The CyberWire Staff | thecyberwire.com
At a glance.
- Criminal attacks on medical organizations continue.
- Cybercriminals pester their victims through call centers.
- School districts recover from ransomware attacks.
- Foxconn attackers demand hefty ransom.
- Update on the Randstad incident.
Ransomware attacks on US medical organizations continue.
Greater Baltimore Medical Center (GBMC) in Maryland was added to the growing list of US medical institutions targeted by ransomware. GBMC announced Sunday that they’d experienced a “ransomware incident.” The Baltimore Sun reports that while no patient data were compromised, some scheduling was affected. Impacted patients have been notified of any changes.
Hello, it’s your attacker on the line.
When a ransomware victim can rely on system backups instead of agreeing to their attackers’ demands, the attackers have to get creative. ZDNet reports that ransomware gangs like Conti and Ryuk are using call centers to contact their victims and pressure them to pay up. “We think it’s the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants,” said Bill Siegel of cybersecurity company Coveware. The callers supply enough detail to prove they have insider information about the attack, then attempt to convince the victim that any tactics they’re using to restore their systems will not work and that forking over the ransom is the only solution. Galstan & Ward Family and Cosmetic Dentistry in the US state of Georgia were actually unaware they’d been hit by ransomware until the attackers called the office to demand payment, reports HackRead. Recent targets Arete IR and Emsisoft noted that the callers even reached out to their customers.
School districts rally after cyberattacks.
As the CyberWire recently noted, threat actors have been targeting US school districts, capitalizing on their reliance on virtual learning during the pandemic. This week several districts are recovering from attacks. Huntsville City Schools in Alabama returned to classes on Monday after an attack interrupted teaching last week, reports WAAY-TV. WesternMassNews.com reports that Springfield Public Schools in Massachusetts is offering free credit monitoring to current and former employees impacted by the district’s October breach. Similarly, Baltimore County Public Schools in Maryland is receiving emergency county government funds to cover credit monitoring costs for staff and students after the attack that took their systems down the day before Thanksgiving, WBAL-TV reports.
Foxconn discloses a ransomware attack (with a hefty ransom demand).
Foxconn, the largest electronics manufacturing company globally with annual revenue of $172 billion and over 800,000 employees, was the victim of a ransomware attack that targeted their facility in Mexico over Thanksgiving weekend, reports Bleeping Computer. The ransom note the attackers left on Foxconn’s servers demanded a staggering $34 million in bitcoin. As further incentive, the DoppelPaymer group has now published stolen Foxconn business documents on their ransomware site, just a small sampling of the one hundred GB they claim to have stolen. The Foxconn facility’s website is currently down as the electronics giant works to investigate the attack and bring the affected system back online. The DoppelPaymer gang told BleepingComputer, “We encrypted NA segment, not whole foxconn, it’s about 1200-1400 servers, and not focused on workstations. They also had about 75TB’s of misc backups, what we were able to – we destroyed (approx 20-30TB).”
We heard from a number of industry sources about the event. Andrea Carcano, co-founder of Nozomi Networks, draws two lessons: hitting deep-pocketed organizations is much more profitable than petty larceny attacks on individuals, and thus organizations should include ransomware response in their plans.
“Successful attacks such as DoppelPaymer demonstrate that extorting large organizations can be much more profitable than attacking unsuspecting individuals. The DoppelPaymer ransomware made headlines last year after attacking and extorting various large organizations. Targeted ransomware like DoppelPaymer, BitPaymer, SamSam, Ryuk and others attack large businesses because this tactic can be much more profitable than attacking unsuspecting individuals. Disruption to a company’s operations can be costly, which is something that threat actors leverage in their attempts to force victims to pay the requested ransom.
“DoppelPaymer isn’t the first ransomware to exfiltrate data and threaten to leak it if the requested ransom isn’t paid. We’ve also seen this with Maze ransomware, where exfiltrated data was released after companies refused to pay. Ransomware can pose a further threat in relation to the General Data Protection Regulation (GDPR).
“These kinds of ransomware scenarios should be factored into an organization’s incident response plans. Beyond a technical response, decision makers need to be prepared to weigh the risks and consequences of alternate actions. Ransomware threat actors typically rely on spear phishing links or vulnerable public services to gain initial entry into a network. Afterwards, they move laterally to gain access to as many nodes of the network as possible, allowing them to increase the magnitude of the disruption.
“To protect OT and IoT environments from ransomware, cybersecurity best practices such as strong segmentation, user training, proactive cyber hygiene programs, multi-factor authentication and the use of continuously updated threat intelligence, should be considered.”
Chloé Messdaghi, VP of Strategy at Point3 Security, taking note of the threat to operations as well as data security, also advises companies to work through ransomware response in their contingency planning:
“It’s most likely the attackers may have gotten into the operations side of things. This is a case that showcases a lack of zero trust practice and data backup done poorly.
“The very best way to avoid the havoc that ransomware can cause is to have a working plan in place. The first of four steps is to identify your business critical data, where it will be stored and how often it should be backed up. Next, create a backup plan that includes storage that’s not readily accessible through your network, and that’s protected by 2FA that’s complex, frequently changed, and known by only one or two people. We refer to the 3-2-1 approach: three copies of data stored across two mediums and one cloud storage provider. Third, take this approach and work it into a disaster recovery playbook. Finally, revisit and update that playbook at least quarterly – are your tools the same? Are your personnel the same? Are the data flows and regulatory requirements the same? A playbook that’s more than 60 days old is bound to be at least a little moldy, and likely outdated. With the recent spate of attacks, more companies are adopting the air gap approach.”
