With the Coronavirus pandemic, healthcare organisations, their suppliers, government agencies, and educational software providers have been targeted by cyber-criminal gangs. Microsoft cyber-crime researchers observed that the gangs were in the final stage of their attacks on these organisations in the first half of April. Here are the tactics they observed:
The cyber criminals’ main attack tactic is the “smash-and-grab” approach: they trick victims into opening a malicious spreadsheet attached to an email. When the spreadsheet is opened, the ransomware is released and begins encrypting every file on the system. The victim may then receive a ransom note like the one below:
While advanced attackers typically take their time and use sophisticated network-penetration tactics, each cyber-criminal gang uses its own tools and techniques. Microsoft’s cyber-crime researchers organised the tactics they found the gangs using as follows:
The “Payload” column lists 10 sophisticated ransomware families.
RobbinHood: Privileged credentials such as local administrator accounts with shared common passwords, and service accounts with domain admin privileges are typically compromised with an RDP brute-force attack.
Vatet loader: This typically targets hospitals, aid organisations, insulin providers, and medical device manufacturers, exploiting a vulnerability in Citrix ADC and Gateway.
NetWalker: This typically hits hospitals and healthcare providers with COVID-19 themed emails.
PonyFinal: Privileged credentials are obtained, persistence is established, and Microsoft PowerShell is used to create a reverse shell for remote access.
Maze: This notorious ransomware is regularly spread via email.
Sodinokibi, AKA REvil: This is a credential-theft tool; once inside the network, lateral movement and reconnaissance are performed.
In the first half of April, the following four ransomware were identified.
Paradise: This is a crypto-locking malware that was formerly distributed by email. It is now being used in more advanced attacks.
RagnarLocker: This is installed on victims’ networks using stolen credentials.
MedusaLocker: This is deployed via TrickBot infections.
LockBit: This is used by attackers who rely on CrackMapExec, a public penetration-testing tool that allows lateral movement across compromised networks.
Disturbingly, Microsoft warns that the ransomware outbreaks observed this month were cyber-crime projects that had begun several months earlier. The gangs waited for a prime moment to maximise their financial gain. This behaviour, taking action weeks or months after the initial compromise, is their “modus operandi”, and it is now the norm for cyber gangs.
So, what can we do to shield ourselves against these advanced sneak attacks? We must keep a continuous watch for signs that attackers have penetrated the network, and raise awareness among employees of the new tactics described here.
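Two of the footholds listed above leave a recognisable trail in Windows Security logs: the RDP brute-force against shared local-admin and service-account passwords (RobbinHood) shows up as a burst of failed logons (Event ID 4625, logon type 10) from one source against several accounts, often followed by a success (4624); the CrackMapExec-style lateral movement (LockBit) shows up as one account authenticating over the network (4624, logon type 3) to many hosts in a short window. The script below is an added example, not code from the article or from Microsoft. It assumes a simplified CSV rendering of those events (timestamp, event ID, logon type, account, source IP, target host), uses constructed sample log lines, and the thresholds (window sizes, failure and host counts) are illustrative starting points that a team would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data), in a simplified CSV form:
# timestamp,event_id,logon_type,account,source_ip,target_host
# Event ID 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP); logon type 3 = Network (SMB/WMI,
# the channel CrackMapExec-style tooling uses between hosts).
SAMPLE_LOG = """\
2020-04-03T02:00:01,4625,10,Administrator,203.0.113.7,SRV-FILE01
2020-04-03T02:00:09,4625,10,Administrator,203.0.113.7,SRV-FILE01
2020-04-03T02:00:17,4625,10,Administrator,203.0.113.7,SRV-FILE01
2020-04-03T02:00:25,4625,10,svc_backup,203.0.113.7,SRV-FILE01
2020-04-03T02:00:33,4625,10,svc_backup,203.0.113.7,SRV-FILE01
2020-04-03T02:00:41,4625,10,jsmith,203.0.113.7,SRV-FILE01
2020-04-03T02:00:49,4625,10,jsmith,203.0.113.7,SRV-FILE01
2020-04-03T02:00:57,4625,10,svc_backup,203.0.113.7,SRV-FILE01
2020-04-03T02:01:05,4625,10,svc_backup,203.0.113.7,SRV-FILE01
2020-04-03T02:01:20,4624,10,svc_backup,203.0.113.7,SRV-FILE01
2020-04-03T08:15:00,4625,10,jsmith,198.51.100.20,SRV-FILE01
2020-04-03T08:15:12,4625,10,jsmith,198.51.100.20,SRV-FILE01
2020-04-03T08:15:30,4624,10,jsmith,198.51.100.20,SRV-FILE01
2020-04-03T02:30:00,4624,3,svc_backup,10.0.0.15,WS-01
2020-04-03T02:30:05,4624,3,svc_backup,10.0.0.15,WS-02
2020-04-03T02:30:11,4624,3,svc_backup,10.0.0.15,WS-03
2020-04-03T02:30:16,4624,3,svc_backup,10.0.0.15,WS-04
2020-04-03T02:30:22,4624,3,svc_backup,10.0.0.15,SRV-DC01
2020-04-03T09:00:00,4624,3,jsmith,10.0.0.22,SRV-FILE01
"""


def parse_events(text):
    """Parse the simplified CSV log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, ltype, account, src, host = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype), "account": account,
                       "source_ip": src, "target_host": host})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, window=timedelta(minutes=10),
                          min_failures=8, min_accounts=3):
    """Flag a source that fails RDP logons repeatedly against several accounts
    inside `window`, and record whether a success followed the burst."""
    failures = defaultdict(list)   # source_ip -> [(ts, account)], time-ordered
    successes = defaultdict(list)  # source_ip -> [ts]
    for e in events:
        if e["logon_type"] != 10:
            continue
        if e["event_id"] == 4625:
            failures[e["source_ip"]].append((e["ts"], e["account"]))
        elif e["event_id"] == 4624:
            successes[e["source_ip"]].append(e["ts"])
    alerts = []
    for src, fails in failures.items():
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f[0] - fails[i][0] <= window]
            accounts = {acct for _, acct in burst}
            if len(burst) >= min_failures and len(accounts) >= min_accounts:
                last_fail = burst[-1][0]
                guessed = any(last_fail <= s <= last_fail + window
                              for s in successes[src])
                alerts.append({"source_ip": src, "failures": len(burst),
                               "accounts": sorted(accounts),
                               "success_after_burst": guessed})
                break  # one alert per source is enough for triage
    return alerts


def detect_lateral_fanout(events, window=timedelta(minutes=5), min_hosts=4):
    """Flag one account from one source host authenticating over the network
    (logon type 3) to many distinct hosts inside `window`."""
    by_actor = defaultdict(list)  # (account, source_ip) -> [(ts, host)]
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_actor[(e["account"], e["source_ip"])].append(
                (e["ts"], e["target_host"]))
    alerts = []
    for (account, src), logons in by_actor.items():
        for i in range(len(logons)):
            hosts = {h for ts, h in logons[i:] if ts - logons[i][0] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"account": account, "source_ip": src,
                               "hosts": sorted(hosts)})
                break
    return alerts


def run_detections(log_text=SAMPLE_LOG):
    """Run both detectors over a log and return their alerts."""
    events = parse_events(log_text)
    return {"rdp_bruteforce": detect_rdp_bruteforce(events),
            "lateral_fanout": detect_lateral_fanout(events)}


if __name__ == "__main__":
    for name, found in run_detections().items():
        print(name, found)
```

On the constructed sample the first detector raises one alert for 203.0.113.7 (nine failures across three accounts, then a successful logon as svc_backup, which is the case worth paging on), while the two mistyped-password failures from 198.51.100.20 stay below threshold. The second detector raises one alert for svc_backup from 10.0.0.15 reaching five hosts in under a minute. Running both over the same log is what ties the story together: a guessed service-account password followed by that same account fanning out across workstations and a domain controller is the weeks-early foothold the article says the gangs sit on before deploying the payload.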