Ransomware Roundup: 09.03.23

Category: Industry
Written by: Halcyon Team
Published on: Sep 3, 2023

Ransomware Operators Inject Payloads into Legitimate Executable via Citrix NetScaler Exploit

Researchers have observed ransomware operators exploiting an unpatched Citrix NetScaler vulnerability to inject malicious payloads into legitimate processes and achieve remote code execution (RCE).

“Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could facilitate unauthenticated remote code execution,” The Hacker News reports.

“In one intrusion detected in mid-August 2023, the security flaw is said to have been used to conduct a domain-wide attack, including injecting payloads into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe).”

Takeaway: Attackers are getting more efficient at exploiting vulnerabilities, and this trend is likely to continue as threat actors automate more stages of their attack sequences.

Nowhere is this more evident than in the continued exploitation of a vulnerability in the MOVEit managed file transfer software (CVE-2023-34362), which the Cl0p ransomware gang has used to compromise more than 1000 victims in rapid succession over the summer.

The wave of attacks followed another earlier in the year where Cl0p successfully compromised more than a hundred targets by exploiting a bug in the GoAnywhere file transfer tool.

Overall, the marked increase in the exploitation of vulnerabilities by ransomware gangs is evidence that criminal actors are increasingly using the more complex tactics usually seen in state-supported operations, rather than the indiscriminate ‘spray and pray’ ransomware attacks of the past.

This mass exploitation wave is also evidence that ransomware gangs are increasingly leveraging automation to identify and target exposed organizations that have not patched against known vulnerabilities, which is why we are seeing so many new victims.

March and June of 2023 saw huge spikes in the number of successful attacks across every major industry vertical, federal agencies, and state and local governments.

The bad news is that as attackers get more proficient at automating stages of the attack progression (exploiting known vulnerabilities for initial access, improving stealthy payload delivery, fine-tuning evasion techniques, and dramatically improving encryption speeds), we will likely continue to see an escalation in attacks.

The good news is that, because these attacks leverage exploits for well-documented vulnerabilities, we have the opportunity to detect and stop these ransomware operations earlier in the attack sequence.

Many of the TTPs they employ are common and well understood, and they produce a host of detectable activity on the network long before the actual ransomware payload is delivered.

Organizations with the right controls in place stand a good chance of disrupting these attacks at initial ingress, where these known exploits are likely to be used, or when the attackers begin to move laterally on the network and seek to escalate privileges.

The ransomware payload is the very tail end of a longer attack, so a multi-layer defense strategy designed to detect more than just the detonation of a ransomware binary is critical to detecting these attacks earlier and remediating them faster.

FBI Disrupts Massive Qakbot Botnet Driving Millions in Ransomware Losses

The FBI and the Justice Department spearheaded a multinational operation to “disrupt and dismantle” the massive Qakbot botnet that has driven millions in losses from ransomware attacks.

Qakbot malware has been used in ransomware and other attacks since at least 2008, causing hundreds of millions of dollars in losses in the U.S. and other countries.

The takedown operation involved authorities from the U.S., France, Germany, the Netherlands, Romania, Latvia, and the UK, making it “one of the largest U.S.-led disruptions of a botnet infrastructure” in history.

"The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees," said FBI Director Christopher Wray. "The victims ranged from financial institutions on the East Coast to a critical infrastructure government contractor in the Midwest to a medical device manufacturer on the West Coast."

“This botnet provided cybercriminals like these with a command-and-control infrastructure consisting of hundreds of thousands of computers used to carry out attacks against individuals and businesses all around the globe.”

Takeaway: The Qakbot botnet delivered the notorious Qakbot Trojan, which has been leveraged to compromise systems and steal sensitive data for the better part of two decades. This advanced malware evolved over time, gaining the ability to propagate, evade detection, and deploy other payloads.

Qakbot has been observed acting as a dropper in major ransomware campaigns and was first linked to the delivery of the ProLock and Egregor ransomware variants.  

Qakbot operations first compromise a targeted system and establish persistence, then download additional payloads like ransomware that encrypt victim files. The ability to deliver other malware like ransomware made Qakbot a tremendous threat to organizations.

Accurate data is hard to come by when assessing the wider impact of ransomware attacks, as private organizations and individuals are not required to report attacks.

In 2022, the FBI spent seven months observing the infamous Hive ransomware gang after infiltrating their operations. Based on their observations, the agency came to the shocking conclusion that only about 20% of attacks were being reported to law enforcement.

Ransomware is big business, and the financial impact of ransomware attacks is one we all bear, and it is going to become a significant drag on our economy. The only way we can counter its growth as a major industry vertical is to disincentivize the attackers.  

The only way to disincentivize them is to make ransomware attacks unprofitable. Raising the cost for attackers with operations like the takedown of the Qakbot botnet increases their burden, which is a good start, but it’s just a drop in the bucket.

Less Than Half of Organizations Report Ransomware Attacks

Reliable numbers on the extent of the ransomware crisis are hard to come by, and the problem may be even bigger than we think, given that a new survey reveals the majority of executives say their organizations do not report attacks.

Well over half (61%) of executives surveyed reveal that they did not report a major ransomware attack, according to a global survey of over 1,400 IT decision-makers at large organizations.

