Rising to new levels of notoriety in 2020 as criminals sought to take advantage of the global chaos brought about by the COVID-19 pandemic, ransomware has continued to grow in maturity throughout the first half of 2021.
Looking to further benefit from ransomware, many groups are now offering it ‘as a service’, allowing them even more financial gain. This in turn benefits those groups that do not have the means to develop their own malware, giving them the means to launch devastating attack campaigns that would have otherwise been unavailable to them.
Following Blueliv’s deep dive into the impact of ransomware throughout 2020, this blog examines some of 2021’s biggest attacks, providing insight into the threat actors behind them and the regions in which they operate.
Kaseya, a Florida-based IT company, was the victim of a ‘colossal’ ransomware attack in July of this year at the hands of the Russia-linked group REvil. Below is an extract from Blueliv’s initial blog on the attack. For the full article, as well as Blueliv’s advice for mitigating such attacks, read here.
From the blog:
According to Kaseya, an application running its corporate servers, computers and other network-connected devices was compromised as a result of this attack. The IT company, which has more than 36,000 customers in over ten countries, has since asked users to shut down their servers urgently.
So far, it is understood that REvil targeted Kaseya’s servers and from there was able to focus on encrypting the associated managed service providers (MSPs) and their customers, including the Swedish Coop supermarket chain, a customer of Visma EssCom.
However, since its initial demands, the REvil gang is already raising its ransom; just days after the attack, the group supposedly demanded between $40,000 and $45,000 per encrypted file extension. For context, each victim MSP has several files encrypted by REvil, with one victim revealing that the criminal gang demanded half a million dollars to decrypt its 12 ransomed files. REvil is also offering a universal decryptor, via its leak site, for a staggering $70 million.
REvil is a private ransomware-as-a-service (RaaS) operation, demonstrating the growing popularity of the RaaS model.
Here is a list of countries that have been targeted by REvil:
- Europe: Germany, Spain, France, United Kingdom, Norway, Sweden, Italy, Switzerland
- Middle East & Africa: United Arab Emirates, Nigeria, South Africa
- Latin & South America: Argentina, Brazil, Chile, Mexico
- North America & Caribbean Islands: Canada, United States, Dominican Republic, Trinidad and Tobago
- Asia Pacific: China, Australia, Hong Kong, Indonesia, India, Japan, South Korea, Thailand, Taiwan
In May of this year, Colonial Pipeline was forced to shut down its entire IT infrastructure following a ransomware attack at the hands of the cybercrime gang DarkSide. The group stole over 100Gb of data from the pipeline company after infiltrating its network and demanded around $5 million ransom from the victim organization. Colonial Pipeline eventually admitted to paying a $4.4 million ransom in bitcoin.
DarkSide, an Eastern European group, caused a six-day outage for Colonial Pipeline; while no pipelines were physically affected, its fuel flows were cut off as a result of the company’s customer billing system being taken down following the attack.
This group has been in existence since at least August 2020, at which point it went public with its ransomware-as-a-service (RaaS) operation on several hacking forums. DarkSide considers itself a group with a conscience, announcing that it will only target organizations that it believes can afford ransoms. Healthcare bodies, educational institutes, non-profits and vital service government departments are, according to the group, off-limits.
Following this attack, however, DarkSide announced that it was ceasing its RaaS endeavor after a rise in pressure from the US government. While many believe this to be the end of the group, it is likely that its members are simply in temporary hiding. The criminal group may continue ‘in all but name’, according to this Forbes article.
Here is a list of countries that have been targeted by the DarkSide gang:
- Europe: Germany, Spain, France, United Kingdom, Greece, Italy, Netherlands, Poland
- North America: Canada, United States
- Latin and South America: Brazil
- Africa: South Africa
- Asia Pacific: Indonesia
Elsewhere in the Americas, JBS Foods, the world’s largest meat supplier, headquartered in Brazil, suffered a ransomware attack that eventually cost it $11 million in what the company’s Chief Executive described as a deal that would prevent future attacks.
The attack, at the hands of REvil, as revealed by the FBI, forced the meat supplier to close all its beef plants throughout the US, as well as one of its Canadian plants. JBS Foods also ceased killing operations in Australia while its plants were offline. JBS Foods described the incident as “an organized cybersecurity attack, affecting some of the servers supporting its .”
It is widely speculated that this attack is part of a larger campaign against Brazil-based companies, as the ransomware group told the Russian-OSINT Telegram channel that it was seeking revenge against the country, though exactly why it is doing so remains a mystery. The group has targeted several major Brazilian institutions in recent months, including Grupo Fleury, Justiça do Estado do Rio Grande do Sul, and Light S.A.
Furthermore, RansomExx deployed a massive campaign against Brazilian targets, having attacked Embraer, Brazil’s Superior Court of Justice, and the Pernambuco State Court of Justice.
