Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ransom Payment. Show all posts

How Ransomware is Draining Resources from Critical Infrastructure

How Ransomware is Draining Resources from Critical Infrastructure

The Rising Cost of Ransomware Attacks on Critical Infrastructure

The costs of ransomware attacks on critical national infrastructure (CNI) firms have soared over the last year.

According to Sophos' newest numbers, which were revealed today, the typical ransom payment increased to $2.54 million, more than 41 times last year's total of $62,500. The mean payment for 2024 is considerably greater, at $3.225 million, representing a less dramatic 6-fold rise.

IT, technology, and telecoms were the least likely to pay large sums to hackers, with an average payment of $330,000, but lower education and federal government organizations reported the highest average payments of $6.6 million.

The figures are based solely on ransomware victims who were willing to reveal the specifics of their mistakes, thus they do not provide the full picture.

The Escalating Financial Burden

Only 86 of the 275 CNI organizations surveyed provided statistics on ransom payments. There's a significant risk that the results would be distorted if all of the CNI ransomware victims polled were completely upfront with their information.

Costs to recover from ransomware attacks have also increased dramatically since the researchers' findings last year, with some CNI industries' costs quadrupling to a median average of $3 million per event.

The Impact on Critical Infrastructure

According to the report, only one in every five people were able to recover in a week or less, down from 41 percent the previous year and 50 percent the year before that. The percentage of victims who take more than a month to recuperate has also increased to 55%, up from 36% last year. 

Sophos stated in its analysis that this could be due to attacks getting more sophisticated and complicated, requiring more work from the IT team to effectively repair all of the damage caused by the crimes. However, the vendor's global field CTO, Chester Wisniewski, believes the industries should reevaluate their propensity to pay ransoms.

Cyber Criminals Seek $2 Million in Bitcoin After Siphoning Insomniac Games Data

 

The Rhysida hacker group is believed to have carried out a cyberattack against Insomniac Games and is now demanding a ransom, starting at 50 Bitcoin, or more than $2 million. Sony, which owns the Spider-Man 2 and Ratchet & Clank franchises, is actively investigating the incident. 

“We are aware of reports that Insomniac Games has been the victim of a cyber security attack. We are currently investigating this situation,” Sony stated. “We have no reason to believe that any other SIE or Sony divisions have been impacted.”

Rhysida hackers have given Insomniac a week to respond to their demands, but the alleged cyber attackers have already started auctioning off the data to the highest bidder, starting at 50 BTC.

"With only 7 days to go, seize the opportunity to bid on exclusive, one-of-a-kind, and impressive data," the hackers wrote on their leak site. "Open your wallets and prepare to purchase exclusive data."

"We only sell to one person, no resale, and you will be the exclusive owner!" The Rhyisda group has also been held accountable for breaches at a UK hospital and the British Library this year.

Back in 2021, Insomniac initially revealed their Wolverine game. However, it's not the first game to experience a cyberattack leading to leaks of the game. 

Around ninety-nine bits of Grand Theft Auto 6's content were leaked by hackers to Rockstar Games in 2022. Later, Rockstar Games confirmed the attack, and the teenage hacker was found guilty in August in the United Kingdom of fraud and extortion among other charges. 

This year has also seen hackers steal data from Sony. According to SecurityWeek, Sony acknowledged in October that hackers known as RansomedVC had infiltrated all of Sony's computer systems and announced plans to sell stolen items. 

A cybersecurity firm estimated that the Sony hack may have affected over 62 million users, but the number of people affected by the Insomniac hack is presently unknown.

Black Basta's Ransom Money Surpasses $100 million in Less Than Two Years

 

Researchers have discovered that since the Black Basta ransomware gang first surfaced early last year, victims of its double-extortion attacks have paid the gang more than $100 million. With the haul, which included taking over $1 million from at least 17 victims and $9 million from one victim, the Russian-affiliated gang is now among the highest-ranking ransomware operators. 

