Not so, Naughty?
Have bad actors had a change of heart? While most ransomware operators continue their relentless attacks, including against healthcare organizations, during the pandemic, a handful of threat actors are extending an olive branch to hospitals and workers on the frontlines of the COVID-19 crisis. Staffers at BleepingComputer reached out to the hacker collectives behind the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako ransomware infections to get the lowdown. The infections enumerated below vary in impact and scope:
- Maze infects targets using booby-trapped macros inside Word documents purporting to come from governments, and also uses exploits for flaws in Internet Explorer (CVE-2018-8174) and Adobe Flash (CVE-2018-15982, CVE-2018-4878).
- DoppelPaymer ransomware has used an exploit targeting unpatched servers vulnerable to CVE-2019-19781 (Citrix ADC/Gateway).
- Ryuk ransomware (tied to the Wizard Spider group) targets municipalities and local governments, academic, technology, healthcare, and media organizations. Ryuk is often the last piece of malware dropped in an infection cycle that starts with either Emotet or TrickBot; it is primarily spread by other malware dropping it onto an already infected system. Finding the dropper on a system for analysis is difficult because the main payload deletes it after initial execution.
- Sodinokibi/REvil has exploited a zero-day vulnerability in Oracle WebLogic (CVE-2019-2725) and has also used CVE-2018-8453 (a Windows privilege-escalation flaw).
- PwndLocker, also linked here to CVE-2020-10257 (ThemeREX), has since been rebranded after experiencing crypto issues.
- Ako ransomware attacks businesses: it deletes shadow volume copies, clears recent backups, and disables the Windows recovery environment. It also creates the Windows Registry value EnableLinkedConnections under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key and sets it to 1. This ensures that mapped drives remain accessible even from a UAC-elevated process, so the ransomware can encrypt files on network shares as well.
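The EnableLinkedConnections change above is easy to audit on a Windows host. The following PowerShell is an added defender-side check written for this post, not code from the original article or from any of the ransomware families it describes; it assumes it is run elevated and that your administrators have not set this value deliberately (some environments do, so confirm before remediating).

```powershell
# Added example (not from the original post): audit a host for the
# EnableLinkedConnections registry change used by Ako ransomware.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'EnableLinkedConnections'

function Test-LinkedConnectionsPolicy {
    # Returns whether the value exists and whether it is set to 1,
    # the setting that exposes mapped drives to UAC-elevated processes.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $value = $null
    if ($props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
        $value = $props.$ValueName
    }
    [pscustomobject]@{
        Present    = ($null -ne $value)
        Value      = $value
        Suspicious = ($value -eq 1)
    }
}

function Get-ShadowCopyCount {
    # Ako also deletes shadow copies; zero copies on a host that normally
    # keeps restore points is a second indicator worth correlating.
    (Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Measure-Object).Count
}

$policy = Test-LinkedConnectionsPolicy
if ($policy.Suspicious) {
    Write-Warning "$ValueName is 1 under $KeyPath; mapped drives are reachable from elevated processes."
    # Remediation if the value was not set intentionally by your admins:
    # Remove-ItemProperty -Path $KeyPath -Name $ValueName
} else {
    Write-Output "$ValueName is not set to 1 (current value: $($policy.Value))."
}
Write-Output "Shadow copies present: $(Get-ShadowCopyCount)"
```

Pair this with a registry-modification alert (for example, Sysmon Event ID 13 on this key) so the change is caught when it is made rather than only on a periodic scan.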
In a surprising show of goodwill, a few collectives have decided to ratchet down their targeting of healthcare providers on the frontlines of the coronavirus pandemic. Shockingly, a few responded, "we are not enemies of humanity," promising to bypass healthcare providers, whose public role lies outside the crosshairs of their hacktivist-motivated attacks. Ransomware dealers, however, continue to target those they believe are profiting financially. Others have promised to "dial back" their activity during the pandemic.
The groups behind the DoppelPaymer campaigns say they are intentionally steering clear of hospitals and nursing homes. 911 communication lines have been deemed off-limits to attacks and kept clear for first responders and law enforcement. Where there are mistakes, the group claims that it provides free decryption keys for data recovery.
The Really Naughty
Malicious actors like the Ryuk collectives are not as nice as those who've dialed back attacks. They have continued their aggressive targeting campaigns in step with the increased focus on the COVID-19 crisis. Anomali reports that 11 APT groups have been active, generating 6000+ indicators of compromise since January. Researchers have detected at least 15 campaigns using at least 80 MITRE ATT&CK techniques, in whole or in part. Bad actors have been particularly busy in March leading into April, according to the Anomali report.
Interpol has just indicated a spike in attacks against hospitals and first responders. Attackers seem fixated on hospital infrastructure and VPNs in particular. Interpol advises end-users to take extreme caution when clicking links or downloading email attachments, and to respond only to expected communications. Businesses should follow suit. Organizations should be rigorously and frequently backing up data and content, and storing the backups on separate infrastructure.
Lares Builds Your Durability to Ransomware Attacks
In short, the goodwill of some is being overshadowed by the malicious deeds of others. We need more hacker olive branches. Extending olive branches has a storied history dating back several millennia throughout the ancient world as an indicator of “perpetual peace (St. Augustine).” Let’s hope that the few examples of digital ceasefires catch on out of respect for humanity and that others follow suit.
If you are currently being impacted by or suspect the onset of ransomware activity, Lares can step in as a partner to help mitigate these attacks and help build your resistance to them. We expect growing pressure on security operations to defend remote access channels and collaboration platforms. Building an organization's mettle to withstand such activity is Lares' core focus.
Lares helps organizations build durability against MITRE ATT&CK-like scenarios through its continuous defensive improvement and adversarial simulation. We put our clients through the adversarial 'wringer' to make them more resilient and resistant to those targeting them. We, in effect, help our clients gain an adversarial advantage with our custom-built attacks.
Given the current state of pandemic affairs, Lares continues to lead from the front in preparing organizations to become attack resistant. Contact us today to learn how we can help your organization increase resiliency across all aspects of your security program.
Mark Arnold has a 15+ year cybersecurity career, serving 8 of those years in leadership roles. As a transformational leader, Mark has built security teams and programs, authored maturity model blueprints to optimize risk management processes, and implemented security domain practices at large enterprises and service providers. Mark’s areas of interest include cloud security, threat intelligence, vulnerability research, and nation-state attack methods and related activities (e.g. information operations and disinformation campaigns) and their collective impact on nations and society. Mark recently completed an executive education cohort on the intersection of cybersecurity and technology at Harvard’s Kennedy School.