Blog posts, webinars, and guides exploring ransomware prevention tips and platform capabilities against these attacks.

PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers

November 21, 2023/in Blog Post/by Ellen Loughlin

Key Takeaways

Adlumin uncovered evidence that Play ransomware (also known as PlayCrypt) is now being sold “as a service.” Play ransomware has been responsible for attacks on companies and government organizations worldwide since it was first discovered in 2022. Making it available to affiliates that might include sophisticated hackers, less-sophisticated “script kiddies” and various levels of expertise in between, could dramatically increase the volume of attacks using the highly successful, Russia-linked Play ransomware.
In recent months, Adlumin has identified and stopped PlayCrypt attacks that had nearly identical tactics, techniques and procedures (TTPs). The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it.
Based on the attacks Adlumin has witnessed, small and mid-sized organizations are being targeted and are especially at risk. However, ransomware delivered as a service can often be easier to detect because of the common methods used to deploy it. Security teams should watch for indicators of compromise (IOCs) including malicious IP addresses, domains, TOR addresses, emails, hashes and executables, including the ones identified in the article below.

The Patterns

Play, also known as “PlayCrypt,” was discovered last summer disrupting government agencies in Latin America. Months later threat actors began using it for targets in the U.S. and Europe. Play, like most ransomware today, employs double-extortion tactics, stealing victim data before encrypting their networks.

Since August, the Adlumin MDR team has tracked separate Play ransomware attacks in different industries. In the attacks Adlumin observed, threat actors used the same tactics, techniques, and procedures (TTP) and followed the same order of steps — almost identically. Furthermore, the indicators of compromise (IOCs) for both incidents were almost indistinguishable.

One of those IOCs includes threat actors using the public music folder (C:\…\public\music) to hide malicious files. Another was using almost the same password to create high privilege accounts. And, in both attacks, many of the same commands were observed.

This high level of consistency in methods used by threat actors is telling. First, it highly suggests reliance on playbooks or step-by-step instructions supplied with RaaS kits. And second, the targeted victims shared a common profile; they were smaller organizations that possessed the financial capacity to entertain ransoms reaching or exceeding $1 million.

The RaaS Kit Market

Purchasing RaaS kits is not difficult, it simply requires a TOR connection and membership to the right dark net forum or market. Once there, a highly experienced threat actor, or even a “script kiddie,” can browse RaaS advertisements.

Below are two ads that Adlumin acquired from RaaS operators peddling their products in the dark web.

Other ransomware ads obtained included those that offered “set-up assistance” “for as low was $200,” and those with “no fees.” Adlumin also observed advertisements offering full builds from $300 to $1100 “ready for deployment.”

One of the ads described the malware being offered as using “many cutting-edge evasion techniques including proprietary methods.”

And in some ads, RaaS operators boasted having ransomware kits for targeting MacOS systems.

“We have developed a new MacOS ransomware as we noticed a lack of it,” the ad read.

At least one post, stated that the ransomware for sale was what “the cool kids are using,” alluding that someone doesn’t have to be “cool” – or perhaps, highly skilled – to purchase and use it.

Easy Enough for a Script Kiddie

Script kiddies are individuals who possess fundamental hacking skills and the knowledge to deploy and execute exploits written by experienced threat actors. They’re able to learn new skills easily and eventually, often become “real hackers” themselves.

Since 2015, researchers have written about the ability script kiddies have for deploying ransomware and often working side-by-side with well-known threat actor organizations.

In March 2022, police in the UK arrested members of the Lapsus$ cybercriminal group known for targeting tech companies such as Okta, Nvidia, Samsung, and Microsoft. The raid included the arrest of teenagers and young adults with ages ranging from 13 to 21, according to the BBC. It’s not clear, however, if the youngsters were script kiddies simply due to their age.

With enough documentation and technical support – and with generative AI tools now being able to assist them as well – a script kiddie can be more than capable of carrying out an attack. However, attacks by these less-skilled individuals often include a higher degree of basic mistakes that make them easier for an organization with capable cybersecurity operation to stop.

For example, Adlumin has observed ransomware attacks foiled by its security operations platform or its MDR team during an attack’s early stages. In some cases, threat actors don’t even get the chance to encrypt files. There are also incidents where SOAR actions within the Adlumin platform disable accounts created by threat actors, effectively locking them out from the network. Sometimes attacks are carried out, but no data is exfiltrated.

