To solidify IT security, we must maintain good fundamental security, keep current on developments, and learn from past breaches.
Let’s start by reviewing trends Verizon noted their 2019 annual analysis of their data breaches and then delve into some ransomware developments that threaten an increasing number of organizations.
2019 Verizon Breach Trends
Within Verizon’s 32,002 security incidents, organized crime accounts for 55% of breaches and the pursuit of profit (scams, credit card fraud, ransom, etc.) motivated 86% of the bad actors to breach the data. This is not really a surprise.
Sadly, neither is the fact that 37% of breaches stole or used existing credentials. Enterprises continue to lack sufficient password hygiene, use multi-factor authentication, and implement other security measures to protect credentials.
Fortunately, most attacks against credentials use basic tactics that are well understood. Enterprises can protect against credentials attacks with a modest investment in security measures that we have often covered such as microsegmentation, multifactor authentication, and strong password policies.
Unlike authentication, the 27% of breaches associated with ransomware will be significantly more difficult to counter because this category of attackers continue to become more sophisticated and aggressive. Therefore, it benefits us all to review the latest news and developments in ransomware.
Law Firms in the Crosshairs
Several weeks ago, the REvil ransomware team (AKA: Sodin or Sodinokini) struck the law firm of Grugman, Sire, Meiselas & Sacks, a New York law firm that represents prominent companies and celebrities such as Facebook, Elton John, and Madonna. The attackers posted screen shot samples as proof they had exfiltrated 756 GB of data.
When the news first broke, the attack used common techniques and methods often seen in 2020. What happened next, however, adds a new dimension to ransomware nightmares.
After getting nowhere in extorting the lawfirm, the REvil ransomware gang released 2.4 GB of data related to Lady Gaga and announced that their next batch would be related to President Donald Trump. Ultimately, they only released the ‘most harmless’ data, 160 Trump emails, but they then announced that they would begin to package data for auction to the highest bidder. Customer data would be auctioned once per week to the highest bidder starting with President Trump’s data.
To enhance the value of the auction, REvil assures that they will delete their copy of the data so the buyer has exclusive possession of the documents – or rather, near exclusive. We assume the law firm will eventually recover their data.
Additionally, REvil noted:
“This data will be bought either by the stars themselves, or various media and blackmail them, or simply kind people with good intentions. We do not care. The main thing is we will get the money.”
As of May 18, REvil updated that all of the President Trump data had been purchased. Next up? The data for Madonna with a target price of $1 million.
While not all data merits an auction, the success of the auction tactic provides yet one more revenue stream for Ransomware attackers. With each new revenue stream, ransomware becomes even more attractive, so we can expect attacks on law firms to increase significantly.
Patient Data Adds Pressure
We previously covered the Snake Ransomware attack on Fresenius, Europe’s largest private hospital operator. However, only a week later, the Stake ransomware attackers posted patient data from a Medical Care center in Serbia.
Such a data leak potentially triggers many different regulatory nightmares for the company under attack. Fortunately for Fresenius, a breach in Serbia does not trigger the European Union’s General Data Protection Regulation (EU GDPR) regulations since Serbia is not yet a member of the EU. However, Fresenius must certainly be concerned about data from other locations in the EU and future prosecution.
In the US, a medical facility hit by a similar ransomware attack would need to be concerned about HIPPA violations. Federal fines for HIPPA data breaches vary, but the US Department of Health & Human Services shows several instances where a medical center paid a penalty of more than a million dollars. Ransomware attackers understand this potential cost and will use it as leverage in negotiations.
RaaS focuses on the Enterprise
Ransomware attackers recognize the advantages of attacking enterprises over individuals. The The NetWalker ransomware group runs a Ransomware-as-a-Service (RaaS) that used to rely upon phishing for malware distribution, but as of April, the group shifted focus to Network Intrusion attacks against enterprises.
This shift follows the strategy of REvil/Sodinokibi, Ryuk and other high-profile ransomware gangs that have struck large enterprises with great success. In Russian hacker forums, the NetWalker team notes that they will no longer support spammers and that only those who have already penetrated a network of more than 1,000 PCs should bother contacting them.
NetWalker competes with the more established ransomware gangs by offering affiliates as much as an 84% share the ransoms. Other RaaS services offer as little as 60%. Like the Sodoinokibi and the GrandCrab teams, the NetWalker team prohibits attacks against Russia or the Commonwealth of Independent States and they refuse to work with affiliates that communicate in English.
NetWalker advertises its capabilities and discloses that the malware will automatically detect and encrypt a victim’s mapped drives and network resources (NAS, etc.). Further, they claim that the locker operates within a PowerShell script to evade antivirus detection.
NetWalker’s ominous capabilities represent developments of a relatively recent ransomware gang. The development and success of the much older Ryuk Ransomware hints to how we can expect newer competitors such as NetWalker to evolve.
The FBI estimates that ransomware groups received as much as $144.35 million in bitcoin payments between 2013 and 2019. Of those payments, $61.26 million was paid to the gang behind the Ryuk Ransomware known as Wizard Spider or Grim Spider.
The Ryuk ransomware gang uses a Trojan attack based originally upon the gang’s own TrickBot trojan, but more recently also seen used in conjunction with the powerful Emotet downloader. These are the top trojan/downloader malware in terms of usage and capabilities. Each one has regular updates that add features and counters for anti-virus software.
Once inside a network the Ryuk gang will steal credentials using the open source LaZagne tool and explore potentially exploitable network connections using the BloodHound tool. Their goal will be to identify and gain administrative control over domain controllers. These attacks are actively run by their attackers and do not rely upon automated software. This customized, persistent threat can be difficult to detect and to counter.
What to do about an attack?
If our security teams detect trojan malware attacks using common tools such as Trickbot, Emotet or Dridex, we should move quickly to remediate and remove the malware. We should also assume that credentials for users on these systems are likely compromised and we should require changed login credentials to mitigate exploitation.
If the ransomware has already struck, the decision moves out of the hands of the security team and into the C-suite. Recent analysis of ransomware attacks suggests that paying a ransom may actually double the cost to recover from the attack.
It seems that even though the attackers may provide the decryption keys, the process of restoring the data is complex and time consuming. In many cases, restoring from a backup can be faster.
This disparity and the FBI’s discouragement may make many companies decline to pay ransoms. However, this also helps to explain why the ransomware attackers are motivated provide external pressure in the form of leaked data. It is quite conceivable that a company capable of restoring data from backups will pay the ransom simply to prevent the public embarrassment.
Ultimately, the best defense will be to prevent the attack in the first place. Blue Bastion and Ideal Integrations can work with your team to design robust networks, install countermeasures against attack, and to monitor your systems for the presence of attackers. Let us help you avoid becoming the next ransomware headline!