US Companies Hit With A New Ransomware Campaign

Uploaded on 2020-07-13 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

Large US businesses and other organisations are under sustained attack and are faced with the risk of enormous ransom demands for unlocking encryped and stolen data. The hacking group known as Evil Corp. has hit at least 31 organisations in cyber attack to date (over twenty of these are US organisations, several of them Fortune 500 companies) were attacked  a dangerous new strain of ransomware called WastedLocker.

Ransomware attacks continue to rise, and organisations that pay the hackers in hopes of unlocking their files often find themselves both out of luck and victims of future attacks, according to a Report from security firm SentinelOne.

Ransomware is designed to completely encrypt a victim’s file system, potentially causing an irreversible loss of data. Second, an increasing number of cyber-criminals are utilising ransomware to extract money out of victims. Evil Corp were previously associated to the Dridex malware and BitPaymer ransomware, the latter came to prominence in the first half of 2017. Recently Evil Corp has changed a number of TTPs related to their operations.

Had the attacks succeeded, they could have resulted in millions of dollars in damages to the organisations and potentially had a major impact on supply chains in the US,according to the experts at Symantec. Among those affected were five organisations in the manufacturing sector, four IT companies, and three media and telecommunications firms.

Organisations in multiple other sectors, including energy, transportation, financial services, and healthcare, were also affected. In each instance, the attackers managed to breach the networks of the targeted organisations and were preparing to deploy the ransomware when they were detected and stopped.

Symantec described the attacks as being carried out by Evil Corp., a Russian cybercrime group that has been previously associated with the Dridex banking Trojan and the BitPayment ransomware family. Last December, US authorities indicted two members associated with the group, Maksim Yakubets and Igor Turashev, in connection with their operation of Dridex and the Zeus banking Trojans.

The two, along with other conspirators, are alleged to have attempted theft of a staggering $220 million and caused $70 million in actual damages. The US Department of State's Transnational Organised Crime (TOC) Rewards Program has established an unprecedented $5 million bounty for information on Yakubets. Both men remain at large.

Dangerous Campaign

The NCC Group, which published a report on the WastedLocker campaign, said its investigations showed the ransomware has been in use at least since May and was likely in development several months before that. Evil Corp. has typically targeted file servers, database services, virtual machines, and cloud environments in its ransomware campaigns. They have also shown a tendency to disrupt or disable backup systems and related infrastructure where possible to make recovery even harder for victims.

Symantec said its investigation shows the attackers are using a JavaScript-based malware  to gain an initial foothold on victim networks. The malware is being distributed in the form of a zipped file via at least 150 legitimate, but previously compromised, websites and malware masquerades as a browser update and lays the groundwork for the computer to be profiled. The attackers then use PowerShell to download and execute a loader for Cobalt Strike Beacon, a penetration-testing tool that attackers often use in malicious campaigns.

The tool is being used to execute commands, inject malicious code into processes or to impersonate them, download files, and carry out other various tasks that allow the attackers to escalate privileges and gain control of the infected system.

As with many current malicious campaigns, the attackers behind WastedLocker have been leveraging legitimate processes and functions, including PowerShell scripts and the Windows Management Instrumentation Command Line Utility (wmic dot exe) in their campaign, Symantec said.

To deploy the ransomware itself, the attackers have been using the Windows Sysinternals tool PsExec to launch a legitimate command line tool for managing Windows Defender (mpcmdrun.exe). This disables scanning of all downloaded files and attachments and disables real-time monitoring, Symantec said. "It is possible that the attackers use more than one technique to perform this task, since NCC reported suspected use of a tool called SecTool checker for this purpose," Symantec said.

The ransomware deploys after Windows Defender and all associated services have been stopped across the organisation, the vendor noted. "A successful attack could cripple the victim's network, leading to significant disruption to their operations and a costly clean-up operation," Symantec warned.

Given the whole purpose of ransomware is to extract money from victims, total loss values are causing the  insurance industry  to become increasingly alarmed. 

According to some sources ransomware grew 56 percent in the past four quarters. Unfortunately, ransomware isn’t going anywhere fast. Cyber-criminals have learned just how lucrative encrypting data can be. Other forms of security threats still exist, data breaches in particular, but criminals who want to extract an easy buck are regularly turning to readily-available ransomware packages.

Symnatec:      Bloomberg:      Dark Reading:     NCC Group:        Heatth IT Security:      TechRepublic:     SentinelOne:   

You Might Also Read:

Hackers Extort $1.14m From University of California:

 

« Cyber Security Technology To Protect Autonomous Vehicles
Attacks On Financial Services Are Increasingly Sophisticated »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Techmeme

Techmeme

Techmeme is an online news curation service focused on leading edge technology, including cyber security.

Niksun

Niksun

Niksun's forensics-based cyber security and network performance monitoring products provide customers with actionable insight into security threats, performance issues, and compliance risks.

Gilbert + Tobin

Gilbert + Tobin

Gilbert + Tobin is an Australian corporate law firm serving clients throughout Australia, and around the world, on a broad range of legal issues including cyber security.

Joint Accreditation System of Australia and New Zealand (JASANZ)

Joint Accreditation System of Australia and New Zealand (JASANZ)

JASANZ is the joint national accreditation body for Australia and New Zealand. The directory of members provides details of organisations offering certification services for ISO 27001.

ISTC Foundation

ISTC Foundation

ISTC Foundation is one of the leading innovation centers in Armenia, founded by joint initiative of IBM, USAID, Armenian Government and Enterprise Incubator Foundation.

Searchlight Cyber

Searchlight Cyber

Searchlight Cyber is a leading darknet intelligence company. Working with law enforcement, industry, and end users to help protect society against the threats of the darknet.

Route1

Route1

Route1 is an advanced provider of secure data intelligence solutions to drive your business forward.

CyberQP

CyberQP

CyberQP (formerly Quickpass Cybersecurity) provide Privileged Access Management built for MSPs. Our system is designed to reduce ransomware and social engineering attack risks.

Intelligent CloudCare

Intelligent CloudCare

Intelligent CloudCare, a division of IPS, is a full IT Services provider serving the needs of SMBs in the metropolitan New York City region.

Protelion

Protelion

The Protelion Security Platform is uniquely architected to deliver security solutions that combine greater protection, flexibility, and performance.

Filigran

Filigran

Filigran provides threat intelligence, adversary simulation and crisis response open solutions to thousands of cybersecurity and crisis management teams across the world.

Hetz Ventures

Hetz Ventures

Hetz Ventures is a global-facing VC investing in highly talented and ambitious Israeli founders who operate at the cutting edge of deep technology.

Positka FSI Pte Ltd

Positka FSI Pte Ltd

Positka, being a Splunk Singapore partner, provides Splunk & Phantom Services, Cybersecurity & Risk Management, Analytics & Big Data, Lean Process Optimization, and Managed Security Services.

nandin Innovation Centre

nandin Innovation Centre

nandin is ANSTO’s Innovation Centre (Australian Nuclear Science and Technology Organisation) where science and technology entrepreneurs, startups and graduates come together.

Klarytee

Klarytee

Protect your data wherever it goes. Klarytee is a SaaS platform that builds security into sensitive content to enable granular control in AI, public cloud and SaaS.

Razilio

Razilio

Razilio is a boutique cybersecurity consultancy located in Sydney, Australia and serving the world.