Money to be Made

Ransomware attacks are very lucrative, especially since 73% of companies attacked pay the ransom. And with double extortion becoming the norm, organizations that don’t pay are publicly shamed by RaaS operators on the clear or dark web.

For script kiddies of any age, ransomware may seem like a great way to make a living and become rich quickly. Also, with high unemployment rates in many countries in Latin America and other parts of the world, cybercrime may be seductive for underemployed or poorly paid computer programmers, or people in similar careers. According to DevelopmentAid.org, “[Poor countries] serve as training grounds for criminal groups in preparation for more ambitious attacks in developed countries.”

When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use. And since there are probably more script kiddies than “real hackers” today, businesses and authorities should take note and prepare for a growing wave of incidents.

Breadcrumbs

IOCs, such as malicious IP addresses, domains, TOR addresses, emails, hashes, executables, and others discovered from an attack can be very useful to analysts, researchers, and law enforcement. They serve as clues to help put together what transpired during the incident and how. They can also offer some insight about the level of sophistication of the attackers.

When threat actors follow RaaS-provided playbooks, they will likely adhere to them closely on the first few attacks. They’ll make mistakes, and if those mistakes are big enough, they could serve as breadcrumbs for the authorities to follow.

Anything an attacker does in a network can help authorities if they are contacted after an incident. This is why investigators request that victims share any IOCs that could help with their investigations. Even if a business pays the ransom, details like Bitcoin or Monero addresses and transaction IDs, communication or chat logs with threat actors, the decryptor file, and a sample of an encrypted file can be very useful.

If a newbie or script kiddie isn’t meticulous with their work, the FBI could soon be knocking on their door.Conclusion

Ransomware attacks continue to be among the most prevalent cyber threats and increased by 37% in 2023. Companies should expect more ransomware attacks in the future, not less. And if more novice attackers are finding that ransomware attacks can be carried out easily with the help and support provided by RaaS operators, they’ll continue to frequent dark net forums to join the most inviting ransomware affiliate group.

At the same time, novice attackers are more likely to make mistakes since they are not as experienced, potentially leaving behind significant IOCs that the authorities can use to help track and apprehend them.

The Adlumin MDR Team will continue to monitor and stop ransomware attacks carried out by newbies and experts alike. Our security operations platform’s SOAR actions have been successful at foiling these attacks in their early stages, stopping cybercriminals on their tracks.

Furthermore, Adlumin now offers Total Ransomware Defense (TRD), a service specifically designed to detect ransomware activity and stop it. In the unfortunate case that files are encrypted, TRD is able to generate decryption keys to restore systems and networks.

Indicators of Compromise (IOCs)

Usernames

admon
daksj
admin

Objects

exe
zip.json.PLAY
exe
exe
PLAY
exe
ini.PLAY
aut
omaticDestinations-
PLAY
exe
json.PLAY
cdp.PLAY
HeartBea
updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.PLAY
exe
cookie.PLAY
js.PLAY
exe

Paths

C:\\Users\\Public\\Music

\\Device\\HarddiskVolume3\\CollectGuestLogsTemp

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

C:\\windows

Hash:

51d3d661774cc50bb22e62beafc4bc6029d

f2392

\\Device\\HarddiskVolume2\\Users\\it.ad

min\\AppData\\Local\\Google\\Chrome\\

User Data\\Default\\Cache\\Cache_Data

Hash: null

C:\\Windows

Hash:

51d3d661774cc50bb22e62beafc4bc6029d

f2392

\\Device\\Mup\\10.20.0.15\\C$\\$Recycl

e.Bin\\S-1-5-21-3568089881-786281157-

4253494709-1103

Hash: null

\\Device\\HarddiskVolume2\\Users\\AAD

_00864e0326c2\\AppData\\Roaming\\Mi

crosoft\\Windows\\Recent\\AutomaticDe

stinations

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

\\Device\\Mup\\10.20.0.15\\C$\\Users\\

administrator\\AppData\\Local\\ConnectedDevicesPlatform

Hash: null

\\Device\\Mup\\10.20.0.15\\C$\\Package

s\\Plugins\\Microsoft.EnterpriseCloud.Mo

nitoring.MicrosoftMonitoringAgent\\1.0.1

8067.0\\Status

Hash: null

\\Device\\HarddiskVolume2\\ProgramDat

a\\USOPrivate\\UpdateStore

Hash: null

C:\\Users\\Public\\Music

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

\\Device\\HarddiskVolume2\\Users\\it.ad

min\\AppData\\Local\\Microsoft\\Windo

ws\\INetCookies

Hash: null

\\Device\\HarddiskVolume4\\Program

Files\\Microsoft Monitoring

Agent\\Agent\\APMDOTNETCollector\\W

eb\\Scripts\\V7.0\\js

Hash: null

C:\\PerfLogs

Hash:

b042bc03144919c0fed9d60c1f68eb04ed7

2c2f6

Inside the Mind of a Ransomware Gang

November 1, 2023/in Videos/by Ellen Loughlin

Inside the Mind of a Ransomware Gang

Many do not realize that most ransomware gangs operate as fully functional businesses that seek out unconventional buyers for your organization’s data. From having a help desk to offering services to free organization’s from losing data, they attempt to do business like any Fortune 500 company, and no organization is safe. Join us here at Adlumin as we take you through a ransomware gang’s mind to explore the thoughts and motives behind their attack and learn how to best prepare your organization.

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos

October 12, 2023/in Blog Post/by Ellen Loughlin

By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is a part of Adlumin’s Threat Bulletin Series content series.

In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.

Caesars Entertainment Cyberattack

Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.

In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.

Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” alluding that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”1 Other news outlets, including CNBC, reported that Caesars paid $15 million.2

The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ransomware group, ALPHV.

The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.

MGM Resorts International Cyberattack

On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”3 MGM also stated that it had notified law enforcement to help protect networks and data, including by “shutting down certain systems.”

According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,4 and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out-of-service or were displaying errors across MGM-owned casinos, including at the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. In addition, it was reported that thousands of guests had to wait in long lines for hotel check-ins and that credit card point of sales systems were down, forcing guests to pay cash.5

However, some of the same news outlets published statements from unvetted sources citing that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scatted Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.

“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.”

In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.

Numerous news media erroneously believed the threat actors had published the post to explain how they gained access to the MGM networks and used it in their reporting.

1. Screen capture of the 9/12/2023 post published by vx-underground.

At some point, ALPHV removed the reference to “vx-underground” and issued another update:

“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.

The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.

According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.

MGM operations resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its servers were down, which adds up to $40 million.6

Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.

Recommendations

How to Protect Yourself from Social Engineering

Verify

In Caesars Entertainment’s case, a simple vishing tactic, where a cybercriminal attempts to obtain information via phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.

An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth, for example. If the individual calling can provide you with all the correct information, you may need to think outside the box; what are the circumstances surrounding this issue? Is the caller experiencing the issue they’re asking about? For example, if the caller asks for a password reset due to an ‘account lockout,’ you should verify that the account is locked out before proceeding with assistance. Most organizations have a form of internal communications platform used for employee-to-employee messaging and the like. Some organizations even have a call roster with the employee’s personal number. Therefore, give the employee a quick call to verify that the individual is contacting you.

Training

Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.

This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.

How Adlumin Can Help Protect Your Organization

Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.

Trending Ransomware Attacks and How to Stop Infection Before Payment

June 1, 2023/in Blog Post/by Brittany Demendi

By: Brittany Demendi, Corporate Communications Manager

With the rise of ransomware attacks, it is more important than ever to be proactive when it comes to protecting your organization’s devices and networks. Knowing about the various types of ransomware, such as LockBit, BlackCat, and Medusa, is important. Additionally, it is essential to understand how ransomware affects a system and device, and the steps you should take to detect and stop ransomware before it is too late.

In this blog, we will discuss some of the most dangerous and widespread ransomware attacks, how they affect a system, and the steps you should take to prevent them from wreaking havoc on your organization.

Trending Ransomware Attacks

The following section references trending ransomware attacks/gangs from Adlumin’s Threat Research Team.

LockBit:

LockBit is malicious software that blocks users’ access to their computer systems in exchange for a ransom payment. LockBit will automatically spread the infection, vet for other valuable targets, and encrypt systems on the network. Attackers have targeted organizations globally and have made their mark by threatening data theft, extortion, and operational disruption.

