Read The Ransomware Brief Our Monthly Newsletter

Once a month we send out our "Ransomware Brief", a newsletter prepared by ransomware experts to help you stay up to date on what is happening in the world of cyber security. Here you can read some of our recent Briefs.

The March 2022 Ransomware Brief

Your Personal Ransomware Brief For March 2022!

Edition 4: Good News Edition


In This Issue:

  • Finally, some good news
  • REvil Down
  • Memento/APT35 attribution
  • RPI versus IoT malware

Finally, Some Good News

We’re starting this month’s newsletter off with some good news, with a hat tip to Emsisoft Threat Analyst Brett Callow for the tip. A coding bug helped researchers build a secret BlackMatter ransomware decryption tool. The headline tells the tale, but we do so love it when the bad guys goof up.

REvil Down

Russia says it has neutralized the cutthroat REvil ransomware gang. For anyone who has been involved in information security (or international politics) any time in the past 25 years, headlines that contain the words “Russia says” and “ransomware gang” normally elicit skepticism, especially when the topic is REvil, a.k.a. Sodinokibi.

Russia is widely understood to both operate a number of advanced cyber warfare units, and either directly or indirectly support a number of threat actors, including numerous ransomware operators. So long as they don’t attack Russian citizens or infrastructure, the hypothesis goes, Russia allows them to continue their activities because they impede the interests of Russia’s geopolitical rivals.

REvil was behind a number of devastating cyberattacks in 2021, including the pillaging of Microsoft Exchange Servers, the JBS S.A. Cyberattack, and the Kaseya VSA Ransomware attack.

There is, however, some reason to believe that Russia may well have been willing to offer up some or all of REvil ransomware gang’s members. In October 2021 many of the world’s most powerful nations got together to discuss counter-ransomware co-operation. An international effort of that scope could change the rules with regards to both cybercrime and espionage.

Russia may also have offered up REvil as a negotiating tactic as part of an unfolding geopolitical brouhaha centered on Ukraine. The espionage and cyber warfare activities of all parties to the Ukraine situation have been one of the negotiation tracks. Cyber warfare capabilities are also on full display as all parties bring their “A” game in an attempt to “prepare the battlefield” should negotiations fail.

Everything about this situation is fluid. State-sponsored and private threat actors are engaging as much in disinformation campaigns as they are direct information warfare; but for the time being, Russia probably has to at least maintain the pretense that REvil is off the board. So let’s call that a win.

Memento/APT35 Attribution

As a general rule, any time we have to talk about specific threat actors, the news isn’t good. We do, however, enjoy it when there are steps made toward attribution, as there are in this case: Iranian state-sponsored group APT35 linked to Memento ransomware. Knowing your enemy is one step on the road to defeating them.

The attribution was revealed in a report by Cybereason, and links the long-active APT35 (a.k.a., Charming/Imperial Kitten, Phosphorus, Tortoiseshell, TA453, Newsbeef, and Ajax Security) to the infrastructure behind the Memento ransomware that infected numerous exchange servers in 2021.

Raspberry Pi vs. IoT Malware

On the list of unexpected – not to mention expensive – anti-malware tools is the unlikely marriage of an RPI, an Oscilloscope, and a few other odds and ends. The result being that you can Detect malware with electromagnetic waves and Raspberry Pi.

We have officially reached the point where we can wave one box of flattened sand over another box of flattened sand and get the caged lightning in the first box to tell you whether or not the caged lightning in the second box of flattened sand is going to try to infect any of your other boxes of flattened sand. “Computers are boxes of flattened sand with caged lightning we trick into doing math” may be a popular meme, but honestly, detecting IoT malware using a Raspberry Pi and an Oscilloscope is just this side of outright magic. It’s also really, really cool.

Tweet of the Month

The context for this month’s top Tweet is that it was quote tweeting Zerodium looks to buy zero-days in Outlook and Thunderbird email clients, an article worth reading in its own right. The Tweet, by Nate Warfield (@n0x08), reads as follows:

“Outlook vulns sold to Zerodium are worth 10x+ more than what Microsoft will pay. $150k higher than RCE in HyperV, arguably the most hardened code Microsoft has.
We’re banking on people responsibly disclosing to avoid the stigma of selling to an exploit broker.
Sub-optimal”

We could not agree more.

