Blog posts, webinars, and guides exploring ransomware prevention tips and platform capabilities against these attacks.
Key Takeaways
Play, also known as “PlayCrypt,” was discovered last summer disrupting government agencies in Latin America. Months later threat actors began using it for targets in the U.S. and Europe. Play, like most ransomware today, employs double-extortion tactics, stealing victim data before encrypting their networks.
Since August, the Adlumin MDR team has tracked separate Play ransomware attacks in different industries. In the attacks Adlumin observed, threat actors used the same tactics, techniques, and procedures (TTP) and followed the same order of steps — almost identically. Furthermore, the indicators of compromise (IOCs) for both incidents were almost indistinguishable.
One of those IOCs includes threat actors using the public music folder (C:\…\public\music) to hide malicious files. Another was using almost the same password to create high privilege accounts. And, in both attacks, many of the same commands were observed.
This high level of consistency in methods used by threat actors is telling. First, it highly suggests reliance on playbooks or step-by-step instructions supplied with RaaS kits. And second, the targeted victims shared a common profile; they were smaller organizations that possessed the financial capacity to entertain ransoms reaching or exceeding $1 million.
Purchasing RaaS kits is not difficult, it simply requires a TOR connection and membership to the right dark net forum or market. Once there, a highly experienced threat actor, or even a “script kiddie,” can browse RaaS advertisements.
Below are two ads that Adlumin acquired from RaaS operators peddling their products in the dark web.
Other ransomware ads obtained included those that offered “set-up assistance” “for as low was $200,” and those with “no fees.” Adlumin also observed advertisements offering full builds from $300 to $1100 “ready for deployment.”
One of the ads described the malware being offered as using “many cutting-edge evasion techniques including proprietary methods.”
And in some ads, RaaS operators boasted having ransomware kits for targeting MacOS systems.
“We have developed a new MacOS ransomware as we noticed a lack of it,” the ad read.
At least one post, stated that the ransomware for sale was what “the cool kids are using,” alluding that someone doesn’t have to be “cool” – or perhaps, highly skilled – to purchase and use it.
Script kiddies are individuals who possess fundamental hacking skills and the knowledge to deploy and execute exploits written by experienced threat actors. They’re able to learn new skills easily and eventually, often become “real hackers” themselves.
Since 2015, researchers have written about the ability script kiddies have for deploying ransomware and often working side-by-side with well-known threat actor organizations.
In March 2022, police in the UK arrested members of the Lapsus$ cybercriminal group known for targeting tech companies such as Okta, Nvidia, Samsung, and Microsoft. The raid included the arrest of teenagers and young adults with ages ranging from 13 to 21, according to the BBC. It’s not clear, however, if the youngsters were script kiddies simply due to their age.
With enough documentation and technical support – and with generative AI tools now being able to assist them as well – a script kiddie can be more than capable of carrying out an attack. However, attacks by these less-skilled individuals often include a higher degree of basic mistakes that make them easier for an organization with capable cybersecurity operation to stop.
For example, Adlumin has observed ransomware attacks foiled by its security operations platform or its MDR team during an attack’s early stages. In some cases, threat actors don’t even get the chance to encrypt files. There are also incidents where SOAR actions within the Adlumin platform disable accounts created by threat actors, effectively locking them out from the network. Sometimes attacks are carried out, but no data is exfiltrated.
Ransomware attacks are very lucrative, especially since 73% of companies attacked pay the ransom. And with double extortion becoming the norm, organizations that don’t pay are publicly shamed by RaaS operators on the clear or dark web.
For script kiddies of any age, ransomware may seem like a great way to make a living and become rich quickly. Also, with high unemployment rates in many countries in Latin America and other parts of the world, cybercrime may be seductive for underemployed or poorly paid computer programmers, or people in similar careers. According to DevelopmentAid.org, “[Poor countries] serve as training grounds for criminal groups in preparation for more ambitious attacks in developed countries.”
When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use. And since there are probably more script kiddies than “real hackers” today, businesses and authorities should take note and prepare for a growing wave of incidents.
IOCs, such as malicious IP addresses, domains, TOR addresses, emails, hashes, executables, and others discovered from an attack can be very useful to analysts, researchers, and law enforcement. They serve as clues to help put together what transpired during the incident and how. They can also offer some insight about the level of sophistication of the attackers.
When threat actors follow RaaS-provided playbooks, they will likely adhere to them closely on the first few attacks. They’ll make mistakes, and if those mistakes are big enough, they could serve as breadcrumbs for the authorities to follow.