It is a self-spreading type of malicious software that does not require manual direction from the attacker. In addition, it uses tools like Server Message Block (SMB) and Windows Powershell to target an organization’s user rather than spread like spam malware.

LockBit attacks in three stages:

Exploit
Infiltrate
Attack

BlackCat:

BlackCat, also known as ALPHV, has been deemed one of the most threatening and sophisticated types of malware in recent years. BlackCat is considered ransomware-as-a-service (RaaS). Although there has been a decline, BlackCat is still dangerous as they target organizations globally using triple-extortion tactics. Cybercriminals use a malware-infected email or website link to lure in victims, quickly spreading across an entire system.

After BlackCat attackers gain initial access to a network, they begin lateral movement phases identifying sensitive data to later encrypt. It is difficult to remove and will attempt to disable anti-virus software and other security measures. Cybercriminals will also modify system files and settings to make a recovery more complex.

One of the main differences between BlackCat and other types of ransomware is that it is written in Rust programming language. There has been an increase in this type of language because it is stable, fast, and secure to evade existing capabilities while allowing for better memory management. BlackCat can also run on non-Windows operating systems like Linux.

Medusa:

Medusa has been picking up media coverage this past year with increased activity and the launch of their ‘Medusa Blog,’ where they leak data for victims who do not pay a ransom. They target globally and demand millions in ransom.

Medusa is known to shut down over 280 Windows processes and servers, including database servers, backup servers, and security software, and will prevent files from being encrypted. They claim to exfiltrate data from organizations and perform a double-extortion attack where the threat actor encrypts compromised systems and releases or sells the data publicly on their blog. Since they are relatively new, additional capabilities are still being discovered.

How Ransomware Affects a System of Device

Ransomware is used in several different methods to infect an organization’s device or network. Some of the most common ransomware infection vectors include:

Social Engineering Attacks and Phishing Emails: Phishing emails entice employees and victims to download and run malicious attachments, which contain ransomware disguised as a link, PDF, Word document…etc. An attacker can access their system once that link or attachment is opened or downloaded. IBM recently reported that 45% of all ransomware attacks successfully infiltrate through a phishing email or a social engineering tactic.
Account Compromise: Cybercriminals buy authorized users’ credentials off the dark web or steal or obtain them via brute force. They then use the credentials to log into a computer or network to deploy ransomware directly. A widespread credential theft technique that cybercriminals use is the remote desktop protocol to access a victim’s computer remotely.
Software Vulnerabilities: It is common for cybercriminals to exploit software vulnerabilities by injecting malicious code into the network or device. Attackers know how common it is for organizations to not have everything patched, making known vulnerabilities the easiest point of entry or technique to plan their attack.

Detection Before Ransomware Execution

One of the most important steps for all organizations to protect themselves from ransomware is taking a proactive approach to cybersecurity by investing in the right solutions and technologies. In conjunction with a Security Operations Platform and Managed Detection and Response Services, implementing a solution specific to ransomware adds multiple layers of protection to an organization to proactively block ransomware from executing. If signs of a ransomware attack are detected, the attack can be stopped before the files are encrypted.

Typically, when a ransomware attack occurs, removing ransomware alone does not give you access to your files again. It will still require a solution and tool to prevent you from having to pay the ransom, with an encryption key to unlock it. Specifically, a multilayer ransomware defense solution will stop the ransomware before this stage is even needed. These solutions are not a replacement for threat management solutions but an added necessity to enhance your cybersecurity protection.

Adlumin’s threat experts work as an extension to your security team and can detect ransomware before havoc is reached and reduce an event’s impact. They can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Cyber Tide Podcast - Episode 6: Knowing Your Cyber Adversary: The Latest on Ransomware

May 17, 2023/in Podcasts/by Adlumin Staff

On this week’s episode of Cyber Tide, VP and Chief of Strategy Mark Sangster and Co-founder and EVP Tim Evans are joined by Kevin O’Connor, former U.S National Security Agency (NSA) and Director of Threat Research at Adlumin. Listen in as O’Connor dives deep into the latest 2023 Threat Report, examining the rise of advanced persistent threats, emerging trends, and the changing tactics of adversaries.