Blockchain analytics startup Elliptic and cyber insurance provider Corvus claimed in a joint research post published on November 29 that Black Basta had targeted at least 329 organisations and had received payments totaling at least $107 million from over 90 victims. The researchers said that based on the number of victims in the 2022–2023 period, the gang was the fourth most active strain of ransomware. 

“It should be noted that these figures are a lower bound – there are likely to be other ransom payments made to Black Basta that our analysis is yet to identify – particularly relating to recent victims,” the researchers explained. 

In June, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory stating that LockBit, a "prolific" rival gang, had received $91 million from victims in the United States between early 2020 and mid-2023, which puts the group's earnings into perspective. This year, Black Basta has taken down major victims such as ABB, a Swiss technology company, Capita, a British outsourcing company, and Dish Network. 

The gang is thought to have split off from the Conti Group, a notorious ransomware operator that disbanded last year. It employs double-extortion techniques, stealing confidential information from victims, encrypting their networks, and threatening to release the data if a ransom isn't paid. Qakbot malware was frequently used to spread the Black Basta ransomware. 

According to the Elliptic and Corvus report, Qakbot's botnet was taken down by authorities in August, which could account for the notable decline in Black Basta attacks in the second half of the year. Elliptic researchers discovered links between Black Basta and Qakbot on the Bitcoin blockchain, with parts of ransoms paid to Black Basta being transferred to Qakbot wallets. 

“These transactions indicate that approximately 10% of the ransom amount was forwarded on to Qakbot, in cases where they were involved in providing access to the victim,” the researchers added. “Our analysis of Black Basta’s crypto transactions also provides new evidence of their links to Conti Group. In particular, we have traced Bitcoin worth several million dollars from Conti-linked wallets to those associated with the Black Basta operator.”

Report: Retailers Face Challenges in Coping with Ransomware Attacks

 

In a disconcerting revelation, a recently released report suggests that retailers are finding themselves increasingly outmatched in the ongoing battle against ransomware operators. Conducted by cybersecurity experts Sophos, the survey enlisted the perspectives of 3,000 IT and cybersecurity leaders from small and medium-sized businesses (SMBs) and enterprises worldwide, with a particular focus on 355 respondents hailing from the retail sector. 

The findings are rather sobering, indicating that a mere 26% of retailers were successful in thwarting a ransomware attack before succumbing to having their valuable data encrypted. This figure represents a noticeable decline from the preceding year's 28%, and even more starkly from the 34% recorded two years prior.

Chester Wisniewski, the Director of Global Field CTO at Sophos, sounds a cautionary note, deeming the survey a resounding wake-up call for organizations within the retail industry. His message is clear: retailers must urgently fortify their security measures in the face of the escalating ransomware threat.

The report also sheds light on the protracted recovery process faced by victims who opt to meet the ransom demand. Among those who acquiesced, the median recovery cost, excluding the ransom payment itself, surged to four times that of those with a functional backup, reaching a staggering $3 million compared to $750,000. 

Approximately 43% of victims opted to pay the ransom, prompting Wisniewski to caution against shortcuts, underscoring the imperative of rebuilding systems to prevent cybercriminals from reaping the rewards of their malicious activities.

While there is a glimmer of optimism for retailers in the report - the percentage of firms targeted by ransomware threats dropped from 77% to 69% compared to the previous year - the recovery times have taken a hit. The proportion of companies able to recover in less than a day dwindled from 15% to a mere 9%, while those grappling with recovery periods exceeding a month increased from 17% to 21%.

Ransomware, as the report highlights, typically gains entry through the actions of unwitting employees, such as downloading malware or inadvertently providing attackers access to crucial endpoints. 

Consequently, the report underscores the critical importance of comprehensive employee education regarding the perils of cyberattacks. In addition to fostering employee awareness, safeguarding against ransomware necessitates strategic measures such as regular backups of critical systems and data, coupled with the implementation of robust endpoint protection services. The call to action is clear - retailers must fortify their cybersecurity defenses comprehensively to navigate the evolving threat landscape successfully.

