The Halcyon Research and Engineering Team has exposed yet another major player in the Ransomware Economy, one that has been facilitating ransomware attacks as well as multiple state-sponsored APT operations.
Similar to Bulletproof Hosting companies, which cater to attackers and criminals and allow malicious activity to thrive on their networks, there are also ostensibly legitimate ISPs acting as Command-and-Control Providers (C2Ps): they sell services to threat actors while maintaining an otherwise legal business profile.
“What stood out most to us is the fact that we have ostensibly legitimate ISPs providing attack infrastructure to nation-state threat actors, ransomware operators, and other possibly sanctioned entities while under no obligation to take any action whatsoever to stem the illicit activity,” Ryan Smith, CTO and co-founder at Halcyon, told The Record.
“In fact, they are profiting from it… These Command-and-Control Providers — knowingly or unknowingly — are essentially another pillar in the global attack ecosystem, and a major player in the ransomware economy.”
C2Ps rely on legal loopholes in their Terms of Service and Privacy Policies that do not require them to vet their customers, enabling threat actors to abuse their platforms for malicious operations while enjoying plausible deniability.
In this report, titled Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps), Halcyon also demonstrates a unique method for identifying C2P entities and for observing the precursors to major ransomware and espionage campaigns while the attack infrastructure is still being set up.
Halcyon researchers used this method to identify two previously undisclosed ransomware affiliates tracked as Ghost Clown and Space Kook who were observed deploying BlackBasta and Royal payloads, respectively.
This methodology, detailed in the report, led the researchers to a particularly good example of how C2Ps operate and stay below the radar of security teams – an ISP called Cloudzy – which is registered in the U.S. but is most likely actually operating out of Iran.
“Initially, Halcyon suspected that the person or entity doing the leasing was a criminal infrastructure broker, a part of the underground ransomware ecosystem, akin to an initial access broker or malware developer,” the report states.
“To our surprise, Halcyon was able to successfully purchase servers with the identified RDP hostnames from one of the ISPs, and only one: the C2P Cloudzy. More precisely, these hostnames appeared on servers provisioned using their ‘RDP VPS’ service. We had our answer.”
Threat actors that are assessed to be leveraging Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; and several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.
It is assessed that (potentially) between 40% and 60% of the overall activity could be considered malicious in nature. Halcyon recommends that the technical readers of the report use the Indicators of Compromise (IOCs) appended below to search their networks for any of the malicious activities we tied to C2P Cloudzy.
Halcyon further recommends that defenders look out for these hostnames both retroactively, to identify possible attacks already in progress, and proactively, to block malicious activity before it begins.
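The hunting step above is easy to describe and easy to get subtly wrong, so here is an added example (not code from the Halcyon report) of how a defender could run an IOC hostname list over existing logs and over a live log stream. The report's actual hostnames are not reproduced in this section, so the IOC set and the three log lines below are constructed placeholders; a practitioner would substitute the hostnames from the report's IOC appendix and point the script at real RDP, DNS or proxy telemetry. The matcher treats a bare hostname IOC as a match when it is the leftmost label of a FQDN, and a fully qualified IOC as a match for itself and any subdomain, which is the behaviour you want when the same server name shows up in different log sources.

```python
"""Hunt log lines for IOC hostnames (added example; IOCs and logs are constructed)."""
import re
import sys
from typing import Iterable, Iterator, Optional, Set, Tuple

# Placeholder IOCs. Replace with the hostnames from the report's IOC appendix.
# A bare name matches the leftmost label of a FQDN; a FQDN matches itself and subdomains.
IOC_HOSTNAMES: Set[str] = {
    "EXAMPLE-IOC-HOSTNAME-1",            # bare RDP/NetBIOS-style name
    "example-ioc-hostname-2.invalid",    # fully qualified name
}

# Constructed sample telemetry, one line per source type.
SAMPLE_LOGS = [
    "2023-08-01T10:14:02Z host=WS01 event=4624 logon_type=10 workstation=EXAMPLE-IOC-HOSTNAME-1 src_ip=198.51.100.7",
    "2023-08-01T10:14:05Z dns query=rdp.example-ioc-hostname-2.invalid type=A client=10.0.0.12",
    "2023-08-01T10:15:30Z proxy GET https://updates.example.com/patch.cab client=10.0.0.13",
]

# Hostname-shaped tokens: dot-separated labels of letters, digits and interior hyphens.
_HOST_TOKEN = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
)


def normalize(host: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are case- and form-insensitive."""
    return host.strip().rstrip(".").lower()


def matches_ioc(host: str, iocs: Iterable[str] = IOC_HOSTNAMES) -> Optional[str]:
    """Return the (normalized) IOC that `host` matches, or None."""
    h = normalize(host)
    for raw in iocs:
        ioc = normalize(raw)
        if h == ioc or h.endswith("." + ioc):
            return ioc
        # Bare IOC (no dot): match when it is the leftmost label of a FQDN.
        if "." not in ioc and h.split(".", 1)[0] == ioc:
            return ioc
    return None


def scan_lines(lines: Iterable[str], iocs: Iterable[str] = IOC_HOSTNAMES) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_number, line, matched_ioc) for each line containing an IOC hostname.

    Works the same over a file (retroactive search) and over a live stream (proactive alerting).
    """
    ioc_list = list(iocs)
    for n, line in enumerate(lines, 1):
        for token in _HOST_TOKEN.findall(line):
            ioc = matches_ioc(token, ioc_list)
            if ioc:
                yield n, line.rstrip("\n"), ioc
                break  # one hit per line is enough for alerting


def hunt(lines: Iterable[str], iocs: Iterable[str] = IOC_HOSTNAMES) -> list:
    """Convenience wrapper: collect all hits as a list."""
    return list(scan_lines(lines, iocs))


if __name__ == "__main__":
    # Retroactive: `python hunt.py access.log`; proactive: `tail -f access.log | python hunt.py`
    source = open(sys.argv[1]) if len(sys.argv) > 1 else (sys.stdin if not sys.stdin.isatty() else SAMPLE_LOGS)
    for number, text, ioc in scan_lines(source):
        print(f"HIT line {number}: ioc={ioc} :: {text}")
```

Run with no arguments to see the two constructed hits (the benign proxy line produces none); feed it a file for a retroactive sweep or pipe a `tail -f` into it to watch new lines as they arrive.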
The Abyss Locker gang is the latest ransomware operation to develop a Linux version that targets VMware's ESXi virtual machines.
“With VMware ESXi being one of the most popular virtual machine platforms, almost every ransomware gang has begun to release Linux encryptors to encrypt all virtual servers on a device,” Bleeping Computer reports.
“Other ransomware operations that utilize Linux ransomware encryptors, with most targeting VMware ESXi, include Akira, Royal, BlackBasta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.”
Abyss Locker is a newer ransomware operation that first emerged in March 2023.
Takeaway: While there is constant change in the ransomware economy with new groups emerging constantly, what has not changed is the fact that these criminal organizations continue to be profitable.
More ransomware gangs have been developing Linux versions over the last year, expanding their addressable target range, but not much attention has been paid to what this trend potentially means for the threat landscape.
While Linux has a much smaller desktop footprint than Windows, Linux runs the most important systems, including web servers, most embedded and IoT devices used in manufacturing and energy, smartphones and supercomputers, most of the US government and military networks, and critical backbone systems in any large network.
Yet we rarely see discussion of ransomware targeting Linux systems in the media. Groups like LockBit, IceFire, Black Basta, Cl0p, Akira – and now Abyss and others – have each developed Linux-targeting capabilities, which makes widespread, disruptive ransomware attacks on Linux systems in the near future a distinct possibility.
Any organization running critical Linux distributions should start preparing to defend these systems – but defending them is a challenge. Linux systems have very few security solution options available, and virtually none that focus on stopping specifically ransomware.
The targeting of Linux systems has the potential to cause a serious disruption beyond the scale of what we saw in the Colonial Pipeline attack. The consequences of not redoubling our efforts to defend Linux systems could prove catastrophic.
A ransomware attack has disrupted healthcare systems in California, Texas, Connecticut, Rhode Island and Pennsylvania, forcing the suspension of services at emergency rooms and causing ambulances to be diverted to other facilities. The attacks have also caused the suspension of primary care services.
“Upon learning of this, we took our systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists,” a spokesperson for Prospect Medical Holdings in California told the Associated Press.
“While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible.”
Other facilities impacted include:
- Connecticut: emergency departments at Manchester Memorial and Rockville General Hospital were closed for much of Thursday and patients were diverted to other nearby medical centers.
- Pennsylvania: services impacted at the Crozer-Chester Medical Center in Upland, Taylor Hospital in Ridley Park, Delaware County Memorial Hospital in Drexel Hill and Springfield Hospital in Springfield, according to the Philadelphia Inquirer.
- California: seven hospitals in Los Angeles and Orange counties including two behavioral health facilities and a 130-bed acute care hospital in Los Angeles.
The FBI said it is working with “law enforcement partners and the victim entities” but could not comment further.
Takeaway: Ransomware attacks are one of the biggest threats facing every organization today, and healthcare providers have been hit particularly hard. Attackers are financially motivated, and they know that the more pain they can inflict on a target, the more money they can extort from them.
Ransomware operators are simply ruthless, and they know that the impact of an attack against healthcare organizations doesn’t just disrupt operations, it directly affects the lives of patients, which in turn puts tremendous pressure on the targeted provider to pay up for swift recovery.
The threat from ransomware is very real, and the fact that nation-state sponsored or directed operators are getting more active in conducting ransomware attacks on our critical infrastructure – especially healthcare - is more than concerning.
Last year CISA warned organizations to remain vigilant with respect to an increased risk from ransomware and destructive data attacks, and a joint alert was issued in early 2023 by CISA, the FBI, NSA, and HHS regarding an increase in ransomware attacks targeting healthcare providers.
Criminal elements have significantly advanced their ability to quietly infiltrate large portions of a target's network, exfiltrating sensitive data to be used as additional leverage for demanding a higher ransom payout.
Ransomware is a multi-billion-dollar industry that operates like a legitimate business - with a host of specialists, R&D departments, recruiters, helpdesks, HR departments and more. We can expect healthcare and other critical infrastructure providers to remain favorite targets, given that they typically have the fewest resources to dedicate to securing the sensitive systems whose disruption has the widest impact.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.