Learn more about the increase in ransomware attacks and the strategies you can use to protect yourself from them. Don’t miss this essential episode as these experts uncover the world of threats lurking in dark corners.

You can subscribe to CyberTide via Apple and  Spotify.

About the Cyber Tide Series

Dive beneath the surface of infamous cybersecurity attacks to learn the means and motives of cyber adversaries. In each episode, we invite an expert to reveal the contributing factors and costs of cyber incidents and how your firm can protect itself from business-disrupting cyberattacks.

The Need to Know: Black Basta Ransomware Gang

January 26, 2023/in Blog Post/by Adlumin Staff

By: Mark Sangster, Chief of Strategy, and Kevin O’Connor, Director of Threat Research

Virulent Ransomware Gang Has Ties to FIN7 State-Sponsored Group

Discovery of Ransomware Gang FIN7

I discovered a rather clever adversary targeting investment firms in New York almost ten years ago. At the time, the group used Microsoft Macros to launch a fake Windows log-in pane to harvest credentials. Once an account was compromised, the adversaries would use it to send the phishing to the next victim. From that account, they moved to the next, and so on, until they captured key accounts at 70 funds. The number might sound small, but these firms managed billions in funds, so much so that the Security Exchange Commission (SEC) was concerned about a campaign to destabilize the economy, slowly crawling back from the 2008 subprime lending market collapse. The Russian-affiliated group was eventually labeled FIN7.

Black Basta Ransomware Gang Emerges

Fast forward to the present, and FIN7 crosses my desk. Yahoo! Finance asked me to comment on several ransomware attacks on food services and a grocery chain. It turns out the culprit, another Russian gang, Black Basta, had left its ransomware mark on over 50 victims since April of this year. According to SentinelOne research, there are trademark FIN7 (also called Carbanak) tactics and tools, including evasion tools and backdoor malware.

While FIN7’s original focus was financial data and institutions, a shift to a broader market, associations and the food industry is no surprise. Destabilizing food supply or heat utilities in the winter tend to create social angst and lead to eroded faith in the government to protect its citizens. While groups like Black Basta are primarily driven by financial gain, ideological impact as a byproduct is a free benefit.

A Political Big Brother: Russia

Given the hostilities in Ukraine, Russian retaliation against western countries providing support to Ukraine was deemed fair game for cybercriminals (like they were ever offside). Many of these groups (like Black Basta) either operate with impunity in Russia or some level of collusion or coordination with Russian agents.

FIN7 and Black Basta share more than ideology; a political big brother to protect them and target organizations. FIN7 technology brought nation-state capabilities to smaller ransomware gangs before ransomware-as-a-service with a thing (RaaS). They set the benchmark for researching their targets and using tactics that emulate insiders or actors that appear to be “in the know” of confidential information.

Ransomware Tactics Used

Ransomware gangs, like Black Basta, leveraged multi-extortion techniques (not unique), with enviable defense evasion and late manifesting symptoms that hide their presence until the ransomware detonation. They also rely on commodity malware like living off-the-land exploitation techniques, including the ever-growing popularity of Quakbot, PowerShell, WMI, netcat (used for lateral tunneling), mimikatz, CobaltStrike, and Coroxy. They’re also known for using the PrintNightmare vulnerability (CVE-2021-34527) for lateral movement, which can run on Linux against VMWare hypervisors to encrypt multiple hypervisor-hosted systems.

While sophisticated, they still rely on unpatched vulnerabilities, broad administrative access, and unguarded entry points. Consider Black Basta master chefs who can make delicious meals with reliable ingredients. Similarly, their encryption algorithm, ChaCha20, uses a robust RSA-4096 key but requires administrative privilege to execute.

Now What? CIS Controls to Implement

It’s a good news / bad news story. The bad news is that one of the most sophisticated ransomware gangs is back on the prowl. The good news is that they are mortal and can be stopped. They still use conventional tactics to infiltrate their targets: open vulnerabilities, unencrypted remote access points, exposed credentials, and over-provisioning administrative privilege. All of these tactics are detectable. Unfortunately, your insurance firm’s paneled incident response firm usually finds them as part of your claim.

