How do organizations protect against ransomware?  You need a ransomware defense strategy. It’s important to find the best ransomware defense strategy that is right for your organization. Here are several facts about ransomware to help protect your organization.

Ransomware is a well-named type of cyberattack. Cybercriminals taking this approach kidnap your data. After accessing your network, they encrypt files and demand payment for the passcode. Here are the top facts you need to know about this business threat.

Your Organization is Not Immune to Ransomware

You and your employees are being targeted on an ongoing basis. Cybercriminals rely on your false confidence. Don’t think “it won’t happen to me.” Attacks on government, education, healthcare, or financial institutions get publicity. Yet organizations of all types and sizes are targeted.

Ransomware has become an undeniable threat to business growth, profitability and security. It’s a ruthless type of malware that locks your keyboard or computer to prevent you from accessing your data until you pay the ransom, which is usually demanded in untraceable Bitcoin. Cybercriminals are turning this type of attack into big business, raking in billions each year as many businesses have no choice but to pay up.

How does ransomware get into the network?

Surprisingly, it’s NOT those random USB drives floating around from unknown sources. That’s old school, and cybercriminals operate much more effectively now. The most common vehicle for ransomware attacks today are email, such as phishing or spearing emails, and compromised websites.

One email is all it takes.

We’ve all become so used to email as the major form of business communication that getting someone to click a link is easier than ABC. Ransomware attacks come disguised as legitimate emails that can trick your employees into clicking through to an infected website or opening an infected attachment. Unfortunately, cyber criminals have gotten really, REALLY good at faking internal emails, external communications from stakeholders and seemingly genuine inquiries from customers. They’ll often conceal their ransomware in normal attachments like invoices and reports in Office docs as well as PDFs. Even TXT files can actually be an executable javascript in disguise!

Infected websites aren’t always obvious.

Let’s face it, cybercriminals will infect any web page they can get their hands on, which is why of the less reputable sites should be avoided. But it’s not just about making sure you and your employees stick to suitable sites, mainstream websites can also carry ransomware infections ready to spread to all visitors. It’s happened before – in 2016 the New York Times, BBC & MSN homepages accidentally exposed thousands of web visitors when their infected site showed malicious ads.

Read More: https://cybriant.com/ransomware-attacks-are-here-to-stay-how-to-stay-protected/

Ransomware Spreads Fast

Ransomware is malware, malicious software that can reach throughout a network. So, if Jane from accounting opens a ransomware file, every single computer on your business network could be infected. The virus can spread between businesses, too. Consider the debilitating WannaCry ransomware attack of 2017. Within four days of its first detection in Europe, the strain had spread to 116 countries.

Ransomware Targets You and Your Employees

A common method to send out phishing emails in the hope of having people enter their access credentials. Targeted business communication emails work, too. The attacker gets to know your business first. Then they send an email impersonating a colleague, supplier, or customer asking you to take action or update contact details by clicking on the link or downloading a file.

Ransomware is Costly

Once the ransomware is installed on your system, it locks down your files. To regain access to the files, you need the password or decryption key the attacker supplies when you pay up; that’s if they keep their end of the bargain once you pay the ransom. These are crooks you’re dealing with after all!

In Coveware’s analysis of Q3 2019, the average ransom payment increased by 13% to $41,198 as compared to $36,295 in Q2 of 2019. And that’s just the cost of the ransom. Indirect costs include the cost of downtime, lost revenue, and long-term brand damage. There’s also the expense of removing the ransomware, forensic analysis, and rebuilding systems. https://www.coveware.com/

The average ransomware attack in Q3 2019 resulted in 12.1 days of downtime. — Coveware

Ransom Requires Cryptocurrency

Ransom payment is usually made by bitcoin or another cryptocurrency. Your business needs to buy cryptocurrency with actual cash, then transmit the ransom. They choose cryptocurrency because it’s very difficult to trace. It doesn’t help you that bitcoin is not something you can charge back like a credit card.

A Recovery Plan Helps

Planning in advance can help you respond more reasonably. Document plans to disconnect infected computers from the network as soon as possible. Also, power down any machines that could be vulnerable to avoid spreading contagion.

