Ransomware, alongside COVID-19, has dominated the year’s headlines, making it the most observed threat of 2020. Recorded ransomware attacks have multiplied dramatically since the beginning of 2020 and account for a third of all recorded attacks in the past 12 months.
Microsoft’s latest Digital Defense Report takes a deep dive into this and other cybercrime trends, drawing on its visibility into desktop, server, enterprise, and cloud ecosystems. Of all the activity analyzed, the report cites ransomware as the most disruptive threat of 2020 and the most common reason behind Microsoft’s own incident response engagements between October 2019 and July 2020. The report also reveals that this year threat actors have typically spent much less time inside a network once they have gained access to it: rather than lingering, they have capitalized on the disruption caused by the COVID-19 pandemic and launched their attacks much sooner than they historically would have.
This blog looks at the key threat actors behind such attacks in 2020, examining malicious activity in Europe, the USA, LATAM, and beyond.
One such actor is the DoppelPaymer Group (a.k.a. GOLD HERON), a splinter of the infamous Dridex Group, known for using a modified Dridex banking trojan in its operations. Believed to originate in Russia, DoppelPaymer is a sophisticated crime syndicate that ruthlessly publishes stolen information on its doppelleaks website should a victim not pay the demanded ransom.
After using Dridex to infiltrate a victim, the group moves laterally across the compromised network to identify where deploying the ransomware will cause the most damage, maximising the likelihood that the victim pays. Failing that, DoppelPaymer Group has been known to publish stolen data, particularly from large or reputable organizations, so that the victim may also face fines from regulatory bodies. The actor’s primary objective is financial gain.
On September 17, 2020, DoppelPaymer attacked the Düsseldorf University Clinic with its ransomware. The attack critically disrupted the hospital’s operations, and one patient died after her urgent treatment was delayed as a result. When notified of this by law enforcement, a DoppelPaymer representative claimed the group had not been aware that the attack would affect the hospital’s systems in this manner and swiftly withdrew its extortion demand, providing a digital key for the clinic to decrypt its data.
Here is a list of countries targeted by DoppelPaymer Group:
Canada, France, Germany, Italy, Japan, Mexico, South Africa, Spain, the United Kingdom, and the United States.
Figure 1. Countries targeted by DoppelPaymerGroup.
A moderately sophisticated actor, Mespinoza (a.k.a. Pysa) is known for targeting local governments and has successfully compromised several French and Australian organisations. Mespinoza is another opportunistic actor driven solely by financial gain.
Mespinoza first made itself known in October 2019, when its ransomware was distributed through malspam. Later that year, on December 14, Mespinoza operators launched a new version of the ransomware that appends the .pysa extension to encrypted files.
Following this activity, France’s national cyber-security agency, CERT-FR, issued warnings in 2020 stating that Mespinoza was actively targeting local government networks. CERT-FR observed that the attackers tried to gain initial access to victims by brute-forcing exposed Remote Desktop Protocol (RDP) services, and that they deployed the credential-dumping tool Mimikatz in conjunction with the network reconnaissance tools Advanced Port Scanner and Advanced IP Scanner.
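As an added example (not Blueliv’s code, and not part of the CERT-FR advisory), the following Python script shows how the initial-access pattern described above, many failed RDP logons from one source followed by a successful remote-interactive logon from the same source, can be hunted for in a Windows Security log export. The log lines are constructed for this example and mimic event 4625 (failed logon) and 4624 (successful logon) flattened to key=value fields; LogonType 10 is RemoteInteractive, i.e. RDP. The failure threshold and time window are assumptions to be tuned for your environment.

```python
"""Hunt for RDP brute force followed by a successful remote-interactive logon.

Added example: the log below is constructed to mimic Windows Security events
4625 (failed logon) and 4624 (successful logon) exported as key=value pairs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export. 203.0.113.7 (documentation range) hammers several
# accounts and then succeeds; 198.51.100.9 fails twice; 10.0.0.5 is a normal
# network logon with no preceding failures.
SAMPLE_LOG = """\
2020-09-01T02:00:01 EventID=4625 IpAddress=203.0.113.7 TargetUserName=admin LogonType=10
2020-09-01T02:00:04 EventID=4625 IpAddress=203.0.113.7 TargetUserName=administrator LogonType=10
2020-09-01T02:00:07 EventID=4625 IpAddress=203.0.113.7 TargetUserName=backup LogonType=10
2020-09-01T02:00:09 EventID=4625 IpAddress=198.51.100.9 TargetUserName=jsmith LogonType=10
2020-09-01T02:00:11 EventID=4625 IpAddress=203.0.113.7 TargetUserName=svc_backup LogonType=10
2020-09-01T02:00:15 EventID=4625 IpAddress=203.0.113.7 TargetUserName=svc_backup LogonType=10
2020-09-01T02:00:20 EventID=4624 IpAddress=10.0.0.5 TargetUserName=jsmith LogonType=3
2020-09-01T02:00:31 EventID=4624 IpAddress=203.0.113.7 TargetUserName=svc_backup LogonType=10
2020-09-01T02:01:02 EventID=4625 IpAddress=198.51.100.9 TargetUserName=jsmith LogonType=10
"""

FAILURE_THRESHOLD = 5          # assumed: failures per source before we call it brute force
WINDOW = timedelta(minutes=5)  # assumed: sliding window over which failures are counted


def parse_line(line):
    """Turn 'timestamp key=value key=value ...' into a dict with a datetime 'ts'."""
    ts_text, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts_text)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect_rdp_bruteforce(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, source_ip, account, failures_in_window).

    'bruteforce' fires once per source when the failure count reaches the
    threshold; 'bruteforce_success' fires when that same source then achieves a
    LogonType 10 (RDP) success while its failures are still inside the window.
    """
    failures = defaultdict(deque)  # source IP -> timestamps of recent 4625s
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ip = ev.get("IpAddress")
        recent = failures[ip]
        # Drop failures that have fallen out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["EventID"] == "4625":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, ev["TargetUserName"], len(recent)))
        elif ev["EventID"] == "4624" and ev.get("LogonType") == "10" and len(recent) >= threshold:
            alerts.append(("bruteforce_success", ip, ev["TargetUserName"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

Alert on the success, not only on the failures: on any internet-exposed RDP host the failures alone are background noise, while a success that follows a burst of failures marks the moment the operator gains the foothold from which Mimikatz and the scanners are then run.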
Notably, Mespinoza is one of many modern threat actors that engage in ‘big game hunting’, a.k.a. human-operated ransomware. Rather than the traditional ransomware model of indiscriminate distribution through exploit kits and malspam, which relies on victims running the payload themselves, these groups seek out high-profile targets, breach their networks, and then deploy the ransomware manually across the network. Mespinoza is the latest group to adopt this tactic, which has also been used by Ryuk, REvil (Sodinokibi), LockerGoga, RobbinHood, DoppelPaymer, Maze, and many others.
Here is a list of countries targeted by Mespinoza:
Australia, Brazil, Canada, Colombia, France, Germany, Italy, Mexico, Spain, the United Kingdom, and the United States.
Figure 2. Countries targeted by Mespinoza.
The Dharma Group (a.k.a. Dharma Actor, a.k.a. dharmasource) is known for its Ransomware-as-a-Service (RaaS) offering, Dharma, which has been active for at least four years.
Dharma Group has traditionally favoured the RaaS model, with access typically gained through hacked remote desktop services, although it has also been known to launch spam campaigns using disguised software installation files. This year, however, the group started distributing its ransomware via malspam emails as well, and this campaign has recently been observed targeting Windows users throughout Italy.
Here is a list of countries targeted by Dharma Group:
China, India, Italy, Japan, and Russia.
Figure 3. Countries targeted by Dharma Group.
On March 27, Dharma Group, posting as the user dharmasource, announced that it was selling the source code of its ransomware for $2,000 USD per download on the Russian-language forum XSS (formerly DamageLab). Following this widespread availability of the source code, Group-IB reported that amateur Iranian threat actors had targeted companies in Russia, Japan, China, and India with Dharma ransomware in June 2020, demanding ransoms of between 1 and 5 BTC.
Here is a list of CVEs, with their associated scores, related to Dharma Group’s attacks as tracked by Blueliv’s Threat Context solution.
Figure 4. Blueliv’s Threat Context solution tracks different CVEs and maps them to cybercriminal activities.
The multinational energy company Enel Group has also been hit by a ransomware attack for the second time this year, this time by Netwalker, which is demanding a $14 million ransom for the decryption key and for not releasing several terabytes of stolen data. Enel is one of the largest players in the European energy sector, with more than 61 million customers in 40 countries. As of August 10, it ranked 87th in the Fortune Global 500, with revenue of almost $90 billion in 2019.
In September, the Hospital Moisès Broggi in Sant Joan Despí, Barcelona, fell victim to a ransomware attack that left its systems hijacked and held to ransom until the hospital agreed to pay for their release.
Access to radiology imagery, corporate email, and phone services was also frozen by the encryption, leaving medical staff to fall back on pen and paper to treat patients.
The insurance sector is a recurrent target for attackers. After Mapfre, SegurCaixa Adeslas has been fighting a ransomware attack for weeks. According to the Spanish newspaper El País, ‘Adeslas has been attacked with Revil, belonging to a new family of ransomware used by Russian cybercrime’.
Another threat actor gaining attention in 2020 is Ragnar Locker (a.k.a. Viking Spider). This group has used unorthodox methods to evade detection, such as terminating the services of Managed Service Provider (MSP) tools before encrypting, or deploying a Windows XP virtual machine (VM) on the victim’s device and running the ransomware inside it, out of sight of host-based security tools. Ragnar Locker targets organizations in the insurance, travel, energy, financial services, and construction sectors, as well as law firms, for financial gain.
In July, the travel agency CWT agreed to pay a staggering $4.5 million USD ransom to the actor after falling victim to its ransomware. Following the attack, the group boasted that it had stolen highly sensitive files and forced 30,000 computers in various countries offline. The attackers originally demanded $10 million USD but lowered the figure after negotiations with the victim.
The operators behind Ragnar Locker are highly skilled and use a wide variety of techniques to compromise companies, from exploiting vulnerabilities in public-facing infrastructure to spear-phishing employees into executing a malicious payload. They became active in December 2019 and have continued attacking and infecting companies in the year since.
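As an added example, not code from Ragnar Locker or from Blueliv, the script below hunts for the two evasion behaviours described above in process-creation telemetry: a burst of service stop or kill commands issued from one parent process, and the launch of a hypervisor binary on an endpoint. The records are constructed Sysmon Event ID 1 style tuples (timestamp, parent image, command line). The assumption that the XP VM is started through VirtualBox’s command-line tools (VBoxHeadless.exe, VBoxManage.exe) is mine, since the page does not say which hypervisor was used, and the service names, paths, VM name and thresholds are placeholders.

```python
"""Detect mass service termination and VM launches in process-creation telemetry.

Added example. Records are constructed Sysmon Event ID 1 style tuples; service
names, paths and the hypervisor assumption are placeholders, not page data.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    ("2020-07-20T03:10:00", r"C:\Windows\System32\cmd.exe", "net stop RmmAgent /y"),
    ("2020-07-20T03:10:01", r"C:\Windows\System32\cmd.exe", "net stop RemoteSupportSvc /y"),
    ("2020-07-20T03:10:02", r"C:\Windows\System32\cmd.exe", "sc stop BackupSvc"),
    ("2020-07-20T03:10:02", r"C:\Windows\System32\cmd.exe", "sc stop AVService"),
    ("2020-07-20T03:10:03", r"C:\Windows\System32\cmd.exe", "net stop SQLWriter /y"),
    ("2020-07-20T03:10:03", r"C:\Windows\System32\cmd.exe", "taskkill /f /im sqlservr.exe"),
    ("2020-07-20T03:10:04", r"C:\Windows\System32\cmd.exe", "net stop BackupSvc /y"),
    ("2020-07-20T03:15:00", r"C:\Windows\System32\mmc.exe", "net stop Spooler"),  # lone admin action
    ("2020-07-20T03:20:30", r"C:\Windows\System32\cmd.exe",
     r"C:\ProgramData\vbox\VBoxHeadless.exe --startvm xp"),  # assumed VirtualBox launch
    ("2020-07-20T03:21:00", r"C:\Windows\explorer.exe", r"notepad.exe C:\Users\a\notes.txt"),
]

# net stop <svc>, sc stop <svc>, taskkill ... /im <image>
STOP_PATTERN = re.compile(
    r'^(?:net1?(?:\.exe)?\s+stop\s+"?(?P<net>[^"\s]+)'
    r'|sc(?:\.exe)?\s+stop\s+(?P<sc>\S+)'
    r'|taskkill(?:\.exe)?\s+.*?/im\s+(?P<kill>\S+))',
    re.IGNORECASE,
)
VBOX_BINARIES = {"vboxheadless.exe", "vboxmanage.exe", "virtualbox.exe"}  # assumption
STOP_THRESHOLD = 5             # assumed: distinct targets per parent before alerting
WINDOW = timedelta(minutes=2)  # assumed: window in which the stops must occur


def stop_target(command_line):
    """Return the lower-cased service or image a stop/kill command targets, else None."""
    m = STOP_PATTERN.match(command_line.strip())
    if not m:
        return None
    return (m.group("net") or m.group("sc") or m.group("kill")).lower()


def detect_ragnar_style_evasion(events, threshold=STOP_THRESHOLD, window=WINDOW):
    """Return alerts: ('mass_service_stop', parent, sorted targets) and ('vm_launch', parent, cmdline)."""
    alerts = []
    per_parent = defaultdict(list)  # parent image -> [(ts, target)] inside the window
    flagged_parents = set()
    for ts_text, parent, cmdline in events:
        ts = datetime.fromisoformat(ts_text)
        target = stop_target(cmdline)
        if target:
            per_parent[parent].append((ts, target))
            per_parent[parent] = [(t, s) for t, s in per_parent[parent] if ts - t <= window]
            distinct = {s for _, s in per_parent[parent]}
            if len(distinct) >= threshold and parent not in flagged_parents:
                flagged_parents.add(parent)
                alerts.append(("mass_service_stop", parent, sorted(distinct)))
        # First token of the command line is the image; compare its basename.
        exe = ntpath.basename(cmdline.strip().split(None, 1)[0].strip('"')).lower()
        if exe in VBOX_BINARIES:
            alerts.append(("vm_launch", parent, cmdline))
    return alerts


if __name__ == "__main__":
    for alert in detect_ragnar_style_evasion(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct targets per parent within a short window separates an operator’s pre-encryption sweep from a single administrator restarting one service, and a hypervisor appearing on a workstation that has no business running one is worth an alert on its own; both fire here before any file is encrypted.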
CVE-2017-0213 is one vulnerability exploited by Ragnar Locker, as tracked in Blueliv’s Threat Context solution (see below).
Figure 5. Blueliv’s Threat Context solution tracks different CVEs and maps them to cybercriminal activities.
Ragnar Locker operators share a chat .onion URL with affected organizations as a platform for negotiating the ransom. If the company refuses to pay, the attackers publish the stolen data on the dark web.
Here is the list of countries targeted by Ragnar Locker:
Germany, Portugal, Spain, and the United States.
Figure 6. Countries targeted by Ragnar Locker.
On August 27, 2020, Netwalker Group (a.k.a. Mailto Group, Kazkavkovkiz, Kokoklock, Bugatti) ransomware encrypted systems of Argentina’s immigration agency (Dirección Nacional de Migraciones de la Argentina), halting border crossings for four hours. The Comprehensive Migration Capture System (SICaM), which handles international crossings, was particularly affected, resulting in delays to entry into and exit from Argentina. The victim later stated that the attack affected neither critical infrastructure nor confidential, sensitive, or corporate data.
According to Argentina’s cybercrime agency, the malware affected the system’s Windows-based files (primarily ADAD SYSVOL and SYSTEM CENTER DPM) and Microsoft Office files (Word, Excel, etc.) on users’ workstations and in shared folders.
Typically, Netwalker Group targets enterprises with a view to encrypting the Windows devices active on their networks. The group compromises systems with its custom Netwalker ransomware; historic initial access vectors include exposed or vulnerable RDP services, phishing emails, and impersonation of legitimate software.
Below is a list of CVEs leveraged by Netwalker Group to compromise systems.
Figure 7. List of CVEs leveraged by Netwalker Group to compromise systems.
Netwalker Group is represented by the threat actor “Bugatti” on the cybercriminal underground. Bugatti is sporadically active on the Exploit and XSS forums, where its activity is limited to updating the Netwalker thread. Its posts typically seek to recruit new affiliates, stating that the group is interested in people with experience on networks who already have access to compromised environments. The posts have also indicated that the group’s toolkit includes a PowerShell script capable of bypassing many AV products. On May 13, Bugatti announced a Tor site created to leak data from victim companies that refused to pay the Netwalker ransom.
Here is the list of countries targeted by Netwalker Group:
Argentina, Australia, Austria, Canada, Chile, France, Greece, Italy, India, Japan, Pakistan, Romania, Saudi Arabia, South Africa, Spain, Sweden, Thailand, the United Arab Emirates, the United Kingdom, and the United States.
Figure 8. Countries targeted by Netwalker Group.
In September, a major Chilean bank was forced to close its branches after falling victim to a ransomware attack, and a nationwide alert has since been issued to help Chilean organizations protect themselves from future ransomware campaigns. The group behind the attack was revealed to be REvil, a.k.a. Sodin, GOLD SOUTHFIELD, or, most famously, Sodinokibi. The Sodinokibi threat group is made up of the developers behind the eponymous Sodinokibi Ransomware-as-a-Service offering and some former affiliates of GandCrab ransomware, who moved to Sodinokibi to continue their attacks after the GandCrab developers publicly announced their “retirement” in May 2019. The first activity attributed to this group dates back to April 2019, when threat actors exploited CVE-2019-2725 (an Oracle WebLogic deserialization flaw) to install Sodinokibi ransomware.
Here is a list of CVEs exploited by Sodinokibi that can be found in Blueliv’s Threat Context module. When evaluating a CVE and its impact on an organization, it is important to consider factors beyond the base severity score, such as whether the vulnerability has been observed being exploited by threat actors in the wild. For this reason, Blueliv generates its own dynamic risk score for CVEs.
Figure 9. List of CVEs exploited by Sodinokibi that can be found in Blueliv’s Threat Context module.
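To make the point concrete, here is an added example (my own illustration, not Blueliv’s scoring model) of a dynamic risk score that layers threat context and the organization’s own exposure on top of the CVSS base score. It uses the two CVEs named on this page, CVE-2017-0213 and CVE-2019-2725, plus one constructed placeholder identifier, CVE-EXAMPLE-0001; the CVSS values, asset counts and weights are illustrative assumptions rather than looked-up figures.

```python
"""Dynamic CVE risk: CVSS base score plus threat evidence plus our own exposure.

Added example. Weights, CVSS values and asset counts are assumptions chosen to
illustrate the idea; CVE-EXAMPLE-0001 is a constructed placeholder identifier.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss_base: float          # CVSS v3 base score (illustrative placeholder values below)
    exploited_in_wild: bool   # exploitation observed by any actor, per the threat feed
    ransomware_actors: tuple  # ransomware groups the feed ties to this CVE
    exposed_assets: int       # assets in our own inventory still carrying it (assumed counts)
    internet_facing: bool     # whether any of those assets is reachable from the internet


def dynamic_risk(rec):
    """Blend static severity, threat evidence and exposure into one 0-10 score.

    Contributions: CVSS up to 5.0, threat evidence up to 4.0, exposure up to 3.0,
    capped at 10. A CVE absent from the estate keeps only its CVSS component.
    """
    severity = rec.cvss_base * 0.5
    threat = 2.5 if rec.exploited_in_wild else 0.0
    threat += min(1.0 * len(rec.ransomware_actors), 1.5)
    exposure = 0.0
    if rec.exposed_assets:
        exposure = 1.0 + (1.0 if rec.internet_facing else 0.0) + min(rec.exposed_assets / 20, 1.0)
    return round(min(severity + threat + exposure, 10.0), 2)


def priority_band(score):
    """Map a dynamic score to a remediation band (thresholds are assumptions)."""
    if score >= 8.5:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(records):
    """Return (cve_id, dynamic score, band) ordered by descending dynamic risk."""
    ranked = sorted(records, key=lambda r: (-dynamic_risk(r), r.cve_id))
    return [(r.cve_id, dynamic_risk(r), priority_band(dynamic_risk(r))) for r in ranked]


def cvss_only_order(records):
    """The ordering a plain CVSS sort would give, for comparison."""
    return [r.cve_id for r in sorted(records, key=lambda r: (-r.cvss_base, r.cve_id))]


SAMPLE_INVENTORY = [
    # Constructed placeholder: critical CVSS, but no known exploitation by anyone.
    CveRecord("CVE-EXAMPLE-0001", 9.1, False, (), 3, True),
    # Named on this page as exploited by Ragnar Locker; a local privilege escalation.
    CveRecord("CVE-2017-0213", 4.7, True, ("Ragnar Locker",), 40, False),
    # Named on this page as exploited by Sodinokibi in April 2019 (Oracle WebLogic).
    CveRecord("CVE-2019-2725", 9.8, True, ("Sodinokibi",), 2, True),
]


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE_INVENTORY))
    for cve_id, score, band in prioritize(SAMPLE_INVENTORY):
        print(f"{cve_id:18} {score:5.2f} {band}")
```

Under a CVSS-only sort the local privilege-escalation CVE comes last; once the evidence that a ransomware operator uses it and the number of affected hosts are weighed in, it moves ahead of the unexploited critical-rated placeholder. Feed the exploitation and actor fields from the threat-intelligence source and the exposure fields from your own asset inventory; the score is only as good as both inputs.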
In October this year, Japan’s Shionogi & Co. was hit by a cyberattack that led to a data breach, although no information about the COVID-19 vaccine it is developing was leaked. The REvil (Sodinokibi) ransomware group recently claimed the attack.
In January, the Sodinokibi group published data stolen from Artech Information Systems after the victim refused to pay the demanded ransom, and the group has since shown a continued willingness to name victims and release stolen information when a ransom is not paid. Sodinokibi discloses the stolen data on a dedicated dark web site, which remained active at the time of publishing. Later, in June, Sodinokibi was spotted scanning for point-of-sale (PoS) systems it intended to compromise.
Blueliv research indicates that, besides Chile, the Dominican Republic and Argentina have also been hit by this international actor.
Here is the list of countries targeted by Sodinokibi:
Argentina, Australia, Brazil, Canada, Chile, China, Germany, France, Italy, India, Indonesia, Japan, Mexico, Norway, Spain, South Korea, Sweden, Thailand, the United Arab Emirates, and the United States.
Figure 10. Countries targeted by Sodinokibi.
Advice and mitigation
It is abundantly clear that lockdown measures around the world have had no impact on threat groups’ productivity; if anything, groups have abandoned their more traditional routes in favour of faster, more targeted operations.
To reduce the risk of falling victim to the attacks favoured by these criminal groups, organizations should deploy tools that can detect the loss of employee, customer, or supplier credentials in real time, whether through malware, botnets, or data leaks.
Blueliv’s Credentials module offers this and more, proactively scouring the open, deep, and dark web for stolen passwords and turning those findings into actionable intelligence. This lets administrators reset passwords internally and notify affected customers to do the same before attackers can monetize the credentials.
Similarly, Blueliv’s Threat Context provides insights that help organizations run red-teaming exercises and develop training materials based on real threat scenarios, reducing the likelihood of a successful social engineering attack and bolstering incident response readiness at the same time.
Facing a potential ransomware attack, Blueliv’s Threat Context module can pivot from and correlate the initial indicator before it leads to a full breach. It draws on a database of more than 180 million items that lets users take an indicator of compromise (IOC) as a starting point and identify the associated malware, campaigns, exploited common vulnerabilities and exposures (CVEs), and the actor’s tools and tactics that correlate with it. From there, users can prioritize CVEs using a score-based analysis of the ransomware and correlate them with existing campaigns. Threat Context also allows users to hunt down malware via Blueliv’s sandbox analysis and receive in-depth analysis of the threat from the Blueliv Labs team.
Only by deploying sophisticated threat intelligence can organizations and government bodies the world over hope to defend against, avoid, or significantly mitigate ransomware attacks.