Ransomware gangs continue to innovate. Indeed, barely a day seems to go by without news of yet another high-profile victim of crypto-locking malware coming to light.
In the past few weeks, reports have emerged of a collaboration between the Maze and Lockbit gangs, and of REvil (aka Sodinokibi) auctioning stolen data to the highest bidder rather than simply leaking it for free when victims don’t pay. And despite the ongoing COVID-19 pandemic, many gangs have continued to pummel the healthcare sector and its suppliers.
1. Maze – Data Leaking as a Service
The Maze ransomware gang was the first to not just crypto-lock systems but also steal and leak data, to pressure victims into paying. Since it began using these tactics in October 2019, about a dozen other gangs or ransomware-as-a-service operations have followed suit, including Nefilim, Sekhmet and REvil.
Raj Samani, Chief Scientist at McAfee, is reported to have said that “The leak sites appear to be a response to fewer victims paying ransoms to attackers”, adding that he believes “People were paying less and less.”
Continuing to be a trendsetter, Maze has now gone a step further and begun collaborating with the Lockbit gang, posting data stolen by Lockbit to Maze’s dedicated leak site, according to IBM X-Force researchers. Lockbit did not previously have a data-leaking site of its own. The move could be part of a bid by Maze to offer data-leaking-as-a-service to other ransomware gangs via its relatively high-profile leak site. Ole Villadsen, a cyber threat hunt analyst for IBM X-Force IRIS, said of the collaboration: “We do not have any specific information on what Maze is receiving for providing this service to other groups, but we strongly suspect that they are getting a percentage of any payment that the victims make in response to the data being posted on the Maze site.”
Meanwhile, Maze has continued to expand its leaking syndicate: earlier this month (June 2020) it began hosting leaks from the RagnarLocker gang, which previously dumped data via the Mega file-sharing site, according to the Ransom Leaks account on Twitter, which tracks ransomware gangs. “RagnarLocker’s leak site was hosting leaks on http://mega.nz which leaves them vulnerable to takedowns,” it reports. “Hosting on Maze’s infrastructure means they don’t have to worry about it and they can retire their WordPress site.”
2. REvil – Auctioning Stolen Data
Another innovation that has come to light in recent days is auctioning stolen data to the highest bidder, rather than simply leaking it.
Last week, the operators behind the REvil ransomware-as-a-service operation began auctioning data the gang claims was stolen from Canadian agricultural company Agromart Group, which includes Sollio Agriculture, and promised there would soon be more victims.
Selling or trading in stolen data is not a new concept; it is how these criminal groups monetise their activities. However, Brett Callow, threat analyst at Emsisoft, says that “this is the first time that it has actually been sold in an organized auction – and it will probably not be the last”. “Selling the data in this way not only provides the criminals with an additional option for monetization, it also puts additional pressure on future victims,” he says. “The prospect of victim data being auctioned and sold to competitors or other criminal enterprises is likely to concern companies more than the prospect of it simply being posted on an obscure Tor site”.
3. Targeted Ransomware Attacks Continue…
Ransomware attacks typically come in two flavours:
- Some attackers practise “smash and grab”: gaining access to a network, infecting a bunch of endpoints, and then moving on.
- Other attackers are more advanced and spend their time conducting reconnaissance, gathering credentials, and studying potential avenues for hitting business partners, the supply chain and more.
Attackers wielding any strain of malware may bring more advanced attack methodologies, while some types of ransomware appear to be used only in targeted attacks. For example, researchers at BlackBerry and KPMG’s UK Cyber Response Services have just released a joint report on Tycoon, a strain of ransomware that uses a Trojanized Java runtime environment to hit both Windows and Linux systems. The researchers say the ransomware has been seen in attacks targeting organisations in the education and software development sectors since December 2019.
4. Health Sector continues to be hit
Despite the pandemic, and some ransomware gangs pledging to try not to hit healthcare organisations, security experts say they have seen no cessation in attacks targeting the sector. In fact, the healthcare sector may be getting hit more than ever before. Reviewing the available data, the problem currently appears larger for US healthcare organisations than for the UK’s NHS; however, attack trends travel, and what is a problem in the USA today could soon become a problem for the NHS and the wider global healthcare community.
5. Free Decryptors
Thankfully, the current ransomware situation isn’t all doom and gloom. While many strains of ransomware have no decryptor or workaround, the No More Ransom project provides free decryptors for a number of strains, and recently added free decryptors for JavaLocker and Vcryptor ransomware. In recent days Emsisoft has released a free decryptor for RedRum ransomware, which it says “encrypts victim’s files using AES256 GCM and RSA-1024, adding the extension “.id-..redrum” to files.” Emsisoft has also released an updated decryptor for Jigsaw, giving it the ability to decrypt the .ElvisPresley variant. (Jigsaw uses a range of file extensions, including .fun but also .gdpr and .payransom, among many others.) The firm also updated its Mapol ransomware decryptor, adding coverage for more varieties.
Security experts recommend that ransomware victims use both No More Ransom and ID Ransomware, maintained by Emsisoft employee Michael Gillespie (@demonslay335), to identify the strain of ransomware they have been hit with and check whether free decryptors or workarounds are available to restore encrypted data.
No More Ransom offers this via the site’s “Crypto Sheriff” page, while ID Ransomware offers it from the homepage. Both services allow victims to upload an encrypted file for identification, and ID Ransomware also lets victims upload a ransom note for identification purposes. Because the sample is uploaded to a third-party service, pick an encrypted file that is not itself sensitive.
6. Vulnerability & Unfixed Flaws
Experts have long warned that a successful ransomware attack must be seen as part of a bigger incident response challenge, as many breaches neither begin nor end with ransomware.
Before infecting systems with crypto-locking malware, attackers first have to get into the organisation’s systems, typically by gaining remote access to the network via brute-forced Remote Desktop Protocol (RDP) credentials or via phishing. They may then spend weeks or months leapfrogging to other systems, conducting reconnaissance, stealing administrator-level Active Directory credentials and exfiltrating sensitive data to leak later if the victim does not pay promptly. Even after a company experiences a ransomware outbreak, the current attackers may not be finished, and new attackers may come calling to look for weaknesses the company hasn’t yet fixed.
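The brute-forced RDP entry point described above is one a detection team can look for in logon telemetry. The following is an added example, not code from the original article or from any vendor it cites: a Python script that runs a simple detection rule over constructed Windows Security log records. The field layout is assumed to mirror event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the IPs, account names and timestamps are invented. It flags a successful RDP logon that is preceded, within a short window, by a burst of failed logons from the same source IP, grouping failures by IP rather than by account so that password spraying across several accounts is still counted.

```python
"""Flag brute-forced RDP logons in constructed Windows Security log records.

Added example, not from the original article. The records below are
constructed for illustration: the layout is assumed to mirror the
TimeCreated, EventID, LogonType, TargetUserName and IpAddress fields of
Windows Security events, but no IP, account or timestamp here is real.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real log data), comma separated:
# timestamp, event_id, logon_type, account, source_ip
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_LOG = """\
2020-06-10T02:00:01,4625,10,administrator,203.0.113.7
2020-06-10T02:00:03,4625,10,administrator,203.0.113.7
2020-06-10T02:00:04,4625,10,admin,203.0.113.7
2020-06-10T02:00:06,4625,10,backup,203.0.113.7
2020-06-10T02:00:08,4625,10,administrator,203.0.113.7
2020-06-10T02:00:09,4625,10,svc_sql,203.0.113.7
2020-06-10T02:00:11,4624,10,administrator,203.0.113.7
2020-06-10T08:15:00,4625,10,jsmith,198.51.100.20
2020-06-10T08:15:30,4624,10,jsmith,198.51.100.20
2020-06-10T09:00:00,4624,10,jdoe,192.0.2.44
"""


def parse_log(text):
    """Parse the constructed CSV-style records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one hit per successful RDP logon (4624, type 10) that is
    preceded within `window` by at least `threshold` failed logons (4625)
    from the same source IP. Failures are grouped by IP, not by account,
    so spraying across many accounts before one success is still caught."""
    hits = []
    failures = [e for e in events if e["event_id"] == 4625]
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 10:
            continue
        prior = [
            f for f in failures
            if f["ip"] == e["ip"] and e["time"] - window <= f["time"] < e["time"]
        ]
        if len(prior) >= threshold:
            hits.append({
                "ip": e["ip"],
                "account": e["account"],
                "success_time": e["time"].isoformat(),
                "failures": len(prior),
                "accounts_tried": sorted({f["account"] for f in prior}),
            })
    return hits


if __name__ == "__main__":
    for hit in find_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        print("Possible brute-forced RDP logon:", hit)
```

On the constructed data only the 203.0.113.7 logon is flagged: six failures against four accounts in ten seconds, then a success as `administrator`. The single mistyped password from 198.51.100.20 stays below the threshold, which is the kind of benign noise a rule like this has to tolerate; tune `threshold` and `window` to the environment's normal failure rate rather than copying these values.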
It is also important to note that once your systems have been hacked or infiltrated, you are more likely to be attacked again in the 12 to 16 weeks immediately afterwards, which makes it critical to ensure that all known vulnerabilities and flaws are fixed to protect against the next attempt.
7. Ransomware Gangs may be “camping out” in compromised systems
Sometimes attackers remain camped out in victims’ networks after hitting them with ransomware. This can be a significant challenge for incident response and recovery teams: if compromised networks are not thoroughly cleaned and purged, there is a heightened risk that attackers can eavesdrop on the victim’s post-breach response plans, rendering those plans useless. For that reason, response coordination is best run over out-of-band channels that are not reachable from the compromised environment.