You should also discuss in advance whether or not your business will pay a ransom. Weighing the costs and benefits without a deadline on the decision can help you react more strategically.

You Can Take Action

You don’t have to sit around worrying and waiting for a ransomware attack. There are many things you can do to help prevent this type of attack:

Prevent

The number one way to mitigate the damage from any attack on your environment is to prevent it from happening in the first place.

It’s vital to protect your organization from all points of entry and ensure your organization has visibility of all the points of entry that are being accessed by authorized personnel.

CybriantXDR combines the latest technology utilizing machine learning and artificial intelligence with experienced oversight to identify and terminate malicious software before it can execute.

Detect

The longer it takes to discover and remediate the cause of a breach, the greater the damage to your company’s reputation and business operations.

To limit exposure and to prevent sophisticated breaches, organizations need a team of experienced security analysts working around the clock dedicated to piecing together any evidence or signatures of malicious behavior.

CybriantXDR offers that capability and alerts your organization only when a credible threat is detected.

Remediate

When a cyber threat is detected, quick response and remediation is essential to limit impact to your organization’s business operations.

Many IT departments don’t have the resources to completely remediate the threat, or the measures required to regain function are laborious and time consuming.

CybriantXDR remediation capabilities can limit the interruption to your business and restore normal operations rapidly

Ransomware Defense Strategy – Learn more at Cybriant.com/Cybriant-xdr.

The Black Lives Matter movement has increased activity from the hacktivist group, Anonymous, and hacktivism overall. Take a look at the evolution of hacktivism below.

Based on the video by Anonymous posted on twitter, see the video here, the group released cyberattacks on the Minneapolis police department and Minnesota State Senate’s servers.

What is Hacktivism?

The act of misusing a computer system or network for a socially or politically motivated reason. Individuals who perform hacktivism are known as hacktivists, according to TechTarget.

Hacktivism is typically non-violent, the tactics used are typically to achieve political, social, or religious justice. The tactics they typically use include:

DDoS – Distributed Denial-of-Service, a tactic used to overload systems and crash a website.
Doxxing – used to leak personal, confidential, or incriminating information against organizations or public figures.
Defacement – a tactic used to deface the data integrity of a website by changing the visual appearance.

Ethical Hackers

It may seem strange, but businesses are using ethical hackers to identify weak points in their cyber defenses, provide valuable insights into the actions of their less ethical counterparts and create better, stronger, and more resilient networks.

If you do not think that a hacker could help your business instead of hurting it, you may want to rethink those assumptions. Here are five business benefits ethical hackers can bring to your organization.

Learn more about how Ethical Hackers can help your business. 

Types of Hacktivism

Hacktivists are typically out for justice and not monetary gain like typical hackers. Instead, Panda Security says they their distinct agenda wages an informational war for political lean, social justice, religious intent, or anarchy.

• Political: Hacktivism as a form of political mobilization aims to lean or sway the population to the hacker’s agenda.
• Social: Social justice in hacktivism aims to bring about societal change.
• Religious: Hacktivism for a religious agenda aims to recruit or disavow a religious entity.
• Anarchist: Hackers can have an anarchist agenda to access or control civil infrastructure, military equipment, or the general population.

Evolution of Hacktivism

Ransomware (or cyber extortion) is on the rise. In 2020, there has been a spike in the number of reported incidents as well as the amount that cyber hackers are attempting to extort from organizations. It’s important that your organization does every they can to fight these cybercriminals and education is a key piece. Take a look at the top ransomware threats we’ve seen in 2020. 

2020 has been a roller coaster ride so far, and with all the news coverage of all the events that have impacted us (so far) ransomware has been sneaking into our world at a remarkable rate. Some sources say that ransomware spiked 25% in Q1 2020 over the previous quarter. (source)

Here Are The Top Ransomware Threats in 2020:

1. Maze
2. REvil
3. SNAKE (EKANS)
4. Tycoon
5. TrickBot
6. Qakbot trojan
7. PonyFinal
8. Mailto (aka Netwalker Ransomware)
9. Ragnar Locker
10. Zeppelin
11. TFlower
12. MegaCortex
13. ProLock
14. DoppelPaymer
15. Thanos

Maze Ransomware

According to an FBI advisory to the private sector, “Unknown cyber actors have targeted multiple US and international businesses with Maze ransomware since early 2019. Maze encrypts files on an infected computer’s file system and associated network file shares. Once the victim has been compromised, but prior to the encryption event, the actors exfiltrate data.”

