Ransomware Roundup: 07.01.22

This week’s round up…

  • It seems like a great side hustle … until it lands you in prison
  • The updated version of AstraLocker is looking for a quick payout
  • UK’s NCSC names the greatest cybersecurity threat of our times
  • Vice Society takes down a medical university
  • So, we found a reason to jeer at a bug bounty program
  • CISA offers warning about MedusaLocker

It seems like a great side hustle … until it lands you in prison

A ransomware affiliate pled guilty to charges in an all too rare instance of legal action against a cybercriminal. Jonathan Greig at The Record Reported that Canada extradited Sebastien Vachon-Desjardins of Quebec to the United States in March 2022 and worked with the NetWalker group to extort a company in Florida.

“United States Attorney for the Middle District of Florida Roger Handberg said Vachon-Desjardins has agreed to plead guilty to four charges: Conspiracy to Commit Computer Fraud, Conspiracy to Commit Wire Fraud, Intentional Damage to a Protected Computer and Transmitting a Demand in Relation to Damaging a Protected Computer,” Greig wrote.

It should be noted that Vachon-Desjardins cybercriminal enterprises were a side hustle and he worked fulltime – wait for it - "for the Canadian government as an IT employee while conducting ransomware attacks on behalf of NetWalker,” Greig reported.

A Canadian court sentenced Vachon-Desjardins to seven years in prison on separate charges in Feb. 2022.  

The updated version of AstraLocker is looking for a quick payout

Lindsey O’Donnell-Welch at Decipher by Duo reported on an updated version of the AstraLocker that can be delivered directly from infected Microsoft Office files. According to the article, the intent is “an unusually quick delivery method leading researchers to believe that the threat actor behind the ransomware is solely interested in making a big impact and receiving a quick payout.”  

“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to expand their reach within the target environment,” O'Donnell-Welch quoted Joseph Edwards, a researcher with ReversingLabs. “Ransomware almost invariably is deployed last, after compromising the victim's Domain Controller(s), which enables the cybercriminals to use the domain controller (for example: Active Directory) to deploy a group policy object and encrypt all hosts in the affected domains.”

UK’s NCSC names the greatest cybersecurity threat of our times

The United Kingdom’s National Cyber Security Centre declared ransomware the greatest global cybersecurity threat. Danny Palmer at ZDNet reported that “the volume of ransomware has risen significantly with the amount of detected activity in the first quarter of 2022 more than three times what was detected during the same period last year.”

"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," Palmer quoted Lindy Cameron, CEO of the NCSC.

Vice Society takes down a medical university

Vice Society – the group that claimed responsibility for extorting the Italian city of Palermo – scored another victim this week. Bill Toulas at Bleeping Computer reports that the cybercriminal group attacked the Medical University of Innsbruck, which “caused severe IT service disruption and the alleged theft of data.”

“On June 21, 2022, the university's IT team proceeded to reset all 3,400 students' and 2,200 employees' account passwords and called everyone to go through a manual process of personally collecting their new credentials.

“In the days that followed, the university gradually restored its online services and returned operations to its main site, which had previously been initially taken offline,” Toulas reported.

Vice Society have been particularly active lately, including “a college in the UK, a hospital in Italy, and two universities in the UK. This makes the Medical University of Innsbruck the fifth disclosed European victim of Vice in the past month” according to Toulas.

So, we found a reason to jeer at a bug bounty program

Usually, the launch of a bug bounty program is a cause for celebration. Unless a ransomware gang announces it, in which case … disgusting.

Adam Janofsky at The Record by Recorded Future reported that the LockBit gang recently released the third version of its ransomware and a new bug bounty program, which ostensibly seeks to crowdsource the improvement of the malware – again, disgusting.

“Although few details were provided about technical changes to the ransomware-as-a-service operation, the group said it was inviting all security researchers and hackers to participate in its bug bounty program, which allegedly offers rewards ranging from $1,000 to $1 million. The group is seeking website bugs, locker errors, and ideas to improve the group’s software, among other things. A $1 million bounty is reserved for discovering the true name of the affiliate program manager, known as LockBitSupp,” Janofsky reported.

CISA offers warning about MedusaLocker

The United States Cybersecurity & Infrastructure Agency (CISA) released an alert about MedusaLocker. The RaaS gang targets specific vulnerabilities and the CISA notice includes indicators of compromise, MITRE ATT&CK Techniques and mitigation details to enable organizations to reduce the risk of infection.

“Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks,” CISA wrote in the alert.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Netwalker ransomware affiliate agrees to plead guilty to hacking charges.  

Catalin Cimpanu at The Record - Recorded Future for their reporting on NetWalker ransomware affiliate sentenced to seven years in prison.

Lindsey O’Donnell-Welch at Deciper by Duo for their reporting on AstraLocker Ransomware Spread in ‘Smash and Grab’ Attacks.

Joseph Edwards at ReversingLabs  for their research on Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs.

Danny Palmer at ZDNet for their reporting on Ransomware is the biggest global cyber threat. And the attacks are still evolving.

Bill Toulas at Bleeping Computer for their reporting on Vice Society claims ransomware attack on Med. University of Innsbruck.

Adam Janofsky at The Record - Recorded Future for their reporting on LockBit adds a bug bounty program in its revamped ransomware-as-a-service operation.

Cybersecurity & Infrastructure Security Agency for their #StopRansomware: MedusaLocker alert.

The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by offensive security experts to stop attackers. Our platform is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.

Ready to get a demo? Fill out the form and let’s talk!

Get a Demo

Meet with a Halcyon Anti-Ransomware Expert