Posts

Kaseya VSA Security Incidence

Overview | Kaseya VSA

On July 2, 2021, right before Americans started their long, Independence Day weekend, hackers once again made their way to the top of the news headlines. This time, the victim of the largest ransomware attack was Kaseya, a technology company that sells its technology to other third-party providers, mainly managed service providers (MSPs).

Speculations have suggested that the attack was yet another supply-chain ransomware attack. Multiple security firms and researchers have concluded that the attackers chose to exploit a zero-day vulnerability rather than tampering Kaseya’s codebase to distribute the malware. REvil/Sodinokibi ransomware threat actors were found to be responsible for the attack, exploiting a zero-day vulnerability to remotely access internet facing Kaseya VSA servers. Using this method, they hacked through less than 40 VSA servers and were able to deploy the ransomware to over a thousand enterprise networks.

What is Kaseya VSA?

Kaseya VSA, the Virtual System/Server Administrator is marketed as an endpoint management and network monitoring system that allows its client to have a unified remote monitoring and management platform. Users can perform functions such as remote controls to end-user computers, discovery and inventory on a client’s infrastructure, patch management to have a centralized system deploying software updates across all endpoints and monitoring and alerting of incident across the network. This makes it a convenient solution for MSPs to remotely manage their customer’s IT infrastructure and provide IT support and cybersecurity services to multiple enterprises. Kaseya VSA is also designed to have administrator rights provided down to all client systems.

In this incidence, an attacker had abused Kaseya VSA’s auto-update function and maliciously pushed the REvil ransomware onto Kaseya’s clients. This allowed the ransomware to reach to more victims, not only affecting Kaseya VSA customers but also the customers of MSPs that are using Kaseya VSA systems.

Kaseya Ransomware Timeline

Timeline of how the attack affected MSPs client systems

What Happened?

Various articles and researchers have concluded that attackers leveraged the standard VSA product functionality to deploy ransomware to the endpoint users. The attacker had exploited the zero-day vulnerability currently assigned the CVE-2021-30116 identifier.

The Kaseya zero-day vulnerability was discovered by Dutch Institute for Vulnerability Disclosure [DIVD] researcher Wietse Boonstra in early April, and had been shared with Kaseya prior to its exploitation in these ransomware attacks. Unfortunately, REvil attackers had managed to find the security flaw and attack by exploiting the vulnerability before Kaseya was able to issue or release a patch, resulting in this large-scale ransomware infection.

Given that the incident is currently in the middle of the investigation and patching stage, full details of the zero-day vulnerability “CVE-2021-30116” are currently not disclosed to the public. However, various research suggests that this vulnerability allows a remote non-authenticated attacker to compromise the affected system. To exploit this vulnerability, the attacker sends a specially crafted request to the affected application. Researchers have also concluded that the attacker managed to bypass authentication on the internet facing VSA web panel, exploit an arbitrary file upload, and execute commands via SQL injection on the VSA appliance.

Evidence of an executable code containing actions that would disable existing user sessions, remove IIS logs, and other cleanup activities has also been found. This attack appears to be geographically dispersed and the impact appears to have been restricted to systems running the Kaseya software.

The attack distributed its malicious payload in the form of a “Kaseya VSA agent hot-fix” launching the malicious software update package that targeted customers of MSPs and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform. The VSA appliance that had deployed a “Kaseya VSA agent hot-fix” package was observed to have bypassed antivirus solutions using an older and vulnerable version of the Microsoft Defender app, which it used to encrypt local workstations.

After compromising an MSP that utilizes Kaseya VSA, the attackers subsequently disabled the client’s administrative access to their respective Kaseya VSA platform, allowing the attackers to gain administrative access to all endpoints managed by Kaseya VSA. Upon gaining administrative access, the attackers were observed attempting to disable Microsoft Defender Real-Time Monitoring via PowerShell and deploy the ransomware.

REvil Ransomware

Various evidence, such as ransom notes dropped onto the infected systems, revealed that this cyber incident was closely tied with REvil/Sodinikibi ransomware group. The REvil ransomware group had also stepped forward to confirm associations with this attack after claiming the responsibility on its Dark Web leak site.

This is not the first time that the REvil ransomware group had topped news headlines. However, in this attack, REvil’s operators took a different approach in how they negotiate the ransom. REvil attacks can use multiple encrypted file extensions and typically will provide a decryptor that decrypts all encrypted extensions. In this attack, REvil demanded ransom payments made for each individual encrypted file extension found on a victim’s network, as opposed to their usual method of providing one decryptor to decrypt all encrypted file extensions.

The attackers are willing to provide a universal decryptor for victims of the attack, but only under the condition that they are paid $70 million in Bitcoin. The value has reportedly recently been lowered to $50 million.

