Ransomware Roundup: 05.22.23

Written by
Halcyon Team
Published on
May 22, 2023

Ransomware Attack Shutters Production at Philadelphia Inquirer

The Philadelphia Inquirer reports the publisher has experienced what is being described as the “most significant disruption to its operations in 27 years.”  

The organization said the disruption, suspected to have been caused by a ransomware attack, was as serious as that experienced during a massive blizzard back in January of 1996.

“The company was working to restore print operations after a cyber incursion that prevented the printing of the newspaper's Sunday print edition, the Inquirer reported on its website,” ABC News reports.

“The news operation's website was still operational Sunday, although updates were slower than normal, the Inquirer reported.”

Takeaway: When disruptions from ransomware attacks reach a level that puts them on par with significant natural disasters, we know we have a major problem here. The fact that the attack comes just ahead of the Philadelphia Democratic mayoral primary and will impact coverage of this very significant race is also of concern.

A disruptive ransomware attack creates enough issues for victim organizations, and a timely response is of the utmost importance. Currently, the Inquirer staff are unable to use their offices due to systems being down, and the company is scrambling to find coworking space.  

They also reported that staff will not be able to use the newsroom on election night. Contingencies for these kinds of disruption need to already be in place and stress tested before a successful ransomware attack occurs.  

Organizations need to plan for failure, and assume the worst in preparing for any crisis, cyberattacks included. Resilience planning for when controls fail to protect the organization is just as important as prevention planning.

Ransomware operators are, for the most part, driven by financial incentives. They continue to go after both high-value targets that have the means to pay ever-higher ransom demands, as well as industries that traditionally have understaffed and underfunded security operations that cannot adequately defend against these more complex, multi-stage attacks.

While many organizations have stepped up efforts to prepare for a ransomware attack by implementing controls like anti-ransomware and endpoint protection solutions, most organizations have not done the hard work of actually preparing for a ransomware attack to be successful.

In addition to prevention capabilities, organizations need to hold regular tabletop exercises where they can stress test their incident response plans and develop contingencies to account for disruptions to systems and critical services.


FBI and CISA Alert on the Bl00dy PaperCut Vulnerability Exploit

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory (CSA) alerting organizations - particularly those in the Education sector - about the ongoing mass exploitation of CVE-2023-27350.

This vulnerability, for which a patch has been available since March, is present in some versions of PaperCut NG and PaperCut MF and can allow threat actors to engage in unauthenticated remote code execution.

Threat actors identified as the Bl00dy Ransomware Gang in the alert have been observed exploiting vulnerable PaperCut servers since as early as April, the report states. By late April, it was reported that nearly 1,800 internet-exposed servers had been compromised.

“In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Ultimately, some of these operations led to data exfiltration and encryption of victim systems,” according to the alert.

“FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.”

Takeaway: So how do ransomware operators compromise thousands of servers in a matter of a few weeks? They are increasingly automating exploitation of known vulnerabilities en masse, and the huge increase in the volume of attacks observed in early 2023 is evidence of this latest trend.

March of 2023 was the most prolific month so far for the sheer volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year.

Threat actors are getting better at taking advantage of unpatched vulnerabilities and misconfigurations by automating aspects of their attack progressions. Automation means ransomware operators can simply hit more victims faster.

For example, hundreds of organizations have been hit by the Cl0p ransomware gang this year as they continue to exploit a known vulnerability in the GoAnywhere software. We are also seeing signs of automation in attacks exploiting a similar vulnerability in IBM Aspera Faspex.

In early April, researchers published analysis of a new semi-autonomous ransomware strain dubbed Rorschach that was noted for its automation, fast encryption speed, and stealthy DLL side-loading for security evasion and persistence.

Later in April, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.

These are multi-staged attacks, designed to infiltrate as much of the victim network as possible in order to exfiltrate sensitive data for extortion. Ingress and lateral movement on the targeted network usually take a good amount of time, so automating these aspects of the attack sequence allows threat actors to compromise more targets faster.
Some of these automated techniques and attack tooling are extremely difficult to detect and are more typical of APT-type operations.

Timely patching of vulnerabilities - both old and new - is something all organizations should prioritize to prevent exploitation. These attackers are out there somewhere scanning for any opening they can find.

Patching can be difficult in some circumstances and take time, but there is no excuse for organizations to be unaware that they need to patch a known vulnerability. Attackers are automating the discovery and exploitation of these vulnerable systems, so organizations should have processes in place to understand if they are exposed. There is really no reason for them to be caught off guard.

FBI and CISA Issue Alert on BianLian Ransomware Gang Tactical Shift

The FBI and CISA have issued a joint alert regarding a confirmed shift in tactics by the BianLian ransomware gang. The report notes that BianLian had previously engaged in a double-extortion model, encrypting targeted systems after exfiltrating sensitive data, but early this year shifted to an exfiltration-focused data extortion strategy.

“BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development,” the alert notes.  

“The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made.”

Takeaway: Ransomware is a financially motivated crime. The operators want the money at any cost - and if they can reduce the resources required to be successful, they will. Attackers always consider ROI in their operations. So, if ransomware groups can achieve their goals by simplifying the attack and still get the same results, they will.

BianLian first emerged in the wild in the summer of 2022, and successfully attacked several high-profile organizations before a free decryption tool was released to help victims recover files encrypted by ransomware.

BianLian is known to abuse Remote Desktop Protocol (RDP) for ingress, one of the more common tactics used by ransomware operators to move laterally in a compromised network. RDP is also abused to remotely execute malicious code such as malware and attack kits, to run scripts in fileless attacks, or to abuse legitimate network tools in what is known as living-off-the-land. Access to RDP instances is usually accomplished by way of stolen or brute-forced user credentials.
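One check a defender would want against the RDP access pattern described above, as an added example that is not part of the original post or the CISA alert: flag a source address that racks up failed RDP logons and then succeeds. It assumes Windows Security events (IDs 4624 and 4625, logon type 10 for RDP) and uses constructed sample events rather than real logs.

```python
"""Detect a likely RDP credential brute force followed by a successful logon,
the access pattern described for BianLian above (stolen or brute-forced RDP
credentials). Added example, not from the Halcyon post or the CISA alert; the
Windows Security events below are constructed for illustration."""
from collections import defaultdict

# Windows Security event IDs and the RDP logon type (real values)
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10  # RemoteInteractive (Terminal Services / RDP)

# Constructed sample: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2023-05-01T02:00:01Z", 4625, 10, "administrator", "203.0.113.10"),
    ("2023-05-01T02:00:03Z", 4625, 10, "admin", "203.0.113.10"),
    ("2023-05-01T02:00:05Z", 4625, 10, "backup", "203.0.113.10"),
    ("2023-05-01T02:00:07Z", 4625, 10, "svc_backup", "203.0.113.10"),
    ("2023-05-01T02:00:09Z", 4625, 10, "svc_backup", "203.0.113.10"),
    ("2023-05-01T02:00:11Z", 4625, 10, "svc_backup", "203.0.113.10"),
    ("2023-05-01T02:00:20Z", 4624, 10, "svc_backup", "203.0.113.10"),
    ("2023-05-01T08:15:00Z", 4624, 10, "alice", "10.0.0.5"),  # normal RDP logon
    ("2023-05-01T09:00:00Z", 4625, 10, "alice", "10.0.0.5"),  # one typo, benign
    ("2023-05-01T09:00:04Z", 4624, 10, "alice", "10.0.0.5"),
    ("2023-05-01T09:30:00Z", 4625, 3, "bob", "10.0.0.7"),     # network logon, not RDP
]


def find_rdp_bruteforce(events, threshold=5):
    """Return {source_ip: (failed_rdp_logons, account)} for every source that
    logged at least `threshold` failed RDP logons and then succeeded over RDP.

    Events are processed in timestamp order; a source is reported once, on its
    first successful RDP logon after crossing the threshold."""
    failures = defaultdict(int)
    hits = {}
    for _ts, event_id, logon_type, account, src_ip in sorted(events):
        if logon_type != LOGON_TYPE_RDP:
            continue  # only RemoteInteractive logons matter for this check
        if event_id == EVENT_LOGON_FAILED:
            failures[src_ip] += 1
        elif event_id == EVENT_LOGON_SUCCESS:
            if failures[src_ip] >= threshold and src_ip not in hits:
                hits[src_ip] = (failures[src_ip], account)
    return hits


if __name__ == "__main__":
    for src, (count, account) in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {count} failed RDP logons, then success as {account}")
```

In production the same logic runs over 4624/4625 events pulled from a SIEM, with the threshold and time window tuned to the environment's normal failed-logon rate.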

Confirmation that the BianLian group has moved away from delivering ransomware payloads in favor of purely data exfiltration and extortion attacks shows how successful the double extortion strategy is for ransomware groups.  

In fact, it works so well that we will likely see more groups join the likes of BianLian (and Karakurt before them) in opting to forgo the hassle involved in developing and managing the encryption and decryption process in favor of a less complicated attack.

With data exfiltration as one of the primary tactics employed in today’s multi-stage ransomware attacks, we should really start thinking of these as data extortion attacks with some ransomware thrown into the mix sometimes, as opposed to ransomware attacks that sometimes include data exfil.

With Few Options, US Sanctions Ransomware Operator

The U.S. government has indicted and issued sanctions against a Russian national for his role in ransomware attacks against U.S. critical infrastructure targets including law enforcement agencies.

Mikhail Matveev, aka “Wazawaka” and “Boriselcin,” has been identified as a key player in the development of the Hive, LockBit, and Babuk ransomware variants, as well as being connected to the Conti ransomware gang.

“In 2021, Matveev claimed responsibility for a ransomware attack against the Metropolitan Police Department in Washington, D.C., according to the U.S. Justice Department. The cyberattack saw the Babuk ransomware gang, which Matveev was allegedly a member of since early 2020, infiltrate the police department’s systems to steal the personal details of police officers, along with sensitive information about gangs, suspects of crimes and witnesses,” TechCrunch reports.

“These three ransomware gangs are believed to have targeted thousands of victims in the United States. According to the Justice Department, the LockBit ransomware gang has carried out over 1,400 attacks, issuing more than $100 million in ransom demands and receiving over $75 million in ransom payments. Babuk has executed over 65 attacks and has received $13 million in ransom payments, while Hive has targeted more than 1,500 victims around the world and received as much as $120 million in ransom payments.”

Takeaway: The announcement that the US government is charging and sanctioning Russian national Mikhail Matveev is welcome news, and we hope to see more such actions taken to help stem this epidemic of ransomware attacks.  

While we have seen some arrests here and there of affiliates and other low-level threat actors in the space, Matveev is on another level, having been connected to some of the most prolific ransomware operations, including Conti, Hive, LockBit, and Babuk.

One thing these groups have in common - aside from Matveev's alleged involvement - is their propensity to hit targets in key critical infrastructure sectors. A wide variety of industries fall under the critical infrastructure umbrella, some with the potential to cause widespread disruptions if successfully targeted by these threat actors, as we saw with the DarkSide attack on Colonial Pipeline back in the spring of 2021 that shut down fuel supplies on the East Coast of the US for several days.

That attack apparently crossed a line with the ransomware operator's Russian-aligned overlords, and the DarkSide operation was quickly shuttered. But this outcome was likely only because it turned up the heat on the Putin regime, and Putin probably did not like to hear his name invoked in the same news conference that was discussing the attack. It's likely that the Russians did not want to reveal just how disruptive a ransomware attack can be - yet.

As cyber has evolved into a military theater of operations, conventional thinking is that a major attack on critical infrastructure would likely only come as part of a larger operation that included traditional kinetic warfare. But that thinking assumes nation-to-nation conflicts at the direction of governments. The weird overlap of cybercriminal activity with nation-state-supported operations we see with the Russian ransomware model - which conveniently allows for plausible deniability on the part of the nation-state actor - means we have elements acting that are not necessarily under the direct control of a government.

In the case of Colonial Pipeline, it may well have been an affiliate actor who conducted the attack, subsequently getting slapped down by the Russians for the overreach in their targeting. Nonetheless, the attack demonstrated that our nation's critical infrastructure is extremely vulnerable to such disruptions.

The US government is in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining root attribution for the attacks. These actions against Matveev are a good start, but even if he is arrested, there will quickly be someone to take his place. Ultimately, it's the Russian government that is both providing safe harbor for criminal elements conducting ransomware attacks with impunity and is very likely influencing some of their targeting.

Until the US government directly sanctions the Putin regime for their direct or tacit support, we will not see this spate of ransomware attacks abate any time soon. It's only a matter of time before we see another massively disruptive attack against a critical infrastructure target.

San Bernardino County Succumbs to $1.1 Million Ransom Demand

The San Bernardino County Sheriff's Department reportedly paid a $1.1 million ransom to ransomware operators following an attack in April that led to a “network disruption.”

“The decision whether to render payment was the subject of careful consideration,” County spokesperson David Wert said.

The investigation is ongoing, and the county is trying to determine whether any sensitive information was exfiltrated.

“Sheriff Shannon Dicus said this week that public safety wasn't compromised by the ransomware attack, but it hindered some tasks,” the Recorder Online reports.

“Deputies, for example, could not access a system that provides information on whether a person is wanted for crimes elsewhere in the country, so they had to request that other agencies make the record checks, Dicus said.”

Takeaway: It had been rumored for some time that the San Bernardino County Sheriff's Department had elected to pay a sizable ransom demand, and now we have confirmation. Overall, this is not good news, and not a good look for law enforcement, given the nation's leading law enforcement agency strongly recommends that victims forego ransom payments because they further incentivize these disruptive attacks. So this is kind of a disappointing outcome to this case.

The fact that a ransom demand was paid suggests this was a really disruptive attack, and likely means that San Bernardino County was not prepared at all for the possibility they would be the target of a ransomware attack. While this may be because most state and local organizations are short-staffed and underfunded, that does not preclude them from preparing to be resilient in the face of a successful ransomware attack.  

Were endpoint protection and other security controls deployed and up to date? Was critical data backed up offsite? Was the network segmented to prevent spread? Were system logs being monitored for suspicious activity, and was the IT team ready and able to respond?

Additionally - as it sounds like they are still early in their forensic investigation and have not even determined if any data was exfiltrated - there is a low probability that they have any solid attribution as to who the attackers really are, despite having paid them. Paying a ransom demand may seem to be the expeditious route to regain access to systems, but it comes with its own risks.

First, many of these threat actors are subject to sanctions, which means paying them would be a violation of Federal law. Then there is the fact that the majority of victims who pay a ransom don't necessarily get the quick return to normalcy they anticipate. Even if the attackers provided the decryption key as promised, every impacted device has to be restored individually, which is extremely time-consuming.  

Worse yet, half or more of the data may be corrupted in the process, as the attackers are more concerned about being paid than in guaranteeing a smooth recovery for the victim. And there are several studies that indicate victims who have paid a ransom demand are more likely to get attacked and ransomed again - often by the same threat actors.

And then there's the optics, which are terrible. It's one thing for a private organization to opt to pay a ransom - while still not advisable for the reason stated above - but it is not encouraging to see any law enforcement agency succumb to the demands of a criminal operation, especially when acquiescing means the criminal enterprise profits and those profits come from taxpayers. Government agencies should not be in collusion with threat actors to any degree; it just does not send a good message.

This is a good lesson for all organizations, public and private: don't be the low-hanging fruit that attracts attackers, prepare to defend and prepare for failure, and then plan plan plan to be resilient and stress test that incident response plan regularly. Ransomware is a serious threat, and it needs to be taken seriously.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