Cyberattack Responses at MGM and Caesars Required Brutal Actions

 

Twin assaults on MGM Resorts and Caesars Entertainment have offered an unusual perspective at what happens when two comparable organisations, under similar attack by the same threat actor, use divergent incident response techniques. 

Both parties in this case were the victims of a cyberattack called Scattered Spider /ALPHV. Caesars was able to resume operations very soon after engaging in a fast negotiation with the cyber attackers and paying a $15 million ransom demand. 

However, MGM firmly refused to pay and only recently declared that its operations had resumed after more than 10 days of operational downtime at its hotels and casinos, costing the company tens of millions of dollars in lost income. 

Although it may be tempting to judge which strategy was superior, experts believe that any direct comparison of the Caesars and MGM responses to the incident is oversimplified. 

As an example, Rob T. Lee, chief curriculum director and faculty lead at SANS Institute, emphasises that the fundamental idea behind incident response is to strive to make the "least worst decision." And this is typically a difficult choice with both favourable and unfavourable (some would say harsh) consequences.

He explains, "many business decisions can go into that. Only once an incident is over can you see different paths that could have led to different or at least worse outcomes. There is no 'win' in these situations, only decisions that can prevent it from worsening."

Caesars or MGM: Who was right? It's complex 

One of those difficult decisions incident responders are pressed to make under pressure is whether or not to pay a ransom after a hack. It is commonly known that paying a ransom does not ensure data security or system restoration.

Even worse, it encourages more attacks by establishing a market for these cybercrimes. Business risk decisions, however, don't always boil down to black-and-white choices of right or wrong, and expediency is always a factor.

"Caesars' more rapid recovery post-ransom might give the impression they made a better decision," stated Callie Guenther, senior manager of cyber threat research at Critical Start. "From a business continuity perspective, their decision to pay might seem effective." 

The chief security scientist of Delinea and advisory CISO Joseph Carson argues that there are other issues at play. Companies that deliberate over their choices may come to the conclusion that forgoing payment makes more sense. 

According to his observations, organisations only have a four-day opportunity to reach a compromise with ransomware threat actors before views on both sides harden. After that, ransomware attackers often lose patience and enterprise security teams tend to grow entrenched in their positions. 

Another factor to consider is the cost of recovery. If recovery is unsettling but only costs a few million dollars, it may be a better option than an eight-figure extortion payment, Carson added.

Ransomware Profits Shrink, as Victims Refuse to Pay

 

As per data from blockchain analysis firm Chainalysis, ransomware revenue for 2022 has dropped from $765.6 million to at least $456.8 million, representing a -40.3% year-over-year drop. The number of attacks is as high as it has ever been, but the number of victims who refuse to pay the ransom has increased as well. 

Working with Coveware, Chainalysis has observed a significant decrease in the number of ransomware victims willing to pay: 76% in 2019, but only 41% in 2022. According to Chainalysis, this is a "highly encouraging" trend that is likely influenced by a variety of factors. 

Ransomware victims have realized that even if they pay the ransom, there is no guarantee that their data will be handed back or that the ransomware actor will delete the "stolen" files instead of selling them on the dark web. But since the public perception of the ransomware phenomenon has matured, data leaks no longer pose the same risks to brand reputation as they did in previous years.

Companies and government agencies, which are the primary targets of modern ransomware operations, have also improved their backup strategies, making data recovery a much cleaner and easier process than it was only a few years ago.

Insurance companies are also much less likely to permit their customers to use an insurance payout to satisfy a ransom demand. Eventually, because many ransomware operations are based in Russia, victims who choose to pay may face harsh legal consequences as a result of the country's economic sanctions following the invasion of Ukraine.