The Center for Internet Security (CIS) is an excellent place for organizations to build a strong cybersecurity posture. CIS provides 18 controls for organizations of all sizes to safeguard data and mitigate cyber-attacks or ransomware attacks against their networks and systems. Here are just a few to get started with:

CIS Security Controls

CIS Control 7: Continuous Vulnerability Management (CVM)
- CVM covers one of the 18 controls by closing the gaps between significantly reducing risk and security assessments. Managing vulnerabilities and understanding is a continuous activity requiring the focus of resources, time, and attention. CVM assesses and tracks vulnerabilities on all enterprise assets within the infrastructure. It minimizes and remediates the window of opportunity for cybercriminals.
CIS Control 8: Audit Log Management
- Audit log management is the process of recording any activity used across an organization within the software systems. Audit logs document any occurrence of an event, the impacted entity, when it occurred, and who is responsible. In addition, compliance regulations require logs to be kept for a certain amount of time. Ensuring organizations collect, review, retain, and alert audit logs of events helps recover from an attack quicker.
CIS Control 14: Proactive Security Awareness
- Employees are every organization’s first line of defense. It is critical to arm them with the proper knowledge and skills to properly identify and report any suspicious activity. A Proactive Security Awareness Program empowers employees with the needed expertise. Security software can only defend for so long until someone clicks a malicious link- take the proactive approach.
CIS Control 18: Penetration Testing
- A penetration test or ‘ethical hacking’ evaluates the security of a system by attempting to breach accessibility, integrity, or confidentiality. A test provides real-world penetration scenarios covering industry-specific threat assessments offering actionable recommendations and rapid results.

The Adlumin Advantage

As co-founder and CEO of Adlumin, Robert Johnston is fond of saying even the biggest hacks had common factors and tactics. While companies were spending millions in the wake of massive data breaches, for a fraction of that cost, they could stop these common criminal chokepoints.

The Adlumin Security Operations Platform is designed to detect sophisticated tactics used by state-sponsored actors and provide simple response capabilities to disable compromised accounts, deactivate remote access services when suspicious activity is present, and identify event manipulation like creating unreconciled users or promoting account privileges. With Adlumin, you can stop these attacks early in the life cycle and prevent them from disrupting your business.

Are your Security Defenses Ready?

For more information, contact one of our cybersecurity experts for a demo to get started.

Inside the Mind of a Ransomware Gang

January 24, 2023/in Blog Post/by Adlumin Staff

Inside the Mind of a Ransomware Gang

December 9, 2022/in Resources/by Adlumin Staff

Human Error Continues to Drive Numbers on Cybersecurity Attacks

June 27, 2022/in Blog Post/by Adlumin Staff

Checking the box for your organization’s cybersecurity training annually doesn’t quite cut it anymore. Cyberattacks are rising yearly, and one of the top reasons is human error. Taft dives into the best approach to managing privacy and cybersecurity and how to create a more innovative, more attentive security culture.

You might think your run-of-the-mill privacy and cybersecurity training is sufficient. You might think that by “checking the box” on generic training you have fulfilled your duty and obligation to mitigate data privacy and cybersecurity attacks. You might think that general malware protection adequately secures your company’s data and you can move on with your everyday business efforts without concern. Think again. Human error continues to be the number one driver of data breaches. Over 85% of all data breaches are caused by an employee mistake. (Source: Psychology of Human Error by Stanford University Professor Jeff Hancock and Tessian, a cybersecurity firm.) “Human error” can take many forms from the use of stolen credentials and misuse of company information to phishing or malware links. Cybercriminals and hackers have developed advanced and creative tactics in efforts to access and steal confidential information. Malware attacks, for example, are attacks where hackers attempt to infiltrate networks, individual computers, and mobile devices with malicious software. An unassuming click to open a link or download software is all it takes to enable a malware attack. Social engineering tactics are often used to get employees to send bank account information, provide usernames and passwords, among other confidential information. Psychological manipulation is the bread and butter of social engineering. Such efforts intentionally target human interactions by tricking persons into thinking they are receiving an email from a trusted source, perhaps a friend or a business partner. Email content may consist of an urgent request, portray legitimate branding to make the email appear trustworthy, request your “verification” of information, or pose as a boss or coworker. Employees need to be trained and continuously reminded to be mindful when conducting business. Technology can only take us so far in protecting businesses and securing information from cybersecurity attacks, especially with respect to social engineering. In the hustle and bustle of everyday business, it is easy to flit from email to email, shooting off quick responses without even glancing at the subject line, or the name or email address of the sender. Some of the simplest requests from a seemingly innocuous email can lead to the leak of very valuable information. Do you recognize the sender’s email address? Are there spelling mistakes in the content of the email? Is the company or individual name familiar to you? Cybersecurity attacks can be incredibly costly, causing financial, mental, and emotional heartache from the click of a button. Aside from financial ramifications, data breaches and cybersecurity attacks may reflect negatively on your business’s reputation, cause you to lose clients or customers, and may even lead to significant litigation proceedings and hefty government fines from breach of regulatory violations. The best approach in managing privacy and cybersecurity training is a proactive one. A primary goal should be to create a smarter, more attentive security culture within your business.