Resource of the Month

Talos Intelligence has a reputation lookup on their main page. It allows you to search “by IP, domain, or network owner for real-time threat data.”

Compromises of Note

Ransomware puts New Mexico prison in lockdown: Cameras, doors go offline. This compromise is interesting because it’s a representative example of a class of ransomware attacks increasingly affecting prisons. It’s unknown if these attacks are targeted or merely targets of opportunity, but the compromise events do tend to include a wide range of different systems, making us suspect that prisons should expect to be more regularly targeted by Big Game Hunters.

Ransomware Attack Against KP Snacks. This compromise is notable mostly as a reminder that Conti ransomware is still out there, still going strong, and it is threatening our munchies.

Additional Reading


Copyright © *|CURRENT_YEAR|* ActualTech Media

6650 Rivers Ave Ste 105 |  North Charleston, SC 29406

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

The February 2022 Ransomware Brief

Your Personal Ransomware Brief For February 2022!

IN THIS ISSUE:

  • This month’s headline attack
  • Ransomware gangs already exploiting log4j
  • New year, new ransomware

This Month’s Headline Attack

Assuming you can have a headline attack in a month wherein the log4j vulnerability played itself out, we are presented with four contenders for title of “headline attack” over the past month:

Human resource management group hit by ransomware attack. Ultimately Kronos Group was the target, but the impact may also be felt by their big-name clients, “including Tesla, Marriott, Yamaha, Samsung, Revlon, The Container Store and Peet’s Coffee and Tea.”

FBI: Hackers use BadUSB to target defense firms with ransomware. Targets received packages with letters and infected USB keys in the mail. Some packages contained a thank-you note and fake Amazon gift card. Others pretended to be from the US Department of Health & Human Services, with updated guidance about COVID-19. This attack, linked to the Fin7 group, has been in progress since at least August 2021, targeting transportation and insurance companies before pivoting to defense firms in December.

Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes.  Brazilians lost access to health data, including digital vaccine certificates, but Brazilian health minister Marcelo Queiroga says backups exist.

Shutterfly services disrupted by Conti ransomware attack. Attackers are threatening to leak corporate data, including “legal agreements, bank and merchant account info, login credentials for corporate services, spreadsheets, and what appears to be customer information, including the last four digits of credit cards.”

What’s worth noting about these four headlines is the diversity of targets: a corporate back-end services provider, defense firms, a government health department and a photo lab. Together, these compromises underscore how no organization is safe. No vertical is sacrosanct, and no organization is too small or irrelevant.

Podcast of the Month

The Extortion Economy Podcast: Exploring the Secret World of Ransomware. This 5-part podcast series “looks at the money, people and technology behind the explosion of ransomware that is delivering hundreds of millions of dollars to cybercriminals around the world.” The podcast is a joint production between ProPublica and MIT Technology Review.

Resource of the Month

How to Proactively Limit Damage From BlackMatter Ransomware. Security Researchers at Illusive found a logic flaw in BlackMatter ransomware that defenders can use to reduce the spread in some circumstances. More detail is available at Preventing BlackMatter Ransomware from Encryption of Available Remote Share.

Additional Reading


The January 2022 Ransomware Brief

Your Personal Ransomware Brief For January 2022!

Edition 2: 2021 Was ‘The Year Of Ransomware’. Again. 


In This Issue:

  • This month’s headline attack: Planned Parenthood 
  • Ransomware attacks are crossing the line, causing chaos 
  • Pay attention to the broader cybercrime ecosystem 

This Month’s Headline Attack: Planned Parenthood 

Planned Parenthood Los Angeles was the victim of a cyber-attack involving ransomware: Planned Parenthood Los Angeles says hack breached about 400,000 patients’ information.

This attack combined ransomware with data exfiltration. While the attack hit the news in early December, it took place in October. The Planned Parenthood attack only affected the Los Angeles chapter, but data exfiltrated during the event may include patients’ “name and one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information.” This is highly sensitive information, and the repercussions of this attack have yet to be fully felt. 

