On June 23, 2020, the US Federal Bureau of Investigation sent out a security alert to K-12 schools about the increase in ransomware attacks during the coronavirus (COVID-19) pandemic, especially about ransomware gangs that abuse remote desktop connections to break into school systems.
The alert, called a Private Industry Notification, or PIN, tells schools that "cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic because they represent an opportunistic target as more of these institutions transition to distance learning." Schools are likely to open their infrastructure for remote staff connections, which in many cases would mean creating Remote Desktop Protocol (RDP) accounts on internal school systems. Over the past two to three years, many ransomware gangs have used brute-force attacks or vulnerabilities in RDP to breach corporate networks and deploy file-encrypting ransomware.
Furthermore, the FBI also touches on the increased number of ransomware gangs that now steal data from infected networks and threaten to publish it if schools don't pay, suggesting that such threats "may create an elevated urgency for schools to pay ransoms."
The FBI cited stats from antivirus company Emsisoft about the increase in attacks targeting K-12 schools, saying that 1,233 were potentially targeted in 2019, with another 422 schools targeted in Q1 2020 alone. According to the FBI, there were 867 known cyber-security incidents disclosed by US K-12 schools since 2016, but only a fraction of those were ransomware.
In particular, the FBI warns about attacks involving the Ryuk ransomware, which the Bureau said it observed in an increased number of attacks since September 2019, exploiting RDP endpoints as its initial point of entry.
Cyber threat investigators have conducted multiple incident response (IR) engagements responding to Ryuk infections in which TrickBot was also identified on hosts in the victim environment. They believe that the initial compromise is performed through TrickBot, which is typically distributed either via spam email or through the geo-based download function of Emotet (developed and operated by MUMMY SPIDER). Analysts have been monitoring the geo-based download activity from Emotet; during 2018, MUMMY SPIDER was an avid supporter of WIZARD SPIDER, predominantly distributing TrickBot to Emotet victims in the UK, the US, and Canada.
Some of TrickBot's modules (such as pwgrab) can aid in recovering the credentials needed to compromise environments, and the SOCKS module in particular has been observed tunneling PowerShell Empire traffic to perform reconnaissance and lateral movement. Through CrowdStrike IR engagements, WIZARD SPIDER has been observed performing the following steps on the victim's network, with the end goal of pushing out the Ryuk binary:
- An obfuscated PowerShell script is executed and connects to a remote IP address.
- A reverse shell is downloaded and executed on the compromised host.
- PowerShell anti-logging scripts are executed on the host.
- Reconnaissance of the network is conducted using standard Windows command line tools along with external uploaded tools.
- Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).
- Service User Accounts are created.
- PowerShell Empire is downloaded and installed as a service.
- Lateral movement is continued until privileges are recovered to obtain access to a domain controller.
- PSEXEC is used to push out the Ryuk binary to individual hosts.
- Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.
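The chain above leaves a recognisable trail in Windows event logs: repeated failed RDP logons, encoded or hidden PowerShell launches, new user accounts, and services installed by PsExec or from temp paths. The following detection sketch is an added example (not code from the page, the FBI, or CrowdStrike) that runs those checks over constructed, normalised event records; the record shape and field names are assumptions, the event IDs are the standard Windows ones.

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry) shaped like normalised Windows
# Security/System records: 4625 = failed logon (LogonType 10 = RDP),
# 4688 = process creation, 4720 = user account created, 7045 = service installed.
SAMPLE_EVENTS = [
    *[{"id": 4625, "host": "ts01", "src_ip": "198.51.100.7", "logon_type": 10} for _ in range(6)],
    {"id": 4625, "host": "ts01", "src_ip": "203.0.113.9", "logon_type": 10},
    {"id": 4688, "host": "ws01", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"id": 4688, "host": "ws01", "cmd": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"id": 4720, "host": "dc01", "target_user": "svc_updt"},
    {"id": 7045, "host": "ws02", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 7045, "host": "ws03", "service": "Updater", "image": "C:\\Windows\\Temp\\svc.exe"},
]

def rdp_bruteforce_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed RDP logons (4625, LogonType 10)."""
    hits = Counter(e["src_ip"] for e in events
                   if e.get("id") == 4625 and e.get("logon_type") == 10)
    return {ip for ip, n in hits.items() if n >= threshold}

# Flags the switches typical of an obfuscated loader: encoded command, no profile, hidden window.
ENC_PS = re.compile(r"powershell.*?(-e(nc(odedcommand)?)?\s|-nop\b|-w(indowstyle)?\s+hidden)", re.I)

def suspicious_powershell(events):
    """4688 command lines that launch PowerShell with encoded/hidden switches."""
    return [e["cmd"] for e in events if e.get("id") == 4688 and ENC_PS.search(e.get("cmd", ""))]

def suspicious_services(events):
    """7045 installs of PsExec's PSEXESVC or of services whose binary lives in a temp path."""
    out = []
    for e in events:
        if e.get("id") != 7045:
            continue
        if e["service"].upper() == "PSEXESVC" or re.search(r"\\temp\\", e["image"], re.I):
            out.append((e["host"], e["service"]))
    return out

def new_accounts(events):
    """4720 account creations; review each against the change record for the 'service user' step."""
    return [(e["host"], e["target_user"]) for e in events if e.get("id") == 4720]

def triage(events):
    """One-shot summary of every indicator family, as a SIEM rule pack would emit it."""
    return {"rdp_bruteforce": rdp_bruteforce_sources(events),
            "encoded_powershell": suspicious_powershell(events),
            "suspicious_services": suspicious_services(events),
            "new_accounts": new_accounts(events)}
```

Each finding on its own is noisy; the value is in several of them appearing on the same hosts within a short window, which is how the chain above reads in practice.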
Red Sky Alliance has been investigating many versions of ransomware, malware and Trojans, and has maintained an extensive library of cyber threat actors and their methods. Resources available to INFOSEC professionals at no charge can be found at https://redskyalliance.org.
What can you do to better protect your organization today?
- Proper data back-up and off-site storage policies should be adopted and followed.
- Institute cyber threat and phishing training for all employees, with quarterly testing and updates.
- Manage, review and update file permissions and access for all employees.
- Phishing is normally the first step in a broader attack campaign.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- RedXray customers can receive up to $100,000 in ransomware coverage at no additional expense to them.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org