Cyber Threat Intelligence October 2020 © 2020 EMEA Cybersphere Center



  • Page 2 of 16

    INDEX

    1. Overview (page 02)

    2. Attack analysis (page 06)

    3. Threat actors (page 11)

    4. Recommendations (page 14)

  • Page 3 of 16

    1. OVERVIEW

  • Page 4 of 16

    Background

    Ransomware is malware that encrypts files on the infected machine and demands a ransom in exchange for a decryption key to recover the files.

    Since at least 2018, ransomware operators have moved from launching attacks against small targets to big game hunting (BGH) campaigns, targeting large corporations and government organizations in pursuit of lucrative payouts.

    Since late 2019, ransomware operators have adopted the double extortion technique, placing substantial pressure on organizations in order to increase the chances that the ransom is paid.

    The ransom demand is set at a level that is low enough to be payable, but high enough to make it worthwhile to the attacker.

    Ransomware is one of the most significant threats facing organizations and individuals today. The attacks conducted by ransomware operators are becoming increasingly sophisticated, more challenging to prevent, and more damaging to their victims.

    Before deploying the payload, the attackers extract large quantities of sensitive information and threaten to publish it unless the ransom fee is paid.

  • Page 5 of 16

    Finally, the attackers deploy the payload to encrypt files on the infected network and leave a ransom note.

    Impact: Relevant Attacks

    HEALTHCARE
    The SunCrypt gang conducted an attack against a university hospital and publicly disclosed an archive of 48,000 documents. Afterwards, a representative of the hospital contacted the attackers and negotiated the ransom to $670,000 to prevent the exposure of 240 GB of patient information.

    ENERGY & UTILITIES
    A Portuguese multinational electric power generator and distributor was compromised by RagnarLocker operators. According to the ransom note, the attackers extracted 10 TB of data and asked the company to pay a ransom of 1580 BTC (the equivalent of more than $10 million).

    TRANSPORTATION, HOSPITALITY & SERVICES
    RagnarLocker conducted an attack against the fifth largest travel management firm and allegedly exfiltrated 2 TB of data. The initial ransom demanded by the attackers was $10 million; however, the victim negotiated it down to $4.5 million.

    LEGAL
    REvil operators compromised a NYC law firm that offers legal services to people in the entertainment and media field. The attackers exfiltrated personal information of celebrity clients and auctioned it off on their blog, setting the starting bid at $600,000 with a blitz price of $600,000.

    TECHNOLOGY
    The operators behind Maze attacked several technology companies, including an American multinational corporation that provides IT services. According to the company, the attackers allegedly stole financial and sensitive personal information.

    STATE, LOCAL GOVERNMENT
    An Argentinian immigration agency suffered a NetWalker ransomware attack that temporarily halted border crossings into and out of the country. The attackers initially demanded a $2 million ransom; however, after seven days the ransom fee doubled to $4 million.

  • Page 6 of 16

    2. ATTACK ANALYSIS

    Impact

    Ransomware operators target all sectors and almost all countries, implying a HIGH risk to all entities around the globe.

    • Most of the affected organizations belong to the United States.

    • No evidence of entities belonging to countries from the former Soviet Union has been detected on data leak blogs.

    • Several ransomware groups agreed NOT to attack the healthcare sector during the COVID-19 crisis.

    THE MOST AFFECTED SECTORS

    16% | Retail, Wholesale & Distribution
    12% | Manufacturing
    9% | Industrial Products
    8% | Technology
    6% | Healthcare
    6% | Construction
    6% | Financial
    6% | Professional Services

  • Page 7 of 16

    © 2020 EMEA Cybersphere Center 2 Attack Diagram

    STAGE 1: Victim identification

    STAGE 2: Access to the infrastructure

    STAGE 3: Remote access

    STAGE 4: Network scanning

    STAGE 5: Lateral movement

    STAGE 7: Data encryption and ransom

    note

    STAGE 6: Data exfiltration

    In the reconnaissance stage the following factors

    increase the chances of suffering the attack:

    - The company has not suffered similar attacks before.

    - The access to a company’s infrastructure is

    announced or offered for sale in underground

    forums or markets.

    - The company has suffered a data breach.

    - The entity has remote access services exposed to the

    Internet (RDP, Citrix, etc.).

    This stage is carried out depending on the result

    of the investigation of the STAGE 1.

    The exposure of remote access services is the

    most common enter point, although the threat

    actors may choose to carry out simpler attacks

    such as the distribution of malicious email

    campaigns. To ensure remote access to the

    infected infrastructure for as long

    as possible, the attackers use

    tools like CobaltStrike, RMS or

    Empire.

    The attackers scan the compromised

    network in order to gather information

    about its infrastructure.

    To spread through the network, the

    attackers can use either system tools

    enabled in any company ("WMI", "PsExec"

    or "PowerShell”) or tools developed by

    themselves.

    Finally, attackers deploy the payload to

    encrypt files on the infected network and

    leave a ransom note.

    Attackers identify valuable and easily

    extractable files. As a rule, attackers steal,

    usually via FTP, documents, databases,

    and credentials.

    © 2020 EMEA Cybersphere Center 7

    The following diagram illustrates how threat actors perform a ransomware attack with data exfiltration.
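Stages 5 and 6 above are where a defender still has time to act before the payload runs. The following is an added example (not code from the report or from EMEA Cybersphere Center) of detection logic for those two stages, run over constructed sample records: process-creation events in a simplified Sysmon/Event ID 4688 layout, and network flow records in an assumed layout (timestamp, source host, destination IP, destination port, application label, bytes out). The tool names (PsExec, WMI, PowerShell) and the FTP exfiltration channel come from the report; the field layouts, host names, thresholds and sample data are assumptions.

```python
"""Detection logic for stage 5 (lateral movement with PsExec, WMI or
PowerShell) and stage 6 (bulk exfiltration over FTP) over constructed
records. Added example; the record layouts and thresholds are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records (simplified Sysmon/4688-style fields).
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Tools\PsExec.exe",
     "cmdline": "PsExec.exe <remote host> cmd.exe"},
    # PsExec installs a PSEXESVC service on the target; that process shows up there.
    {"host": "FS02", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"host": "WS07", "user": "CORP\\bob", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:<remote host> process call create <truncated>"},
    {"host": "WS09", "user": "CORP\\carol",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand <base64 blob>"},
    {"host": "WS09", "user": "CORP\\carol",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Reports"},
]

# Constructed flow records: (timestamp_s, src_host, dst_ip, dst_port, app, bytes_out).
# The app label is assumed to come from the flow exporter; passive-mode FTP data
# channels use ephemeral ports, so matching on port 21 alone would miss them.
FLOW_EVENTS: List[Tuple[int, str, str, int, str, int]] = [
    (1000, "FS02", "203.0.113.10", 21, "ftp", 2_000),
    (1010, "FS02", "203.0.113.10", 51234, "ftp-data", 900_000_000),
    (1400, "FS02", "203.0.113.10", 51240, "ftp-data", 1_200_000_000),
    (1500, "WS01", "198.51.100.5", 443, "https", 30_000),
    (2000, "WS03", "203.0.113.77", 21, "ftp", 50_000),
]
FTP_APPS = {"ftp", "ftp-data"}

WMI_REMOTE_EXEC = re.compile(r"process\s+call\s+create", re.IGNORECASE)
PS_ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)
PS_REMOTING = re.compile(r"\b(Invoke-Command|Enter-PSSession|New-PSSession)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def classify_process(event: Dict[str, str]) -> Optional[str]:
    """Return a lateral-movement tag for one process event, or None if benign."""
    image = _basename(event["image"])
    cmd = event["cmdline"]
    if image in ("psexec.exe", "psexec64.exe"):
        return "psexec"
    if image == "psexesvc.exe":            # the service side, seen on the target host
        return "psexec_service"
    if image == "wmic.exe" and WMI_REMOTE_EXEC.search(cmd):
        return "wmi_remote_exec"
    if image in ("powershell.exe", "pwsh.exe"):
        if PS_ENCODED.search(cmd):         # encoded payloads hide the real command
            return "powershell_encoded"
        if PS_REMOTING.search(cmd):
            return "powershell_remoting"
    return None


def flag_lateral_movement(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(host, user, tag) for every event that matches a lateral-movement pattern."""
    hits = []
    for e in events:
        tag = classify_process(e)
        if tag:
            hits.append((e["host"], e["user"], tag))
    return hits


def flag_bulk_ftp(flows, window_s: int = 3600, threshold_bytes: int = 500_000_000):
    """(src, dst, bytes) for each host pair whose FTP volume in any sliding
    window of window_s seconds reaches threshold_bytes (assumed: 500 MB/hour)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, app, nbytes in flows:
        if app in FTP_APPS:
            by_pair[(src, dst)].append((ts, nbytes))
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort()
        start, running, best = 0, 0, 0
        for ts, nbytes in recs:
            running += nbytes
            while recs[start][0] < ts - window_s:   # drop records older than the window
                running -= recs[start][1]
                start += 1
            best = max(best, running)
        if best >= threshold_bytes:
            alerts.append((src, dst, best))
    return alerts


if __name__ == "__main__":
    print(flag_lateral_movement(PROCESS_EVENTS))
    print(flag_bulk_ftp(FLOW_EVENTS))
```

The two checks complement each other: a file server that first shows a `PSEXESVC` launch and then pushes gigabytes over FTP to a single external address is the sequence the diagram describes, and correlating the host across both alerts is what turns two medium-severity signals into a high-severity one.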

  • Page 8 of 16

    Attack Vectors

    EXTERNAL SERVICES OF REMOTE ACCESS

    Remote Desktop Protocol (RDP): Threat actors use search engines to discover vulnerable machines connected to the internal network of the company. Once the machine is selected, the attacker uses brute-force techniques to gain access.

    Citrix: Threat actors use search engines to locate Citrix-type servers with poor security configuration that can be used as an entry point to the internal network of a company.

    MALWARE INFECTION

    The attackers use other malware, usually an InfoStealer, which involves launching malspam campaigns to obtain credentials from as many users and companies as possible, or impersonating the target company to compromise a specific user.

    VULNERABILITIES

    Ransomware operators exploit exposed vulnerabilities in order to gain access to the internal infrastructure of a company and compromise it.

    COMPROMISED ACCESSES

    Underground forums and markets: Cybercriminal forum members offer for sale access to organizations belonging to different sectors and countries, as well as credentials obtained by other types of malware, which can also be purchased on underground markets.
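The RDP vector above is a brute-force attack, and the defender-side signal for it is a burst of failed logons from one source followed, in the worst case, by a success. The following is an added example (not code from the report) of that detection rule over constructed Windows-style logon records. Event IDs 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the record layout, the source addresses, the window and the threshold are assumptions.

```python
"""Detect RDP brute-force attempts from constructed Windows logon records.
Added example, not the report's code; layout and thresholds are assumptions."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

RDP_LOGON_TYPE = 10        # logon type 10 = RemoteInteractive (RDP)
EVT_LOGON_FAILED = 4625
EVT_LOGON_OK = 4624

# Constructed records: (timestamp_s, event_id, source_ip, target_user, logon_type).
_SPRAYED_USERS = ["administrator", "admin", "backup", "svc_backup", "jsmith"]
LOGON_EVENTS: List[Tuple[int, int, str, str, int]] = (
    # 25 failures in ~100 s from one source, rotating through several accounts ...
    [(i * 4, EVT_LOGON_FAILED, "198.51.100.23", _SPRAYED_USERS[i % 5], RDP_LOGON_TYPE)
     for i in range(25)]
    # ... followed by a successful RDP logon from the same source
    + [(120, EVT_LOGON_OK, "198.51.100.23", "svc_backup", RDP_LOGON_TYPE)]
    # a user mistyping a password twice, then getting in: normal behaviour
    + [(500, EVT_LOGON_FAILED, "10.0.0.5", "jsmith", RDP_LOGON_TYPE),
       (510, EVT_LOGON_FAILED, "10.0.0.5", "jsmith", RDP_LOGON_TYPE),
       (520, EVT_LOGON_OK, "10.0.0.5", "jsmith", RDP_LOGON_TYPE)]
    # a console (logon type 2) failure, outside the scope of this rule
    + [(600, EVT_LOGON_FAILED, "10.0.0.9", "bob", 2)]
)


def detect_rdp_bruteforce(events, window_s: int = 300, fail_threshold: int = 20):
    """Flag source IPs with >= fail_threshold failed RDP logons inside a sliding
    window of window_s seconds. Returns a list of
    (source_ip, max_failures_in_window, distinct_users, success_after_alert)."""
    recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    alerts: Dict[str, list] = {}
    for ts, event_id, src_ip, user, logon_type in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        q = recent[src_ip]
        while q and q[0][0] < ts - window_s:      # expire failures outside the window
            q.popleft()
        if event_id == EVT_LOGON_FAILED:
            q.append((ts, user))
            if len(q) >= fail_threshold:
                users = len({u for _, u in q})
                if src_ip not in alerts:
                    alerts[src_ip] = [len(q), users, False]
                else:
                    alerts[src_ip][0] = max(alerts[src_ip][0], len(q))
                    alerts[src_ip][1] = max(alerts[src_ip][1], users)
        elif event_id == EVT_LOGON_OK and src_ip in alerts:
            # A success after the burst is the strongest signal: the guess probably
            # worked, so the account needs an immediate credential reset.
            alerts[src_ip][2] = True
    return [(ip, f, u, ok) for ip, (f, u, ok) in alerts.items()]


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(LOGON_EVENTS):
        print(alert)
```

The distinct-user count separates a password spray (many accounts, few attempts each) from a classic brute force against one account; both exceed the failure threshold, but the response differs, since a spray means every listed account should be checked for a weak password rather than just the one that finally succeeded.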

  • Page 9 of 16

    Data Leakage

    Ransomware operators have developed different methods to disclose the stolen data belonging to victims who refused to pay the extortion fee.

    DEEP/DARK WEB

    Some ransomware affiliates disclose the stolen data on underground forums.

    Figure caption: LockBit affiliate threatening a company to release its data in 7 days if the ransom is not paid.

    Figure caption: Maze group warning victims that valuable information will be sold on a dark market.

    DATA LEAK BLOGS

    Many ransomware operators have their own data leak blogs to publish the exfiltrated data.

    These data leak blogs usually contain a list of victims, with a dedicated page that includes additional information related to each entity listed, like a brief description of the entity, some samples of stolen data and, in some cases, the lock date and the total amount of exfiltrated information.

    Ransomware operations that run data leak sites: Ako, Avaddon, Egregor, Clop, Conti, DarkSide, DoppelPaymer, LockBit, Maze, MountLocker, Nemty, Nefilim, NetWalker, Pysa, RagnarLocker, REvil, Sekhmet, Snatch, and SunCrypt.

    SALE

    Some valuable data exfiltrated from the infected network can be sold either on Deep/Dark markets or forums, or to third parties/direct competitors.

    AUCTION

    REvil operators created an auction section on their data leak blog, “Happy Blog Auction”, to monetize the stolen data.

    The auction is available only to registered users, and registration is required for each auction separately. If no one shows interest in the auctioned files before the auction time is over, they will be published on the blog.

  • Page 10 of 16

    Double extortion stakeholder map

    MITRE ATT&CK FRAMEWORK

    The following table shows the most used and relevant techniques employed by ransomware operators. These techniques have been used both by the most active ransomware families and in the attacks carried out. All these techniques could pose a high risk, meaning protection measures must be improved to prevent them.

  • Page 11 of 16

    3. THREAT ACTORS

  • Page 12 of 16

    Maze cartel

    MAZE (May 2019)
    Private operation/Affiliate program
    DATA LEAK BLOG

    Maze ransomware is one of the most notorious ransomware groups. The operators behind Maze began combining ransomware attacks with exfiltrating data from the compromised network to publish it on their data leak blog if the ransom is not paid. Their presence on underground forums is limited.

    Highlights
    - Implemented the double-extortion technique by launching the first data leak site.
    - Created the “Maze cartel”.

    LOCKBIT (September 2019)
    Public operation/Affiliate program
    DATA LEAK BLOG

    LockBit ransomware is being distributed on underground forums by the Russian-speaking user “LockBit”.
    - Affiliates cannot attack organizations from the former Soviet Union.
    - English-speaking affiliates need a Russian-speaking guarantor.
    - The terms of rent are negotiated with each affiliate individually.

    Highlights
    - First group to join the “Maze cartel”.
    - Recently launched its own data leak site.

    RAGNARLOCKER (December 2019)
    Private operation/Affiliate program
    DATA LEAK BLOG

    RagnarLocker ransomware, a relatively new operation, joined the Maze cartel at the beginning of June 2020 and was detected to have used Maze’s infrastructure to publish exfiltrated information. According to the characteristics of this malware, its development is associated with Eastern European cybercriminals.

    Highlights
    - Joined the “Maze cartel”.
    - First to run ransomware inside a virtual machine to avoid detection.

  • Page 13 of 16

    Relevant Ransomware Operations

    NETWALKER (September 2019)
    Public operation/Affiliate program
    DATA LEAK BLOG
    CUSTOMIZED VICTIM’S PAGE

    NetWalker is considered one of the most successful ransomware groups. The software is distributed as Ransomware-as-a-Service on hacker forums by a Russian-speaking member, “Bugatti”.

    Affiliates can get 80% of the payments, or even 84% if the previous week’s earnings were above $300,000.

    According to the authors, they:
    - Give preference to those who work with large networks and have their own material.
    - Are interested in hiring Russian-speaking affiliates.

    Highlights
    - Implemented a customized page for victims to chat with the attackers, decrypt some files for free and proceed with the ransom payment.
    - Added a section on the customized victims page with screenshots of stolen data as proof.

    REVIL (aka Sodinokibi) (April 2019)
    Public operation/Affiliate program
    DATA LEAK BLOG
    AUCTION SITE

    REvil (aka Sodinokibi) is a notorious ransomware family that operates publicly as Ransomware-as-a-Service and is being distributed on underground hacker forums by a Russian-speaking member under the handle “UNKN” (Unknown).

    The terms of the rent are:
    - Start: 70% affiliates / 30% developers
    - After the first 3 payments: 75/25
    - If the profit is higher than $1 million per week: 80/20

    Highlights
    - Implemented an auction section on their data leak blog to monetize the stolen data.
    - Recently, the authors started seeking partners on Russian-language hacking forums and made a $1 million deposit on the XSS.is forum.
    - Do NOT collaborate with English-speaking partners.

  • Page 14 of 16

    4. RECOMMENDATIONS

  • Page 15 of 16

    Recommendations

    - Have a correct policy for removing users who are no longer part of the organization.
    - Disable direct access to Citrix systems from the outside with an administrator user.
    - Do not allow Internet communication by PowerShell, and uninstall versions prior to PowerShell v5.
    - Block or disable ports and services that are not in use.
    - Apply measures to prevent credential dumping from “Lsass”.
    - Kerberos hardening.
    - Keep an inventory of the scheduled tasks existing on the systems and monitor their executions.
    - Implement DLP and encryption of stored data.
    - Have blocking rules for the mass change of file types.
    - Keep backups isolated from the corporate network.
    - Establish mechanisms for monitoring changes in registry keys.
    - If not necessary for the operation, disable RDP access. Otherwise, establish service monitoring mechanisms, strengthen security controls, and avoid exposure to the Internet as much as possible.
    - Strengthen web content filtering to prevent the download of executable or compressed files and visits to unauthorized file-sharing sites.
    - Consider restricting some PowerShell functionality in the company, or establishing strong monitoring measures.
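The recommendation to have blocking rules for the mass change of file types relies on the one behaviour every encryption run shares: a single account rewriting many files, in seconds, to an extension the share has never seen. The following is an added example (not code from the report) of that heuristic over constructed file-activity records, of the kind a file-server audit log or an EDR agent produces; the record layout, the host and user names, the ".locked" extension and the window/threshold values are all assumptions.

```python
"""Heuristic for the "mass change of file types" recommendation: flag an
account that renames many files to a different extension inside a short
window. Added example, not the report's code; data and thresholds are assumed."""
from collections import Counter, defaultdict
from typing import List, Tuple

# Constructed file-activity records: (timestamp_s, host, user, op, old_path, new_path).
FILE_EVENTS: List[Tuple[int, str, str, str, str, str]] = [
    # ordinary activity: a handful of renames and creates spread over a day
    (3600, "WS02", "CORP\\bob", "rename", r"C:\Users\bob\notes.txt", r"C:\Users\bob\notes.md"),
    (7200, "WS02", "CORP\\bob", "create", "", r"C:\Users\bob\budget.xlsx"),
    (9000, "WS02", "CORP\\bob", "rename", r"C:\Users\bob\draft.docx", r"C:\Users\bob\final.docx"),
] + [
    # encryption run: one account rewrites a whole share folder within seconds
    (10_000 + i * 2, "WS01", "CORP\\alice", "rename",
     rf"\\FS02\shares\finance\q3_{i}.xlsx", rf"\\FS02\shares\finance\q3_{i}.xlsx.locked")
    for i in range(12)
]


def _ext(path: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect_mass_extension_change(events, window_s: int = 60, threshold: int = 10):
    """Per (host, user), count renames that change the extension inside a sliding
    window of window_s seconds. Returns (host, user, max_count, dominant_new_ext)
    for every account whose peak count reaches threshold."""
    per_key = defaultdict(list)
    for ts, host, user, op, old_path, new_path in events:
        if op != "rename":
            continue
        new_ext = _ext(new_path)
        if _ext(old_path) != new_ext:          # draft.docx -> final.docx is not counted
            per_key[(host, user)].append((ts, new_ext))

    alerts = []
    for (host, user), recs in per_key.items():
        recs.sort()
        window: Counter = Counter()            # new extension -> count inside the window
        start = 0
        best_count, best_ext = 0, ""
        for ts, new_ext in recs:
            window[new_ext] += 1
            while recs[start][0] < ts - window_s:   # slide the window forward
                window[recs[start][1]] -= 1
                start += 1
            total = sum(window.values())
            if total > best_count:
                best_count, best_ext = total, window.most_common(1)[0][0]
        if best_count >= threshold:
            alerts.append((host, user, best_count, best_ext))
    return alerts


if __name__ == "__main__":
    for host, user, count, ext in detect_mass_extension_change(FILE_EVENTS):
        print(f"{host} {user}: {count} extension changes in one window, mostly to {ext!r}")
```

A blocking rule built on this alert would suspend the flagged account's write access to the share and quarantine the host; the dominant new extension in the alert is also a quick pivot, since it usually matches the marker the ransom note refers to.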

  • Page 16 of 16

    Copyright © 2020 Deloitte CyberSOC EMEA Center, S.L.

    3. Reproduction, public communication, or transformation, in whole or in part, free of charge or for a fee, and by any means or procedure, is prohibited without CyberSOC EMEA Center, S.L.’s prior written consent.

    5. This report is strictly confidential and for internal use of the company only. It must not be shared with third parties or be made accessible to them. Also, no reference to this report should be made in communications without our prior written consent.

    6. This report has been prepared in accordance with the terms stated in the contract that includes the Proposal and the Annex of General Terms and Conditions.

    7. Deloitte is not responsible for the updating process of this document’s content, which should be performed as a consequence of facts or circumstances that occurred after this document was created.

    8. Assessing and making any decisions to implement change based on conclusions included in this report is the sole responsibility of the client’s board of directors.

    9. CyberSOC EMEA Center S.L. does not control the functioning, reliability, availability, or security of email servers. We will therefore not be responsible for any loss, damage, or injury caused by loss, delay, interception by third parties, corruption or modification of the content of this report.

    If there is any conflict or contradictory aspect between the electronic and the physical version of the document, the physical version shall prevail.