REvil representatives have also responded to victims during the negotiation stage that in this attack, they had only encrypted networks and nothing more. Based on this information, it was suggested that REvil did not steal any victim’s data, which is typically what they utilize as a factor during the negotiation stage. This also indicates that the ransomware operation did not access the victim’s networks before the attack; however, it is still uncertain as to the extent of damage that was brought to the victim’s environment.

Riding the Waves

It is not a surprise that upon a new zero-day vulnerability disclosure or vulnerability being exploited by a cybercriminal group, other threat actors would take advantage of this opportunity and ride on the waves. Not long after the Kaseya attack, a new malspam campaign was observed containing various subject titles claiming to contain patch for Kaseya vulnerability. The attachment found in this malspam campaign appears to drop Cobalt Strike malware likely targeting users utilizing Kaseya products. Cobalt strike malware attachments appear to be the first malware that was found in the wild exploiting the current Kaseya situation.

MITRE ATT&CK

The following are the MITRE ATT&CK Tactics and Techniques associated with the Kaseya attacks:

Tactics Techniques
Resource Development Obtain Capabilities: Vulnerabilities (T1588.006)
Resource Development Obtain Capabilities: Exploits (T1588.005)
Initial Access Exploit Public-Facing Application (T1190)
Execution Command and Scripting Interpreter: PowerShell (T1059.001)
Persistence Hijack Execution Flow : DLL Side-Loading (T1574.002)
Defense Evasion Masquerading : Rename system utilities (T1036.003)
Defense Evasion Impair Defences: Disable or Modify Tools (T1562.001)
Defense Evasion Deobfuscate/Decode Files or Information (T1140)
Defense Evasion Hijack Execution Flow: DLL Side-Loading (T1574.002)
Defense Evasion Indicator Removal on Host: File Deletion (T1070.004)
Defense Evasion Modify Registry (T112)
Defense Evasion Subvert Trust Controls: Code Signing (T1553.002)
Impact Data Encrypted for Impact (T1486)

General Recommendations

Given that the vulnerability is newly discovered, there is still a lot of uncertainty about this attack and how it would affect clients utilizing Kaseya VSA software. As such, it is advised for clients utilizing Kaseya VSA software to have all on-premises VSA Servers to remain offline until further instructions from Kaseya on when it is safe to restore operations when a patch is made available to the public.

We strongly recommend to follow the guidelines by Kaseya, FBI and CISA if you use Kaseya VSA for your IT infrastructure and/or to reach out to your MSP if you are currently leveraging one for any IT-related management.

It is important to note that Proficio does not use Kaseya or any of its products.  If you have questions, please do not hesitate to contact your Customer Success Manager or Security Advisor.

 

Lessons Learned: Ransomware Attacks in 2021

While ransomware attacks in 2021 never cease to stop, several high-profile occurrences in the first half of the year gained swift notoriety for either the scale of damage they inflicted or the targets they focused on. Here are four of the biggest attacks, and the lesson that can be learned from each.

Colonial Pipeline

A natural place to begin is with the most severe cyber-attack to ever target critical infrastructure in the United States. Instigated by the DarkSide ransomware group, this has been one of the most newsworthy ransomware attacks in 2021, targeting the IT environment tied to a pipeline system that extends from Texas to New York.

Hackers used a VPN account and a leaked password to gain access to the Colonial Pipeline network. The attack was noticed on May 7, 2021, when an employee saw a message on a computer screen in the control room, demanding a cryptocurrency payment. An operations supervisor decided to respond to the attack by taking the unprecedented step of shutting the entire pipeline down.

Colonial Pipeline decided to make the ransom payment of $4.4 million in bitcoin – and as a positive turn, with the help of the FBI, part of the payment has been recovered. The disruption to the pipeline lasted five days before normal operations resumed.

Takeaway: Use multi-factor authentication so that even if a password becomes compromised, hackers need to provide an additional category of evidence to access a resource on your network.

Acer

Taiwanese computer manufacturer Acer became the victim of another notable ransomware attack in March 2021. It’s believed a Microsoft Exchange vulnerability provided an entry route into Acer’s network.

The REvil ransomware group demanded a $50 million payment to return stolen data, releasing samples on the dark web. It’s not publicly known whether Acer paid the ransom.

 Takeaway: Hacking groups don’t keep a 9-5 schedule. It’s critical for organizations to use 24-7 monitoring solutions that constantly seek out new types of attacks, critical vulnerabilities, and suspicious behavior on your network. A dedicated security operations team can provide 24-7 incident monitoring, detection, and response.

Sierra Wireless

Among several high-profile technology companies hit by ransomware attacks in 2021 was the wireless communications equipment designer and manufacturer, Sierra Wireless. The attack targeted both the company’s internal IT systems and corporate website.