Read the full article here.

Adlumin Inc. is a patented, managed security services platform built for corporate organizations that demand innovative cybersecurity solutions and easy-to-use, comprehensive reporting tools.

North Carolina, the First State to Ban Ransom Payments

May 11, 2022/in Blog Post Mark Sangster/by Adlumin Staff

Al Capone had it right. He once said, “Prohibition has made nothing but trouble.” One hundred years on, we will see if he was right. It never stopped the rum runners—will it stop the cybercriminals?

Earlier this year, North Carolina became the first state to prohibit government agencies from paying ransoms in the wake of a cyberattack. As part of the latest 2021-2022 budget appropriations, North Carolina bars communications with adversaries and funds transfers. The law applies to agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government and other entities for which the state has oversight responsibility.

While the law applies to institutions like the University of North Carolina, it does not apply to private sector businesses. Other states are pursuing similar legislation, with New York pushing legislation to ban ransom payments across both public agencies and private businesses and Pennsylvania’s Senate approving a bill to ban the use of taxpayer funds to pay ransoms.

Congress is also considering a bill (by a representative from North Carolina) to make it illegal for financial firms to pay ransoms over $100,000 without prior government approval. This move is contrary to FBI advice to not ban payments which could result in companies facing alternate extortion tactics or hiding payments from authorities. Of course, the FBI does not officially support the paying of ransoms in response to cyberattacks.

Before considering the merit and efficacy of ransom payment prohibition, it is important to mention that US Treasury published an advisory warning of risks facilitating or paying ransoms to recipients on the Office of Foreign Assets Control (OFAC) sanctions list. I cannot complete this point without noting that the Internal Revenue Service (the largest bureau in the Treasury department) allows ransom payments (partner of a larger list of theft acts) as a tax deduction. (Play canned laugh track here.)

Should ransom payments be made illegal? Well, by their very nature, they are illegal. The question is should payment by victims be banned, prohibited, or governed?

Pro-ban advocates argue that ransoms are, after all, illegal, and banning payments would break the economic supply-demand engine that makes ransomware so profitable. This tough-love approach might cause short-term pain to unprepared victims who cannot recover without purchasing decryption keys.

Pro-pay (or choice) advocates argue that banning payments will not discourage ransomware gangs and will only leave victims helpless in the wake of costly operational disruptions. In fact, they often invoke scenarios in which hospitals and clinics are disrupted for weeks and months, patient care suffers and causes medical chaos, and payment prohibition costs lives and not just money. Their approach is the lesser-of-two-evils ethos.

Here is an insightful article on the debate.

Beyond the philosophical or political charge, it remains to see if ransomware bans will have the desired effect of diminishing ransomware attacks. Ransomware attacks continued to increase after Treasury’s saber-rattling about OFAC sanctions. It doesn’t seem the courts are clogged with cases filed against companies that paid ransoms to parties they could not verify as OFAC sanctions. That said, anecdotally, a cottage industry is popping up to conduct OFAC checks, and insurance companies will refuse coverage if payments violate Treasury regulations.

The other question is whether paying the ransom improves the outcome for the victim organization and its operations. Indicators suggest paying ransoms is simply adding insult to injury. One study that surveyed 5,000 companies found that the cost of a ransomware attack doubled for companies that paid the ransom. That same report also noted that 92 percent of ransom payers never recovered the entirety of their data and systems.

