Ransomware Roundup: 05.08.23

Written by
Halcyon Team
Published on
May 8, 2023

Ransomware Operators Automate Exploitation of Insecure MS-SQL Servers

Researchers have identified ransomware campaigns that use automated scans to find inadequately secured MS-SQL servers, which are then abused to deliver Trigona ransomware.

“Researchers... observed the threat actors scanning for internet-exposed Microsoft SQL servers and then trying to access them either via brute-force or dictionary attacks. These attacks work if the servers have simple, easy-to-guess passwords, and by automating the login process, the hackers can breach numerous servers with ease,” Tech Radar reports.

“Once they gain access to the endpoint, the attackers will first install a piece of malware the researchers named CLR Shell. This malware picks up system information, changes the compromised account’s configuration, and escalates privileges to LocalSystem through a vulnerability in the Windows Secondary Logon Service.”

Takeaway: March of 2023 was the most prolific month so far for the sheer volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year.

One of the reasons for this spike in ransomware attacks is that threat actors are getting better at taking advantage of unpatched vulnerabilities and misconfigurations by automating aspects of their attack progressions.

Automation means ransomware operators hit more victims faster, which translates to more ransoms collected and more fiscal pain for the victim organizations, which is the name of the game for these threat actors.

For example, hundreds of organizations have been hit in the last few weeks by the Cl0p ransomware gang as they continue to exploit a known vulnerability in the GoAnywhere software. We are also seeing signs of automation in attacks exploiting a similar vulnerability in IBM Aspera Faspex.

Then just last week, researchers published analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for its automation, encryption speed, stealthy DLL side-loading, and advanced security evasion.

Then again just this week, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.

These are multi-staged attacks, where the threat actors are determined to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion. This ingress and lateral movement on the targeted network takes time, so automating aspects of the attack sequence allows threat actors to compromise targets faster.

Some of these automated techniques and attack tooling are extremely difficult to detect, but many of them can only be leveraged if the target has left itself open to the attack. Simple measures, such as not using weak or default passwords, help prevent brute-force and dictionary attacks.
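To show what the brute-force and dictionary activity described above looks like from the defender's side, here is an added example (not code from the original roundup or from the cited researchers) that scans SQL Server error-log lines for bursts of failed logins per client IP, labels them as brute-force (one username) or dictionary (several usernames), and escalates when the burst is followed by a successful login from the same source. The log lines are constructed for the example, and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches SQL Server error-log "Login failed/succeeded for user" lines that
# carry the [CLIENT: ip] suffix; other log lines are ignored.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]\s]+)\]"
)

# Constructed sample log: a short password-guessing burst from one address
# that ends in a successful 'sa' login, plus benign noise from an app server.
SAMPLE_LOG = """\
2023-05-01 03:12:45.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-01 03:12:46.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-01 03:12:46.90 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-05-01 03:12:47.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-05-01 03:12:48.33 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-05-01 03:15:10.00 Logon       Login failed for user 'appsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.14]
2023-05-01 09:00:00.00 Logon       Login succeeded for user 'appsvc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.14]
"""

def parse_logins(text):
    """Yield (timestamp, result, user, ip) for each login event line."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["ip"])

def detect_bruteforce(text, threshold=3, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold failures inside a sliding window (assumed
    values); raise severity when a flagged IP then logs in successfully."""
    failures = defaultdict(list)   # ip -> timestamps of failures in window
    users = defaultdict(set)       # ip -> distinct usernames attempted
    findings = {}
    for ts, result, user, ip in parse_logins(text):
        if result == "failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.pop(0)
            users[ip].add(user)
            if len(q) >= threshold:
                kind = "dictionary" if len(users[ip]) > 1 else "brute-force"
                findings[ip] = {"severity": "medium", "kind": kind, "failures": len(q)}
        elif ip in findings and findings[ip]["severity"] == "medium":
            findings[ip]["severity"] = "high"   # guessing burst, then success
            findings[ip]["succeeded_as"] = user
    return findings
```

In production the same logic would read the live ERRORLOG (failed logins are recorded by default; successful logins only when login auditing is set to log both), and a "high" finding is the signal to treat the account and host as compromised rather than merely under attack.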

Timely patching of vulnerabilities – both old and new – is another big one all organizations should prioritize to prevent exploitation. These attackers are out there scanning for any opening into the target network they can find.

If it’s so easy for attackers to automate discovery of these vulnerable systems, there is really no excuse for an organization to be caught off guard and victimized.

Screenshots Show ALPHV/BlackCat Ransomware Gang Monitored Western Digital’s Incident Response

The Alphv/BlackCat ransomware group reportedly published screenshots that reveal the attackers were monitoring Western Digital’s incident response actions and communications from inside the company’s network.

“The screenshots include what appear to be video calls, emails and internal documents discussing the hack, as well as invoices, development tools, confidential communications, and various tools used internally by the company,” Security Week reports.

“The hackers said that, unless WD pays up, they will release stolen files every week. They also threaten to sell stolen intellectual property, including firmware, code signing certificates, and customer personal information.”

Takeaway: If the attackers have already exfiltrated an organization's most valuable data, it's safe to assume they are deep into the targeted network. It should not be surprising, then, that they leverage this level of access and visibility to monitor and even actively counter incident response efforts: by this point in the operation the attack has already succeeded – it's too late.

Most of the discussion around ransomware attacks centers on the delivery of the payload that encrypts data and systems – basically the very end of a complex ransomware attack sequence. Unfortunately, not enough focus is placed on the preceding steps, which gave the attackers access to large portions of the targeted network and allowed the exfiltration of sensitive data, and which have already succeeded by the time the payload runs.

These are multi-staged attacks, where the threat actors are determined to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion, with the aim to be as disruptive as possible. But this level of infiltration also means the attackers have likely achieved persistence and admin-level privileges.

This means that when the victim organization finally realizes it has been attacked and begins its incident response, it is highly likely that the attackers will have a front-row seat to the remediation actions, and even to internal communications, as appears to be the case with the attack on Western Digital.

Given how much effort attackers are putting into actions like security evasion, establishing persistence, moving laterally in the network and exfiltrating data, it’s clear we are not putting enough emphasis on these earlier stages of today’s long-tail ransomware attacks.  

If the attackers have already gained admin-level access to the network and exfiltrated the organization's most valuable data, then it should be no surprise that the attackers are also privy to recovery efforts because the attack has already been successful. And this visibility can allow the attackers to better resist being expelled from the network.

Better detection and automated remediation of the specific elements that are unique to the earliest actions in a multi-stage ransomware attack will give targeted organizations a much better chance of minimizing disruption to operations, reducing the potential for data loss, and defeating a ransomware attack long before the ransomware payload comes into play.

AvosLocker Ransomware Gang Blasts Messages to Bluefield University Victims

The AvosLocker ransomware gang has claimed responsibility for an attack that has crippled internet and other services at Bluefield University. The attackers also appear to be in control of the university's “RamAlert” emergency notification system, blasting messages to the impacted students and staff that imply they have exfiltrated sensitive data.

Messages state the attackers have “hacked the university network to exfiltrate 1.2 terabytes of files,” and that they “will continue attacking if BU’s president does not pay,” but did not say how much they are demanding for ransom.

The FBI issued an alert about AvosLocker activity back in March 2022 indicating that the group has “targeted victims across multiple critical infrastructure sectors in the U.S., including ... the financial services, critical manufacturing, and government facilities sectors.”

“As you know, on Sunday, April 30, 2023, Bluefield University discovered a cybersecurity attack that impacted our systems. Upon learning of this issue, we immediately engaged independent third-party cybersecurity experts to assist in our review and remediation efforts, but it may be a few days before full functionality can be restored,” a statement from BU school officials said.  

“We are working through the investigation to determine the nature and extent of the incident. However, as of now, we have no evidence indicating any information involved has been used for financial fraud or identity theft.”

We talked to two students over the phone who wanted to remain anonymous. While they expressed concerns about their personal information being leaked, they were also optimistic about the university’s response.

Takeaway: What’s unprecedented in this attack is that the AvosLocker operators are communicating directly with the impacted population whose data is at risk and whose daily lives have been disrupted by the attack.  

We have seen cases of double and triple extortion where the attackers reach out to a victim’s clients or partners in an effort to put more pressure on the victim to pay. But I don’t think we have seen an attacker actively communicate with and basically lobby the secondary victims of a ransomware attack in this manner.

While the disruption to services is always a concern, the real long-term threat here is the theft of sensitive personal and financial data. This is where we see the potential for lasting damage. The attack can be remediated and systems restored, but once the data is in the hands of the threat actors, there is no guarantee, even if a ransom is paid, that the data will not be exploited in further crimes.

Ransomware attacks that include the theft of sensitive data will continue unabated until the profit motives for the threat actors are eliminated. This is organized crime we are dealing with; they only care about bringing pain to victims for their own financial gain.

To protect themselves and their students, education organizations must seriously reevaluate what kinds of data they collect and store, and for how long. Eliminating the unnecessary storage of sensitive data will make EDU organizations a less attractive target to attackers and help reduce overall risk.

Ransomware groups continue to victimize the education sector simply because schools are easy targets. CISA recently warned about the growing risk to the education sector from ransomware attacks, noting that some gangs disproportionately target it.

CISA released updated guidelines for K-12 organizations, but guidelines don’t protect systems and they don’t pay for security boots on the ground. The education sector needs more resources and more skilled personnel, or they will keep being victimized in this manner.

Royal Ransomware Knocks Critical Services Offline in Major Attack on City of Dallas

The Royal ransomware gang has claimed the City of Dallas as a victim, disrupting critical services including 911 dispatch systems.  

“There is no effect to 911 calls at this time, and they continue to be dispatched for service. The outage is not affecting police response,” DPD spokesperson Melinda Gutierrez told TechCrunch.

Multiple municipal websites are down, with the City of Dallas website displaying a message that “the City is experiencing a service outage and is working to restore services,” and the city confirmed that the municipal courts were closed as a result of the attack.

Takeaway: Critical infrastructure, services and systems have never been under more of a threat than they are today in the face of a relentless barrage of ransomware attacks. Royal specializes in targeting critical infrastructure sectors.

Royal has been active since September 2022 but has quickly become one of the more concerning ransomware operations. Royal is somewhat unique in that it prefers to only partially encrypt larger files, which helps it evade detection until it chooses to reveal the attack.

Royal increased attack activity in late 2022 and early 2023, prompting CISA and the FBI to issue alerts to critical infrastructure providers in sectors like healthcare, communications, and education. According to CISA, Royal ransom demands range between $1 million and $11 million.

Royal has been known to use its own custom-made file encryption program and leverages tools like Cobalt Strike or malware like Ursnif/Gozi. Evidence indicates they continue to invest heavily in development, expanding their operations and capabilities. The RaaS platform includes advanced security evasion and anti-analysis capabilities that can hinder both detection and investigation in emulated environments.  

Royal typically does not include a specific ransom demand in the post-infection ransom note but instead requires victims to directly negotiate terms through an Onion URL via the Tor browser.  

Royal is a really ruthless threat actor group, and this level of disruption of emergency services and other critical operations is exactly what they are after – the more pain for the victims and the bigger the crisis they can cause, the better it works in their favor.

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