Production at the company’s manufacturing locations was temporarily halted while the company quickly initiated measures to counter and contain the damage. While the internal network and corporate website remained affected for a few days, any customer-facing products and services weren’t impacted.

Takeaway: The swift response during the Sierra Wireless attack is critical for rapid threat containment. Fast action can make the difference between an attempted hack and a devastating breach, which is why automated response solutions are essential for modern organizations.

Scripps Healthcare

Finishing things off is one of the most targeted industries – healthcare. In May 2021, a hospital in our own backyard was taken offline for almost a month due to a sophisticated ransomware attack.

While not much is currently known about this attack, during the same timeframe, we saw a similar attack take down Ireland’s Health Service Executive. This attack was due to an employee that unknowingly clicked a malicious link, and the cybercriminals demanded almost €15 million to return 700 gigabytes of confidential patient data.

Takeaway: Opportunistic hackers don’t take ethical or moral considerations into account when looking for targets to exploit. Knowing the signs of a ransomware attack in its early stages is key to stopping cybercriminals before they get into your networks.

 

Conclusion

While the ransomware attacks in 2021 that make media headlines often involve public infrastructure, health services, and large corporations, these incidents can happen just as easily on small to medium businesses. As we often say – it’s not a matter of if you’ll be attacked, but when – so regardless of the size of your company, preparation is vital to staying safe.

DarkSide Ransomware

Overview | Darkside Ransomware

DarkSide ransomware was first discovered in the wild in August, 2020. It runs a Ransomware-as-a-Service (RaaS), whereby affiliates are able to deploy the ransomware for a fee or a cut of the proceeds from successful ransom payments.

The DarkSide ransomware group was brought to mainstream attention due to the recent ransomware attack against Colonial Pipeline. The Proficio Threat Intelligence Team posted information and articles about the Colonial Pipeline attack in our Twitter Feed. Below, we provide more detailed findings based on our research of DarkSide ransomware.

What We Know About the DarkSide Ransomware Group

DarkSide ransomware group attacks are highly targeted, and affiliates are able customize the ransomware executable for the specific organization they are attacking. Organizations that are targeted typically have the finances to pay large ransom amounts. After the attack on Colonial Pipeline, the DarkSide ransomware group has publicly stated that they are apolitical and their goal “is to make money, not create problems for society”.

However, affiliates are not allowed to attack organizations from the following sectors:

  • Healthcare
  • Funeral services
  • Education
  • Public sector
  • Non-profit organizations
  • Government sector

The DarkSide ransomware group also has a website where they publish data stolen from victims who refuse to pay the ransom. This is a method of further pressuring victims to pay, following a trend observed among ransomwares throughout 2020, including DoppelPaymer and REvil/Sodinokibi.

How DarkSide Ransomware Attacks Work

The initial entry method of DarkSide ransomware attacks can vary depending on the affiliate carrying out the attack. There is currently no public information on the initial entry method used in the attack on Colonial Pipeline, however example methods observed from past DarkSide ransomware attacks include:

  • Exploiting hardware/software vulnerabilities
  • Exploiting remote access services (such as RDP)
  • Access victim’s network using legitimate credentials, obtained by:
    • Phishing attacks
    • Password attacks (such as password spraying)
    • Purchasing from a third-party source

After gaining access to the victim’s environment, the attackers will move laterally throughout the network and perform internal reconnaissance to gather information before encrypting data. The following have been observed being utilized in previous attacks for reconnaissance/lateral movement:

  • PSExec
  • RDP connections
  • SSH
  • Mimikatz
  • Cobalt Strike
  • BloodHound

Information gathered during the internal reconnaissance also includes credentials stored in files, memory and domain controllers; the stolen credentials are then used to access privileged accounts. PowerShell commands are executed to delete shadow copies which wipes backups and file snapshots to prevent recovery.

Stolen data is exfiltrated before deploying DarkSide ransomware to encrypt the victim’s files. Upon successful encryption, the ransomware appends a victim’s ID as an extension to file names. A ransom note with the naming convention of “README.[victim’s_ID].TXT” is dropped onto the victim’s device with instructions for the victim to access a Tor website using a Tor browser to pay the ransom – and if unpaid, they threaten to publish the stolen data.

Example of a Ransom Note Darkside Ransomware

Figure 1- Example of a Ransom Note

Known DarkSide Affiliates

As previously mentioned, DarkSide ransomware can be used by different affiliates and as such, different Darkside attacks can utilize different tools and tactics depending on the affiliate. Below are examples of different attack flows by three affiliates that were identified by FireEye.

