Last week, we dove into detail regarding a specific ransomware attack suffered by the city of Florence, AL.
This week, we pull back for a broader view of the developments in ransomware and how different companies have been affected.
Ransomware: An Evolving Business
Between 2018 and 2019, ransomware attacks increased 40%, and the common ransom amounts soared from $6,000 to $84,000 – a 14x increase! In the first quarter of 2020, the average increased even further to $111,605.
Ransomware gangs attack with great skill and with sophisticated evasion techniques. However, the most notable changes in the past few months have nothing to do with technology.
The business models for ransomware are evolving to put even more pressure on the victims.
In May, the Maze Ransomware gang announced it would team up with other gangs to form an extortion cartel to share resources, tactics, and intelligence. The Maze team already had a Maze news site to announce the release of stolen data, and a separate platform to release the stolen data. Through the cartel, Maze now makes those resources available to other gangs.
In early June, Maze released the first data stolen by the LockBit ransomware gang via the Maze sites.
A few days later, the Ragnar Locker attackers were announced as the latest member of the cartel. Interestingly, Ragnar Locker already has their own data-leak website, so it seems the cartel members may have different levels of involvement with each other.
Meanwhile, different gangs continue to explore new ways to increase the pressure on their victims or to increase the potential ransoms. The Sodinokibi Ransomware gang, also known as REvil, began urging affiliates to copy data for extortion purposes to capitalize on the data leak trend. The gang then publicly hinted that it was considering leaking data about ransomware victims to the stock exchanges (NASDAQ, etc.) to affect the victim’s stock prices.
In May, the Ako Ransomware gang began to charge separately for the decryption key and for the deletion of the data. While the Ako ransomware operators claim that this tactic is only used against larger victims, this provides an interesting dilemma for many organizations.
Any ransomware attack that seizes data must be treated as a data breach for both internal and regulatory purposes. However, Ako claims that some healthcare providers only pay to have their data deleted and do not purchase the decryption key. Experts believe a significant number of ransomware victims will deny a leak occurred if they can pay to eliminate the cache of stolen files.
It remains to be seen how these developments in ransomware tactics will affect the trends or the regulatory enforcement. Meanwhile, many prominent organizations continue to fall prey to ransomware attacks.
Notable Victims in June 2020
In addition to the city of Florence, the city of Knoxville, TN suffered a ransomware attack on June 11. Computers on the network were encrypted overnight, affecting city employees and court sessions, but the attack did not prevent the city from providing most of its services.
Knoxville is the third largest city in Tennessee, with a population of over 180,000 residents and significant resources. Still, the attack forced Mayor Glenn Jacobs to say that “cyber attacks can happen to anyone or any government agency, no matter how good the defense is.”
Other recent attacks back up the mayor’s claim. In late May, the Maze ransomware gang appeared to strike Costa Rica’s state bank and release stolen credit card data to the public. In June, Honda, MaxLinear, Enel Group, and Lion suffered ransomware attacks that affected their companies to different degrees.
The Snake ransomware team struck Honda, which appeared to affect computer networks in Japan, the US, and Europe. Honda claims that no information breach took place, and thus they expected minimal impact.
MaxLinear, a system-on-chip manufacturer, suffered an attack by the Maze Ransomware team in May that was traced to an initial breach around April 15. MaxLinear elected to recover from the attack using backups. The company noted that, although they would incur extra costs investigating and remediating the attack, they would not suffer significantly financially because they had cybersecurity insurance.
However, in June, the Maze Ransomware gang leaked 10.3 GB of accounting and financial information. The leak forced MaxLinear to release data breach notices to affected individuals and the U.S. Securities and Exchange Commission (SEC). It is not yet known if this data breach will expose MaxLinear to additional liability.
On June 7, the Snake ransomware gang struck the European energy conglomerate Enel Group, but the malware minimally impacted the company. Antivirus caught the attack, and only a small portion of the company’s network was affected. However, despite the limited nature of the attack, temporary blockage of the internal IT network still prevented customer care activities until the IT department could ensure the attack was contained.
Both the Honda Group and Enel Group declined to acknowledge the nature of the attacks on their systems, but researchers were able to detect the Snake ransomware files uploaded to VirusTotal and the associated company’s file paths in the uploaded virus files. Even when an attack is contained, it seems it is not always possible to keep the attack a secret.
Lion, an Australian beverage company, suffered more serious consequences from their June ransomware attacks. Although Lion claims the attack did not breach any data, the company was forced to shut down IT systems, and their recovery took longer than expected. The company expects temporary shortages of beer and other products as they bring their breweries, dairies, and other drink manufacturing sites back online.
Although the impact to these large organizations remains small this month, we should all be reminded that ransomware attacks could occur at any time for organizations of any size.
In order to minimize the impact to your own organization, you need to learn from the attacks on others so you can take steps to secure your organization and improve your ability to recover from attacks.
Hoaxes & Scams
As part of the process to study your adversaries, you also should educate your team about non-technical threats. With the increasing success of real attacks, fake attacks are also on the rise.
In June, scammers began sending out notices to website owners threatening to leak stolen website databases unless the victim paid a ransom of between $1,500 and $3,000. However, there is usually no data leak!
Researchers warn potential victims to check their websites for signs that they were hacked. While most organizations will find the attack is a hoax, there is a real attack targeting SQL servers that typically will demand a much higher ransom.
The STOP Djvu ransomware provides a much more insidious threat to organizations by posing as free ransomware decryption software. Once an unlucky victim downloads and tries to activate the software, it then proceeds to doubly encrypt the ransomed files and demand an additional ransom!
Fortunately, you only need to inform your team to prevent falling for these types of attacks. Information about hoaxes and scams should be part of the regular briefing to the IT team, the security team, and to general employees.
Should your team need to deal with an attack, Blue Bastion and Ideal Integrations are ready to help. From incident response and recovery to IT design and active monitoring, we provide a selection of tools and services designed to help organizations and budgets of all sizes.