3 Key Entry Points for Leading Ransomware Hacking Groups
Ransomware attacks rapidly increased in sophistication and impact this year, with healthcare as a prime target. Providers need to understand the entry points used by these hacking groups.
The number of successful ransomware attacks declined amid the COVID-19 pandemic, but security leaders warned hacking groups have not ceased the barrage of attacks on healthcare. Understanding the key entry points of these sophisticated attacks will be crucial to reducing their success.
As Germany reported this week that a patient died as a direct result of a ransomware attack, the threat to patient safety is no longer a hypothetical situation.
In just the last few weeks, data from at least five healthcare providers has been posted for sale on the dark web. The NetWalker, SunCrypt, Pysa (also known as Mespinoza), and REvil hacking groups claim to have exfiltrated data from these entities before launching ransomware payloads.
These double extortion attempts were popularized by the Maze ransomware hacking group. Hackers first gain access to a victim's network through a foothold, whether a known vulnerability, a successful phishing email, a brute-force attack, or other means, then spread to all connected devices.
Often these hackers will remain on the network undetected, sometimes for months, conducting espionage and stealing sensitive data, while waiting for the ideal time to launch the ransomware payload.
When the entity refuses to pay, the more sophisticated hacking groups will then attempt to extort the organizations by posting “proofs” of data allegedly stolen by the attackers and give the provider a certain timeframe to pay the ransom demand or else the rest of the data will be publicly leaked.
In fact, research shows that more than one in 10 ransomware attacks result in data theft. Given the severity of these attacks and the prevalence in the healthcare sector, shoring up the commonly exploited entry points will prove critical to preventing a successful attack.
Phishing Emails and Insiders
In June, Proofpoint reported a drastic increase in ransomware attacks delivered through email-based phishing campaigns. Researchers noted it was a stark contrast to 2019, when hackers primarily leveraged downloaders as the initial payload.
“This recent emergence of ransomware as an initial payload is unexpected after such a long, relatively quiet period,” researchers explained, at the time. “The change in tactics could be an indicator that threat actors are returning to ransomware and using it with new lures.”
“Various actors trying ransomware payloads as the first stage in email has not been seen in significant volumes since 2018,” they continued. “While these volumes are still comparatively small, this change is noteworthy. The full significance of this shift isn’t yet clear, what is clear is that the threat landscape is changing rapidly, and defenders should continue to expect the unexpected.”
For example, one of the latest ransomware variants, known as Zeppelin, is delivered through Microsoft Word documents that contain a malicious macro, using the typical ransomware method of luring victims into enabling VBA macros so that the malicious code runs.
The malicious documents appear to be invoices but are actually just images that mask Visual Basic scripts hidden from the user. If the victim opens the document and enables macros, the embedded macro extracts the script text and writes it to the computer. Worse, Zeppelin leverages obfuscation techniques to hide its presence on the network.
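The macro lure described above relies on a VBA project embedded in the document. Because a modern Office document is a ZIP container, a mail gateway or incident responder can check for that project without opening the file in Word. The following is an added example, not code from the article or from any vendor it cites; the file layout it constructs in memory is a minimal stand-in for a real document, and the quarantine policy at the end is an assumed local rule.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office declares for an embedded VBA project in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal Office Open XML container (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        overrides = ""
        if with_macro:
            overrides = ('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="%s"/>' % VBA_CONTENT_TYPE)
        z.writestr("[Content_Types].xml", "<Types>%s</Types>" % overrides)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 stream; a dummy body is enough here.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def classify_office_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-ole' or 'not-office'.

    Legacy binary documents need a dedicated OLE parser to inspect their
    macro storage, so they are only labelled, not judged, here.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(b"PK\x03\x04"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or VBA_CONTENT_TYPE in content_types:
        return "ooxml-macro"
    return "ooxml-clean"


def should_quarantine(verdict: str) -> bool:
    """Assumed gateway policy: hold anything carrying, or able to carry, a macro."""
    return verdict in ("ooxml-macro", "legacy-ole")


if __name__ == "__main__":
    for label, blob in (("invoice.docm", build_sample_docx(True)),
                        ("memo.docx", build_sample_docx(False))):
        v = classify_office_attachment(blob)
        print(label, v, "quarantine" if should_quarantine(v) else "deliver")
```

The check deliberately looks at both the part name and the declared content type, since either one alone is enough for Office to treat the document as macro-enabled; renaming a `.docm` to `.docx` does not change what is inside the container.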
Recently, the R1 RCM medical debt collections firm reported falling victim to a ransomware attack. While the firm did not name the variant, Defray ransomware is suspected. Defray is delivered via malicious Microsoft Word documents in emails sent in small phishing campaigns with lures tailored to potential victims.
Defray commonly targets the healthcare and education sectors, according to Proofpoint.
Fortunately, phishing education and training have been shown to drastically reduce healthcare's cyber risk. Other industry stakeholders have suggested taking decisions away from users to reduce the risk email poses to healthcare entities.
Most importantly, Microsoft has found multi-factor authentication blocks 99.9 percent of automated cyberattacks.
Brute-Force Attacks on Remote Desktop Protocol
Corvus reported in June that open ports, particularly Remote Desktop Protocol (RDP), were a key vector for healthcare ransomware attacks during the first half of the year. Though healthcare entities appear to have a smaller attack surface in this regard, open ports provide a key hacking method.
In fact, researchers found vulnerable RDP ports increase the likelihood of a successful ransomware attack by 37 percent, while Coveware research showed RDP credentials can be purchased on the dark web for just $20. And in total, about 15 billion compromised credentials are available for sale on the dark web.
“Combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist,” Coveware explained, at the time. “Until the economics of carrying out ransomware balance (by either bringing the monetization success rates down or by making attacks prohibitively expensive) ransomware and cyber extortion will continue to gain prevalence.”
As a result, hackers are actively performing brute-force attacks on RDP. Microsoft's insights on human-operated ransomware attacks show this method is used by the Maze, REvil, NetWalker, and RobbinHood hacking groups. The attacks use similar techniques: credential theft and lateral movement before launching the ransomware payload.
“RDP credentials can be brute-forced, obtained from password leaks, or simply bought in underground markets,” McAfee explained in 2019. “Where past ransomware criminals would set up a command and control environment for the ransomware and decryption keys, most criminals now approach victims with ransom notes that include an anonymous email service address, allowing bad actors to remain better hidden.”
And these brute-force RDP attacks have skyrocketed amidst the COVID-19 pandemic. Kaspersky researchers have seen hackers systematically trying all possible credential combinations until finding the right one on these oft-vulnerable ports. If successful, a hacker would gain a foothold onto the network.
As these attacks will only continue to be prevalent for the foreseeable future, it is imperative that organizations at the very least employ two-factor authentication on RDP, as well as reliable security tools. Employees must routinely be trained on digital security basics, and software on all employee devices should be verified as up to date.
If an organization does not use RDP, the service should be disabled and port 3389 closed. Further, organizations must employ strong password management policies to stop hackers from taking advantage of common credential mistakes.
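The brute-force pattern described in this section, many failed logons from one source followed by a success, is visible in the Windows Security log as event 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP) or type 3 (the form RDP failures take when Network Level Authentication is enabled). The script below is an added example, not code from the article or from any vendor it cites; the log lines are constructed samples in a flattened form of those event fields, and the threshold and window are assumed local tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real log data). 203.0.113.7 hammers several
# accounts and finally gets in as "backup"; 198.51.100.4 is a user mistyping
# a password once; the last line is a local console logon and is ignored.
SAMPLE_LOG = """\
2020-09-17T02:14:05Z EventID=4625 LogonType=10 Account=administrator Src=203.0.113.7
2020-09-17T02:14:09Z EventID=4625 LogonType=10 Account=administrator Src=203.0.113.7
2020-09-17T02:14:14Z EventID=4625 LogonType=3 Account=admin Src=203.0.113.7
2020-09-17T02:14:20Z EventID=4625 LogonType=3 Account=scanner Src=203.0.113.7
2020-09-17T02:14:26Z EventID=4625 LogonType=10 Account=backup Src=203.0.113.7
2020-09-17T02:15:01Z EventID=4625 LogonType=10 Account=jsmith Src=198.51.100.4
2020-09-17T02:15:12Z EventID=4624 LogonType=10 Account=jsmith Src=198.51.100.4
2020-09-17T02:15:30Z EventID=4625 LogonType=10 Account=guest Src=203.0.113.7
2020-09-17T02:15:44Z EventID=4625 LogonType=10 Account=test Src=203.0.113.7
2020-09-17T02:16:02Z EventID=4625 LogonType=3 Account=rdp Src=203.0.113.7
2020-09-17T02:16:40Z EventID=4625 LogonType=10 Account=helpdesk Src=203.0.113.7
2020-09-17T02:17:05Z EventID=4625 LogonType=10 Account=backup Src=203.0.113.7
2020-09-17T02:17:33Z EventID=4624 LogonType=10 Account=backup Src=203.0.113.7
2020-09-17T02:40:00Z EventID=4625 LogonType=2 Account=localuser Src=127.0.0.1
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) Account=(\S+) Src=(\S+)$")
RDP_LOGON_TYPES = (3, 10)


def detect_rdp_bruteforce(log_text, threshold=8, window=timedelta(minutes=5)):
    """Flag sources with >= threshold RDP logon failures inside a sliding window.

    Returns {src: {"first_failure", "failures_in_window", "accounts_tried",
    "success_after_burst"}}; the last field records the first successful
    logon from a flagged source, the sign that the foothold was obtained.
    """
    recent = defaultdict(deque)      # src -> timestamps of failures in window
    accounts = defaultdict(set)      # src -> distinct account names attempted
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        event, logon_type = int(m.group(2)), int(m.group(3))
        account, src = m.group(4), m.group(5)
        if logon_type not in RDP_LOGON_TYPES:
            continue
        if event == 4625:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            accounts[src].add(account)
            if len(q) >= threshold:
                entry = flagged.setdefault(src, {"first_failure": q[0],
                                                 "success_after_burst": None})
                entry["failures_in_window"] = len(q)
                entry["accounts_tried"] = len(accounts[src])
        elif event == 4624 and src in flagged and flagged[src]["success_after_burst"] is None:
            flagged[src]["success_after_burst"] = (account, ts)
    return flagged


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

A source that trips the threshold and then produces a 4624 is the case to escalate first, because the attacker already holds a working credential; the distinct-account count separates a password spray from a single-account guess and is a useful second signal when the failure rate is kept just under a naive threshold.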
Virtual Private Networks (VPNs)
The threat actors behind Sodinokibi ransomware, a leading threat to the healthcare sector, actively scan for VPN connections, as noted by the FBI and Coveware. As VPN use has rapidly increased amid COVID-19, organizations have been repeatedly warned to ensure all known vulnerabilities have been patched.
The risk is severe, especially as a Russian-speaking hacker recently leaked the usernames, passwords, and IP addresses from more than 900 Pulse Secure VPN enterprise network servers in plain text on the dark web.
The list contained the firmware version, SSH server keys, all local users and password hashes, administrator account details, previous VPN logins and cleartext credentials, and session cookies. Adding to the risk: the list was posted on hacking forums frequented by REvil and NetWalker hacking groups.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency warned that hackers were leveraging stolen credentials like these to gain access through VPNs – even if the vulnerabilities were patched.
CISA also observed hackers executing ransomware through these ports, even successfully installing ransomware on hospital networks.
Meanwhile, Microsoft has seen REvil ransomware actors actively scanning the internet for vulnerable systems, and attackers using the updater features of VPN clients to deploy ransomware payloads. The expanded use of VPNs and gateways during COVID-19 has brought a resurgence of ransomware campaigns that use them to gain access to enterprise organizations.
All of these reports highlight the continued trend of hackers using old techniques and procedures in new cyberattacks.
“After a successful exploit, attackers steal credentials, elevate their privileges, and move laterally across compromised networks to ensure persistence before installing ransomware or other malware payloads,” Microsoft researchers warned, in April.
“When managing VPN or virtual private server (VPS) infrastructure, it’s critical for organizations to know the current status of related security patches,” they added. “Microsoft strongly recommends that all enterprises review VPN infrastructure for updates, as attackers are actively tailoring exploits to take advantage of remote workers.”