Despite the fact that victims are not paying as much as they used to, the ransomware industry is far from dead: in 2022, the average lifespan of file-encrypting-malware strains has dropped from 153 days to just 70 days year on year. The "Conti" ransomware operation ended, while other ransomware-as-a-service (raas) operations, such as Royal, Play, and BlackBasta, went live. At the end of 2022, LockBit, Hive, Cuba, BlackCat, and Ragna were still in business (and still demanding ransom payments).


Ransomware Gangs are Starting to Forego Encryption

 

Criminal organisations are now employing a new strategy to ensure ransomware payouts: they skip the step of encrypting target companies' systems and instead go straight to demanding the ransom payment for the company's valuable data.

Malicious hackers are constantly looking for less-flashy but still effective ways to continue their ransomware attacks as law enforcement's focus on the problem grows.

Typically, a ransomware attack begins with the installation of malware that encrypts files onto a company's networks, followed by the appearance of a ransom note on each screen.

By concentrating only on data extortion, hackers can launch their attacks more quickly and without the need for encryption tools, which can occasionally go down in the middle of an attack. 

According to Drew Schmitt, a principal threat analyst at GuidePoint Security, law enforcement is also more interested in looking into attacks that use encryption because it results in more damage.

Schmitt added that businesses that have strong endpoint security tools, firewalls, ongoing monitoring, and security plans that restrict employees' access to internal files will be the most successful at thwarting ransomware attacks.

Security leaders must know how to lessen the effects of a ransomware attack. Here are a few of our suggestions: 

  • Keep encrypted backups of your data offline and make sure that your team consistently performs backups. Additionally, your team should prioritise restoring all crucial systems and data first and routinely test backups to determine how long data restoration efforts will take. 
  • Make it a company-wide rule that no device should be used to store corporate data locally. Unlike data stored in the cloud, if a device is infected, you risk losing all locally stored data. 
  • To prevent ransomware from spreading to other network devices, immediately isolate the infected device.
  • If at all possible, determine the type of ransomware used and/or the threat actors who carried out the attack to see if a decryption key may already be in existence. Engage an external incident response provider with digital forensics capabilities to lead the charge if you lack the expertise to carry out this investigation internally. 
  • Your team should have the relevant source code or executables backed up in addition to system images (or escrowed, have a licence agreement to obtain, etc.) so that you don't lose the application code entirely if the ransomware infection affects it. 

WordPress Sites Hacked in Fake Ransomware Attacks

 

A new wave of cyberattacks began late last week, hacking over 300 WordPress sites and displaying fraudulent encryption notifications in an attempt to mislead site owners into paying 0.1 bitcoin for recovery. 

These ransom requests include a countdown timer in order to create a feeling of urgency and perhaps terrify a web administrator into paying the ransom. While the 0.1 bitcoin ($6,069.23) ransom demand is little in contrast to what is seen in high-profile ransomware operations, it may still be a significant sum for many website owners. 

Sucuri, a cybersecurity firm hired by one of the victims to conduct incident response, identified these attacks. The researchers revealed that the websites had not been encrypted, but rather that the threat actors had altered an installed WordPress plugin to show a ransom message and countdown when the page was accessed. 

In addition to presenting a ransom note, the plugin would change the 'post status' of all WordPress blog entries to 'null,' leading them to become unpublished. As a result, the cyber actors developed a simple but strong illusion that gave the impression that the site had been encrypted. 

The site was restored to its usual state after deleting the plugin and running a command to republish the posts and pages. Sucuri discovered that the first place where the actor's IP address showed in the network traffic records was the wp-admin panel. This suggests that the infiltrators gained access to the site as administrators, either by brute-forcing the password or by obtaining stolen credentials from dark web markets. 

This was not an isolated attack, but rather part of a larger campaign, giving legitimacy to the second scenario. Sucuri discovered a plugin called Directorist, which is a tool for creating online company directory listings on websites. 

Sucuri has identified around 291 websites hit by this attack, with a Google search revealing a mix of cleaned-up and still-displaying ransom letters. All of the sites BleepingComputer found in search results utilise the same Bitcoin address, 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc, which has not received any ransom payments. 