Anything an attacker does in a network can help authorities if they are contacted after an incident. This is why investigators request that victims share any IOCs that could help with their investigations. Even if a business pays the ransom, details like Bitcoin or Monero addresses and transaction IDs, communication or chat logs with threat actors, the decryptor file, and a sample of an encrypted file can be very useful.
If a newbie or script kiddie isn’t meticulous with their work, the FBI could soon be knocking on their door.Conclusion
Ransomware attacks continue to be among the most prevalent cyber threats and increased by 37% in 2023. Companies should expect more ransomware attacks in the future, not less. And if more novice attackers are finding that ransomware attacks can be carried out easily with the help and support provided by RaaS operators, they’ll continue to frequent dark net forums to join the most inviting ransomware affiliate group.
At the same time, novice attackers are more likely to make mistakes since they are not as experienced, potentially leaving behind significant IOCs that the authorities can use to help track and apprehend them.
The Adlumin MDR Team will continue to monitor and stop ransomware attacks carried out by newbies and experts alike. Our security operations platform’s SOAR actions have been successful at foiling these attacks in their early stages, stopping cybercriminals on their tracks.
Furthermore, Adlumin now offers Total Ransomware Defense (TRD), a service specifically designed to detect ransomware activity and stop it. In the unfortunate case that files are encrypted, TRD is able to generate decryption keys to restore systems and networks.
Usernames
Objects
Paths
C:\\Users\\Public\\Music
\\Device\\HarddiskVolume3\\CollectGuestLogsTemp
Hash: null
C:\\Users\\Public\\Music
Hash:
b042bc03144919c0fed9d60c1f68eb04ed7
2c2f6
C:\\windows
Hash:
51d3d661774cc50bb22e62beafc4bc6029d
f2392
\\Device\\HarddiskVolume2\\Users\\it.ad
min\\AppData\\Local\\Google\\Chrome\\
User Data\\Default\\Cache\\Cache_Data
Hash: null
C:\\Windows
Hash:
51d3d661774cc50bb22e62beafc4bc6029d
f2392
\\Device\\Mup\\10.20.0.15\\C$\\$Recycl
e.Bin\\S-1-5-21-3568089881-786281157-
4253494709-1103
Hash: null
\\Device\\HarddiskVolume2\\Users\\AAD
_00864e0326c2\\AppData\\Roaming\\Mi
crosoft\\Windows\\Recent\\AutomaticDe
stinations
Hash: null
C:\\Users\\Public\\Music
Hash:
b042bc03144919c0fed9d60c1f68eb04ed7
2c2f6
\\Device\\Mup\\10.20.0.15\\C$\\Users\\
administrator\\AppData\\Local\\ConnectedDevicesPlatform
Hash: null
\\Device\\Mup\\10.20.0.15\\C$\\Package
s\\Plugins\\Microsoft.EnterpriseCloud.Mo
nitoring.MicrosoftMonitoringAgent\\1.0.1
8067.0\\Status
Hash: null
\\Device\\HarddiskVolume2\\ProgramDat
a\\USOPrivate\\UpdateStore
Hash: null
C:\\Users\\Public\\Music
Hash:
b042bc03144919c0fed9d60c1f68eb04ed7
2c2f6
\\Device\\HarddiskVolume2\\Users\\it.ad
min\\AppData\\Local\\Microsoft\\Windo
ws\\INetCookies
Hash: null
\\Device\\HarddiskVolume4\\Program
Files\\Microsoft Monitoring
Agent\\Agent\\APMDOTNETCollector\\W
eb\\Scripts\\V7.0\\js
Hash: null
C:\\PerfLogs
Hash:
b042bc03144919c0fed9d60c1f68eb04ed7
2c2f6
Many do not realize that most ransomware gangs operate as fully functional businesses that seek out unconventional buyers for your organization’s data. From having a help desk to offering services to free organization’s from losing data, they attempt to do business like any Fortune 500 company, and no organization is safe. Join us here at Adlumin as we take you through a ransomware gang’s mind to explore the thoughts and motives behind their attack and learn how to best prepare your organization.
By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team
A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is a part of Adlumin’s Threat Bulletin Series content series.
In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.
Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.
In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.
Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” alluding that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”1 Other news outlets, including CNBC, reported that Caesars paid $15 million.2
The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ransomware group, ALPHV.
The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.
On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”3 MGM also stated that it had notified law enforcement to help protect networks and data, including by “shutting down certain systems.”
According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,4 and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out-of-service or were displaying errors across MGM-owned casinos, including at the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. In addition, it was reported that thousands of guests had to wait in long lines for hotel check-ins and that credit card point of sales systems were down, forcing guests to pay cash.5
However, some of the same news outlets published statements from unvetted sources citing that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scatted Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.