“After the encryption event, the actors demand a victim specific ransom amount paid in Bitcoin (BTC) in order to obtain the decryption key. An international Maze campaign targeted the healthcare sector, while its deployment in the US has been more varied.”

“The FBI first observed Maze ransomware activity against US victims in November 2019. From its initial observation, Maze used multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors. Maze was initially distributed via the Spelevo Exploit Kit which targets known vulnerabilities in Internet Explorer and Adobe Flash such as CVE-2018-8174, CVE-2018-15982, and CVE-2018-4878.”

REvil Ransomware

You may have heard of REvil Ransomware because of a recent breach on media and entertainment lawyers Grubman Shire Meiselas & Sacks. They recently confirmed reports that their firm has fallen victim to a ransomware attack.

Several A-list celebrities that are clients of the law firm have potentially had data leaked on the dark web. Madonna’s tour contract was allegedly leaked. 

A screenshot of a legal document from Madonna’s recent Madame X tour surfaced on the dark web, apparently bearing signatures from an employee and tour company Live Nation.

Another screenshot depicts dozens of computer files bearing the names of celebrities including Bruce Springsteen, Bette Midler, and Barbra Streisand.

Stars such as Robert De Niro, Madonna, Drake, Nicki Minaj, Mariah Carey, Elton John, U2 and Rod Stewart are among those whose personal information may have been compromised.

The attackers have doubled the ransom request to $42 million and threatened to release damaging information on President Trump.

Continue reading

SNAKE (EKANS) Ransomware

Ekans Ransomware is a malware variant that infects industrial control systems to disrupt factory operations until a ransom is paid. Security analysts say that Ekans is a spin-off of Snake Ransomware and has so far infected factories related to the automobile and electronics sector, most notably Honda.

Reports are in that hackers have targeted the Honda servers with a file encryption malware variant dubbed Ekans forcing the company authorities to send the production unit workers to home as the installed automated devices became non-operational.

Although Honda never admitted that its servers were disrupted due to a cyberattack, it did agree that it’s IT infrastructure was down due to unspecified reasons.

“On Sunday, June 7th, 2020, Honda experienced a disruption in a computer network which affected the operations across Europe and Japan. And we are currently investigating and assessing the situation” said a spokesperson in a statement released on June 8th, 2020.

Tycoon Ransomware

A new ransomware strain called Tycoon is seeking to wheel and deal its way into the Windows and Linux worlds, using a little-known Java image format as part of its kill chain.

The ransomware is housed in a trojanized version of the Java Runtime Environment (JRE), according to researchers at BlackBerry Cylance, and has been around since December. Its victims so far have largely consisted of small- and medium-sized organizations in the education and software industries, researchers said, which it targets with customized lures.

“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims,” the researchers noted, in a posting on Thursday. “This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived as more successful in specific environments.”

Trickbot Ransomware

A phishing email campaign asking you to vote anonymously about Black Lives Matter is spreading the TrickBot information-stealing malware.

Started as a banking Trojan, the TrickBot has evolved to perform a variety of malicious behavior.

This behavior includes spreading laterally through a network, stealing saved credentials in browsers, stealing Active Directory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY Credentials, and more. TrickBot also partners with ransomware operators, such as Ryuk, to give access to a compromised network to deploy ransomware. Read more. 

Qakbot Trojan

Qakbot is a banking trojan that has been active for over a decade and relies on the use of keyloggers, authentication cookie grabbers, brute force attacks and windows account credential theft, among other techniques.