I am often asked how best a firm can avoid paying a ransom. And my answer is always this: the best way is to avoid being hit by a ransomware attack. Awareness, training, preparation, and rapid detection can stop ransomware attacks before they disrupt your business. The second-best way is a rapid response based on well-tested business continuity and disaster recovery planning. The interruptions are short, with fail-over to hot backup systems minimizing the impact.

The companies that face the to-pay-or-not-to-pay dilemma are the ones that were not prepared, thought their insurance would solve the problem or the ones that never tested their backup systems. Backup systems were designed for business continuity scenarios like power outages, floods, or fires. They were not designed with out-of-the-box resilience to withstand intentional sabotage by criminals.

Most frustrating is the oft-quoted statements that there were no signs before the attack. This inaccurate statement is misleading and absolves the affected parties of all responsibility. I am not shaming the victim here. But events like ransomware attacks are like airline accidents. It takes a confluence of many factors that culminate in an incident.

Cybercriminals are more chefs than Jason Bourne or James Bond. The sophistication in their attacks lies in the way they stage the attack and use expertise where it counts. The actual ingredients they use are well-known malware or practices, referred to as tactics, techniques, and procedures (TTPs). And ransomware disruptions require longer dwell times and multiple touchpoints within your environment. Each touch, step, file change, login, upload, and so on is another chance for you to detect their presence and do something about it before it is too late.

Adversaries combine publicly available documents and information with stolen credentials or data sold on the dark web to build convincing phishing emails and fake websites. These lures are designed to trick unwitting victims into surrendering their passwords. In the early stages, you can search for compromised credentials on the dark web, detect concurrent log-ins, impossible travel events (consecutive log-ins from two geo locations in a time frame that eliminates travel as a possibility), or failed log-in attempts when criminals hit controls like multi-factor authentication. They aren’t even in, and you can catch them checking the door locks and rattling the windows.

Assuming they gain initial access, we can catch establishing, persistent access. Unusual administrative access, bandwidth spikes, new user accounts, and other well-documented tactics give away their presence. User and Entity Behavioral Analytics (UEBA) identifies suspicious actions committed by authorized accounts and devices, and the endpoint can detect changes and flag attempted sabotage of defensive controls. And then, of course, there are beacons calling back to bad guy headquarters, payloaders, lateral movement, and a plethora of TTPs that give away malicious activity.

There were plenty of signs. Post-event, your insurance company will find them, or their appointed incident response firm will. So, pretending there were no signs won’t help. As I say, ignorance is not bliss—it’s potential negligence or liability.

So why do ransomware attacks go unnoticed if there are so many early signs of compromise? Simple. Most companies don’t know where to look in the shadows to find the indicators. What you can’t see poses the most significant risk. Between the cloud, hybrid networks, and the darknet, there are countless gaps where threats can hide. Most companies are in the dark regarding what is happening in their environment. And no one likes to be in the dark alone.

That’s where Adlumin comes in. We illuminate threats to eliminate the risks. We illuminate threats that would have otherwise gone unseen with powerful automation that enables rapid action and continuous compliance. And our platform is backed by an expert team delivering human insights and trusted support.

That might sound like marketing (and it is) but is more than a well-honed tagline. I have been in the cybersecurity business for over 25 years, and I helped define Managed Detection and Response. I’ve seen nation-state attacks, rampaging ransomware gangs, and clever criminals take down companies of all sizes.

I joined Adlumin because they get it. They know where to look and how to respond to protect their customers. And I am proud to represent the experts who develop our products and analysts that work in our security operations centers. They face these sophisticated adversaries every day and stop their attacks before they shutter our customer’s operations.

There are ways of stopping ransomware attacks before you need to consider paying extortion fees or crossing regulatory lines. You can stop attackers before they stop you.

Will prohibition work for ransomware payments when it has failed to control alcohol and narcotics use and distribution? If we ask the pundits, the answer is no. The Nobel prize-winning economist Milton Friedman once likened prohibition to making water run uphill.

While payment ban legislation and bills line up like planes on final approach at a major airport at Thanksgiving, pragmatism and market pressures will decide the matter. As insurance coverage decreases, claim denials increase, and (fingers crossed) companies invest in cybersecurity strategies that reduce their risk, the efficacy of ransomware will erode, and criminals will find a new tactic.