UNC2628

This affiliate group is suspected to have used a password spraying attack against the victim’s VPN to gain initial access into the environment. The attackers utilized Cobalt Strike beacons for C2 communications and Mimikatz for credential theft. Lateral movement was performed using RDP connections and Cobalt Strike.

The attackers exfiltrated stolen data using Rclone, a command line utility to manage files for cloud storage applications, to cloud-based storages. DarkSide ransomware is then deployed using PsExec.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Credential Access [TA0006] Brute Force: Password Spraying [T1110.003]
Initial Access [TA0001] Valid Accounts [T1078]
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Credential Access [TA0006] OS Credential Dumping [T1003]
Lateral Movement [TA0008] Remote Services: Remote Desktop Protocol [T1021.001]
Command and Control [TA0011] Application Layer Protocol: Web Protocols [T1071.001]
Execution [TA0002] Command and Scripting Interpreter [T1059]
Execution [TA0002] System Services: Service Execution [T1569.002]
Exfiltration [TA0010] Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

UNC2659

This affiliate group gains initial access by exploiting the SonicWall vulnerability CVE-2021-20016. After gaining access to the victim’s environment, the attackers download the tool TeamViewer from the official website onto the victim host to establish persistence within the environment.

This group was also observed utilizing Rclone for data exfiltration, which is downloaded from the official website onto the victim host. The stolen data is exfiltrated to cloud-based storages.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Initial Access [TA0001] Exploit Public-Facing Application
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Command And Control [TA0011] Remote Access Software [T1219]
Execution [TA0002] Command and Scripting Interpreter [T1059]
Exfiltration [TA0010] Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

UNC2465

This affiliate group utilized a backdoor named “SMOKEDHAM” to gain access to the victim’s environment, which is delivered via phishing emails and legitimate services such as Google Drive and Dropbox. Advanced IP Scanner, BloodHound, and RDP were used for internal reconnaissance, and Mimikatz was used for credential theft.

The attackers also used the NGROK utility to bypass firewalls and expose remote service ports such as RDP to the Internet. The DarkSide ransomware is deployed using PsExec and scheduled tasks.

The following is a MITRE ATT&CK table of this affiliate’s attack:

Tactics Techniques
Initial Access [TA0001] Phishing: Spearphishing Link [T1566.002]
Resource Development [TA0042] Obtain Capabilities: Tool [T1588.002]
Lateral Movement [TA0008] Remote Services: Remote Desktop Protocol [T1021.001]
Credential Access [TA0006] OS Credential Dumping [T1003]
Defense Evasion Impair Defenses [T1562]
Execution [TA0002] System Services: Service Execution [T1569.002]
Impact [TA0040] Data Encrypted for Impact [T1486]

General Recommendations

Although DarkSide ransomware attacks can involve different tactics and tools, based on which threat group is making use of their RaaS, the tactics, techniques and tools deployed are not completely different as they share the common DarkSide platform. The variety of tactics and techniques deployed should serve as a clear indication that focusing on any single threat will not provide adequate coverage, in terms of ensuring that an organization is well protected from the broad array of security threats.

The use of EDR solutions provide valuable visibility into endpoints and important systems, so they should play a big role in dealing with ransomware attacks. We also recommend a defense-in-depth approach for securing your network and environment, including ensuring there is proper segmentation and security device visibility between network segments, particularly critical network segments. Traditional security architecture, that focuses solely on securing the perimeter, are inadequate in dealing with modern day persistent threats, though they play an important part.

An organization with proper network segmentation and security device coverage can then make use of the following general suspicious indicators/activities that serve as a useful way to monitor for to identify potential DarkSide ransomware attacks:

  • Attacks on VPN infrastructure (exploiting vulnerabilities or through password spraying attacks)
  • Phishing emails
  • Deployment, use and download of common exploit and bypass tools like Mimikatz, Cobalt Strike and BloodHound
  • Unauthorized deployment, use and download of remote access tools (Teamviewer, Remote Desktop, etc)
  • Installation of suspicious or unknown services
  • Data exfiltration to cloud storage

Proficio has already deployed a wide variety of use cases that can be effectively utilized to detect such common indicators or activities. Of course, the effectiveness of the use cases depends on the log sources being monitored and their visibility into the environment or network. We recommend reaching out to your security advisors or client success managers to understand the use cases deployed for your environment and how we can work together to increase the efficacy of our monitoring, detection and discovery efforts.

The Proficio Threat Intelligence Team will continue to research and investigate all new threats to identify the best way to start a threat hunting campaign. And as always, we will keep all of our clients informed on our efforts in this area.

Precautionary Measures

Prevention is better than cure. It is advisable to safeguard you and your organization to avoid being the next victim of this ransomware attacks. We would recommend organization to consider the following measures.