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, sees the attack as an example of growing criminal sophistication and capability:
“This is the new normal. Ransomware gangs have evolved from unsophisticated ‘Script kiddies’ to hacking experts with multimillion dollar budgets. Unfortunately, most businesses have not comparably improved their defensive posture, with many lacking even basic security hardening and monitoring capabilities to combat these skilled adversaries. The days of simply installing anti-virus and a firewall to protect organizations have long since passed. It’s too easy to get a phishing email through spam filters that contains a file attachment obfuscated such that the embedded exploit code isn’t caught by anti-virus. From there it’s off to the races for cybercriminals if you don’t have a hardened environment with continuous monitoring for suspicious activities. To protect themselves, organizations must adopt a culture of security starting with executive leadership to prioritize the safety and security of the systems and data in their company. Security awareness training to spot phishing emails as well as best information security best behaviors is a crucial component of an effective security program, but it is only the first step. Organization wide convergence on information security best practices as well as capabilities to identify suspicious behaviors either by cybercriminals or trusted insiders are essential to mitigating costly breaches.”
Saryu Nayyar, Gurucul‘s CEO, also sees the attack as evidence of greater criminal capability:
“This is the second major breach of an OEM fab in as many months. It shows the attackers are becoming more sophisticated, going after bigger game, and improving their business model. We can expect this to become their new standard model. Break in. Steal data to use for extortion. Deploy ransomware. Profit. It is a win-win for them, and a lose-lose for the victim even if they have backups in place to deal with a ransomware attack.
“Organizations need to up their game if they want to avoid becoming the next news-worthy breach. User education, MFA, and a solid perimeter can help keep attackers from getting in. While inside, a robust security stack, with security analytics, can help identify a breach and mitigate it before the attackers steal data or encrypt systems.
“We can only hope the international law enforcement community will rise to the occasion and do their part, because these cybercriminals show no sign of stopping on their own.”
James McQuiggan, Security Awareness Advocate at KnowBe4, observes that, not only did the attackers demand a noticeably large ransom, but that their successful attack on backups calls into question simple backup as a hedge against ransomware:
“Over the past year, Doppelpaymer and the Maze cybercriminal groups have been requesting significantly higher ransom amounts for data encryption and exploitation. Usually, they target around one to two percent of the organization’s overall profits, but the amount requested is lower. Thirty-four million out of 172 billion dollars is no small amount, but it is undoubtedly payable in the grand scheme of things.
“The cybercriminals were able to delete many of the servers’ primary backups, so it’s crucial to reduce the risk of productivity loss and have offline backups, so there is the opportunity to recover quicker.”
And ImmuniWeb’s Ilia Kolochenko sees more such attacks to come in the near future:
“There is no doubt that ransomware is poised to surge in 2021: it offers a safe harbor for cybercriminals to make a lot of money rapidly and virtually with no risk. Usage of crypto-currencies enable the wrongdoers to enjoy safe and untraceable payments, while sophistication of attacks make forensics and investigation extremely time-consuming and expensive. Moreover, even in rare cases when law enforcement manages to identify the perpetrators, they are usually located in overseas jurisdictions reluctant to cooperate with the Western judicial system. The FBI has urged victims of ransomware not to pay the extortionists but under some circumstances payment is the sole economically sound avenue to get your data back. Importantly, payment of a ransom is no guarantee that your data won’t eventually end up on the Dark Web.”
Comment on the Randstad ransomware incident.
Randstad is in the process of recovering from an attack that deployed Egregor ransomware against the staffing company’s systems. We received reactions to the attack from some security industry executives. For one, Saryu Nayyar, Gurucul’s CEO, sees the attack as more of the same.
“The attack on Randstad follows a now-familiar pattern. The attackers get in, exfiltrate valuable data, plant ransomware to encrypt their victim’s data, then demand a ransom while extorting them with the threat of releasing the stolen data. It is a win/win for the attacker, with the victim losing either by paying up, or suffering the public disclosure of their sensitive data. Organizations need to improve their entire cybersecurity stack, including everything from user training to advanced security analytics, to stay ahead. An up-to-date security stack and appropriate process will let them quickly identify a breach before it can escalate and, hopefully, prevent it from happening in the first place.”
Chloé Messdaghi, VP of Strategy at Point3 Security, thinks Randstad appears to have had a fairly well-thought-through response plan in place:
“As far as we know, Randstad never received a ransom note related to this attack, which is interesting. Since what makes ransomware so effective is if the attackers can slow down or shut down operations, they can then demand a ransom. In this case, though, from what we have learned, their operations weren’t slowed down, and companies typically pay ransom when they are. And kudos to Randstad for that – they did a good job at making sure that if they WERE ever compromised, that their data would be safe in other areas. We refer to the 3-2-1 approach: three copies of data stored across two mediums and one cloud storage provider, so you can recover from any of those three locations. The only way to avoid ransomware on backup systems is to have a plan in place, revisit it regularly, and back up very often. And there’s a good chance this is the exact kind of plan Randstad had in place.
“It’s important to note, though, that this HAD to have come from a phishing email, which means someone DID click on a link. This is yet another reminder to ensure your entire organization is always aware. Every single employee needs to understand how important they are in this chain of security. Every single person has the potential to be compromised, which could open up the entire organization. Just one person! Making sure everyone understands the potential effects of clicking on a link without confirming it first is so very important. Look at the details of the sender, make sure you’re fully awake, make sure you’ve had your caffeine, be on your toes at all times.”