Russia-Ukraine Conflict: Ransomware Updates & Cybersecurity Consequences
With cyberwarfare in the headlines due to the Russia-Ukraine conflict, it is another reminder that we must maintain a sense of urgency about our information security. We need to continuously harden our systems, which includes increasing the speed with which we implement software and operating system updates, deploying heuristic-based endpoint detection and response (EDR) tools, regularly conducting vulnerability scans, enhancing our logging and event management processes, and disabling unnecessary services and protocols. We also need to continuously review and strengthen our data protection capabilities, including enhancing backup protection and recovery systems, and enabling encryption where appropriate. Furthermore, we need to continuously review, revise, and enhance our perimeter protection, including the implementation of virtual private network (VPN) and multi-factor authentication (MFA) solutions, implementation of advanced firewall and intrusion detection systems (IDS), and segmentation of networks based on functionality, roles and privileges. Finally, since email platforms are a constant target, we need to ensure MFA is enabled for all users and administrators, enhance security and audit logging for all user accounts, block messages from anonymously hosted domains, block forwarding to external domains, flag messages from external domains, and continuously assess the security of the platform.
The following is an update on recent ransomware developments assembled from our experience managing responses to ransomware events and from open-source intelligence.
Sandworm APT & Cyclops Blink Botnet
Sandworm - a Russian-backed advanced persistent threat (APT) group operating under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST) - developed a form of malware referred to as Cyclops Blink in 2019. This group’s historical activity includes links to the 2015 Ukrainian utilities attack, authoring of NotPetya ransomware, and the attacks against the infrastructure supporting the 2018 Winter Olympics in PyeongChang, South Korea, with primary targets centered around critical infrastructure.
Cyclops Blink is a professionally developed, modular form of malware with multiple functions supported by a custom binary for command-and-control support via The Onion Router (Tor). Its primary method of deployment is currently concealed in legitimate firmware updates in WatchGuard firewall appliances, primarily resident in small office home office (SOHO) networks. Cyclops Blink is intended to act as the replacement of the VPNFilter botnet, which targeted industrial control system (ICS) supervisory control and data acquisition (SCADA) protocols for traffic analysis in order to identify remote code execution capabilities and eventual data exfiltration. Among the aforementioned capabilities, Cyclops Blink is also able to turn affected devices into platforms for further attacks against additional target networks.
Specific detection and mitigation guidance was provided by WatchGuard in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies. It is important to know that even after firmware updates are applied, it is still highly recommended that some level of threat hunting be conducted to identify any active threat actor in a network at any point in time - especially since Cyclops Blink’s persistence mechanisms are such that it is able to survive a system reboot.
WhisperGate and HermeticWiper Malware
First observed on January 13, 2022, WhisperGate was leveraged in the coordinated attack against multiple Ukrainian government websites. Initially disguised as ransomware, WhisperGate is a highly destructive wiper malware aimed at eliminating any ability to recover systems and files resident on impacted devices due to its two-step process of 1) overwriting the Master Boot Record (MBR), so that powering the system down will brick the device, and 2) corrupting files and renaming them with random four-bit extensions. On February 24, 2022 at 5:00 p.m. ET, security researchers at ESET identified what appears to be a new, but similar, form of wiper malware. Currently referred to as HermeticWiper/Trojan.KillDisk (named after the code-signing certificate issued by Cyprus-based Hermetica Digital, Ltd.), the motive once again appears to be purely destructive in nature given that HermeticWiper is disguised as ransomware with capabilities of encrypting the MBR and rendering the operating system inaccessible.
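The mass-corruption step described above (many user files renamed in quick succession to unknown extensions by one process) is detectable from ordinary file-event telemetry. The following is an added example, not code from the original post or from any vendor: it runs a simple rename-burst rule over a constructed, EDR-like event stream whose field names (`ts`, `pid`, `op`, `path`, `new_path`) and extension allowlist are assumptions to be mapped onto your own logging.

```python
"""Rename-burst detector for wiper/ransomware-style file corruption.

Added example (not from the original post). Events are dicts sorted by time:
ts (seconds), pid, op ("rename"/"write"), path, new_path. Field names and the
KNOWN_EXTS allowlist are assumptions; adapt them to your telemetry.
"""
from collections import defaultdict, deque
import os

# Common user-document extensions. A rename *away* from one of these to an
# extension we have never seen before is the signal a wiper produces.
KNOWN_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
              ".txt", ".jpg", ".png", ".zip", ".sql", ".bak", ".ini"}

def _ext(path):
    return os.path.splitext(path)[1].lower()

def is_suspicious_rename(old_path, new_path):
    """True when a known document extension becomes a non-empty unknown one."""
    new = _ext(new_path)
    return _ext(old_path) in KNOWN_EXTS and new != "" and new not in KNOWN_EXTS

def detect_rename_bursts(events, threshold=5, window=10.0):
    """One alert per pid that performs >= threshold suspicious renames inside
    any sliding window of `window` seconds (sliding deque per process)."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for e in events:
        if e["op"] != "rename" or not is_suspicious_rename(e["path"], e["new_path"]):
            continue
        q = recent[e["pid"]]
        q.append((e["ts"], _ext(e["new_path"])))
        while q and e["ts"] - q[0][0] > window:   # drop events outside window
            q.popleft()
        if len(q) >= threshold and e["pid"] not in alerted:
            alerted.add(e["pid"])
            alerts.append({"pid": e["pid"], "first_ts": q[0][0], "count": len(q),
                           "distinct_new_exts": len({x for _, x in q})})
    return alerts

def ev(ts, pid, path, new_path, op="rename"):
    return {"ts": ts, "pid": pid, "op": op, "path": path, "new_path": new_path}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ev(100.0, 1001, "docs/report.docx", "docs/report.pdf"),     # benign: known ext
    ev(101.0, 1001, "docs/notes.txt", "docs/notes.bak"),        # benign: known ext
    ev(150.0, 4242, "docs/q1.xlsx", "docs/q1.xlsx", op="write"),# not a rename
    ev(200.0, 4242, "docs/q1.xlsx", "docs/q1.xlsx.7f2a"),
    ev(200.2, 4242, "docs/q2.docx", "docs/q2.docx.c03e"),
    ev(200.4, 4242, "docs/memo.txt", "docs/memo.txt.91bd"),
    ev(200.6, 4242, "docs/deck.pptx", "docs/deck.pptx.e4a7"),
    ev(200.8, 4242, "docs/scan.pdf", "docs/scan.pdf.0b6c"),     # 5th: alert fires
    ev(201.0, 4242, "docs/pic.jpg", "docs/pic.jpg.d8f1"),       # no duplicate alert
]

if __name__ == "__main__":
    for a in detect_rename_bursts(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} renamed {a['count']} files from {a['first_ts']}s")
```

A single fixed new extension (classic ransomware) trips the same rule; the `distinct_new_exts` field is what separates the random-extension pattern described above from an encryptor that appends one marker.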
Additional Ransomware Operations
Over the past week, new ransomware variants have emerged and are actively targeting Eastern European and US-based organizations.
- (New) Redeemer Ransomware: Currently targeting Windows 7 devices in Ukraine requesting ransom payments in XMR (Monero).
- (Update) DeadBolt Ransomware: This variant gained popularity after the January attacks through vulnerabilities resident in Quality Network Appliance Provider (QNAP) network-attached storage (NAS) devices, but the operators have now changed course and are currently affecting Asustor NAS devices. A brief Shodan search results in a total of 2,795 devices affected by DeadBolt (as of 2/25/2022). While this number does include those that were previously affected via the QNAP vulnerability, the number of affected devices attributable to Asustor is likely already over the 1,000 mark. DeadBolt is claiming that this is a vulnerability that is not presently known to Asustor (a subsidiary of Asus), which is similar to what took place with the QNAP NAS attacks.
- (New) RTM Team Locker: A new ransomware variant that is currently recruiting affiliates on various popular dark web forums. This operation has not yet scaled to the size of other ransomware as a service (RaaS) platforms, but may soon reach such scale depending on how quickly it is able to recruit affiliates.
- (Update) LockBit Ransomware: In response to the Russia-Ukraine conflict, LockBit has begun publishing data stolen from victims who chose to not pay ransom. In a recent posting to its site pertaining to the Russia-Ukraine conflict, LockBit provided the following: “WARNING Official Statement on the Cyber Threat to Russia ALL AVAILABLE DATA WILL BE PUBLISHED.” This serves as a stark reminder that victims of ransomware attacks in which data has been exfiltrated must always prepare for its disclosure, especially if they chose to not pay ransom.
- (Update) Conti Ransomware: The Conti group recently announced that it is fully supporting the Russian government, and that if “anybody” organizes a cyberattack against Russia, it will use its resources to “strike back at the critical infrastructure of an enemy.” It is important to consider the possibility that a rogue individual within Conti may be responsible for the postings, and since Conti operates a RaaS platform, not all Conti ransomware attacks may be conducted by attackers who share the same philosophy. In subsequent postings that appear to be associated with Conti, however, it is represented that Conti will use their “full capacity to deliver retaliatory measures” if “Western Warmongers” attempt to target critical infrastructure in Russia or in any Russian-speaking region of the world. In these postings they also state that they “do not ally with any government …”
For more information on these cybersecurity threats, contact the authors of this post or visit our Data Privacy & Cybersecurity Practice page to find an attorney in your area. You can also subscribe to this blog to receive email alerts when new posts go up.