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Performing regular backups on critical files and systems.
  • Keeping your operating systems and accessible services up to date on the latest security patches.
  • Make use of Multi-Factor Authentication to govern access as much as possible.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

How Ransomware is Deployed and How to Stop an Attack in the Early Stages | A Cyber Chat with CrowdStrike pt. 3

How Organizations Protect Against Ransomware | A chat with CrowdStrike – Full Episode

While ransomware remains one of the biggest cyberthreats, there are steps that cybersecurity teams can take to keep themselves better protected. Threat intelligence experts, Ardan Toh of Proficio and Scott Jarkoff of CrowdStrike, share their thoughts on how organizations can stay safe.

One of the most frequent targets are the healthcare industry, especially with all the research around COVID-19. Scott and Ardan discuss why they’re commonly the victims and how Nation State actors have played more of a role in recent years. But how has this evolved in recent years? Tune in to find out!

Ryuk Ransomware

OVERVIEW
Ryuk ransomware was first discovered in the wild in 2018. It is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

This ransomware group was one that did not stop attacks on healthcare organizations despite the Coronavirus pandemic in 2020, made clear by their recent attack against Universal Health Services (UHS). In this blog, we will share the common IOCs for this type of attack and ways to stay protected.

RANSOMWARE DETAILS
Since 2019, the most common method for Ryuk threat actors to gain entry to a victim’s environment is with the use of Trickbot and Emotet malware, often starting with phishing attacks. In the case of the UHS attack, both Emotet and TrickBot were detected within the UHS’ environment.

The attack chain often starts with delivering Emotet to a victim host via phishing email, which subsequently downloads Trickbot onto the host. After harvesting data, Trickbot opens a reverse shell to provide Ryuk ransomware threat actors with entry to the victim’s environment, allowing the actors to manually deploy the ransomware on the victim host.

Ryuk ransomware has been found to contain commands for killing services related to antivirus products, and Trickbot has the capability to disable Microsoft Defender as well. A UHS employee has stated online that during the attack, “multiple antivirus programs were disabled”.

Ryuk Ransomware Commands Example

Fig 1. An example of commands in Ryuk ransomware

According another UHS employee, one of the infected computers displayed a ransom note that read “Shadow of the Universe”, which is similar to the phrase “balance of shadow universe” seen in previous Ryuk ransom notes. Names of files were observed being appended with the file extension “.ryk”, which is the extension used by Ryuk ransomware after successfully encrypting a file.

Ryuk Ransomware Note Example

Figure 2 – Example of a ransom note

While there are limited details on the UHS attack, there are some common activities and IOCs of Ryuk ransomware attacks involving Trickbot and Emotet:

  • Phishing email containing Microsoft Office attachments (.doc, .xls etc.) with Macros
  • PowerShell commands executed by Macros
  • Downloading of PowerShell Empire/Cobalt Strike/PsExec
  • Exploitation of EternalBlue vulnerability which is over port 445 (SMB)
  • Unusual scheduled tasks, registry keys created
  • Recurring traffic towards Trickbot C2 servers over ports such as ports 446, 447, 449, 8082
  • Privilege escalation
  • Files with the file extension “.ryk”
  • “RyukReadMe.txt” or “RyukReadMe.html”

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of this ransomware attacks. We would recommend the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware
  • Consider Managed EDR services that will enable you to quickly react and contain any ransomware vendor
    • These services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Have a cold or distributed backup system in place
    • At a minimum, have backups separate from production systems for your critical files or systems
  • Keep your operating systems up to date on the latest security patches
  • Make use of network segmentation alongside the zero-trust model
  • Close unnecessary network ports to reduce entry points for attackers
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise
  • Educate your employees and users to improve cybersecurity awareness

REFERENCES

  • https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
  • https://techcrunch.com/2020/09/28/universal-health-services-ransomware/
  • https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
  • https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/
  • https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
  • https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/
  • https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  • https://www.cpomagazine.com/cyber-security/ryuk-ransomware-still-targeting-hospitals-during-the-coronavirus-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-keeps-targeting-hospitals-during-the-pandemic/
  • https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/

WastedLocker Ransomware

OVERVIEW
First discovered in May, WastedLocker ransomware is a relatively new strain from the group known as Evil Corp, which was previously associated with the Dridex banking Trojan and BitPaymer ransomware. This ransomware group was brought to our attention with the recent ransomware attack against Garmin. In our research, we discovered why these targeted attacks are even harder to defend against. Read on to learn what to look for and how to avoid this new strain.

RANSOMWARE DETAILS
WastedLocker attacks start with a drive-by compromise to gain initial entry. The attackers use the SocGholish framework to hack legitimate websites that display fake software update alerts to visitors. Attempting to download these fake alerts will deliver PowerShell scripts onto the user’s device, which subsequently download Cobalt Strike. Cobalt Strike then allows the attackers to gain access, move laterally through the target’s network, and deliver the WastedLocker ransomware to the victim host.