Ransomware Attacks Are Crossing the Line, Causing Chaos 

Delta-Montrose Electric Association, a Colorado energy company, has lost 25 years of data to what appears to be a ransomware attack. While none of the press releases about the event have used the term “ransomware,” the description of the attack fits a standard ransomware profile. 

While the attack did not affect the utility company’s electrical or fiber optic networks, it devastated back office networks, with numerous functions still offline a month after the attack. This is only the latest attack against critical infrastructure companies in the USA, which may explain why the U.S. military’s Cyber Command now admits that it is acting directly against ransomware groups, including those not known to be state sponsored: U.S. Military Has Acted Against Ransomware Groups, General Acknowledges.

The USA isn’t the only country to see their critical infrastructure attacked recently. A great deal of energy was expended by the Australian media on blaming China for the attack, but it ultimately turned out to be ordinary Conti ransomware in a Ransomware attack on Australian utility claimed by Russian-speaking criminals.  

This underscores the problem that nations face in retaliating against malware gangs: attribution is often more difficult than actually disrupting a malware gang’s operations. In acting directly against ransomware operators you may not actually know whom you’re attacking… or being attacked by. 

Pay Attention To the Broader Cybercrime Ecosystem

Perhaps the most overlooked piece of advice for defenders is to pay attention to the entire Cybercrime supply chain: Fueling the rise in ransomware. Trend Micro’s David Sancho has a particularly excellent quote in this article: “Media and corporate cybersecurity attention have been focused only on the ransomware payload, when we need to focus first on mitigating the activity of initial access brokers.” 

Some of this is a signal-to-noise problem. Research for this newsletter involves trawling through the month’s news regarding all things information security, with a focus on ransomware. One thing that stands out when you do this regularly is how saturated every medium is with vendors talking about how their backup and/or disaster recovery software will help you recover from ransomware, trying to sell you incident response services, or talking about cybercrime insurance.

It is important to understand why this is, and why this needs to change. Traditionally, information security practices were almost exclusively focused on prevention: firewalls, endpoint protection, and so on, all focused on keeping the bad guys out so that compromises didn’t happen. This never really worked because there were just so many attacks that eventually someone would succeed, almost always through some sort of phishing attempt. 

But this is changing. Initial network access is often gained by specialist “access brokers” who then sell access to multiple networks to various threat actors who then wish to deploy malware, ranging from cryptominers to information stealers, as well as ransomware. In addition to phishing, access brokers make use of social engineering and unpatched vulnerabilities to gain direct access to networks without having to rely on someone clicking the wrong link.  

Not being up-to-date on patches is a nearly universal problem that affects organizations of all sizes. Among the worst culprits for being unpatched are single-purpose IT “appliances.” This year, VPN appliances have been notably in the spotlight, but there are plenty of examples of everything from storage units to firewalls having critical vulnerabilities that went unpatched in significant numbers of organizations this year. 

It isn’t enough to focus on what happens when ransomware strikes—efforts must be made to secure all parts of the network, including disrupting the initial access to the network. 

Podcast of the Month

The Supply Chain Buzz for November 15th  

In which the pivot by attackers away from well-defended financial organizations and towards poorly defended manufacturing organizations is discussed. 

Resource of the Month

The cost of ransomware in 2021: A country-by-country analysis  

The statistics in this article show the devastating economic toll ransomware has taken in a number of key markets. The data includes ransom demands, the cost of downtime, and the overall global cost of ransomware, as well as separate statistics focused on the public and private sectors.

Additional Reading


The December 2021 Ransomware Brief

Your Personal Ransomware Brief For December 2021!

Edition 1: Hackers Don’t Take the Holidays Off 


Happy Holidays to all of our readers! But while the holidays are a time to relax and decompress, it’s important to remember that cybercriminals don’t take holidays off. In fact, cybercriminals tend to ramp up their activity on weekends and holidays explicitly because everyone else tends to let their guard down during those times. 

Want more information? Keep up to date on all things ransomware by following us on Twitter, subscribing to our Youtube channel, and keeping an eye out for regular updates to our blog.