“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.”
In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.
Numerous news media erroneously believed the threat actors had published the post to explain how they gained access to the MGM networks and used it in their reporting.
1. Screen capture of the 9/12/2023 post published by vx-underground.
At some point, ALPHV removed the reference to “vx-underground” and issued another update:
“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.
The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.
According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.
MGM operations resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its servers were down, which adds up to $40 million.6
Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.
How to Protect Yourself from Social Engineering
Verify
In Caesars Entertainment’s case, a simple vishing tactic, where a cybercriminal attempts to obtain information via phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.
An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth, for example. If the individual calling can provide you with all the correct information, you may need to think outside the box; what are the circumstances surrounding this issue? Is the caller experiencing the issue they’re asking about? For example, if the caller asks for a password reset due to an ‘account lockout,’ you should verify that the account is locked out before proceeding with assistance. Most organizations have a form of internal communications platform used for employee-to-employee messaging and the like. Some organizations even have a call roster with the employee’s personal number. Therefore, give the employee a quick call to verify that the individual is contacting you.
Training
Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.
This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.
Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.
Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.
Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.
By: Brittany Holmes, Corporate Communications Manager
In an interconnected world, the digital landscape has become the breeding ground for opportunities and dangers. Cybercriminals have taken advantage of this evolution every step of the way and have become more prevalent. As a result, all organizations are now targets. Staying one step ahead is imperative. For organizations to protect themselves and their assets effectively, they need to understand how threat actors adapt and refine their strategies.
The 2023 Cybersecurity Awareness Month’s theme celebrates 20 years of cybersecurity awareness. In relevance, we want to look back on the past 20 years to shed light on the significance of understanding a few prominent threat actors’ evolutions.
During the early 2000s, the internet was crawling with cybercriminals and script kiddies as primary threat actors. A script kiddie is a cybercriminal who uses existing code or computer scripts to hack into a computer. They usually lack the knowledge to come up with it on their own.
Motivated by a thirst for knowledge and the desire to showcase their technical skills, these individuals exploited vulnerabilities across networks. Their targets varied, encompassing everything from corporate entities to personal computing systems. Using a wide range of techniques, script kiddies mimicked the actions of their more experienced counterparts on a less sophisticated level. As time went on, their motivations began shifting towards financial gain.
As a result, advanced phishing and malware attacks started gaining traction within the digital world. These malicious actors honed their skills in deceiving unsuspecting individuals, often using highly sophisticated techniques to harvest personal information and turn it into profits. This transition marked a turning point in the world of cyber threats, setting the stage for more organized and financially driven attacks in the years to come.
The rise of nation-state actors has significantly impacted cybersecurity. One trend is the emergence of state-sponsored cybercriminals, who are employed by governments to sabotage operations and carry out cyber espionage. These cybercriminals are motivated by various factors, including gathering intelligence, financial gain, and gaining a competitive edge in certain industries. Their targets often include government agencies, defense contractors, and critical infrastructure.
Two Notable Cyberattacks:
These incidents demonstrate the extent to which countries are now leveraging cyberattacks as a strategic tool for achieving their geopolitical goals.
Between 2010 and 2015, groups such as Anonymous and LulzSec came onto the scene. Their targets and motivations were wide-ranging, as they aimed to challenge authority, expose secrets, and promote freedom of information. Using tactics like data breaches and DDoS attacks, these groups looked to disrupt and damage the systems and credibility of their targets.
Two Notable Hacktivist Groups:
Ultimately, hacktivist groups demonstrate cyber activism to challenge authority and expose injustices. Their actions, whether through DDoS attacks or data breaches, highlighted the potential power of the internet in promoting transparency and holding institutions accountable. This period also raised questions about the lines between activism, vigilantism, and criminal activity, forcing governments and corporations to adapt their cybersecurity measures in response to this new digital landscape.
Over the past few years, we have seen a significant shift in threats with a rise in APT groups. These groups have a specific goal and aim to infiltrate and maintain long-term access to systems and networks. Another growing threat in the cyber landscape is ransomware attacks. Unlike APTs, ransomware attacks focus on quickly encrypting or disabling systems data until a ransom is paid. The reason behind these attacks is usually financial gain. Ransomware groups target small and large businesses. What is particularly concerning about ransomware attacks is the evolution and sophistication of the strains being used.
Notable ATP Examples:
These attacks often target governments, corporations, and other high-value organizations, stealing sensitive information or conducting espionage.
Notable Ransomware Attacks:
The overall evolution of threat actors will continuously change and become more sophisticated. They are growing in scale, posing a significant risk to organizations of all sizes. Educating yourself and your organization on the latest threat actors can help prepare you.
