Although our blog has recently been focused on other topics, ransomware has not been inactive in 2020. In fact, it is off to an aggressive start this year, with many high-profile attacks and several new techniques.
As we anticipated in a recent article, Citrix attacks arrived almost immediately.
The Ragnarok ransomware specifically targets the Citrix ADC/Gateway flaw (CVE-2019-19781) for initial entry and then scans the internal network for Windows computers still vulnerable to EternalBlue (the SMBv1 flaw patched by MS17-010 back in 2017). It also attempts to disable Windows Defender, using a technique that is blocked outright if you have enabled Windows 10 Tamper Protection.
Even so, many computers worldwide remain unpatched against one or both of these flaws.
One interesting aspect of the Ragnarok ransomware is that it checks the Windows language ID of the machine and skips encryption on computers using certain languages.
So, which language IDs are spared? Systems configured with the language IDs for Russia, China, Belarus, Turkmenistan, Ukraine, Latvia, Kazakhstan, and Azerbaijan are all excluded from the attack.
Ransomware Attacks & Mitigation Techniques
While this quirk might tempt you to install one of those language packs on your endpoints as extra protection, that is a weak defense that the next variant can drop at will; we recommend improving standard security first. Applying the Citrix patches, or the vendor's mitigation steps where patches are not yet available, would certainly be a good start.
However, in mid-January, the Dutch National Cyber Security Centre (NCSC) warned that the Citrix mitigation steps may be ineffective on some versions or configurations of the affected Citrix devices. The NCSC recommended that the servers simply be shut down until patches were available.
Less than one week later, the city of Potsdam, Germany, severed its internet connections and shut down its computers. While the city did not formally disclose the specific malware responsible, German journalist Hanno Böck found Citrix ADC servers exposed on the administration's network and suggested that the attackers used that vector to gain entry.
Another apparent victim of the Citrix vulnerability was the GEDIA Automotive Group of Germany, which was hit by another ransomware family thought to be exploiting Citrix servers: Sodinokibi (also known as REvil).
The $600-million-plus automotive supplier’s woes became public when the Sodinokibi team followed the public extortion model, popularized by Maze Ransomware, and threatened to release company data to the public.
The group claims to have 50GB of GEDIA data, and its threats gained credibility after it released 337MB of data earlier in January from Artech Information Systems, a U.S.-based IT staffing company.
The Sodinokibi attackers claim that if a company fails to negotiate with them, they will begin by publishing a sample of data. If that doesn’t bring companies to negotiate, they will then sell the corporate data.
Not all of the Sodinokibi Ransomware victims in January had their data leaked, though.
Travelex was hit at the end of 2019, and was forced to shut down its servers. That created a nightmare for those using the foreign currency exchange company’s related credit and debit cards for the holidays.
While no data has been leaked so far, more than 5GB of data was reportedly exfiltrated, and a $3 million ransom was demanded.
One week later New York’s Albany International Airport announced its servers were struck by Sodinokibi Ransomware. The airport paid the ransom because the attackers also compromised the server backups, which left the airport without a recovery option.
Also in January, the Temple Har Shalom in Warren, NJ, informed its congregation that their servers and networked computers had been encrypted by the Sodinokibi Ransomware. Although the backups had also been encrypted, the Temple decided to recreate the data instead of paying any ransom.
The Temple representatives felt that they had no private information that would be at risk, should the attackers release or sell the data. Most organizations, however, need to weigh the cost of potential data breaches against the cost of the ransom.
There is very little in common between an airport, an automotive supply company, a temple, an IT staffing company, and a foreign currency exchange company. These attacks are a strong reminder that many malicious attackers focus on vulnerabilities – not specific industries.
While Sodinokibi Ransomware made the big headlines, the Maze Ransomware attacks also continued to unfold.
Despite the efforts of Southwire to shut down Maze Ransomware’s Irish web hosting provider, the attackers simply popped up on another host and published 10% of Southwire’s 120GB of stolen data. A short time later, the Maze attackers published an additional 10% of the company’s data and released 9.5GB of data stolen from Medical Diagnostic Laboratories (MDLab) as well.
Not to be left out, other ransomware attackers have begun to exfiltrate and threaten to release their victims’ data. BitPyLock Ransomware and Nemty Ransomware both announced that they will begin to publish stolen data if their victims fail to pay.
While neither attack group has released data so far, given the success and publicity generated by Maze and Sodinokibi, it is likely just a matter of time.
Is Paying a Ransom Worthwhile?
The average ransom payment in Q4 of 2019 is estimated to have more than doubled, from $41k to $84k, with the top ransoms reaching close to $1 million.
Is paying the ransom worth it? Yes and no.
The data recovery rate when paying a ransom is estimated to be 98%, but not all ransomware groups behave the same. Certain groups, such as Phobos, Rapid and Mr. Dec, have been known to withhold working decryption keys. Even when a key is provided, the decryptor fails and files are lost about three percent of the time.
So, how do attackers get into your network?
It is estimated that the top three attack vectors are RDP compromise (57%), email phishing (26%), and software vulnerabilities (13%). These are well-known vectors, and they will remain popular until they stop working, so the most valuable controls are still the unglamorous ones: no RDP exposed directly to the internet, multi-factor authentication on all remote access, and prompt patching.
Meanwhile, below the headlines, some attackers have begun to explore new attack methods.
The Ryuk ransomware added a way to reach powered-off computers. Wake-on-LAN is a network-card feature that lets a machine be powered on remotely by sending it a specially formed network packet (a "magic packet").
This feature exists so that network administrators can install patches or run scheduled tasks on powered-down computers. Unfortunately, Ryuk uses it from an already compromised host to wake up other machines on the network so that they can be encrypted too.
To mitigate this, researchers recommend restricting Wake-on-LAN so that only packets from administrative devices and workstations are honored. Of course, that rests on the assumption that those administrative machines have not themselves been compromised.
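To make the magic-packet format and the "administrative sources only" rule concrete, here is an added example; it is not code from the original post or from the researchers it cites. It builds a magic packet, recognizes one inside a captured UDP payload, and audits a constructed list of captured datagrams against an assumed management subnet. The subnet (10.0.100.0/24), the host addresses, the MAC addresses and the record layout are all assumptions made for the example.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# A magic packet is 6 bytes of 0xFF (the "synchronization stream")
# followed by the target MAC address repeated 16 times (96 bytes).
# Some NICs accept an optional 4- or 6-byte "SecureOn" password after that.
SYNC_STREAM = b"\xff" * 6
MAC_RE = re.compile(r"^" + r"([0-9A-Fa-f]{2})[:-]?" * 5 + r"([0-9A-Fa-f]{2})$")

# Assumed management subnet: only wake requests from here are expected.
ADMIN_SOURCES = [ipaddress.ip_network("10.0.100.0/24")]


def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff."""
    m = MAC_RE.match(mac)
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in m.groups())


def build_magic_packet(mac: str, secureon: bytes = b"") -> bytes:
    """Return the UDP payload that wakes the host with the given MAC."""
    if len(secureon) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return SYNC_STREAM + mac_to_bytes(mac) * 16 + secureon


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> None:
    """Broadcast a magic packet, which is what an admin tool (or Ryuk) does.
    Not called below because it needs a real network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(build_magic_packet(mac), (broadcast, port))


def extract_magic_target(payload: bytes) -> Optional[str]:
    """Return the target MAC if the payload carries a well-formed magic packet.

    The sync stream need not sit at offset 0 (some senders wrap it in other
    protocols), so it is searched for; the 96 bytes after it must be exactly
    the same 6-byte MAC repeated 16 times, or this is not a wake request."""
    idx = payload.find(SYNC_STREAM)
    if idx < 0:
        return None
    body = payload[idx + len(SYNC_STREAM):]
    if len(body) < 96:
        return None
    mac = body[:6]
    if body[:96] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


@dataclass
class WolEvent:
    src_ip: str
    target_mac: str
    authorized: bool


def audit_wol(records: Iterable[Tuple[str, int, bytes]],
              admin_sources=ADMIN_SOURCES) -> List[WolEvent]:
    """Walk (src_ip, dst_port, udp_payload) tuples, as exported from a packet
    capture, and flag every magic packet whose sender is outside the
    administrative subnet(s)."""
    events = []
    for src_ip, _dport, payload in records:
        target = extract_magic_target(payload)
        if target is None:
            continue  # ordinary UDP traffic, not a wake request
        src = ipaddress.ip_address(src_ip)
        authorized = any(src in net for net in admin_sources)
        events.append(WolEvent(src_ip, target, authorized))
    return events


# Constructed sample datagrams for the example (not real capture data):
SAMPLE_RECORDS = [
    ("10.0.100.5", 9, build_magic_packet("00:11:22:33:44:55")),           # admin host
    ("10.0.20.77", 9, build_magic_packet("AA-BB-CC-DD-EE-FF")),           # user-VLAN host waking a peer
    ("10.0.20.77", 9, b"hello"),                                          # not Wake-on-LAN at all
    ("10.0.100.9", 7, b"\x00\x01" + build_magic_packet("001122334455")),  # sync stream not at offset 0
    ("10.0.20.78", 9, SYNC_STREAM + b"\x01" * 95),                         # truncated: ignored
]

if __name__ == "__main__":
    for ev in audit_wol(SAMPLE_RECORDS):
        flag = "ok   " if ev.authorized else "ALERT"
        print(f"{flag} wake request for {ev.target_mac} from {ev.src_ip}")
```

The audit is a detection control over captured traffic, not an enforcement point: magic packets are link-layer broadcasts, so the restriction the researchers recommend has to live in switch or firewall ACLs, or in the NIC's own SecureOn password, and the script only tells you who is sending wake requests from where. A wake request originating on a workstation VLAN rather than the management subnet is exactly the signal a Ryuk-style lateral move would produce.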
The very public financial success of ransomware will continue to motivate attackers to pursue ransomware options by any means possible.
Get the Right IT Support for Your Business
Fortunately, you are not alone in defending your environment.
With new vulnerabilities being found every week, it can be challenging for IT departments to keep up and manage their priorities.
Our IT management services help to ease that burden. Whether you are interested in significant outsourcing or just simple assistance on a specific project, we’re here to help.
Contact us today to get started! Just complete the form below, or call 412-349-6680.