Before deploying the ransomware, the attackers perform the following tasks within the target’s network:

  • Escalates privileges via UAC bypass method
  • Disables Windows Defender
  • Gathers information about victim’s environment
  • Performs credential dumping

WastedLocker attackers have also been observed in previous attacks to utilize living-off-the-land (LOFT) tools to perform tasks. For example, using the Windows Sysinternals tool PsExec to disable Windows Defender, using PowerShell and WMIC to profile the target’s environment.

Upon successful encryption of a victim’s file, the ransomware appends a file extension that is a combination of the target organization’s name and the string “wasted”. In the case of the Garmin attack, the file extension “.garminwasted” was appended to encrypted files. For each encrypted file, the ransomware also creates a ransom note with the same name appended with “_info” at the end of the file extension, such as “.garminwasted_info”.

Example of a ransom note

Figure 1 – Example of a ransom note

Aside from encryption, the WastedLocker ransomware is also capable of deleting Windows shadow copies to wipe backups and file snapshots to make recovery impossible.

The method of payment provided to decrypt WastedLocker is to contact one of the emails listed within the ransom notes. As of now, email addresses that have been used by the attackers are can belong to either ProtonMail, Eclipso, Tutanota, or Airmail.

Unlike many other ransomwares this year, WastedLocker ransomware does not steal victims’ files but simply encrypt them. However, it is worth noting that WastedLocker attacks are highly targeted and ransomware samples used are each customized for the target organization. This means that standard IOCs such as the file hashes of previous samples would not be very helpful or useful in detections.

PRECAUTIONARY MEASURES
Prevention is better than cure. It is advisable to safeguard you and your organization to avoid being the next victim of this ransomware attacks. We would recommend organization to consider the following measures.

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Make use of a managed EDR service to quickly react and contain any ransomware vendor
  • Managed EDR services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Have a cold or distributed backup system in place, or at minimum have backups separate from production systems, for your critical files or systems.
  • Keeping your operating systems up to date on the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

ABOUT PROFICIO

Proficio’s Managed, Detection and Response (MDR) solution surpasses the capabilities of traditional Managed Security Services Providers (MSSPs). Our MDR service is powered by next-generation cybersecurity technology and our security experts partner with you to become an extension of your team, continuously monitoring and investigating threats from our global networks of security operations centers. Learn More About Proficio’s Services

REFERENCES

  • https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
  • https://www.bleepingcomputer.com/news/security/new-wastedlocker-ransomware-distributed-via-fake-program-updates/
  • https://www.bleepingcomputer.com/news/security/dozens-of-us-news-sites-hacked-in-wastedlocker-ransomware-attacks/
  • https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/
  • https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/

Details on Threat Group That Claims to Have Obtained President Trump’s Legal Documents

REvil/Sodinokibi Ransomware
OVERVIEW
The REvil/Sodinokibi threat group has taken ransomware attacks to a new level. While most variants, like the recent strain of DoppelPaymer ransomware, encrypt victim’s files, Proficio’s Threat Intelligence Team has seen an uptick of strains that also steal data to further pressure victims into paying ransoms. This group, infamously known as the one claiming to have obtained President Donald Trump’s legal documents, more recently attacked the law firm Grubman Shire Meiselas & Sacks (GSMLaw) which resulted in the exfiltration of multiple celebrities’ legal documents.

In this blog, we will be sharing additional details we discovered based on our research on the REvil/Sodinokibi ransomware.

RANSOMWARE DETAILS
REvil/Sodinokibi ransomware was discovered back in April 2019, where it was initially found to propagate via exploitation of a vulnerability in Oracle WebLogic. REvil/Sodinokibi is a ransomware-as-a-service (RaaS) and was suspected to be associated with GandCrab, a RaaS that had shut down operations in May 2019. REvil/Sodinokibi was found to share similar codes with GandCrab ransomware, such as the random URL generation.

Within the past year, REvil/Sodinokibi threat actors have been observed to utilize multiple techniques to spread ransomware to targets. Based on our research, some of distribution methods used are:

  • Oracle WebLogic vulnerability (CVE-2019-2725)
  • Malspam campaigns
  • Hack WordPress sites and fake forum posts containing a link to the ransomware installer
  • Breach managed service providers (MSPs) via exposed RDP
  • Webroot SecureAnywhere console in MSPs that deploys ransomware on the MSPs’ customers systems
  • RIG exploit kit
  • Pulse Secure VPN vulnerability (CVE-2019-11510)

Once the ransomware is delivered to a victim device, it can perform the following tasks:

  • Exploit the CVE-2018-8453 vulnerability to elevate privileges
  • Terminate blacklisted processes prior to encryption to eliminate resource conflicts
  • Wipe the contents of blacklisted folders
  • Encrypt non-whitelisted files and folders on local storage devices and network shares
  • Exfiltrate basic host information

Upon successful encryption of the victim’s files, the ransomware appends a randomly generated file extension to the file name made up of 5 to 10 alphanumeric characters. A ransom note is dropped onto the victim’s device with instructions on how the victim can pay the ransom.

