches were already available. Most of the vulnerabilities were low to medium severity levels, making it more likely that they were lower on an organization's priority list for patching or were simply never addressed.  

For many of these vulnerabilities, exploits have been available for quite some time, and in many cases, the exploits have been built into toolkits and largely automated, so we're also seeing an increase in ransomware attacks displaying these more sophisticated attack sequences, but the use of zero-days of this caliber is almost unprecedented.  

The Nokoyawa ransomware family bears striking resemblance to the Hive ransomware that was first observed in June of 2021 and is responsible for some major disruptions that impacted COVID-19 responses, including an attack on a hospital that delayed care for patients.  

In July of 2022, the FBI penetrated the Hive network and provided decryption keys to victims worldwide, which has diminished the effectiveness of Hive operations, but Nokoyawa could be the group’s successor.  

Hive has claimed more than 1,500 victims who were extorted for more than $100 million in ransom payments as of November 2022, according to the FBI, and was one of the most active of all observed attack groups in 2022.  

Organizations with the right controls in place stand a good chance of disrupting these attacks at initial ingress when these known exploits are likely to be used or when the attackers begin to move laterally on the network and seek to escalate privileges.  

The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster.

Data Exfiltration Attacks with Some Ransomware in the Mix

Early analysis of the recently discovered Rorschach ransomware strain indicates it may be the fastest ransomware strain - taking the title from LockBit 3.0 - with an encryption speed almost twice as fast.

While the Rorschach ransomware's super-fast encryption speed is concerning and obviously garnering lots of attention, it's not the most interesting feature evaluated. Faster encryption speed means that once the ransomware payload is delivered and the operation is exposed, responders have less time to intervene. RaaS providers tout their encryption speed to attract affiliate attackers, and it definitely makes this ransomware strain one to watch.  

But what stands out as particularly unique and potentially more concerning about this strain of ransomware is that Rorschach displays advanced security evasion capabilities to make payload delivery undetectable.  

This first iteration of Rorschach is pretty advanced, displaying autonomous propagation capabilities when executed on a Windows Domain Controller (DC). It is also interesting to see DLL side-loading abusing the Cortex XDR Dump Service Tool in some of the early attacks because this is a legitimate, digitally signed security product.  

This technique leverages vulnerable software to load malicious DLLs that provides persistence and evasion capabilities. DLL-sideloading is not a new technique, but it is somewhat rare - especially in ransomware attacks. The technique was used by REvil in the infamous 2021 Kaseya attack where they targeted the managed service provider to deliver a ransomware payload to their customers by way of a supply chain attack.  

As we saw in the case of Kaseya, downstream victims were compromised by a legitimate software update from a known vendor that was signed with a valid digital certificate. This is an extremely difficult attack technique to defend against.  

SOC analysts can look for any unsigned DLLs within executable files or for suspicious loading paths, as well as timestamps that show gaps between the compilation time for the executable and DLL loading time.  

Loading paths for legitimate executables generally include clear references to a product name, whereas a malicious DLL may have a generic path name, so analysts can look for these clues as well.  

Every executable has a timestamp for when it was compiled. If that timestamp is significantly different than the loaded DLLs, this could indicate a malicious payload. Attackers can make detection even more difficult by using timestomping techniques to modify the timestamps.  

Rorschach just recently emerged, and the first analysis appears to have come from an incident response at an unnamed US company. So far there have not been any reports of a major attack against a large organization.

This is possibly due to several factors, the first being that like any software release, the developers are evaluating its performance and fixing any issues, so they may go after smaller targets first for testing purposes.  

As well, today's more complex ransomware operations are multi-staged attacks, where the threat actors are looking to infiltrate as much of the targeted network as possible, exfiltrating sensitive data along the way.  

They threaten to expose the stolen data to put more pressure on the victim to pay the ransom demand and receive the decryption key to restore their systems, In some cases the attackers will demand an additional payment for the stolen data in addition to the initial ransom.  