Safeguarding against website encryptions

Sucuri recommends the following security procedures to keep WordPress sites safe from hackers: • Review the site's admin users, delete any fraudulent accounts, and update/change any wp-admin passwords. 
  • Protect the wp-admin administrator page. 
  • Modify the passwords for all other access points (database, FTP, cPanel, etc). 
  • Protect your website using a firewall. 
  • Adhere to dependable backup techniques that will make restoration simple in the event of a genuine encryption incident. 
Because WordPress is frequently targeted by threat actors, it is also critical to ensure that all of your installed plugins are up to date. 

BleepingComputer was notified about a recent fix for the Directorist plugin, which addressed an issue that enabled low-privilege users to run arbitrary code. While Sucuri's analysis does not identify the plugin as an infiltration point, the presence of this vulnerability makes sense in the context of the specific assault. 

This also implies that eradicating the virus and restoring the site would not prevent the attackers from striking again as long as the Directorist plugin is still in an older, vulnerable version.

Phishing Emails Deliver Scary Zombie-themed MirCop Ransomware

 

A new phishing campaign that poses as supply lists attacks users with the MirCop ransomware, which encrypts a target PC in less than fifteen minutes. 

The perpetrators start the attack by sending an unsolicited email to the victim, claiming to be following up on a previous order arrangement. The email body includes a hyperlink to a Google Drive URL that, when clicked, downloads an MHT file (webpage archive) to the victim's device. 

The use of Google Drive lends credibility to the email and is in accordance with standard business procedures. Simple but crucial choices like this can determine whether the victim clicks the URL or sends the email to the spam folder for threat actors. When people open the file, all they see is a fuzzy image of what appears to be a supplier list, stamped and signed for added legitimacy. 

When the MHT file is opened, it will download a RAR archive from “hXXps://a[.]pomf[.]cat/gectpe.rar” containing a.NET malware downloader. The EXE file in the RAR archive uses VBS scripts to drop and run the MirCop payload on the affected machine. 

The ransomware starts capturing screenshots right away, locks files, changes the background to a terrifying zombie-themed graphic, and instructs victims on what to do next. The entire procedure, according to Cofense, takes less than 15 minutes from the time the victim opens the phishing email. 

Following that, the user is only able to use certain web browsers to contact the actors and arrange for the ransom payment. The actors have no interest in infiltrating the victim's computer discreetly or staying there for long to conduct cyber espionage or acquire files for extortion. On the contrary, the attack happens swiftly, and the source of the problem is noticeable to the victim instantly. 

About the ransomware

MicroCop is an outdated ransomware strain that is used to send its victims ridiculous ransom demands. That was until Michael Gillespie broke the encryption and released a free decryptor. 

As per BleepingComputer, it was not able to verify whether that old decryptor still works with the payloads delivered in the most recent campaign, but it's possible that it can still unlock the files.

According to Cofense, the identical variant has been circulating since June of this year, indicating that MicroCop is still active and that people should be wary when dealing with unwanted emails.

FBI: Ransomware Targets Firms During Mergers and Acquisitions

 

The FBI cautions that ransomware groups are targeting companies in "time-sensitive financial events" such as corporate mergers and acquisitions in order to extort their victims. 

The FBI stated in a private industry notice issued on Monday that ransomware operators would utilize financial information gathered before assaults as leverage to compel victims to pay ransom demands. 

The federal law enforcement agency stated further, "The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections." 

"During the initial reconnaissance phase, cybercriminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim's stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established." 

For example, last year, the REvil (Sodinokibi) ransomware gang stated that they were considering introducing an auto-email script that would notify stock exchanges, such as NASDAQ, that firms had been affected by ransomware, potentially affecting their stock price. REvil is also looking into stolen data after breaching firms' systems to identify destructive material that may be used to force victims to pay ransoms.