Before its retreat following the Colonial Pipeline attack mentioned earlier, DarkSide targeted the chemical distribution company Brenntag, based in Germany, which eventually paid a $4.4 million bitcoin ransom to the gang. Upon receiving the ransom, DarkSide gave Brenntag a decryptor, allowing it to once again access its encrypted files and prevent threat actors from leaking the stolen data.
The attack took place at the company’s , which saw the threat group encrypt its network devices and steal over 150Gb of additional files in the attack. The group initially demanded a higher ransom of around $7.5 million though it is believed that that number was decreased to the final amount following negotiations between the victim and the attacker.
The aforementioned group REvil also targeted a leading pharmaceutical group in France, Pierre Fabre, in a ransomware attack that resulted in a $50 million ransom demand in March of this year.
To contain the damage, the pharmaceutical company – the second largest in France and the second largest dermo-cosmetics lab globally – was forced to temporarily halt the majority of its production line.
The initial demand from the gang was $25 million, but they quickly doubled that after receiving no contact from their victim in the short window they gave them to respond. Days after the attack, a link surfaced containing images of stolen passports, contacts, government identification cards, immigration documents and more.
REvil has continued to wreak havoc in 2021, demanding what is believed to be the highest ransom ever – $50 million – against Acer, the multinational hardware and electronics manufacturer behind roughly 6% of all global sales. To undertake this attack the group allegedly weaponized Microsoft Exchange ProxyLogon vulnerabilities in order to access the Acer network.
Acer initially offered a $10 million ransom, an offer which REvil rejected, instead countering with a 20% discount if the company paid the ransom in full by March 17. Failing that, the group said it would raise the ransom to $100 million or else release the encrypted data via the Dark Web. It is not known whether this has been paid in full or in part at this point, though full payment is unlikely.
A demand of this size isn’t unknown for REvil – the group demanded a $30 million ransom after it encrypted Dairy Farm files earlier this year, suggesting that the data it stole on both occasions was of high value to its victims, or offered the attacker a means of further targeting associated customers.
Thailand, Malaysia, Hong Kong, Philippines
Global insurance company AXA was hit by a ransomware attack against its Asia Assistance division earlier this year, which affected its IT operations across Thailand, Malaysia, Hong Kong and the Philippines.
Three terabytes of data were stolen in the attack, believed to be at the hand of cybercriminal group Avaddon, including sensitive personal data and medical files.
Avaddon, like the other groups listed throughout this blog, offers RaaS to affiliates in exchange for a cut of the profits made from the eventual ransom. While the motivations for this attack are likely predominantly financial, it took place only a handful of days after AXA announced it would stop covering damage from ransomware attacks in France, suggesting that the group – or another party – took issue with the insurance giant’s decision.
Since this attack, the group has shut down its operations and provided the leading cybersecurity news site BleepingComputer with decryption keys for its victims.
Here is a list of countries targeted by Avaddon:
- Europe: Belgium, Cyprus, Czech Republic, Germany, Spain, France, United Kingdom, Greece, Poland, Portugal, Italy, Romania, Sweden, Slovakia, Ireland, Malta, Hungary
- Middle East & Africa: United Arab Emirates, Angola, Western Sahara, Iran, Jordan, Kenya, Morocco, Malaysia, Namibia, South Africa, Saudi Arabia
- Latin and South America: Chile, Colombia, Costa Rica, Brazil, Mexico, Peru
- North America & Caribbean Islands: United States, Canada, Jamaica
In late February 2021, REvil launched an attack against the Union Bank of Nigeria, one of the largest financial institutions in the region and the 14th largest bank in Africa.
While the bank did not publicly address the attack, REvil was quick to post a preview of the stolen information – including sensitive data and the balance and bank statements of one customer – to a leak site, with the comments “links to download files will be added after publication. Information about clients and employees will be put up for sale.”
Over the course of this past year the group’s leak site – titled the Happy Blog – has included stolen data from attacks against Acer, the major American law firm Grubman Shire Meiselas & Sacks, and other victims.
Advice and mitigation
To protect themselves against such attacks, organizations must look to incorporate security tools that are able to detect leaked credentials, data and other information in real time, such as Blueliv’s Credentials module.
Blueliv’s module proactively scours the open, deep, and dark web for stolen passwords, converting its findings into actionable intelligence that empowers organizations to immediately renew passwords internally and notify compromised customers to follow suit.
Blueliv’s Threat Context is another vital tool for reducing the risk of such attacks, allowing users to run red-teaming exercises, create training materials sourced from real threat scenarios, and radically reduce the effectiveness of incoming social engineering attacks.
Utilizing such tools, organizations can harness invaluable threat intelligence and use it to defend against, mitigate, or entirely avoid such attacks.