One of the authors of the research regarding the Qakbot trojan explained the following reasons why cybercriminals are relying on trojans such as Qakbot to launch ransomware attacks:

“The ultimate reason is to maximize their profits. Within the past 18 months, Kroll has observed multiple cases where a trojan infection is the first step of a multi-phased attack—hackers infect a system, find a way to escalate privileges, conduct reconnaissance, steal credentials (and sometimes sensitive data), and then launch a ransomware attack from an access level where it can do the most damage. They can make money on the ransom payment and potentially on the sale of stolen data and credentials—plus the stolen data helps force infected companies to pay the ransom.”

PonyFinal Ransomware

Microsoft has warned organizations globally about a new type of data-stealing Java-based ransomware dubbed “PonyFinal”. The tech giant described the malware as human-operated ransomware, which is distributed in an automated way by attackers.

“PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks. While Java-based ransomware is not unheard of, they are not as common as other threat file types. However, organizations should focus less on this payload and more on how it’s delivered,” Microsoft said in a post.

Read more. 

Mailto (aka Netwalker Ransomware)

NetWalker appeared on the scene in mid-2019. Similar to other well-supported ransomware families, the operators target high-value, global, entities. The group’s targets range across multiple industries and span the education, medical, and Government sectors.

As we have seen with Maze, Ragnar, REvil and others, NetWalker harvests data from its targets and is used by the operators as leverage via threats to post or release the data in the event that the target does not comply with their demands. To date, stolen data belonging to twelve different NetWalker victims has been publicly posted. The attackers behind NetWalker campaigns are known to use common utilities, post-exploit toolkits, and Living-off-the-Land (LOTL) tactics to explore a compromised environment and siphon off as much data as possible. These tools can include mimikatz (and variations thereof), various PSTools, AnyDesk, TeamViewer, NLBrute and more.

Over the last few months, we have seen NetWalker transition to a RaaS (Ransomware as a Service) delivery model, which will potentially open up the platform to an increased number of enterprising criminals. More recently, we have observed NetWalker spam campaigns using COVID-19-related lures to entice victims into initiating infection.

Read more. 

Ragnor Locker Ransomware

A ransomware called Ragnar Locker is specifically targeting software commonly used by managed service providers to prevent their attack from being detected and stopped.

Attackers first began using the Ragnar Locker ransomware towards the end of December 2019 as part of attacks against compromised networks.

According to the attackers, one of these pre-deployment tasks is to first steal a victim’s files and upload it to their servers. They then tell the victim that they will release the files publicly if a ransom is not paid.

“Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view !,” the attackers state in the Ragnar Locker ransom note.

When ready, the attackers build a highly targeted ransomware executable that contains a specific extension to use for encrypted files, an embedded RSA-2048 key, and a custom ransom note that includes the victim’s company name and ransom amount.

Ragnar Locker is specifically targeting remote management software (RMM) commonly used by managed service providers (MSPs), such as the popular ConnectWise and Kaseya software.

Read more. 

Zeppelin Ransomware

Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. Although it’s clearly based on the same code and shares most of its features with its predecessors, the campaign that it’s been part of differs significantly from campaigns involving the previous versions of this malware.

The recent campaign that utilizes the newest variant, Zeppelin, is visibly distinct. The first samples of Zeppelin – with compilation timestamps no earlier than November 6, 2019 – were discovered targeting a handful of carefully chosen tech and healthcare companies in Europe and the U.S. In a stark opposition to the Vega campaign, all Zeppelin binaries (as well as some newer Buran samples) are designed to quit if running on machines that are based in Russia and some other ex-USSR countries.

Zeppelin appears to be highly configurable and can be deployed as an EXE, DLL, or wrapped in a PowerShell loader. The samples are hosted on water-holed websites and, in the case of PowerShell, on Pastebin. There are reasons to believe at least some of the attacks were conducted through MSSPs, which would bear similarities to another recent highly targeted campaign that used a ransomware called Sodinokibi.

Read more. 

TFlower Ransomware

The strain dubbed TFlower splashed onto the scene in late July 2019. It infects organizations through unprotected or poorly secured RDP ports. As soon as the furtive infiltration takes place, the ransomware runs several commands to disable Volume Shadow Copy Service (VSS) and thereby thwart easy data recovery. When traversing the plagued computers for valuable data to be encrypted, it ignores critical system files and objects stored in the Sample Music folder.