Example of a ransom note

Figure 1 – Example of a ransom note

REvil/Sodinokibi threat actors usually provide two methods of payment. The first method is to access a Tor site using a Tor browser; the other is to use their secondary website. Earlier attacks provided “decryptor[.]top” as their secondary payment site, however more recent attacks appear to have switched to “decryptor[.]cc” instead.

Since January 2020, the threat actors behind the REvil/Sodinokibi ransomware have started to publish data stolen from victims that did not pay their ransom on time. This method of pressuring victims was inspired by Maze ransomware, which started this trend among ransomwares.

ADDITIONAL ACTIONS BY THE THREAT INTELLIGENCE TEAM

PRECAUTIONARY AND DETECTION MEASURES
Prevention is better than a cure, and given the popularity of ransomware attacks, you always need to be prepared. When possible, you must safeguard yourself and your organization to avoid being the next victim of ransomware attacks. We recommendthe use of a managed EDR service to help you deal with any ransomware attack quickly.

We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools update to date to provide detection and prevention from the spread of ransomware.
  • Make use of managed EDR services to quickly react and contain any ransomware identified before any major damage can be done.
    • Managed EDR services can also play a big part in monitoring and alerting on attack vectors that are often used as distribution methods for ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close any unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

 

REFERENCES

  • https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-distributed-by-hackers-posing-as-german-bsi/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-via-fake-forums-on-hacked-sites/
  • https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-targeting-asia-via-the-rig-exploit-kit/
  • https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/
  • https://www.secureworks.com/research/revil-sodinokibi-ransomware
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
  • https://www.bleepingcomputer.com/news/security/shared-code-links-sodinokibi-to-gandcrab-minus-the-fun-and-games/
  • https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html?m=1
  • https://www.pcrisk.com/removal-guides/14942-sodinokibi-ransomware

DoppelPaymer Ransomware

OVERVIEW
Recently, Proficio’s Threat Intelligence Team has observed a surge in ransomware cases that take advantage of the current COVID-19 situation. In this blog, we will discuss a variant of ransomware named “DoppelPaymer”, which has significantly raised its popularity over the last month, and provide additional details discovered during our research.

RANSOMWARE DETAILS
“DoppelPaymer” is said to be the evolution from “BitPaymer Ransomware”. This strain of ransomware is an enterprise-targeting variant. Based on its history of attacks and the information within the ransom notes, we believe that the threat actor group is targeting English-speaking victims.

While earlier builds of the malware were identified back in April 2019, the first known victims of DoppelPaymer ransomware were seen in June 2019. DoppelPaymer ransomware is likely a variant of BitPaymer Ransomware, where initial ransom notes would contain the string of text “BitPaymer”. The name “DoppelPaymer” was given by researchers to identify this new variant of ransomware found in the wild. Following that, the threat actor appears to have adopted this name and has changed the string of text from “BitPaymer” to “DoppelPaymer” within the ransom notes. Based on the similarities between both ransomware variants, the threat actor groups for DoppelPaymer are suspected to be likely a split from INDRIK SPIDER cybercrime group.

DoppelPaymer ransomware is known to consist of both Dridex and BitPaymer source code. Several other interesting traits that were observed, including:

  • Encryption method 2048-bit RSA + 256-bit AES
  • Encrypted files are renamed with a “.locked” extension
  • Latest version of variants mark data with “.doppeled” appendix
  • Ability to terminate processes and services that may interfere with file encryption using the technique ProcessHacker

DoppelPaymer ransomware is usually dropped by the Dridex trojan; however, this ransomware is not limited to one distribution method. Based on our research, the following are some of the distribution methods that have been observed over the year:

  • Insecure RDP configuration
  • Email spam and malicious attachments
  • Deceptive downloads
  • Botnets
  • Exploits
  • Malicious advertisement
  • Web injects
  • Fake updates
  • Repackaged
  • Infected installers

Upon successful infection and encryption of data on the victim’s computer, the victim’s files would be renamed, and a ransom note in text file format could be found within the victim’s system.

Ransom notes sample

Figure 1 Ransom notes

It’s interesting to note that there is no ransom amount stated within the text file. Instead, a list of instructions was being provided to the victim to follow strictly. The victims were requested to download “Tor Browser” and to subsequently type into an address bar provided to access the DoppelPaymer portal.

