This week in ransomware – Friday the 13th edition, 2022
Bad luck for everyone – ransomware is an ever-evolving adversary
A recent report from Telus noted that “ransomware has evolved in sophistication at a dizzying pace. Ransomware malware is becoming more advanced, distribution is becoming more targeted, and tactics are continuously evolving to extort the greatest ransom from victims.”
Sourced from the study which can be downloaded from www.telus.com/RansomwareStudy. (Registration required)
This week we saw how ransomware has evolved technically and in terms of its application and reach. Gangs are making their malicious software more platform independent, and at the same time developing proprietary solutions to replace commonly available programs. Ransomware has expanded into global conflicts, being used as a weapon of war. Yet it’s still a deadly threat to private and public companies. This week it dealt a death blow to an institution that had survived for 157 years – through global pandemics, the Great Depression, world wars and the financial crisis of 2008.
Ransomware – an open and closed case
Ransomware gangs are now developing their code in cross-platform languages such as Rust or Golang. With these languages, their malware can spread beyond Windows. Writing malware in a cross-platform language makes it easier to port it to other platforms such as Linux, iOS and Android. In addition, the analysis of cross-platform binaries is a bit harder for defenders than that of malware written in plain C.
In a seeming contradiction, at the same time as ransomware gangs are using open and cross-platform tools, they are also moving away from publicly available tools for data exfiltration, such as FileZilla, and developing their own custom – and faster – tools. This week we heard that the ransomware gang LockBit created their own proprietary tool called StealBit.
Sourced from an article in ITWorldCanada.com
Managed service providers – which side are you on? (Hint: It doesn’t matter)
It has long been assumed that Russia was supporting, or at least turning a blind eye to, ransomware groups. So it was no surprise that the Conti gang, headquartered in Russia, would threaten to retaliate with full capabilities against any “enemy’s” critical infrastructure if Russia became a target of cyberattacks. This is a rare example of a cybercriminal group supporting a nation-state publicly.
While Russia may have its supporters, there are other communities such as Anonymous, IT Army of Ukraine, and Belarusian Cyber Partisans openly supporting Ukraine. One of those groups launched a “steal and reveal” campaign that shared chats and other internal Conti-related information online.
The problem, as some analysts have pointed out, is that these conflicts will undoubtedly escalate to threaten nations and corporations who are perceived to be on one side or another of the conflict. That will spill over to those who are simply resident in a country which is on an “opposite side.” This week the “Five Eyes,” a group representing the United Kingdom, Canada, Australia, New Zealand and the United States, issued a stark warning to Managed Service Providers (MSPs), noting that they were being targeted by state-sponsored groups.
Sourced from a research report on new ransomware trends.
School’s out forever
Can ransomware kill an institution? Lincoln College in rural Illinois announced it will be closing later this month after 157 years, after a ransomware attack. In more than a century and a half of operation, the college survived a major fire in 1912, the Spanish flu, the Great Depression, two World Wars, and even the 2008 global financial crisis.
It is true that COVID-19 had already devastated the school financially. But the recent ransomware attack proved to be the death blow from which the school could not recover.
In the words of Alice Cooper, “school’s out forever.”
Sourced from an article in Bleeping Computer