"Most incidents do not get made public. After all, not every ransomware incident spreads to, nor takes down, an entire system or company infrastructure," noted Ian McShane, field chief technology officer at Arctic Wolf, who conducted the study.  

"Unsurprising when you think of the negative press and brand damage, let alone potential for fines or other penalties depending on the industry," McShane said.

Key findings of the survey worth noting include:  

  • 78% of executives claim that they would be willing to pay a ransom
  • 74% of executives believe their security teams cannot defend against ransomware
  • 60% of executives believe their employees could not identify a cyberattack

Takeaway: No, the ransomware problem is not going away. Ransomware attacks continue to be extremely lucrative, with ransom demands and recovery costs bleeding victim organizations for millions of dollars.  

Ransomware-as-a-Service (RaaS) and other extortion attack operators continue to implement novel evasion techniques specifically designed to evade or completely circumvent traditional endpoint protection solutions.

More than 2,300 organizations succumbed to ransomware attacks in just the first half of 2023 according to the most recent data, with the vast majority carried out by only three ransomware operators: LockBit (35.3%), ALPHV/BlackCat (14.2%), and Cl0p (11.9%). Overall, ransomware attacks were up 74% in Q2-2023 over Q1 volumes.

So, if half of all ransomware attacks are going unreported, the problem is much bigger than we think. But wait – it could be even worse.

In 2022, the FBI spent seven months observing the infamous Hive ransomware gang after infiltrating their operations. Based on their observations, the agency came to the shocking conclusion that only about 20% of attacks were being reported to law enforcement.

That would mean the ransomware problem is not just twice as big as we think, but potentially several orders of magnitude bigger.

Given the risks involved in reporting an incident, it’s no wonder executives choose not to report unless compelled – and that looks like it will be the case for publicly traded companies.  

The U.S. Securities and Exchange Commission will soon be requiring disclosure of cyberattack events within four business days if they are deemed “material” to current and prospective shareholders "in making an investment decision."

Ransomware is big business, and the financial impact of ransomware attacks is one we all bear, and it is going to become a significant drag on our economy. The only way we can counter its growth as a major industry vertical is to disincentivize the attackers.

Ransomware attacks can do more damage to an organization than simply impacting the bottom line: they have the potential to damage the brand, increase insurance costs, force budget cuts and layoffs, negatively impact stakeholders, and even put victim organizations and their CXOs and boards of directors in legal jeopardy.

The ransomware threat is very real, the problem is seemingly growing exponentially, and executive leadership at organizations is struggling with how best to prepare to defend against attacks and with what to do to protect the organization after a successful attack.

Cl0p Campaign Drives Ransomware Attacks to Record Levels in July

The Cl0p ransomware gang’s unprecedented campaign exploiting a known vulnerability in the MOVEit file transfer program drove attack levels to a new high in July, according to new research.

“Analysts observed a record number of ransomware-related cyberattacks last month, with 502 major incidents tracked. According to the researchers, this represents a 154% increase year-on-year, compared to 198 attacks traced in July 2022,” ZDNet reports.

“July's numbers represent a 16% rise from the previous month, with 434 ransomware incidents recorded in June 2023.”

Takeaway: The last time attack volumes hit record levels was just a few months ago in March, with a reported 459 successful attacks. That was up 91% over February’s volume and up 62% year-over-year.

Other reports indicate there have been more than 2,300 successful ransomware attacks in just the first half of 2023 according to the most recent data, with the vast majority carried out by only three ransomware operators: LockBit (35.3%), ALPHV/BlackCat (14.2%), and Cl0p (11.9%). Overall, ransomware attacks were up 74% in Q2-2023 over Q1 volumes.

The actual numbers are likely to be much higher than what is being reported, given another recent study found that over half (61%) of executives surveyed reveal they did not report a major ransomware attack, according to a global survey of over 1,400 IT decision-makers at large organizations.

But wait... the ransomware problem may still be bigger than that.  

In 2022, the FBI spent seven months monitoring the infamous Hive ransomware gang after infiltrating their operations. Based on their observations, the agency came to the shocking conclusion that only about 20% of attacks were being reported to law enforcement.  

That would mean the ransomware problem is not just twice as big as we think, but potentially several orders of magnitude bigger.  

By extrapolation, we could infer that there have actually been more than 10,000 successful ransomware attacks in the first half of 2023, but they are simply not being reported.

While federal authorities have been making efforts to help organizations get a handle on the ransomware onslaught, all of our efforts to stem the tide of ransomware attacks are hindered by not truly understanding the magnitude of this growing threat.

Security teams need hard numbers so they can quantify the risk accurately and make the needed recommendations for improvements to security programs; otherwise they are going to have an even harder time getting proper funding.

Security is a tough space when it comes to budgets. When a security program is running well, the outcome is that nothing happens, or at best there is some data on the number of attempted attacks that were thwarted.

This makes it hard for security team leaders to justify new investments to address novel threats. And this is why we keep seeing organizations pledge to spend millions to shore up security and better protect consumer and customer data – but usually only after the organization has been victimized and sensitive data lost.

If the federal government wants to have an immediate impact in combating ransomware attacks, giving organizations the data they need to adequately measure their potential risk will go further than almost anything else it can offer at this time.

Ransomware is one of the biggest threats to any organization today, and we can’t effectively address the threat if we don’t understand it fully.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