Accessing Tor link in Ransom Notes Sample

Figure 2 Accessing Tor link found in ransom notes

DoppelPaymer Ransomware Payment Portal Sample

Figure 3 DoppelPaymer Ransomware Payment Portal

After the portal was accessed from the Tor browser, the victim would be provided with several key pieces of information, such as a countdown timer for a “special price”, a unique reference ID used to identify the victim, the ransom amount and a BTC address where the ransom payment can be sent to.

Further research on DoppelPaymer ransomware reveals that, in the earlier days, victims who are not willing to pay the ransom would have their data sold on the darknet. Following the trends from various ransomware groups such as Maze , the DoppelPaymer threat actor group was inspired to launch a public website for use as a shaming platform to victims who are not willing to pay the ransom.

A video demonstration of file encryption can also be seen on YouTube.


PRECAUTIONARY MEASURES
Prevention is always better than a cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of a ransomware attack. We advise using a managed EDR service to better prepare yourself for dealing with a ransomware attack. We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Make use of a managed EDR service to quickly react and contain any ransomware vendor
  • Managed EDR services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

For the latest information from our Threat Intelligence Team on the DoppelPaymer attacks and other threats, please visit our Twitter Feed.

Mailto and Mailto-2 Ransomware

OVERVIEW
In October of 2019, a group of relatively new ransomware strains called Mailto and Mailto-2 were found in the wild. These two ransomware types were also known as “Kokoklock” and “Kazkavkovkiz” where the names have been used interchangeably with no clear definitions at this point of time.

This ransomware group gained attention with the recent ransomware attack against the Australian Toll Group. The Australian Toll Group has subsequently disclosed that their network was being attacked by the Mailto ransomware prior to a service disruption and system shut down.

The Proficio Threat Intelligence Team posted information about Toll Group attacks in our Twitter Feed. In this blog, we share some of our findings pertaining to this new ransomware’s behavior in the wild.

RANSOMWARE DETAILS
This type ransomware is relatively new and first surfaced in late 2019, and as such there is limited information available. Mailto ransomware was seen in the wild during the month of September where Mailto-2 ransomware was seen around October. They are recognizable by the extension that is appended to encrypted victims’ files.

There is some evidence that Mailto actors may have utilized techniques such as phishing and password spray attacks, and then used compromised accounts to send further phishing emails to the users’ address book to spread malware. At this time, there is no known information on the cyber groups that are responsible for these types of ransomware, nor is there information on the C2 activities on them.

Upon successful infection of the victims’ systems, both variants of ransomware include a personal extension on infected files, a ransom note and a readme text file to instruct victims on how to make the ransom payment. The main visible difference between “Mailto / Kokoklock” and “Mailto-2 / Kazkavkovkiz” is the personal extensions appended onto the encrypted file.

At this time, the only other notable information that distinguishes this ransomware strain from others operating in the wild is that the targets are instructed to communicate with the attacker via an email provided in the ransom notes. Ransom notes associated with this ransomware include two email addresses with the email domains “@cock[dot]li” and “@tutanota[dot]com”. “Tutanota” is a free and open-source, end-to-end encrypted email. “Cock[dot]li” appears to be a free anonymous email service also known as “Cockmail”, which has been seen to be used in multiple malicious activities.

Figure 1 – An example of ransom notes

Beyond the ransom notes, we are also able to differentiate Mailto ransomware based on the file extension appended on the encrypted files. Following the file extension “[dot]mailto”, “Mailto / Kokoklock” ransomware would append six random alphanumerical digits onto the encrypted files while “Mailto-2 / Kazkavkovkiz” ransomware would append four or five random digits onto the encrypted files. While these extensions are the only ones currently seen in the wild, they may vary over time.

Other noticeable differences between both ransomware variants include the following:

  Mailto / Kokoklock Mailto-2 / Kazkavkovkiz
Decryptor tool Netwalker NIL
Encryption Method Suspected Salsa20 Stream Cipher AES
Format of encrypted files .mailto[<email_address>].<6_alphanumerical_random_digits> .mailto[<email_address>].<random_digits>
Readme file format <6_alphanumerical_random_digits>-Readme.txt <random_digits>-Readme.txt
Other behaviour Seen to masquerade as a legitimate program [Sticky password] NIL

 

PRECAUTIONARY MEASURES
Prevention is better than a cure. It is advisable to safeguard your organization to avoid being the next victim of this ransomware attack. We recommend your organization consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection of and prevention from the spread of ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date on the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

The Proficio Threat Intelligence Team will continue to monitor developments around this this new ransomware and provide updates as applicable.