In its Mid-Year Cyberthreat Report published on August 24, 2022, cybersecurity firm Acronis reports that ransomware continues to plague businesses and governmental agencies, primarily through phishing campaigns.

According to the report, over 600 malicious email campaigns were launched in the first half of 2022 with the goal of stealing credentials to launch ransomware attacks. Other attack vectors included attacks on cloud-based networks, exploitation of unpatched software vulnerabilities, and attacks on cryptocurrency and decentralized finance systems.

According to Acronis, “ransomware is worsening, even more so than we predicted.” It estimates that global damages related to ransomware attacks will top $30 billion by 2023.

The FBI and CISA recently issued a Cybersecurity Advisory entitled “#StopRansomware: Zeppelin Ransomware,” alerting organizations to the proliferation of Zeppelin ransomware attacks and providing indicators of compromise and techniques to combat them.

According to the Advisory, “From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the health care and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”

The Advisory explains how the ransomware is deployed:

“Zeppelin actors gain access to victim networks via RDP exploitation, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.

“Prior to encryption, Zeppelin actors exfiltrate sensitive company data files to sell or publish in the event the victim refuses to pay the ransom. Once the ransomware is executed, a randomized nine-digit hexadecimal number is appended to each encrypted file as a file extension, e.g., file.txt.txt.C59-E0C-929. A note file with a ransom note is left on compromised systems, frequently on the desktop.”

What is particularly alarming is that the FBI has observed that the attackers execute the malware multiple times in the network, which “results in the victim needing several unique decryption keys.” The Advisory lists in detail the indicators of compromise, which organizations may wish to review, as well as ways to detect and mitigate the risk of compromise. The Advisory can be accessed here.
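The file-extension pattern quoted from the Advisory (a randomized nine-digit hexadecimal number appended after the original extension, e.g. file.txt.txt.C59-E0C-929) is something a defender can sweep for on file shares and endpoints. The following is an added example written for this post, not code from the Advisory or from any tool it names: it scans a list of file names (or a directory tree) for that suffix pattern and counts how many distinct suffix values appear. Treating more than one distinct suffix as a hint that the malware may have been run more than once is an assumption made here, based on the Advisory's observation that multiple executions leave the victim needing several decryption keys; the sample listing is constructed.

```python
import os
import re
from collections import Counter

# Zeppelin-style suffix as described in the Advisory: three groups of three
# hex digits separated by hyphens, appended after the original extension.
ZEPPELIN_SUFFIX = re.compile(r"\.([0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")


def zeppelin_suffix(name):
    """Return the nine-hex-digit suffix (upper-cased) if `name` matches, else None."""
    m = ZEPPELIN_SUFFIX.search(name)
    return m.group(1).upper() if m else None


def scan_names(names):
    """Classify a list of file names.

    Returns (hits, suffix_counts): hits is the list of matching names and
    suffix_counts maps each distinct suffix to the number of files carrying it.
    """
    hits = []
    counts = Counter()
    for n in names:
        s = zeppelin_suffix(n)
        if s:
            hits.append(n)
            counts[s] += 1
    return hits, counts


def scan_tree(root):
    """Walk a directory tree and run scan_names() over every file path under it."""
    names = []
    for dirpath, _, files in os.walk(root):
        names.extend(os.path.join(dirpath, f) for f in files)
    return scan_names(names)


# Constructed sample listing for this example (not real victim data).
SAMPLE = [
    r"C:\Users\alice\Desktop\file.txt.txt.C59-E0C-929",
    r"C:\Users\alice\Documents\budget.xlsx.C59-E0C-929",
    r"C:\Users\alice\Documents\notes.docx",
    r"D:\shares\hr\payroll.csv.A1B-2C3-D4E",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\Downloads\archive.tar.gz",
    r"C:\Users\alice\Desktop\readme.txt.1A2-B3C",  # only two groups: not a hit
]

if __name__ == "__main__":
    hits, counts = scan_names(SAMPLE)
    print(f"{len(hits)} file(s) carry a Zeppelin-style suffix")
    for suffix, n in counts.items():
        print(f"  {suffix}: {n} file(s)")
    if len(counts) > 1:
        # Assumption (see lead-in): distinct suffixes may indicate several runs,
        # and therefore several decryption keys.
        print("Multiple distinct suffixes seen: the malware may have been run "
              "more than once, so more than one decryption key may be needed")
```

On a live host, `scan_tree(r"C:\")` (or a mounted share) replaces the constructed list; the regex is anchored to the end of the name so ordinary dotted extensions such as `.tar.gz` do not match.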

A recently-issued joint advisory by the FBI, the Cybersecurity and Infrastructure Security Agency, the Financial Crimes Enforcement Network, and the Treasury Department warns that MedusaLocker ransomware “targets vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.” The alert encourages “network defenders to examine their current cybersecurity posture and apply the recommended mitigations,…including:

  • Prioritize remediating known exploited vulnerabilities.
  • Train users to recognize and report phishing attempts.
  • Enable and enforce multifactor authentication.”

MedusaLocker exploits vulnerabilities in RDP, encrypts the victim’s data, and sends a ransom note embedded in the encrypted files demanding payment in Bitcoin to obtain the encryption key.

The alert (linked here) provides technical details and mitigation steps.

The 2022 State of Ransomware Report recently issued by Sophos surveyed 5,600 IT professionals from 31 countries, including professionals in the health care sector. Of those in health care, 66 percent reported having experienced a ransomware attack in 2021, an increase of 69 percent over 2020. This was the largest increase of all sectors surveyed.

If you look at the Office for Civil Rights data breach portal, you will see that a vast majority of breaches reported by health care providers and business associates are related to “Hacking/IT incident.” This confirms that the health care sector continues to be attacked by threat actors seeking to steal protected health information of patients.

If you are a patient who receives a breach notification letter from a health care provider or business associate, the letter will provide guidance on how to protect yourself following a data breach and may offer some protection guidance, including credit monitoring or fraud resolution. Such a letter has been sent to patients to comply with the breach notification requirements of HIPAA and state law. Part of those requirements includes that the patients be provided mitigation steps following the breach to protect themselves from fraud. Avail yourself of these protections in the event your information is compromised. Take the time to sign up for the mitigation offered. It is clear that these attacks will not subside any time soon.

The Chicago Public Schools system is in the process of notifying students, families and some current and former employees that their personal information was compromised as a result of a ransomware attack against a technology vendor, Battelle for Kids.

According to the notification letter, parents of students who attended a Chicago public school between 2015 and 2019 are being notified that their personal information may have been compromised by a ransomware attack against its vendor, Battelle, on December 1, 2021. The letter states that the personal information that an unauthorized party gained access to included: “name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, and information about the courses your student took, and scores from performance tasks used for tech evaluations.” The letter specifically states that “No Social Security numbers, no financial information, no health data, no current course or schedule information, and no course grades or standardized test scores were involved in this incident.”

The school system is offering those affected, reported as over 500,000 individuals, free credit monitoring and identity theft protection for 12 months. It has also issued FAQs, which can be accessed here.

This week, AGCO, a U.S. agricultural machinery manufacturer, suffered a ransomware attack that affected its business operations and shut down its systems.

AGCO, headquartered in Duluth, Georgia, designs, produces, and sells tractors, combines, foragers, hay tools, self-propelled sprayers, smart farming technologies, seeding and tillage equipment. AGCO first discovered this attack through its subsidiary, Massey-Ferguson, when its websites in France, Germany, and China were targeted. At that time, more than 1,000 employees were sent home from production facilities in France. Operations across the globe have been affected.

In order to mitigate and remediate the attack, AGCO shut down portions of its IT systems, but it will likely take several days to fully repair them. It is currently unknown when business operations will fully resume.

This attack is likely a result of a recent donation to a Ukrainian relief fund. The day before this attack, AGCO Agriculture Foundation donated $50,000 to the BORSCH initiative, which assists Ukrainian farming communities affected by the war with Russia. A few weeks ago, the FBI released a warning on ransomware attacks targeting the U.S. agricultural industry and timed to coincide with critical seasons in the industry.

The FBI’s warning recommended the following steps to mitigate against ransomware attacks:

  • Regularly back up data, air gap (a security measure that involves isolating a computer or network and preventing it from establishing an external connection), and password protect backup copies offline.
  • Ensure copies of critical data are not accessible for modification or deletion from the system in which the data reside.
  • Implement a recovery plan that includes maintaining and retaining multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Identify critical functions and develop an operations plan in the event that systems go offline. Think about ways to operate manually should it become necessary.
  • Implement network segmentation.
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts and use strong pass phrases where possible.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).

In the short term, the agricultural industry (as well as all U.S. businesses) should be on high alert, and, in addition to patching all systems in your organization’s environment, the best thing to do is to have robust monitoring of the environment. Businesses cannot defend what they can’t see; every asset must be monitored.
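Two of the FBI steps above (disable unused RDP and monitor remote access/RDP logs) and the "robust monitoring" point are concrete enough to show as detection logic. The block below is an added example written for this post, not code from the FBI warning or from any vendor: it reads Windows Security log events, keeps only RDP logons (logon type 10), flags a source address that produces a burst of failed logons (event 4625) inside a sliding window, and reports any successful logon (event 4624) that later arrives from a source already flagged, the sequence a defender would want to see first. The one-event-per-line export format, the five-failures-in-ten-minutes threshold and the log lines themselves are constructed assumptions for the example; real exports from a SIEM or `wevtutil` differ in layout and would need their own parser.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed export layout for this example: one event per line.
# Event 4625 = failed logon, 4624 = successful logon (Windows Security log);
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
LINE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse(lines):
    """Turn exported lines into event dicts; lines that do not fit are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (flagged, successes).

    flagged:   {source_ip: total RDP failures} for sources that reached
               `threshold` failed RDP logons inside any sliding `window`.
    successes: [(ip, user, ts)] for successful RDP logons from a source that
               had already been flagged when the success occurred.
    """
    rdp = sorted((e for e in events if e["lt"] == 10), key=lambda e: e["ts"])
    recent = defaultdict(list)   # per-source failure timestamps inside the window
    total = Counter()            # per-source failure count over the whole input
    flagged = set()
    successes = []
    for e in rdp:
        ip = e["ip"]
        if e["eid"] == 4625:
            total[ip] += 1
            recent[ip].append(e["ts"])
            recent[ip] = [t for t in recent[ip] if e["ts"] - t <= window]
            if len(recent[ip]) >= threshold:
                flagged.add(ip)
        elif e["eid"] == 4624 and ip in flagged:
            successes.append((ip, e["user"], e["ts"]))
    return {ip: total[ip] for ip in flagged}, successes


def analyze(lines, **kw):
    return detect_rdp_bruteforce(parse(lines), **kw)


# Constructed sample log (documentation IP ranges, invented users and times).
SAMPLE_LOG = """\
2022-08-24T03:12:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-08-24T03:12:04Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-08-24T03:12:09Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-08-24T03:12:15Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2022-08-24T03:12:20Z EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.7
2022-08-24T03:12:27Z EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=203.0.113.7
2022-08-24T03:14:02Z EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=203.0.113.7
2022-08-24T08:01:10Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
2022-08-24T08:01:30Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
2022-08-24T09:15:00Z EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=-
""".splitlines()

if __name__ == "__main__":
    flagged, successes = analyze(SAMPLE_LOG)
    for ip, n in flagged.items():
        print(f"brute-force pattern: {ip} ({n} failed RDP logons)")
    for ip, user, ts in successes:
        print(f"ALERT: successful RDP logon as {user} from flagged source {ip} at {ts}")
```

The single mistyped password from 198.51.100.23 stays below the threshold and the console (logon type 2) failure is ignored, so the only alert is the success from the source that had just failed six times; that event, not the failures alone, is what should page someone.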

According to Emsisoft, the education sector continues to experience ransomware attacks, with a whopping 1,043 schools affected by ransomware in 2021. This statistic breaks down to include 62 school districts and 26 colleges and universities.

Emsisoft estimates that data of employees and students were stolen in at least half of those attacks in 2021.

2022 looks to be even worse for higher education than 2021 for ransomware attacks. In the beginning of 2022, higher education institutions continued to be targeted by ransomware gangs. In March and April, BlackCat (a/k/a ALPHV group) deployed ransomware against North Carolina A&T State University and Florida International University, and in April Austin Peay State University was hit with a ransomware attack as well.

Some of the attacks disrupted the application process, operations, and classes; in one case, the ransomware attack pushed the school over the edge to closure. All the more reason for those in the education sector to prepare and mitigate against the risk of an attack.

A joint Cybersecurity Advisory issued by U.S. and international partners, entitled “2021 Trends Show Increased Globalized Threat of Ransomware,” warns from a global perspective of “the growing international threat posed by ransomware over the past year.”

The trends outlined by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the National Security Agency, the Australian Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre include:

  • Cybercriminals are increasingly gaining access to networks via phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and exploiting software vulnerabilities.
  • The market for ransomware became increasingly “professional” and there has been an increase in cybercriminal services-for-hire.
  • More and more, ransomware groups are sharing victim information with each other, including access to victims’ networks.
  • Cybercriminals are diversifying their approaches to extorting money.
  • Ransomware groups are having an increasing impact thanks to approaches targeting the Cloud, managed service providers, industrial processes and the software supply chain.
  • Ransomware groups are increasingly targeting organizations on holidays and weekends.

The advisory stresses the fact that ransomware “is a rising global threat with potentially devastating consequences…[and] remains one of the most disruptive cyber threats to organisations and individuals [that] requires a global solution.” It is meant to provide education about the global threat of ransomware, and mitigation actions that companies can take to “bolster resilience.”

The “immediate actions that can be taken now include ensuring timely patching of all operating software; implementing a user training program that includes recognizing and reporting suspicious emails; securing and monitoring remote desktop protocol, if used; and maintaining an offline backup of your data.”

The threat of ransomware continues to rise and it is encouraging to see allies working together to assist in a global response.

Coveware issued its 2021 Q4 Ransomware Report on February 1, 2022. The report stated that although average and median ransom payments increased “dramatically” in Q4, “we believe this change was driven by a subtle tactical shift by Ransomware-as-a-Service (RaaS) operations that reflected the increasing costs and risks” of executing an attack.

Because it is riskier and costlier to execute an attack, attackers are shifting from large company targets to smaller ones so they can stay under the law enforcement radar. This shift is seen in the statistic that “the proportion of companies attacked in the 1,000-10,000 employee count size increased from 8% in Q3 to 14% in Q4.” Because of large law enforcement takedowns in 2021, Coveware expects “RaaS operations to try and mitigate the size of the targets on their back to the extent possible.”

Data exfiltration continues to be a “popular tactic” and 84 percent of ransomware attacks in Q4 included data exfiltration. The RaaS model continues to dominate such attacks, which Coveware predicts will continue in 2022. The most common ransomware variants in Q4 included: Conti, LockBit 2.0, Hive, Mespinoza, Zeppelin, BlackMatter, and Suncrypt. Two new variants hit the top 10: Karakurt and AvosLocker.

The top tactics used by the attackers included Persistence (82 percent), Lateral Movement (82 percent), Credential Access (71 percent), Command and Control (63 percent), and Collection (61 percent), while the most common initial ingress vectors continue to be RDP compromise, email phishing and software vulnerability.

In Q4, Coveware found that “ransomware continues to be a crime of opportunism, not specific targets.” The top industries attacked included professional services, consumer services, materials, public sector, and health care.

The average duration of an incident in Q4 2021 was 20 days, which Coveware attributes to the ability of the attacked companies to be able to recover from backups “which is ALWAYS faster than attempting to decrypt data with a threat actor decryptor.”

The Coveware quarterly report is always a good read and spot on with its analysis of the current state of ransomware attacks.

Another day, another governmental entity hit with a ransomware attack. If you are a resident of Bernalillo County, New Mexico, and you need a marriage license, want to conduct a real estate transaction or register to vote, you might be told there is “no access to systems and no legal filings are possible” due to a cybersecurity “issue.” But you CAN still pay your taxes, as no extension is being given, despite the cyber event.

According to the Albuquerque Journal, the County announced on January 5, 2021, that it was a victim of a cyberattack that affected “a wide variety of county government operations. Most county buildings were closed until further notice.”

Not only was the clerk’s office closed for certain business transactions, but the County also filed an emergency notice in federal court that it was unable to comply with terms of a settlement involving conditions at the County jail because the ransomware attack knocked out access to the jail’s security cameras. As a result, all inmates were limited in how much time they could spend outside their cells, and their access to telephones and tablets was reduced. According to the article, the facility has been “on ‘lockdown’ since Wednesday.”

Court systems were disrupted as well, and personnel scrambled to set up alternate plans to “allow criminal proceedings to continue in the face of this unforeseen event.”

Ransomware attacks against local governmental entities are frequent and very disruptive to residents of that state, county, or municipality. And it does not look like the pace of attacks against local governments will ease any time soon.