The past two decades have shown a significant evolution in the cybersecurity landscape, particularly in the sophistication and complexity of threat actors. The market has shifted and now every organization, big or small, is a target. Organized groups have emerged, adding a new level of threat to mid-market organizations that previously believed they were too small to be targeted. The financial gains associated with cyber threats have become the main motivator, and it is crucial to recognize the evolving nature of these attacks in order to stay protected.
Stay tuned for our blog next week to explore the next steps to protect your organization from cyber threats.
Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes.
Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.
By: Brittany Demendi, Corporate Communications Manager
With the rise of ransomware attacks, it is more important than ever to be proactive when it comes to protecting your organization’s devices and networks. Knowing about the various types of ransomware, such as LockBit, BlackCat, and Medusa, is important. Additionally, it is essential to understand how ransomware affects a system and device, and the steps you should take to detect and stop ransomware before it is too late.
In this blog, we will discuss some of the most dangerous and widespread ransomware attacks, how they affect a system, and the steps you should take to prevent them from wreaking havoc on your organization.
The following section references trending ransomware attacks/gangs from Adlumin’s Threat Research Team.
LockBit:
LockBit is malicious software that blocks users’ access to their computer systems in exchange for a ransom payment. LockBit will automatically spread the infection, vet for other valuable targets, and encrypt systems on the network. Attackers have targeted organizations globally and have made their mark by threatening data theft, extortion, and operational disruption.
It is a self-spreading type of malicious software that does not require manual direction from the attacker. In addition, it uses tools like Server Message Block (SMB) and Windows Powershell to target an organization’s user rather than spread like spam malware.
LockBit attacks in three stages:
BlackCat:
BlackCat, also known as ALPHV, has been deemed one of the most threatening and sophisticated types of malware in recent years. BlackCat is considered ransomware-as-a-service (RaaS). Although there has been a decline, BlackCat is still dangerous as they target organizations globally using triple-extortion tactics. Cybercriminals use a malware-infected email or website link to lure in victims, quickly spreading across an entire system.
After BlackCat attackers gain initial access to a network, they begin lateral movement phases identifying sensitive data to later encrypt. It is difficult to remove and will attempt to disable anti-virus software and other security measures. Cybercriminals will also modify system files and settings to make a recovery more complex.
One of the main differences between BlackCat and other types of ransomware is that it is written in Rust programming language. There has been an increase in this type of language because it is stable, fast, and secure to evade existing capabilities while allowing for better memory management. BlackCat can also run on non-Windows operating systems like Linux.
Medusa:
Medusa has been picking up media coverage this past year with increased activity and the launch of their ‘Medusa Blog,’ where they leak data for victims who do not pay a ransom. They target globally and demand millions in ransom.
Medusa is known to shut down over 280 Windows processes and servers, including database servers, backup servers, and security software, and will prevent files from being encrypted. They claim to exfiltrate data from organizations and perform a double-extortion attack where the threat actor encrypts compromised systems and releases or sells the data publicly on their blog. Since they are relatively new, additional capabilities are still being discovered.
Ransomware is used in several different methods to infect an organization’s device or network. Some of the most common ransomware infection vectors include:
One of the most important steps for all organizations to protect themselves from ransomware is taking a proactive approach to cybersecurity by investing in the right solutions and technologies. In conjunction with a Security Operations Platform and Managed Detection and Response Services, implementing a solution specific to ransomware adds multiple layers of protection to an organization to proactively block ransomware from executing. If signs of a ransomware attack are detected, the attack can be stopped before the files are encrypted.
Typically, when a ransomware attack occurs, removing ransomware alone does not give you access to your files again. It will still require a solution and tool to prevent you from having to pay the ransom, with an encryption key to unlock it. Specifically, a multilayer ransomware defense solution will stop the ransomware before this stage is even needed. These solutions are not a replacement for threat management solutions but an added necessity to enhance your cybersecurity protection.
Adlumin’s threat experts work as an extension to your security team and can detect ransomware before havoc is reached and reduce an event’s impact. They can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.
On this week’s episode of Cyber Tide, VP and Chief of Strategy Mark Sangster and Co-founder and EVP Tim Evans are joined by Kevin O’Connor, former U.S National Security Agency (NSA) and Director of Threat Research at Adlumin. Listen in as O’Connor dives deep into the latest 2023 Threat Report, examining the rise of advanced persistent threats, emerging trends, and the changing tactics of adversaries.
Learn more about the increase in ransomware attacks and the strategies you can use to protect yourself from them. Don’t miss this essential episode as these experts uncover the world of threats lurking in dark corners.
