Showing posts with label FBI.

April 02, 2022

Ransomware is Pressuring Public Services

The FBI and CISA have indicated that ransomware attacks are becoming a public-safety risk: public services are attractive targets for cybercriminals precisely because of their critical nature. Utility companies, emergency services, safety operations, healthcare and the education sector are being targeted more and more often, and the sensitive personal data stolen in these attacks puts local residents at risk of fraud.

Local governments should expect no decline in these attacks as the malware deployed against them continues to evolve. The FBI described a ransomware attack in January of this year that forced a US county to take its computer systems offline and enact an emergency response using its backup procedures. The county jail was affected, which meant its surveillance cameras were deactivated along with the jail's data collection capabilities, automated doors and internet access. This understandably alarmed employees and raised significant safety concerns for the facility.

There are plenty of other examples too, including an attack in September 2021 that closed a county courthouse, after which the attackers leaked the personal details of employees and residents online when the ransom was not paid. And in May 2021, several local governments were hit by 'PayOrGrief' ransomware, which left their servers and online services inaccessible.

Union County Government Center, North Carolina

According to the FBI's report, only academia and higher education were attacked more frequently than local government services in 2021. The FBI has restated several times that victims should not pay ransom demands, because payment encourages further attacks. Some targets nonetheless decide to pay in the hope of restoring their services quickly.

Even after paying, restoring a network is a complicated and lengthy task, and there is no certainty that the decryption key supplied by the attackers will work, or that they will not return later. The FBI encourages all victims to report ransomware incidents so that the information can help prevent future attacks.

It has also recommended numerous cybersecurity measures [PDF] that organisations can adopt to avoid becoming a victim, including keeping software and operating systems up to date with the latest security patches and requiring strong passwords for online accounts. Both make it harder for criminals to exploit network and system vulnerabilities or to guess user passwords.

In addition, organisations should keep offline backups of their data that are regularly tested and updated, so that networks can be restored without a decryption key. They should also require employees to use multi-factor authentication for webmail, other accounts and VPNs, which adds a further layer of protection against such attacks.

April 01, 2022

US Communications Provider Targeted by Russia

Viasat, a US satellite communications provider, experienced a cyberattack in February that caused service outages across central and Eastern Europe and cut remote access to around 5,800 German wind turbines. It has now come to light that the attack was likely carried out with wiper malware named "AcidRain", according to researchers at SentinelLabs. The malware is designed to render the routers and modems it runs on unusable: it deletes files across the filesystem, then overwrites the device's storage (its block and flash device nodes) to destroy the data, and finally reboots the device, leaving it useless.

Satellite Communications System

AcidRain's functionality is relatively simple and generic. Rather than targeting the specific modem, it brute-forces its way through every storage device path it knows of, which suggests the attackers were either unfamiliar with their target or simply wanted to keep the tool reusable. The attackers' identity is still unknown, but there are many similarities between this malware and "VPNFilter", which the FBI attributed in 2018 to a Russian state-backed hacking group known as APT28. More recently, VPNFilter has also been linked to another group, Sandworm, which is notorious for its "NotPetya" malware. Both groups have been tied to Russia's military intelligence agency, the GRU.
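The wiper sequence described above (delete files, open storage device nodes for writing, reboot) is also a detection opportunity. The following is an added example, not code from SentinelLabs, Viasat or the original post: it correlates those three stages per process over a constructed, audit-style event stream. The `pid=... syscall=... path=...` line format, the device-path prefixes and the thresholds are assumptions for the example, not real auditd output or a vendor signature.

```python
"""Flag processes whose syscall pattern matches a device-wiping sequence.

Added example (not code from the original post). Correlates three stages
per process: mass file deletion, opening storage device nodes for writing,
and a reboot. Two of three stages are required before a process is flagged.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumption for the example: device-node prefixes a wiper on an embedded
# Linux modem would target (block devices, raw MTD flash, loop devices).
DEVICE_PREFIXES = ("/dev/sd", "/dev/mmcblk", "/dev/mtd", "/dev/block/", "/dev/loop")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}

# Constructed key=value event format (an assumption, not real auditd syntax).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict[str, str]:
    """Turn 'pid=1 syscall=openat path="/dev/sda" flags=O_RDWR' into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def wiper_suspects(lines, min_devices: int = 2, min_unlinks: int = 10) -> dict[int, list[str]]:
    """Return {pid: [reasons]} for processes showing at least two wiper stages."""
    devices: dict[int, set[str]] = defaultdict(set)   # device nodes opened for writing
    unlinks: dict[int, int] = defaultdict(int)         # files deleted
    rebooted: set[int] = set()

    for line in lines:
        ev = parse_event(line)
        if "pid" not in ev:
            continue
        pid = int(ev["pid"])
        sc = ev.get("syscall")
        if sc in ("open", "openat"):
            flags = set(ev.get("flags", "").split("|"))
            if flags & WRITE_FLAGS and ev.get("path", "").startswith(DEVICE_PREFIXES):
                devices[pid].add(ev["path"])
        elif sc in ("unlink", "unlinkat"):
            unlinks[pid] += 1
        elif sc == "reboot":
            rebooted.add(pid)

    report: dict[int, list[str]] = {}
    for pid in set(devices) | set(unlinks) | rebooted:
        reasons = []
        if len(devices[pid]) >= min_devices:
            reasons.append(f"opened {len(devices[pid])} device nodes for writing")
        if unlinks[pid] >= min_unlinks:
            reasons.append(f"deleted {unlinks[pid]} files")
        if pid in rebooted:
            reasons.append("called reboot")
        if len(reasons) >= 2:  # a package manager deletes files; a wiper also hits devices
            report[pid] = reasons
    return report


# Constructed sample events: pid 901 behaves like a wiper, pid 300 is a
# package manager cleaning its cache, pid 77 sets up a single loop device.
SAMPLE_EVENTS = (
    [f'pid=901 comm=unknown syscall=unlinkat path="/etc/conf{i}"' for i in range(12)]
    + [
        'pid=901 comm=unknown syscall=openat path="/dev/mtdblock0" flags=O_RDWR',
        'pid=901 comm=unknown syscall=openat path="/dev/sda" flags=O_WRONLY|O_SYNC',
        'pid=901 comm=unknown syscall=openat path="/dev/mmcblk0" flags=O_RDWR',
        'pid=901 comm=unknown syscall=reboot cmd=RESTART',
    ]
    + [f'pid=300 comm=apt syscall=unlinkat path="/var/cache/apt/{i}.deb"' for i in range(15)]
    + ['pid=77 comm=losetup syscall=openat path="/dev/loop0" flags=O_RDWR']
)


if __name__ == "__main__":
    for pid, reasons in wiper_suspects(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Requiring two of the three stages is what keeps the package manager (many deletes, no device writes) and the loop-device setup (one device write) out of the report while the wiper, which does all three, is flagged. On a real host the same correlation can be fed from auditd `SYSCALL`/`PATH` records or an eBPF tracer once the parser is adapted to that format.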

Viasat confirmed the researchers' findings, saying they were consistent with the facts in its own incident report. That report goes into more detail about the attack and explains that the attackers exploited a misconfigured VPN appliance to gain remote access to the trusted management segment of the network, from which they could send destructive commands to the modems remotely.

The outage has still not been fully resolved, and Viasat has since shipped 30,000 replacement modems to affected customers. CISA has warned that US satellites may be the next target. AcidRain is potentially the seventh wiper to be used against Ukraine since the start of Russia's invasion.

March 26, 2022

Email Compromise More Prevalent Than Ransomware

While ransomware remains one of the most talked-about cyber threats to enterprises, business email compromise (BEC) remained the largest source of financial losses according to the FBI's Internet Crime Complaint Center (IC3), with losses totalling $2.4 billion in 2021. Combined with ransomware, cryptocurrency theft and other cybercrime, losses reported by Americans reached $6.9 billion last year, up from $4.2 billion in 2020, and the number of complaints rose by 7%.

Early BEC scams spoofed or hijacked the email account of a senior person in the organisation and then instructed a more junior employee to transfer funds to the scammer's bank account; many of these scams targeted real estate companies. Today, scammers also use virtual meeting platforms alongside spoofed credentials and compromised email to initiate fraudulent transfers, and the money is immediately moved into cryptocurrency wallets and rapidly dispersed. This makes investigation and recovery much more difficult.
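The spoofed-or-hijacked executive mailbox pattern above leaves traces in the message headers that a mail gateway or SOC can check before any wire goes out. The following is an added example, not code from IC3 or the original post: a heuristic triage that flags an executive's display name on an external sender address, a Reply-To that silently redirects replies to another domain, look-alike domains (typosquats and homoglyphs), and mail claiming our own domain that the receiving MTA could not authenticate. The organisation domain, executive name and all sample headers are constructed for the example.

```python
"""Heuristic triage of e-mail headers for business email compromise (BEC).

Added example (not code from the original post). Returns a list of indicator
names for a raw header block; an empty list means nothing suspicious.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: a hypothetical organisation and executive.
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}

# Common homoglyph substitutions seen in look-alike domains.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise_domain(domain: str) -> str:
    """Lower-case and fold homoglyphs so examp1e.com and exarnple.com compare equal to example.com."""
    d = domain.lower()
    for src, dst in _HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between distinct domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = ORG_DOMAIN) -> bool:
    """True when domain is not legit but is a homoglyph or near-typo of it."""
    if not domain or domain == legit:
        return False
    n, l = normalise_domain(domain), normalise_domain(legit)
    return n == l or edit_distance(n, l) <= 2


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_headers: str) -> list[str]:
    """Inspect From, Reply-To and Authentication-Results for BEC tells."""
    msg = message_from_string(raw_headers)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    hits: list[str] = []
    # 1. An executive's name on a sender address outside the organisation.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_dom != ORG_DOMAIN:
        hits.append("exec-name-external-sender")
    # 2. Replies redirected to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-domain-mismatch")
    # 3. Typosquatted or homoglyph domain on either address.
    if is_lookalike(from_dom):
        hits.append("lookalike-from-domain")
    if is_lookalike(reply_dom):
        hits.append("lookalike-reply-to-domain")
    # 4. Mail claiming our own domain that failed SPF, DKIM or DMARC at the MTA.
    auth = msg.get("Authentication-Results", "")
    if from_dom == ORG_DOMAIN and re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        hits.append("own-domain-auth-failure")
    return hits


# Constructed sample headers (not real mail).
SPOOFED_EXEC = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jdoe@examp1e.com>
To: accounts-payable@example.com
Subject: Urgent wire transfer before 5pm
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com

"""

LEGIT_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: accounts-payable@example.com
Subject: Q3 budget
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass

"""

SPOOFED_OWN_DOMAIN = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@example-secure.com
To: accounts-payable@example.com
Subject: Re: vendor bank details
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
 dkim=none; dmarc=fail header.from=example.com

"""

if __name__ == "__main__":
    for name, hdrs in [("spoofed exec", SPOOFED_EXEC), ("legit", LEGIT_INTERNAL), ("spoofed own domain", SPOOFED_OWN_DOMAIN)]:
        print(name, bec_indicators(hdrs))
```

The look-alike check deliberately errs on the side of flagging: sibling domains the organisation legitimately owns (say, a `.org` twin) will trip the edit-distance test and need an allowlist. None of these indicators proves fraud on its own; the operational control is that any message carrying them and asking for a payment or bank-detail change is verified out of band before money moves, as the post goes on to recommend.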

Ransomware Attacks - Directory CLI

During these virtual meetings, fraudsters present a still picture of the company's CEO with no audio, or use AI to deepfake the audio and sometimes even the video, while claiming there is a problem with their connection. Despite grabbing the most headlines, ransomware accounted for reported losses of around $50 million, compared with BEC losses of $2.4 billion. However, data from the FBI, the NSA and agencies in the UK and Australia shows an increase in "high-impact" ransomware attacks on critical infrastructure operators in 2021. "Ransomware-as-a-service" is also trending, with operators now offering negotiation services and access brokers to affiliate gangs.

The healthcare, financial services and IT sectors were the most frequently targeted by ransomware last year according to IC3, which expects a larger number of complaints this year but does not recommend paying ransoms. New US legislation requires critical infrastructure operators to report hacks and ransomware attacks to CISA rather than to the FBI.

Cyber criminals are estimated to have laundered over $8 billion of cryptocurrency last year, typically using mixers or tumblers to split large sums and blend them with other transactions before forwarding the funds to new addresses.