This pest does not modify the names of hostage files. However, when analyzed using a hex editor, every encrypted item turns out to have a “tflower” file marker at the beginning of its deep-level data representation. The ransomware also sprinkles a bevy of rescue notes named “!_Notice_!.txt” across all affected folders. Although TFlower ransomware doesn’t appear to be a particularly sophisticated sample, it encrypts files flawlessly and thus poses a serious risk to companies.

MegaCortex Ransomware

MegaCortex made its debut in May 2019. It mainly targets businesses located in the US, Canada, the Netherlands, and France. According to security experts’ findings, MegaCortex affects enterprise networks previously compromised by notorious info-stealing Trojans called Qakbot and Emotet. This fact suggests that the distribution of this ransomware might rely on backdoors created by other malware in a business ecosystem.

The convoluted infection methodology MegaCortex employs leverages both automated and manual components and appears to involve a high amount of automation to infect a greater number of victims. In attacks we’ve investigated, the attackers used a common red-team attack tool script to invoke a meterpretercyber criminals’ reverse shell in the victim’s environment. From the reverse shell, the infection chain uses PowerShell scripts, batch files from remote servers, and commands that only trigger the malware to drop encrypted secondary executable payloads (that had been embedded in the initially dropped malware) on specified machines.

The attack was triggered, in at least one victim’s environment, from a domain controller inside an enterprise network whose administrative credentials the attacker seems to have obtained, in what appears to be a hands-on break-in.

The malware’s name is a misspelled homage to the faceless, bureaucratic corporation where the character Neo worked in the first Matrix movie. The ransom note reads like it was written in the voice and cadence of Lawrence Fishburne’s character, Morpheus.

ProLock Ransomware

According to KrebsOnSecurity, Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted some operations.

An investigation determined that the intruders installed the ProLock ransomware, which experts say is a relatively uncommon ransomware strain that has gone through multiple names and iterations over the past few months.

For example, until recently ProLock was better known as “PwndLocker,” which is the name of the ransomware that infected servers in Lasalle County, Ill. in March. But the miscreants behind PwndLocker rebranded their malware after security experts at Emsisoft released a tool that let PwndLocker victims decrypt their files without paying the ransom.

Diebold claims it did not pay the ransom demanded by the attackers, although the company wouldn’t discuss the amount requested. But Lawrence Abrams of BleepingComputer said the ransom demanded for ProLock victims typically ranges in the six figures, from $175,000 to more than $660,000 depending on the size of the victim network.

DoppelPaymer Ransomware

The DoppelPaymer Ransomware is the latest family threatening to sell or publish a victim’s stolen files if they do not pay a ransom demand.

A new tactic being used by ransomware operators that perform network-wide encryption is to steal a victim’s files before encrypting any devices. They then threaten to publish or sell this data if the victim does not pay the ransom.

This new tactic started in November 2019 when Maze Ransomware publicly released stolen files belonging to Allied Universal for not paying a ransom.

The most recent victim of the DoppelPaymer Ransomware Gang is the City of Florence, AL. 

Thanos Ransomware

Thanos is the first ransomware family to feature the weaponized RIPlace tactic, enabling it to bypass ransomware protections.

Researchers have uncovered a new ransomware-as-a-service (RaaS) tool, called Thanos, which they say is increasing in popularity in multiple underground forums.

Thanos is the first ransomware family observed that advertises the use of the RIPlace tactic. RIPlace is a Windows file system technique unveiled in a proof of concept (PoC) last year by researchers at Nyotron, which can be used to maliciously alter files and which allows attackers to bypass various anti-ransomware methods.

Beyond its utilization of RIPlace, Thanos does not incorporate any novel functionality, and it is simple in its overall structure and functionality. But this ease-of-use may be why Thanos has surged in popularity amongst cybercriminals, shared with Threatpost.

The Financial Industry’s Biggest Threat

REvil Ransomware affiliates have been ramping up their threats to sell stolen data from law firms, Trump, celebrities, and now a food distributor and a 3D printer manufacturer. Learn more about the threats and how others have handled their responses to the attacks.