In This Issue:
  • Supply Chain Attacks Becoming Normalized 
  • Secure Your Cloud Instances 
  • The Cost of Being Unprepared 
  • Remember Insider Threats 

Secure Your Cloud Instances 

One of the most common mistakes that today’s organizations make is to assume that workloads in the cloud are secure. While it’s true that virtual machines and other cloud-provisioned resources tend to be more secure by default than an on-premises install, that doesn’t mean they’re actually secure. Attacks against public cloud instances are becoming more common, with one example detailed here: Hackers Using Compromised Google Cloud Accounts to Mine Cryptocurrency.

Today, there are two primary attacks that are commonplace once a system is compromised: using the compromised instances to mine cryptocurrency, and encrypting them with ransomware. More sophisticated threat actors may attempt to move laterally from the compromised public cloud instance, attacking other public cloud workloads, or even on-premises workloads, if a VPN between an on-premises data center and the cloud exists for them to exploit. 

Supply Chain Attacks Becoming Normalized 

Supply chain attacks have been so successful that some threat actors are beginning to specialize in them. One such threat actor, Darkdev, is known for creating a fake Roblox API NPM package, the technical details of which are explored here: Tracking the ‘Noblox.js’ npm Malware Campaign.

Supply chain attacks involve hiding malware inside code that is uploaded to popular repositories for commonly used programming frameworks. In the above case, it is the Node.js ecosystem that is under attack, but these types of supply chain attacks have become normalized everywhere you find a development framework with a community repository of code libraries.

This is a big problem in large part because the use of frameworks is increasingly taught to new developers as part of post-secondary education. This has led to a rapid rise in their popularity, their use within today’s organizations, and thus the exposure of those organizations to supply chain attacks if they are not diligent about which code repositories they allow to be used. 

The Cost of Being Unprepared 

In November 2020 the Canadian city of Saint John, New Brunswick was hit by a devastating ransomware attack. This attack was the work of the Ryuk ransomware gang. The attack took most of the city’s digital infrastructure offline, including its 911 dispatch system. The few publicly known details are discussed here: Inside Saint John's response to a 'devastating' cyberattack.

The Ryuk gang demanded some $20 million Canadian worth of Bitcoin. The city didn’t pay, and a year later there are still systems offline as a result of this attack. This incident demonstrates many of the hard choices that ransomware victims must make.

There’s no guarantee that paying the ransom would have resulted in systems being restored – the Ryuk gang was not exactly communicative – or that those systems could have been trusted if Ryuk offered the decryption keys. The capital costs of rebuilding and/or replacing systems have thus far proven to be significantly lower than the initial amount demanded for ransom … but only if you don’t take into account the time required to bring all these systems back online. 

Most importantly, this isn’t an extreme example in any way. This is actually a pretty run-of-the-mill example of what happens when municipalities don’t invest adequately in information security, backups, and disaster recovery: near-total compromise, and a lengthy road back to “working.” And today it remains the norm for municipalities not to invest in infosec, backups, or DR, which is the primary reason they are favored targets for ransomware gangs. 

Remember Insider Threats 

One of the easiest vulnerabilities for any threat actor to exploit is people. Security blogger Brian Krebs has been following one particularly interesting approach in which the threat actor approaches employees of various companies, and offers them a share of the ransom if they will infect their employer. More on that here: Arrest in ‘Ransom Your Employer’ Email Scheme

While an arrest has been made in relation to this scheme, this will not be the last we hear of this approach. 

Resource of the Month

The “No More Ransom” project describes itself as “an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.”  

The project offers free prevention advice, decryption tools, and Crypto Sheriff (a tool for identifying ransomware variants).

Podcast of the Month

Why a Ransomware Group Is Pretending to Be a Real Company – Kate Linebaugh, Bob McMillan - Wall Street Journal.   

Increasingly, ransomware operators are using many of the same strategies and processes as legitimate businesses. This requires them to recruit staff for a variety of roles, including infrastructure maintenance and even media relations. Here’s how criminal group Fin7 does it. 

Ransomware Coverage From Ransomware.org

Additional Reading