Dive beneath the surface of infamous cybersecurity attacks to learn the means and motives of cyber adversaries. In each episode, we invite an expert to reveal the contributing factors and costs of cyber incidents and how your firm can protect itself from business-disrupting cyberattacks.
By: Mark Sangster, Chief of Strategy, and Kevin O’Connor, Director of Threat Research
Virulent Ransomware Gang Has Ties to FIN7 State-Sponsored Group
I discovered a rather clever adversary targeting investment firms in New York almost ten years ago. At the time, the group used Microsoft Macros to launch a fake Windows log-in pane to harvest credentials. Once an account was compromised, the adversaries would use it to send the phishing to the next victim. From that account, they moved to the next, and so on, until they captured key accounts at 70 funds. The number might sound small, but these firms managed billions in funds, so much so that the Security Exchange Commission (SEC) was concerned about a campaign to destabilize the economy, slowly crawling back from the 2008 subprime lending market collapse. The Russian-affiliated group was eventually labeled FIN7.
Fast forward to the present, and FIN7 crosses my desk. Yahoo! Finance asked me to comment on several ransomware attacks on food services and a grocery chain. It turns out the culprit, another Russian gang, Black Basta, had left its ransomware mark on over 50 victims since April of this year. According to SentinelOne research, there are trademark FIN7 (also called Carbanak) tactics and tools, including evasion tools and backdoor malware.
While FIN7’s original focus was financial data and institutions, a shift to a broader market, associations and the food industry is no surprise. Destabilizing food supply or heat utilities in the winter tend to create social angst and lead to eroded faith in the government to protect its citizens. While groups like Black Basta are primarily driven by financial gain, ideological impact as a byproduct is a free benefit.
Given the hostilities in Ukraine, Russian retaliation against western countries providing support to Ukraine was deemed fair game for cybercriminals (like they were ever offside). Many of these groups (like Black Basta) either operate with impunity in Russia or some level of collusion or coordination with Russian agents.
FIN7 and Black Basta share more than ideology; a political big brother to protect them and target organizations. FIN7 technology brought nation-state capabilities to smaller ransomware gangs before ransomware-as-a-service with a thing (RaaS). They set the benchmark for researching their targets and using tactics that emulate insiders or actors that appear to be “in the know” of confidential information.
Ransomware gangs, like Black Basta, leveraged multi-extortion techniques (not unique), with enviable defense evasion and late manifesting symptoms that hide their presence until the ransomware detonation. They also rely on commodity malware like living off-the-land exploitation techniques, including the ever-growing popularity of Quakbot, PowerShell, WMI, netcat (used for lateral tunneling), mimikatz, CobaltStrike, and Coroxy. They’re also known for using the PrintNightmare vulnerability (CVE-2021-34527) for lateral movement, which can run on Linux against VMWare hypervisors to encrypt multiple hypervisor-hosted systems.
While sophisticated, they still rely on unpatched vulnerabilities, broad administrative access, and unguarded entry points. Consider Black Basta master chefs who can make delicious meals with reliable ingredients. Similarly, their encryption algorithm, ChaCha20, uses a robust RSA-4096 key but requires administrative privilege to execute.
It’s a good news / bad news story. The bad news is that one of the most sophisticated ransomware gangs is back on the prowl. The good news is that they are mortal and can be stopped. They still use conventional tactics to infiltrate their targets: open vulnerabilities, unencrypted remote access points, exposed credentials, and over-provisioning administrative privilege. All of these tactics are detectable. Unfortunately, your insurance firm’s paneled incident response firm usually finds them as part of your claim.
The Center for Internet Security (CIS) is an excellent place for organizations to build a strong cybersecurity posture. CIS provides 18 controls for organizations of all sizes to safeguard data and mitigate cyber-attacks or ransomware attacks against their networks and systems. Here are just a few to get started with:
As co-founder and CEO of Adlumin, Robert Johnston is fond of saying even the biggest hacks had common factors and tactics. While companies were spending millions in the wake of massive data breaches, for a fraction of that cost, they could stop these common criminal chokepoints.
The Adlumin Security Operations Platform is designed to detect sophisticated tactics used by state-sponsored actors and provide simple response capabilities to disable compromised accounts, deactivate remote access services when suspicious activity is present, and identify event manipulation like creating unreconciled users or promoting account privileges. With Adlumin, you can stop these attacks early in the life cycle and prevent them from disrupting your business.
For more information, contact one of our cybersecurity experts for a demo to get started.
1140 3rd St. NE, Suite 340
Washington, DC 20002
(202) 570-7907
Copyright 2024 Adlumin, Inc. All Rights Reserved