Archive for the ‘ransomware’ Category
It would be hard to miss the rise of ransomware attacks given how visible some have been this year. With multiple state and local governments set back on their heels by ransomware—including the RobbinHood ransomware attack in May that the City of Baltimore is still recovering from, to the tune of $10 million in recovery costs and $8 million in lost revenue—ransomware attacks have become an almost daily part of the news. But these attacks against municipal and state governments are only the most high profile part of a much larger trend, according to a report issued by IBM's X-Force Incident Response and Intelligence Services (IRIS) today.
According to data from X-Force IRIS, the ransomware problem is part of a much larger overall increase in destructive malware attacks that has been spiking over the past six months. X-Force's response to cases of destructive malware increased 200 percent between January to July 2019 in comparison to the previous six-month period.
"Of those destructive malware cases, 50% targeted organizations in the manufacturing industry," the researchers noted. "Other sectors significantly affected included oil and gas and education. Most of the destructive attacks we have observed hit organizations in Europe, the United States, and the Middle East."
Whitehats used a novel denial-of-service hack to score a key victory against ransomware criminals. Unfortunately, the blackhats have struck back by updating their infrastructure, leaving the fight with no clear winner.
Researchers at security firm Intezer performed the DoS technique against ransomware dubbed QNAPCrypt, a largely undetected strain that, as its name suggests, infects network storage devices made by Taiwan-based QNAP Systems and possibly other manufacturers. The hack spread by exploiting secure shell, (or SSH) connections that used weak passwords. The researchers’ analysis found that each victim received a unique bitcoin wallet for sending ransoms, a measure that was most likely intended to prevent the attackers from being traced. The analysis also showed that QNAPCrypt only encrypted devices after they received the wallet address and a public RSA key from the command-and-control server.
Intezer researchers soon noticed two key weaknesses in that process:
A spokesman for Georgia's Administrative Office of the Courts has confirmed that the AOC's information technology team discovered ransomware on the organization's servers on Saturday. While the spokesman could not provide specific details about the ransomware involved in the attack, its characteristics are consistent with the Ryuk ransomware that has struck multiple companies and government agencies over the past few months—including at least two Florida cities.
Bruce Shaw, communications and outreach specialist for the AOC, told Ars that a file containing contact information for the ransomware operators was left on the affected servers but that no specific ransom was demanded. "After an assessment of our system, it was determined that it would be best to take our network offline," Shaw said.
The attack's affects were isolated to servers providing the AOC's applications—including case management. "Individual courts' networks are not affected," Shaw said. "Only courts who use applications hosted by our network might experience some delay in their local operations. Our understanding is that all courts are operational, but some processes normally handled by our applications may be impacted."
Georgia's Judicial Council and Administrative Office of the Courts is the victim of the latest ransomware attack against state and local agencies. And this looks like the same type of attack that took down the systems of at least two Florida municipal governments in June.
Administrative Office of the Courts spokesman Bruce Shaw confirmed the ransomware attack to Atlanta's Channel 11 News. The Administrative Office of the Courts' website is currently offline.
Shaw told 11 News that some systems had not been affected by the ransomware but that all systems connected to the network had been taken offline to prevent the ransomware from spreading. The Courts' IT department was in contact with "external agencies" to coordinate a response to the attack, Shaw said.
A third Florida local government has reported that it has been struck by ransomware. Key Biscayne joins Lake City as a victim of Ryuk, a form of ransomware first spotted in August of 2018. Ryuk was the final piece of what has been labeled the "Triple Threat' attack, the other two threats being Emotet and Trickbot malware.
While the attack on Riviera Beach, Florida revealed last week was similar—all three cases start with a city employee clicking on an attachment in email and unleashing malware—it's not certain if that attack was also based on Ryuk.
Ryuk is targeted ransomware, originally linked to the North Korean "Lazarus" threat group, but now it appears to have been adopted by non-state criminal ransomware operators as well. It comes with a tailored ransom note that directs victims to contact the attacker via email. It has been known to lay dormant for up to a year before executing.
Last weekend, Cybersecurity and Infrastructure Security Agency Director Christopher Krebs issued a statement warning about elevated malicious Internet activity from state-sponsored actors in Iran. The notice corresponded to new warnings from private security research firms, including Recorded Future, of a surge in preparatory activity over the past three months by APT33, a threat group connected to the Iranian government and Iranian Revolutionary Guard Corps (IRGC, Iran's military).
In an interview with Ars, Krebs explained that the reason for the warning went beyond that "regional activity"—attacks on Saudi Arabian companies and other organizations in the Persian Gulf and South Asia.
"Over the course of the last couple of weeks, and in particular last week I'd say, [the activity] became specifically directed," he said. A "sense of the community"—reports from US intelligence and other agencies, as well as private sector cybersecurity vendors—showed a significant leap in spear-phishing attacks connected to infrastructure associated with APT33 against targets in the US over the past week, Krebs said. "So you combine that increase in activity with a historic intentionality and demonstrated ability, after previous destructive campaigns, and it was time to make a statement and say, 'Hey look, everybody, this is heating up. And politically it is also heating up... We need to step up our game.'"
An ongoing operation that’s installing ransomware and other malware on the computers of unsuspecting website visitors is one of the most potent drive-by attack campaigns researchers have seen in recent memory.
The attacks install three pieces of malware using an exploit kit called GreenFlash Sundown, which researchers identified in 2015 and have continued to follow since. Attacks in recent weeks have spiked again as ShadowGate—one of the names given to the hacker group behind the campaign—has unleashed a highly revamped version of the exploit kit on hacked ad servers run by Web publishers. The most notable compromise is of an ad server belonging to onlinevideoconverter[.]com, a site with more than 200 million visitors per month that converts YouTube videos into video files that can be stored on a computer hard drive.
“They are ongoing and with a scale we haven’t seen in a couple of years when it comes to exploit kit-related attacks,” Jérôme Segura, a Malwarebytes researcher tracking the campaign, said of the attacks on onlinevideoconverter[.]com visitors. “We literally noticed a huge spike in our telemetry starting a few days ago, which is very unusual. Given what we see in our telemetry, this is the most successful drive-by campaign we have seen in quite a while, so we can infer many people were affected by it.”
It's been nearly two weeks since the City of Baltimore's networks were shut down in response to a ransomware attack, and there's still no end in sight to the attack's impact. It may be weeks more before the city's services return to something resembling normal—manual workarounds are being put in place to handle some services now, but the city's water billing and other payment systems remain offline, as well as most of the city's email and much of the government's phone systems.
The ransomware attack came in the midst of a major transition at City Hall. Mayor Bernard C. “Jack” Young assumed office officially just days before the attack, after the resignation of former mayor Catherine Pugh, who is facing an ever-expanding corruption investigation. And some of the mayor's critical staff positions remained unfilled—the mayor's deputy chief of staff for operations, Sheryl Goldstein, starts work today.
To top it off, unlike the City of Atlanta—which suffered from a Samsam ransomware attack in March of 2018—Baltimore has no insurance to cover the cost of a cyber attack. So the cost of cleaning up the RobbinHood ransomware, which will far exceed the approximately $70,000 the ransomware operators demanded, will be borne entirely by Baltimore's citizens.