
Ransomware Updates As We Enter the Holiday Season


The holiday season is here!

During a year with such major ups and downs, it’s a nice break, right? Well, cyber attackers won’t be taking a break, unfortunately. In fact, they’ll want to take full advantage of unprepared IT teams.

If your organization needs extra support over the holiday season, don’t hesitate to call us at 412-349-6680, or fill out the form below, to inquire about our cybersecurity monitoring services.

Meanwhile, here’s this month’s ransomware roundup, along with some interesting new trends.

Ransomware: Printers, Facebook Ads, and TurboTax

Egregor

Ransomware creators continue to find new and unusual ways to attack companies and pressure them to pay.

They understand that those companies often want to suppress information about the nature of an attack until the situation is fully understood.

The Egregor ransomware gang capitalizes on this fear with a new technique: spewing ransom notes from every available printer within the organization. We might initially see this as merely annoying and wasteful, but during the Egregor attack on Cencosud the note reached far more than the company’s 140,000 employees.

As one of the largest retail companies in Latin America, their embarrassment was compounded when the ransom note began printing on their register receipt printers inside their stores.

Ragnar Locker

The Ragnar Locker gang took a different approach to promote their attack on Campari Group, an Italian liquor company.

In addition to demanding a $15 million ransom to restore systems, the Ragnar Locker group stole 2 TB of data and created Facebook ads to put more public pressure on the company. This novel campaign was caught and stopped by Facebook after being seen by 7,000 people.

Ragnar didn’t buy the ads directly. Instead, they hacked the account for Hodson Event Entertainment, an Illinois-based disc jockey, and purchased the ads through that company’s account.

DarkSide

The DarkSide ransomware operation created a distributed data storage system to prevent authorities from recapturing data or blocking ISPs that host stolen data.

This gang’s system is also operating from within Iran, which exposes organizations paying ransoms to the U.S. Treasury Department sanctions we covered a few weeks ago.

Mount Locker

Meanwhile, the Mount Locker ransomware gang chose to specialize and has developed a ransomware strain that focuses on tax data.

Their software specifically targets TurboTax’s .tax file extensions for both encryption and data extraction.

Ransomware payment prompted by Facebook ads

Recent Ransomware Victims & Outcomes

Ransomware attacks have become so common that attacks on a county website in North Carolina, public library systems in Pennsylvania, and a multinational biotech company didn’t even make the headlines.

Capcom

Instead, the highest profile attack was suffered by Capcom, the Japanese videogame company behind the enormously popular Megaman, Street Fighter, and Resident Evil franchises.

Capcom decided not to pay the Ragnar Locker ransom. Instead, the company allowed the attackers to publish confidential corporate documents, customers’ personal information, and the information of 14,000 employees.

How many organizations could survive such a breach? 

Capcom could face lawsuits from employees, and will likely face regulatory fines, if the leaked data contained information from citizens in the EU (GDPR violations), California, or New York (individual state privacy protection laws).

Steelcase

Of course, data leaks are only part of the problem. Office furniture giant Steelcase suffered a two-week global shutdown after a Ryuk ransomware attack and was forced to file formal announcements with the SEC.

Managed.com

Managed.com, a website hosting company, was forced by a REvil ransomware attack to shut down the websites of all of its customers. The attack led some customers to switch hosting providers.

Americold

Meanwhile, the cold storage company Americold similarly shut down its operations to deal with a ransomware attack.

The Americold attack is particularly troubling because its facilities may become part of the refrigerated supply chain for COVID-19 vaccines. Ransomware attackers will certainly focus on the vaccine supply chain to put even more pressure on organizations to pay.

Make It Difficult For Ransomware Gangs

Law enforcement discourages the payment of ransoms.

However, an estimated 27% of victim organizations pay ransoms, which average $1 million. This has led to a surge in ransomware gang activity and their active recruitment of unethical hackers.

We have often mentioned basic preventative measures, such as multifactor authentication and network segmentation. However, there are other preventative measures that can help:

  • Review Group Policy Preferences to ensure previously stored passwords have been purged
  • Review admin processes to make sure passwords do not linger in Notepad files, scripts or batch files
  • Require users to set fresh passwords
  • Restrict the use of Remote Desktop Protocol (RDP) to static IP addresses, RD Gateway-protected access, or two-factor-authentication-protected access
  • Disable Server Message Block protocol version 1 (SMBv1)
  • Patch systems to prevent privilege escalation
  • Employ strong email filtering and train users about phishing to limit exposure
  • Monitor networks and users to catch attacks in progress
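As an added illustration, not part of the original post or of any Ideal Integrations or Blue Bastion tooling, the PowerShell audit below checks four of the items above on a domain-joined Windows host: leftover Group Policy Preferences credentials (the cpassword attribute in SYSVOL XML files), plaintext passwords lingering in admin scripts and notes, whether SMBv1 is still enabled, and whether RDP, if enabled, requires Network Level Authentication. The $Domain default and the C:\Scripts path are assumptions to adjust for your environment; run it from an elevated session.

```powershell
# Ransomware-hardening audit (added example, not from the original post).
# Assumptions: the host is domain-joined, the session is elevated, and
# admin scripts live under the paths in $ScriptPaths.
param(
    [string]$Domain = $env:USERDNSDOMAIN,        # assumed: current machine's domain
    [string[]]$ScriptPaths = @("C:\Scripts")     # assumed location of admin scripts
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Group Policy Preferences: any remaining 'cpassword' attribute in the
#    SYSVOL XML files is a stored credential that should have been purged.
$gppFiles = @('Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
              'DataSources.xml', 'Drives.xml', 'Printers.xml')
$sysvol = "\\$Domain\SYSVOL\$Domain\Policies"
if (Test-Path $sysvol) {
    Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword=' -SimpleMatch |
        ForEach-Object { $findings.Add("GPP stored password: $($_.Path)") }
} else {
    $findings.Add("Could not reach SYSVOL at $sysvol (GPP check skipped)")
}

# 2. Admin scripts, batch files and notes: flag plaintext credential assignments.
Get-ChildItem -Path $ScriptPaths -Recurse -Include *.ps1, *.bat, *.cmd, *.txt -ErrorAction SilentlyContinue |
    Select-String -Pattern '(?i)\b(password|passwd|pwd)\b\s*[=:]\s*\S+' |
    ForEach-Object { $findings.Add("Possible plaintext password: $($_.Path):$($_.LineNumber)") }

# 3. SMBv1 must be disabled on every host.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add("SMBv1 is enabled; fix: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force")
}

# 4. RDP: if connections are allowed, Network Level Authentication must be required
#    (UserAuthentication = 1) so that unauthenticated sessions never reach the login screen.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
if ($rdpEnabled) {
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    if ($nla -ne 1) {
        $findings.Add("RDP is enabled without Network Level Authentication")
    }
}

# Report: an empty list means none of the four checks found a problem.
if ($findings.Count -eq 0) { "No findings" } else { $findings }
```

The script only reports; remediation (deleting the GPP entry, rotating any password found in a script, disabling SMBv1, enforcing NLA or moving RDP behind an RD Gateway) is deliberately left as a separate, reviewed change so that the audit can be run safely on a schedule.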

Ideal Integrations and Blue Bastion are ready and waiting to help your organization bolster its defenses and stay safe this holiday season.

Call us today at 412-349-6680 or fill out the form below – we’re here to help!