There is a lot of focus on the delivery of the ransomware payload, but this occurs at the end of the attack sequence and the damage has already been done to the targeted organization.  

Since these are longer, multi-stage operations, it is likely that there are some Rorschach attacks underway that have not been detected yet, and most targets only discover they have been hit when the attackers deploy the ransomware payload and reveal themselves via the ransom note.

The defense focus here needs to shift left to prevent the attackers from exfiltrating data. We should really look at these attacks as data exfiltration events with some ransomware in the mix, as opposed to ransomware attacks with some data exfiltration.  

With an eye on resilience in developing a security posture, organizations can limit the impact of a ransomware payload on operations, but once their data is compromised the attack becomes much more difficult to mitigate, as there is no guarantee the attacker will not exploit the data even if they receive payment.

Data Exfil Spotlight: Money Message Ransomware Gang Leaks 500GB of MSI Data

New arrival on the ransomware scene Money Manager leaked 528GB of data exfiltrated from Taiwanese computer manufacturer Micro-Star International (MSI) and is also threatening to expose some of the company's source code.

“Earlier this month, MSI confirmed the company suffered a cyberattack, with attackers supposedly demanding several million dollars in ransom for the stolen MSI source code,” the CyberNews reported.  

“Source code leaks pose severe security issues to companies, as threat actors can get a glimpse of the company’s intellectual property and system data. Revealing source code can allow attackers to subsequently craft targeted security exploits.”

Takeaway: The predicament MSA is in today is increasingly common. More often victims are dealing both with the aftermath of a disruptive ransomware attack and trying to restore all operations to normal while also facing the prospect that their intellectual property will be compromised and their competitive advantage in the market negatively impacted.

As an industry, we continue to view these events as ransomware attacks with some data exfiltration. Given most ransomware attacks include the theft of sensitive data these days - with some threat actors even like BianLian and Karakurt skipping the encryption stage and moving to straight-up data extortion - it's time we flip the convo and start looking at these as data exfiltration attacks with some ransomware in the mix.

Today's more complex ransomware operations are multi-staged attacks, where the threat actors are looking to infiltrate as much of the targeted network as possible while exfiltrating sensitive data along the way. They threaten to expose the stolen data to put more pressure on the victim to pay the ransom demand and receive the decryption key to restore their systems. In some cases, the attackers will demand an additional payment for the stolen data in addition to the initial ransom.  

There is a lot of focus on the delivery of the ransomware payload, but we have to remember that this occurs at the end of the attack sequence when the damage to the victim organizations has already likely occurred. Targets usually only discover they have been hit after the attackers deploy the ransomware payload and reveal themselves with a ransom demand.  

But given how much effort goes into laying the groundwork for these attacks, we are not putting enough emphasis on these early stages of the attacks where the threat actors are preparing the environment for delivery of the ransomware payload. There are days, weeks or potentially even months of detectable activity on the network prior to the final payload, and a lot of data is leaving the organization over the course of the attack

The defense mindset here needs to shift to the left significantly where we are addressing ransomware attacks first as an effort to prevent the attackers from exfiltrating data. We should really look at these attacks as data exfiltration events with the additional threat that ransomware could be deployed, as opposed to focusing too much on the tail end of the attack when the ransomware is delivered, and the attack is already successful.  

With an eye on resilience in developing a security posture, organizations can limit the impact of a ransomware payload on operations, but once their data is compromised the attack becomes much more difficult to mitigate, as there is no guarantee the attacker will not exploit the data even if they receive payment.

A solid resilience strategy that includes the necessary mechanisms and preparations to swiftly respond to and recover from a ransomware attack without the need to pay the ransom demand or cooperate with the attackers at all will reduce the risk of serious disruptions to operations and the health organization as a whole.  

But if the attackers already exfiltrated the organization's most valuable data, then all those preparation efforts largely go out the window, and the victim will find themselves in the same predicament as MSI and thousands of other companies who are the victim of these extortion campaigns.

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.