What is Sodinokibi or REvil Ransomware?

Since its arrival in April 2019, it has become very clear that the new kid in town, “Sodinokibi” or “REvil” is a serious threat. The name Sodinokibi was discovered in the hash ccfde149220e87e97198c23fb8115d5a where ‘Sodinokibi.exe’ was mentioned as the internal file name; it is also known by the name of REvil.

At first, Sodinokibi ransomware was observed propagating itself by exploiting a vulnerability in Oracle’s WebLogic server. However, similar to some other ransomware families, Sodinokibi is what we call a Ransomware-as-a-Service (RaaS), where a group of people maintains the code and another group, known as affiliates, spread the ransomware.

The ransomware appends a random extension to encrypted files and reports double the price of the ransom if not paid on time. The malware is actively being distributed in the wild through Managed Service Providers, taking advantage of server flaws, spam campaigns, and exploit kits.

McAfee has more information in their detailed report.

History of Attacking Celebrities

You may have heard of REvil Ransomware because of a recent breach on media and entertainment lawyers Grubman Shire Meiselas & Sacks. They recently confirmed reports that their firm has fallen victim to a ransomware attack.

Several A-list celebrities that are clients of the law firm have potentially had data leaked on the dark web. Madonna’s tour contract was allegedly leaked. 

A screenshot of a legal document from Madonna’s recent Madame X tour surfaced on the dark web, apparently bearing signatures from an employee and tour company Live Nation.

 

Another screenshot depicts dozens of computer files bearing the names of celebrities including Bruce Springsteen, Bette Midler, and Barbra Streisand.

 

Stars such as Robert De Niro, Madonna, Drake, Nicki Minaj, Mariah Carey, Elton John, U2, and Rod Stewart are among those whose personal information may have been compromised.

The attackers have doubled the ransom request to $42 million and threatened to release damaging information on President Trump.

Although Trump reportedly has never been a client of Grubman Shire Meiselas & Sacks, the New York Post Page Six noted, that the hackers posted a message online saying that the ransom had been doubled and that “The next person we’ll be publishing is Donald Trump. There’s an election going on, and we found a ton of dirty laundry…”  Read more on SCMagazine. 

Latest News on REvil – Targeting Food Distributors and Manufacturers

A major food company, Harvest Food Distributors, and its parent company, Sherwood Food Distributors have recently been the targets of REvil affiliates.

The threat actors posted a notice about their new target around 3 pm MST 5/15.

 

This notice contained a link to download a portion of Sherwood’s proprietary files as “previews” which they plan on releasing one at a time (8 in total). The first link to leaked information contains roughly 2,300 files. These files contain highly sensitive data including cash-flow analysis, sub-distributor info, detailed insurance information, proprietary vendor information – including that of Kroger, Albertsons, Sprouts – scanned drivers’ license images for drivers in their distribution networks, etc. The threat actors also posted a conversation they had with Coveware, a leading ransomware mitigation company, dating back to at least May 3rd.

According to HackRead: 

Both of these have various supermarket chains as their clients including but not limited to three large ones, namely Kroger, Albertsons, and Sprouts. Hence, at stake is not only the data of the food distributors themselves but also their client chains.

For this, the attackers have demanded a sum of $7.5 million, lesser than their most recent heist on Grubman but a substantial sum nonetheless.

The data exposed is believed to include 2300 files composed of the following:

1. Cash flow analysis details
2. Sub-distributor information
3. Detailed insurance information
4. Scanned images of the drivers’ licenses they use as a part of their logistical network.

DarkOwl reports that FARO Technologies, a leading 3D printing/manufacturing Co. – is revealed to be the latest victim of REvil hackers’ ransomware attacks. Read more from DarkOwl. 

Download our REvil Ransomware Advisory

Created in partnership with Cyberint, download our REvil Ransomware Advisory and you’ll learn:

• Background of the REvil Ransomware
• Information on the Dark Web Stolen Data Repository
• Potential Data Exposure
• Risk and Potential Damage from REvil
• Recommendations from Cyberint and Cybriant

Click here to learn more