Although it is still early in 2020, we’re already seeing high-profile ransomware attacks that leverage tactics introduced in late 2019, and those tactics have increased the collateral damage for victims.
Threat actors are no longer content with just encrypting data and then asking for a ransom before they decrypt the information. Instead, they’re exfiltrating the data during the attack and making a copy off site to extort money and conduct smear campaigns later.
Travelex, the world’s largest retail currency dealer, fell victim to this new type of tactic when it was attacked on New Year’s Eve by UNKN, a threat actor who utilized Sodinokibi to exploit a Pulse Secure VPN server vulnerability which Travelex had not patched. UNKN was able to extract some of the data from Travelex’s systems and wanted $6 million for the release of the information, which Travelex declined to pay. As a result, the adversary posted 5GB of Travelex data online, which includes both financial information and PII, increasing the risk of potential regulatory fines for privacy violations.
Travelex also had to take portions of its network offline for several weeks, forcing the company to deliver its money-changing services to customers manually and increasing operating costs. In addition, shares of Travelex’s parent company, Finablr, dropped 12 percent after the attack, and Bloomberg has reported that Finablr investors have sold off $75 million worth of stock.
From Mass Scale to Targeted Attacks
Targeted attacks such as the one on Travelex are now becoming the preferred approach for sophisticated adversaries, who realize they’re able to set higher ransom rates given the value of the data and the brand reputations of their victims.
Rather than relying on automation or social engineering, sophisticated criminals are taking their time to carry out reconnaissance and learn every aspect of an organization’s network and defenses. They’re able to break in by brute-forcing passwords and escalating to administrator privileges, gaining access to critical data as well as to the security tools that are supposed to protect that information. These criminals are also in a position to delete local backups and prevent backups to the cloud, making recovery from ransomware attacks much more difficult.
Government agencies are often prime targets and according to Barracuda Networks, they make up two-thirds of all known ransomware attacks. Most recently, the City of Las Vegas was attacked during the early morning hours on January 7, 2020. The timing was particularly challenging, as the City was making preparations for the start of CES, the Consumer Electronics Show, the largest tech show in the world.
Ransomware attacks on cities can be significant and as a result, some local governments have chosen to pay criminals to get access back to their systems rather than spending the money to rebuild lost information. Fortunately, due to early detection by members monitoring the City of Las Vegas’s systems, the network was taken down and no data was lost.
Hospitals are also prime targets. Enloe Medical Center in Chico, California, fell victim to a targeted ransomware attack on January 14, 2020. The majority of the phone systems were affected by the attack. In addition, the hospital was forced to reschedule elective procedures. As precautionary measures to prevent any further impact, systems were removed from the network and Enloe Medical Center is running on back-up, offline protocol. Fortunately, Enloe Medical Center claims that no patient data was leaked.
Defeating ransomware with threat intelligence
With the increasing sophistication of criminals and easy access to ransomware-as-a-service (RaaS) such as Sodinokibi, we can expect to see more attacks in 2020. Some experts predict that by the end of 2021, ransomware will hit a business every 11 seconds.
The best defense against ransomware is a good offense through proactive prevention and mitigation. Behavioral modeling through user and entity behavior analytics is one of the most effective approaches. The goal is to monitor certain behaviors on a regular basis in order to recognize what is normal behavior for users and devices on the network, making it easier to detect unusual behavior that could be the result of a ransomware attack. A ransomware attack typically proceeds through several stages, making early detection possible with the right solution.
The six stages in the ransomware kill chain begin with the distribution campaign. Adversaries use techniques such as social engineering to trick users into downloading a dropper, which initiates the virus infection and malicious code execution. Next, during the staging phase, the ransomware embeds itself deep into the victim’s environment. The ransomware has ample time to scan systems for files to encrypt. Having identified target files, the ransomware begins its encryption process, which can take anywhere from seconds to hours. After the files are encrypted, a message is delivered demanding payment of the ransom.
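The behavioral baselining described above can be sketched against file activity logs, here aimed at the encryption stage. This is an added example, not code from the original post or from any vendor product; the event format, the 10-minute baseline window and the threshold are assumptions chosen for illustration.

```python
"""Flag users whose file-write rate jumps far above their own baseline."""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample events (not real log data): (minute, user, action, path).
SAMPLE_EVENTS = (
    [(m, "alice", "modify", f"/share/docs/a{m}_{i}.docx")
     for m in range(10) for i in range(2 + m % 3)]
    + [(m, "bob", "modify", f"/share/fin/b{m}.xlsx") for m in range(10)]
    # Minute 10: bob's account suddenly renames 120 files in one minute.
    + [(10, "bob", "rename", f"/share/fin/q{i}.xlsx.locked") for i in range(120)]
    + [(10, "alice", "modify", "/share/docs/a10.docx")]
)

WRITE_ACTIONS = {"modify", "rename", "delete"}


def per_minute_counts(events):
    """Return {user: Counter({minute: number of write-type events})}."""
    counts = defaultdict(Counter)
    for minute, user, action, _path in events:
        if action in WRITE_ACTIONS:
            counts[user][minute] += 1
    return counts


def robust_score(value, history):
    """Distance from the median in units of MAD (median absolute deviation)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the MAD at 1 so a perfectly flat baseline cannot divide by zero.
    return (value - med) / max(mad, 1.0)


def detect(events, baseline_minutes=10, threshold=10.0):
    """Score every minute after the baseline window against that user's own history."""
    alerts = []
    for user, by_minute in per_minute_counts(events).items():
        history = [by_minute.get(m, 0) for m in range(baseline_minutes)]
        for minute in sorted(m for m in by_minute if m >= baseline_minutes):
            score = robust_score(by_minute[minute], history)
            if score >= threshold:
                alerts.append((user, minute, by_minute[minute], round(score, 1)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT user=%s minute=%d writes=%d score=%s" % alert)
```

Each user is scored against their own history rather than a global limit, so a steady heavy writer does not drown out a quiet account that suddenly rewrites a share.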
Exabeam Security Management Platform allows you to monitor for the entire ransomware kill chain through each of the six stages. Leveraging your own file activity logs, registry tracking logs and security alerts, the Exabeam platform gives you detailed analysis of the attack, allowing you to quickly detect the attack and prevent the ransomware from doing any harm.
To be better prepared against ransomware in 2020, I encourage you to read a recent blog post from our technical marketing team.