Ransomware was one of the most observed cyber threats this year to date. Ryuk and Sodinokibi, were the most observed villains in Red Sky Alliance’s client investigations, have been joined by Maze as the top three ransomware variants so far in 2020. After launching several high-profile attacks earlier in 2020, the actors behind Ryuk ransomware seem to have gone on a vacation near the end of Q2. According to cyber threat analysts, Crimeware and their developers often have periods where they go dormant or spend time re-tooling, followed by a resurgence of activity.
This appears to be the case as there has been a spike in Ryuk related investigations recently, while a large US hospital system has also reportedly become a Ryuk victim as of September 28, 2020. Recently, open and closed sources have speculated that Ryuk has emerged with a new identity: Conti. Based on similarities in code, Conti ransomware is believed to be a descendent or similar variant of Ryuk ransomware, and it has been observed that operators have been hosting a victim “shaming” blog since August 2020. While ransomware figures prominently in myriad security alerts and media reports, business email compromise (BEC) remains a top threat for organizations worldwide with its associated risks like wire fraud and misdirected payroll.
Data exfiltration risks have been present in nearly half of all ransomware incidents. Ransomware actors have been plaguing victims by encrypting files, paralyzing operations, and demanding increasingly higher ransom amounts. Many groups are also exfiltrating data and threatening publication on the dark web, a relatively new tactic that gained momentum in early 2020. Since the introduction of Ransomware-as-a-Service (RaaS) made it easier for groups to deploy this threat, these new players have added exfiltration and publication to their demands. In addition, groups like Maze and Sodinokibi that pioneered the shaming sites have evolved their capabilities; Maze now boasts of a “cartel” that allows other ransomware variants to cross-post victims on their shaming site. In May 2020, Sodinokibi added an auction site to their shaming site where they offer data to the highest bidder.
While cyber threat actors say they will delete data upon payment of the ransom, recent events belie that claim. Incident responders have learned that rogue members of ransomware groups have approached and demanded a second payment from at least two victims who had already paid a ransom. When one of the victims balked at paying the second time, the data, which was supposed to be destroyed upon the first payment, ended up on an actor-controlled site. Caveat Emptor, “Let the buyer beware,” you cannot even trust a ransomware actor anymore.
Threat actors continue to leverage open remote desktop protocol (RDP) and Microsoft’s proprietary network communications protocol and most attacks were traced back to a phishing email. While ransomware strikes organizations of all sizes across every sector, investigators have observed four (4) sectors being struck especially hard this year: professional services, healthcare, and technology and telecommunications. Some threat actor groups claimed that they would avoid targeting healthcare organizations during COVID-19, others are either not so civic-minded or have done so unintentionally. This seems to have been the case when threat actors thought they were targeting a university in Germany, whereas, in reality, they struck an affiliated hospital system. Open-source reporting notes the threat actors exploited a VPN vulnerability to gain initial access to the system.
Red Sky Alliance has been tracking cybercriminals for years. Throughout our research, we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cybersecurity, and proper employee training are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware like all the different variants of Ransomware are bought and sold, and help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Comments