More recently, DarkSide malware declared that it will share insider information about firms operating on the NASDAQ or other stock exchanges with traders looking to short the stock price for a quick profit. The FBI also highlighted numerous examples of ransomware gangs targeting susceptible firms using inside or public information about active merger or acquisition negotiations: 
  • In early 2020, a ransomware actor using the moniker "Unknown" made a post on the Russian hacking forum "Exploit" that encouraged using the NASDAQ stock exchange to influence the extortion process. Following this posting, unidentified ransomware actors negotiating payment with a victim during a March 2020 ransomware event stated, "We have also noticed that you have stocks. If you will not engage us for negotiation we will leak your data to the nasdaq and we will see what's gonna (sic) happen with your stocks." 
  • Between March and July 2020, at least three publicly traded US companies actively involved in mergers and acquisitions were victims of ransomware during their respective negotiations. Of the three pending mergers, two of the three were under private negotiations. 
  • A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim's network indicating an interest in the victim's current and near-future stock share price. These keywords included 10-q1, 10-sb2, n-csr3, nasdaq, marketwired, and newswire. 
  • In April 2021, Darkside ransomware4 actors posted a message on their blog site to show their interest in impacting a victim's share price. The message stated, "Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges. If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in 'Contact Us' and we will provide you with detailed information." 
As per the FBI, paying a ransom to ransomware groups is not encouraged and should be avoided by organizations since there's no certainty doing so would safeguard them against data leaks or future assaults. Paying ransoms encourages the crooks behind ransomware operations to target even more victims and encourages other cybercrime groups to follow their lead and join them in unlawful activities. 

The FBI, on the other hand, realises the harm a ransomware assault can do a firm, as executives may be compelled to contemplate paying a ransomware actor to safeguard shareholders, customers, or staff. The FBI highly advises that such events be reported to their local FBI field office.

New 'SnapMC' Hacker Group Breaches Networks in Under 30 Minutes

 

Cybersecurity researchers have unearthed a new threat group known as SnapMC, that aims to secure access to the company’s files, steal their sensitive data and demand ransom to keep it from being leaked.

According to NCC Group’s Threat Intelligence team, SnapMC has not been linked as of yet to any known threat actors. The name is derived from the actor’s lightning-fast hacks, typically completed in under 30 minutes, and the exfiltration tool mc.exe it uses.

To perform the attack, SnapMC scans for multiple vulnerabilities in both web servers and virtual private networking solutions. In particular, the threat group utilizes the so-called Blue Mockingbird vulnerability that affects older versions of the Telerik UI for ASP.NET applications. 

Once inside, the group sends extortion emails to victims. Typically, a victim is given 24 hours to respond to the email and another 72 hours to negotiate a ransom payment; a list of stolen data as evidence that the group has gained access to the victim’s infrastructure is included by the actors. 

To intimidate victims to begin negotiations, the threat group releases small portions of the data, threatens to leak the files online, threatens to tell media outlets regarding the breach or notify a victim’s customers about the hack. 

“There are multiple reasons for the success of these attacks: First, regulation and public awareness make victims more inclined to have the certainty of containing the incident by paying,” said Christo Butcher, global head for threat intelligence at the NCC Group Research and Intelligence Fusion Team. “Second, the threat actors behind various data breach extortion attacks are gaining more experience with every breach and subsequent extortion negotiation, which allows them to improve their skills in both negotiating as well as understanding the mindset of their victims.”

SnapMC does not deploy ransomware, despite having access to a victim’s internal network – the group focuses solely on data exfiltration and the subsequent extortion, the researchers observed while tracking the group.

Earlier this week, researchers published a technical report containing the tools and methodologies employed by SnapMC in their intrusions – in the hopes that organizations deploy proper defenses. 

NCC Group recommends that organizations should keep all their web-facing assets up to date; doing so will help in mitigating the risks. Gaining visibility into susceptible software and putting in place effective detection and response systems can also help in combating the attacks.