The Chertoff Group

BULLETIN ON RECENT RANSOMWARE AND DISRUPTIVE ATTACKS

Summary

The first half of 2020 has yielded multiple significant developments on ransomware and related disruptive attacks, including new targets and evolving tactics, techniques and procedures (TTPs). These trends require priority attention across all functions with security-related responsibilities. By better understanding these events and their risk implications, our clients and partners can more effectively manage ransomware risk and apply appropriate safeguards.

Recent Events

  • In June 2020, Honda Motor Company was victimized by a ransomware attack that impacted the American Honda Finance Corporation, rendering the group unable to answer calls, fund contracts, provide payoff quotes or service customer accounts. Factory production was temporarily suspended due to safety concerns. [1]
  • In May, Fresenius, Europe’s largest private hospital operator, was infected by ransomware that disrupted some IT operations but not patient care. [2]
  • In April, several Israeli water sector asset owners reported abnormal equipment operations now believed to be the result of coordinated cyber attacks on internet-accessible programmable logic controllers (PLCs). [3]
  • Earlier this year, foreign exchange company Travelex paid one of the largest ransoms ever reported, $2.3 million, after its systems were encrypted by the Sodinokibi ransomware. [4]
  • Starting late last year, the operators of Maze ransomware (which steals data before encrypting it) launched a “shaming site” that exposes victims and their stolen data if payment is delayed. [5] Maze has recently victimized major IT services firms and a nuclear weapons contractor. [6]
  • Finally, in late June 2020, Symantec reported detecting a string of attacks against U.S. companies in which attackers attempted to deploy a relatively new ransomware family, WastedLocker, attributed to the Russian crime group Evil Corp. Symantec has thus far identified 31 major U.S. corporations targeted with WastedLocker, with a focus on the manufacturing sector. [7]

What has changed, and why is it important?

  • Industrial environments targeted: The malware in the Honda and Fresenius attacks has been linked to the EKANS/SNAKE ransomware family. [8] Unlike most ransomware families, EKANS/SNAKE includes functionality aimed at operational technology (OT), which encompasses industrial control systems (ICS). Historically, ransomware has infected enterprise IT environments to encrypt corporate data and systems; while highly disruptive and costly, those attacks have generally not caused industrial impacts or safety concerns. Analysis of the EKANS strain shows that, before encrypting files, it forcibly stops a list of processes, several of which relate to ICS operations (such as data historian and HMI components). Stopping those processes threatens loss of view over a process even though the ransomware does not itself manipulate controllers, although it is not clear that EKANS succeeded in impacting industrial systems at Honda. [9] While the attack on Israeli water systems did not appear to involve ransomware, it demonstrates how exposed internet-accessible PLCs are to disruptive attacks.
  • Data theft as a precursor to encryption: As observed in recent Maze incidents, attackers exfiltrate data before deploying ransomware and use exposure of that data as an additional extortion lever. As organizations improve their ability to back up and restore data after a ransomware attack, attackers have turned to data theft for additional leverage, so a tested backup alone no longer ends the incident. [10] Maze “shaming” sites post victims’ names and stolen data, including sensitive information; if victims delay ransom payment, more is exposed. Other ransomware operations, including Sodinokibi and DoppelPaymer, have since been observed using the same technique to pressure victims into faster payment. [11]
  • Targeting of healthcare entities during the COVID-19 pandemic: Attackers appear to be capitalizing on the urgency facing the healthcare community by activating ransomware deployments, in some cases months after first establishing access and persistence in victim networks. For example, NetWalker ransomware operators recently targeted hospitals and healthcare providers with emails claiming to offer information about COVID-19. [12] Relatedly, Parkview Medical Center in Colorado fell victim to a ransomware attack that shut down its IT systems, forcing it to rely on paper records while treating COVID-19 patients. [13]
  • Size of ransom demands grows: Recent reporting indicates that the Russian crime group Evil Corp, mentioned above, has demanded ransoms as high as $10 million. [14] Separate reports indicate that in April 2020 attackers threatened to publish 10 TB of data stolen from Energias de Portugal (EDP) unless it met a ransom demand of £10 million ($11 million USD). [15]
  • Litigation trends evolve: Litigation continues over the 2017 NotPetya incident [16], attributed to Russia [17], which impacted numerous global companies including Merck, Maersk and FedEx. Merck took its insurers to court after they denied coverage, on “act of war” grounds, for its estimated $1.3 billion in costs. [18] Likewise, FedEx faces shareholder class action litigation alleging that it gave investors false assurances that the impact from NotPetya was minimal and that customer volumes were being restored to pre-attack levels. [19]

Cyber Risk Management

Consider reviewing the following points with security, IT and business stakeholders:

  • Review authoritative guidance on ransomware from the Department of Homeland Security (https://www.us-cert.gov/Ransomware and https://www.us-cert.gov/ncas/tips/ST19-001) and the MITRE ATT&CK entry for technique T1486, Data Encrypted for Impact (https://attack.mitre.org/techniques/T1486/).
  • Risk-based layered defense: Gain visibility into your most critical assets, including any internet-exposed OT devices such as PLCs, and ensure commensurate defenses are in place both at the boundary and on the assumption that an adversary has already obtained initial access. Conduct focused testing and audit to confirm that hygiene is maintained and that security tools are fully deployed and operating effectively. Initial access vectors for ransomware have included malicious websites and spoofed news alerts, invoices and other documents sent via email, so ensure user awareness.
  • Resiliency: What if your organization is hit by an EKANS or Maze variant? Will the incident response and business continuity/disaster recovery programs limit the damage, including to OT systems? Are protocols in place for containment and remediation? Are backups kept offline and tested for restoration, and does the plan account for stolen data that backups cannot recover? If payment became necessary, how would you access bitcoin?
  • Information sharing: Determine whether your firm participates in an Information Sharing and Analysis Organization (ISAO) or a sector ISAC so that, as new threat information on ransomware variants or other malware becomes available, your security teams learn of it and can act on it.
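The two behaviours this bulletin calls out, EKANS forcibly stopping ICS-related processes before it encrypts, and the bulk file encryption that ATT&CK T1486 describes, are both detectable from ordinary host telemetry. The following is an added example written for this bulletin, not code from The Chertoff Group or from any of the cited vendors. It runs a small sliding-window detector over constructed sample log lines; the process names in the watchlist, the ".locked" file extension, the thresholds and the "timestamp|host|event|detail" log format are all assumptions for illustration, not the malware's actual kill list or any product's log schema.

```python
"""Added detection example (not part of the Chertoff Group bulletin): a small
sliding-window detector run over constructed host telemetry. It flags (1) a host
that forcibly terminates several ICS-related processes in a short window, the
pre-encryption behaviour the bulletin attributes to EKANS, and (2) a host that
rewrites many files in a short window, the bulk-encryption activity described by
ATT&CK T1486. Process names, file extension, thresholds and log format are
assumptions for illustration, not the malware's actual kill list or telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed watchlist of ICS-related process names; replace with the names of the
# historian, HMI and engineering software actually present in your environment.
ICS_WATCHLIST = {"historian.exe", "hmi_server.exe", "opcua_srv.exe", "plc_bridge.exe"}

KILL_THRESHOLD, KILL_WINDOW = 3, timedelta(seconds=30)    # watchlisted kills per host
WRITE_THRESHOLD, WRITE_WINDOW = 5, timedelta(seconds=10)  # file rewrites per host

# Constructed sample telemetry in an assumed "timestamp|host|event|detail" format.
# hmi-01 shows the malicious pattern; eng-02 shows benign engineering activity.
SAMPLE_LOG = r"""
2020-06-08T03:14:01|hmi-01|proc_terminate|historian.exe
2020-06-08T03:14:02|hmi-01|proc_terminate|hmi_server.exe
2020-06-08T03:14:03|hmi-01|proc_terminate|opcua_srv.exe
2020-06-08T03:14:05|hmi-01|file_write|C:\Data\trend_2020-06-07.csv.locked
2020-06-08T03:14:06|hmi-01|file_write|C:\Data\trend_2020-06-06.csv.locked
2020-06-08T03:14:06|hmi-01|file_write|C:\Data\alarms.db.locked
2020-06-08T03:14:07|hmi-01|file_write|C:\Data\recipes.xml.locked
2020-06-08T03:14:08|hmi-01|file_write|C:\Data\batch_log.txt.locked
2020-06-08T03:20:10|eng-02|proc_terminate|notepad.exe
2020-06-08T03:20:12|eng-02|proc_terminate|historian.exe
2020-06-08T03:21:30|eng-02|proc_terminate|hmi_server.exe
2020-06-08T03:30:00|eng-02|file_write|C:\Projects\plc_logic.acd
2020-06-08T03:31:00|eng-02|file_write|C:\Projects\plc_logic.bak
"""


def parse_line(line):
    """Split one telemetry line into (timestamp, host, event type, detail)."""
    ts, host, event, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event, detail


def window_alerts(events, event_type, window, threshold, match=lambda detail: True):
    """Return {host: first_timestamp} for each host where at least `threshold`
    events of `event_type` whose detail satisfies `match` fall inside `window`."""
    recent = defaultdict(deque)  # per-host timestamps of matching events
    alerts = {}
    for ts, host, event, detail in events:
        if event != event_type or not match(detail):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop events that have aged out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = q[0]  # record the start of the burst once per host
    return alerts


def detect(log_text):
    """Run both detections over raw log text and return the alerts per rule."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    return {
        "ics_process_kill": window_alerts(
            events, "proc_terminate", KILL_WINDOW, KILL_THRESHOLD,
            lambda d: d.lower() in ICS_WATCHLIST),
        "mass_file_rewrite": window_alerts(
            events, "file_write", WRITE_WINDOW, WRITE_THRESHOLD),
    }


if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_LOG).items():
        for host, first_seen in hits.items():
            print(f"ALERT {rule}: host={host} first_seen={first_seen.isoformat()}")
```

In production the event feed would come from an EDR agent or from Sysmon (Event ID 5 for process termination, Event ID 11 for file creation) rather than a text file, and the thresholds must be tuned against a baseline: backup agents, antivirus scans and engineering-workstation builds all produce legitimate write bursts, so exclude those processes explicitly rather than raising the threshold until the rule never fires. Because EKANS stops processes before it begins encrypting, the process-kill rule can fire before files are damaged, which is the window in which isolating the host still prevents loss.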

The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat and risk-informed cyber defenses. Contact info@chertoffgroup.com for more information.

[1]https://www.nytimes.com/2020/06/12/business/ransomware-honda-hacking-factories.html. Energy firm Enel Group was also targeted, although the company asserted that “no critical issues have occurred concerning the remote control systems of its distribution assets and power plants, and … customer data have not been exposed to third parties.” See https://www.bleepingcomputer.com/news/security/power-company-enel-group-suffers-snake-ransomware-attack/
[2]https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware/
[3]https://wawarn.org/documents/cyber-threat-actor-disrupts-israeli-water-infrastructure.pdf
[4]https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800
[5]https://www.darkreading.com/threat-intelligence/maze-ransomware-operators-step-up-their-game/d/d-id/1337756
[6]https://threatpost.com/nuclear-contractor-maze-ransomware-data-leaked/156289/
[7]https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
[8]https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/
[9]https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations
[10]https://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist/
[11]https://www.darkreading.com/threat-intelligence/maze-ransomware-operators-step-up-their-game/d/d-id/1337756
[12]https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
[13]https://healthitsecurity.com/news/ransomware-shuts-down-colorado-hospital-it-network-amid-covid-19
[14]https://www.zdnet.com/article/new-wastedlocker-ransomware-demands-payments-of-millions-of-usd/
[15]https://www.cpomagazine.com/cyber-security/ransomware-attack-on-portuguese-energy-company-edp-shows-increasing-trend-toward-public-leaking-of-sensitive-information/
[16]https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
[17]https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25/
[18]https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war
[19]https://www.lexology.com/library/detail.aspx?g=7dcd757c-1555-4f5b-8a83-4b7a48941b24
