The latest findings from FortiGuard Labs represent the collective intelligence drawn from a vast array of network sensors collecting billions of threat events each day, observed in live production environments around the world. According to independent research, Fortinet has the largest security device footprint in the industry. This unique vantage offers excellent views of the cyber threat landscape from multiple perspectives.
The Runaway Ransomware Threat
Ransomware attacks grew sevenfold in 2020, the report found. Data showed a substantial increase in overall ransomware activity compared to 1H 2020. In fact, FortiGuard Labs analyzed the activity for all signatures that it has at one time or another classified as ransomware, which showed a sevenfold increase in ransomware activity in December compared to July 2020.
Figure: Daily number of devices detecting ransomware variants in 2H 2020.
Among the most active of the ransomware strains tracked in 2H 2020 were Egregor, Ryuk, Conti, Thanos, Ragnar, WastedLocker, Phobos/EKING, and BazarLoader. The common trend among them was an increase in activity over the period.
Threat actors have discovered that cryptolocking critical systems and demanding a ransom for the decryption key is a relatively easy way to extort money from organizations regardless of size or the industry to which they belong. This more targeted and sinister form of ransomware scheme has come to be known as “big game hunting.” It’s been all the rage with the ransomware gangs throughout 2020 and the larger paydays netted by such schemes virtually ensure the trend won’t go away anytime soon.
Many adversaries took advantage of the disruptions caused by the COVID-19 pandemic to ramp up ransomware attacks against organizations in the healthcare sector in particular. In October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services, and the FBI issued a joint advisory warning U.S. hospitals and healthcare services of increased ransomware activity involving TrickBot and BazarLoader malware—both of which we tracked in 2H 2020.
Other sectors that were also heavily targeted in ransomware attacks in 2H 2020 included professional services firms, consumer services companies, public sector organizations, and financial services firms.
Figure: Daily detections of select ransomware strains of interest in 2H 2020.
Multiple trends characterized the ransomware activity that FortiGuard Labs and others observed in 2H 2020.
One of the most troubling was the steady increase in ransomware attacks that involved data exfiltration and the subsequent threat to release the data if a ransom was not paid. The use of data theft as additional leverage in ransomware campaigns really only emerged as an adversary tactic in early 2020 but became part of a majority of attacks by the end of the year.
The operators of most major ransomware strains, including Sodinokibi, Ryuk, Egregor, and Conti, all deployed data exfiltration as part of their standard operations last year.
Some reported incidents involved attacker claims (sometimes false) of data theft to try and scare victims into paying a ransom. In many cases, when victims paid to get attackers to delete stolen data, the attackers reneged and instead leaked or sold the data to others anyway. For organizations, the trend means that robust data backups alone are no longer enough protection against ransomware demands.
A steady growth in Ransomware-as-a-Service (RaaS) options in underground markets also fueled a lot of the ransomware activity in the last six months of 2020. Such services made it easier for bad actors with few skills or resources to launch attacks. One threat actor tracked offering RaaS was SMAUG, a service that offered threat actors ransomware strains that could be deployed across Windows, MacOS, and Linux platforms.
SMAUG surfaced in spring last year and, unlike many RaaS offerings that are restricted to vetted members, had by the end of the year become a fully public offering to bad actors willing to pay for the service.
Other major players in the RaaS space included the operators of Phobos, Sodinokibi, Conti, and Egregor.
APT groups continued to exploit the COVID-19 crisis in a variety of ways in the second half of 2020.
The most common APT activity included attacks focused on gathering personal information in bulk, stealing intellectual property, and nabbing intelligence aligned with the APT group’s national priorities.
This was noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in an advisory back in May. The second half also witnessed an increase in APT activity targeting organizations involved in COVID-19-related work, including vaccine research and the development of domestic and international healthcare policies around the pandemic. Organizations targeted by APT groups included government agencies, pharmaceutical firms, universities, and medical research firms.
Some of the groups tracked in the latter half of 2020 include:
BeagleBoyz, a relatively new North Korean APT actor that was observed robbing banks via an ATM cash-out scheme that U.S. law enforcement dubbed FASTCash 2.0. The group, whose typical modus operandi is social engineering, spear phishing, and watering hole attacks, is believed to be linked to activity associated with North Korea’s notorious Lazarus/HIDDEN COBRA APT. U.S. authorities estimate the BeagleBoyz have attempted to steal $2 billion from financial institutions around the world.
The Lazarus Group itself meanwhile was observed last August targeting organizations in the cryptocurrency vertical. The campaign involved the attackers sending a phishing document to LinkedIn accounts of certain people at targeted organizations.
FortiGuard Labs observed a steady thrum of activity related to MUMMY SPIDER and the new Emotet version through 2H 2020.
In August, Russia’s well-known Fancy Bear (aka Sofacy/APT28 group) was observed distributing a particularly nasty piece of Linux-based malware dubbed Drovorub on target systems.
The multi-component malware is believed to have been developed for use by the Russian military intelligence apparatus. It gave attackers a way to take full remote control of compromised systems and/or direct them via attacker-controlled infrastructure or hosts. Outside those highlighted above, many other APTs closed out 2020 with their usual (and sometimes unusual) antics. Figure 7 shows an activity trendline and country-level breakdown of connections to IOCs linked to the APT groups.
The list includes the six most active APTs (Turla, Fancy Bear, Lazarus, MuddyWater, TA505, OilRig) plus two additional groups that showed elevated activity during the latter half of 2020 (Kimsuky, Promethium).
MuddyWater historically targets telecommunications, government services, and oil sectors in the Middle East, but is known to venture outside those circles as well. They’ve expanded operations and capabilities over the last year or so. TA505 is a group originating from Russia traditionally associated with spam campaigns, banking Trojans (Dridex), and other financially motivated attacks. After two supposed members were indicted in late 2019, they resumed activities and malware distribution in 2020. Promethium (aka StrongPity) has been active since ~2002 and is believed to operate out of Turkey.
Kimsuky is a group associated with the North Korean government that has been active for 10 years or more. Steady, low-level activity from July through October bumped up several notches beginning in November. It primarily focuses on South Korean targets, so the activity in India and Namibia is noteworthy.
OilRig purportedly hails from Iran and is known for attacking smaller/weaker members of large supply chains in order to get to their primary target.
The group has been linked to attacks against organizations in the Middle East and abroad. In the second half of 2020, they entered the malware innovation game with a backdoor tool called RDAT.
What steps organizations can take to protect themselves and minimize risk
2020 Global Threat Landscape Report
Don’t want your organization to fund the latest ransomware money-making schemes?
Deprive them of positive cash flow by keeping systems locked down and backed up. The major tactics used by ransomware are the same for many other threats: phishing emails, exploiting software vulnerabilities, and leveraging exposed services like Remote Desktop Protocol (RDP).
Beyond shoring up technical controls, create or revisit corporate policies and procedures for handling ransom demands to avoid making tough decisions in the heat of the moment. Still looking for additional strategies for mitigating the ransomware threat?
Organizations constantly face the question: should we fix this now, or can we safely defer it to work on other, more pressing issues that are more likely to be exploited in the short term? This is difficult to measure because so few organizations have data at the scale necessary to properly study it.
Visibility into and focusing on the latest TTPs relevant to your organization’s threat profile is a must. Ignorance is their ally, not ours.