Ransomware - January 2024: Review

  Category:  RANSOMWARE | 20th January 2024 | Author:  CSI'S TEAM

In The Month Of December, There Were 334 Ransomware Attacks, And The Ongoing ALPHV Shutdown Saga Remained A Focal Point. In Our Previous Month's Recap, We Discussed The Offline Status Of ALPHV's Infrastructure, Sparking Widespread Speculation About Potential Law Enforcement Involvement. However, As We Delve Into The Latest Developments, A Clearer Picture Is Emerging.

The Earlier Speculations Regarding Hardware Failures Within ALPHV Are Now Eclipsed By The Verified Involvement Of Law Enforcement. Recent Updates Disclose That The FBI Played A Crucial Role In Disrupting ALPHV's Operations. This Intervention Resulted In The Seizure Of Their URLs And Facilitated The Retrieval Of Decryption Keys For Numerous Victims.

The Recent FBI Operation Against ALPHV Marks A Significant Turning Point, Not Only Disrupting The Group's Operations But Also Tarnishing Their Reputation Within The Cybercriminal Community. The Repercussions Are Evident—ALPHV Affiliates Are Displaying Signs Of Distrust, With Some Opting For Direct Victim Contact Through Email, While Others Are Realigning Themselves With Rival Groups Such As LockBit.

Adding To The Intrigue, Discussions On Dark Web Forums Suggest The Possibility Of An Emerging "cartel" Between LockBit And ALPHV. If This Potential Alliance Materializes, It Could Signify A New Era In Ransomware Operations, As Adversaries Consider Pooling Their Resources And Expertise In Response To Mounting Law Enforcement Pressure.

In Alternative News, LockBit's Assault On Capital Health Last Month Bore A Striking Resemblance To Events From A Year Earlier. In December 2022, LockBit Audaciously Targeted SickKids, A Hospital For Sick Children, Affecting The Hospital's Internal And Corporate Systems, Phone Lines, And Website. During That Incident, LockBit's Unexpected Apology For The Hospital Attack—attributed To A Rogue Affiliate And Self-forgiven With A Free Decryptor—stood Out As A Rare Moment Of Contrition In The Otherwise Ruthless World Of Cybercrime.

Fast Forward To December 2023, And The Reverberations Of LockBit's Past Actions Were Evident. Despite Their Previous Commitments And Operational Guidelines Against Targeting Healthcare Institutions, LockBit Has Taken Responsibility For The Recent Attack On Capital Health. Even Though The Gang Asserts That They Did Not Encrypt The Hospital's Files, This Did Not Leave The Hospital Unscathed.

As We Wrote Recently:

"Hospitals And Physicians' Offices Faced IT Outages, Compelling Them To Implement Emergency Protocols Designed For System Failures. As A Result, Several Surgeries Had To Be Rescheduled, And Outpatient Radiology Appointments Were Canceled."

This Scenario Is Likely What Ransomware Groups Cynically Refer To As A Classic Case Of "no Encryption, No Problem," Causing Widespread Disruption. The Contrast Between LockBit's Apology In 2022 And Their Continued Aggressive Actions In 2023 Underscored The Inherent Duplicity In The Ransomware Landscape.

LockBit's Activities Served As A Stark Reminder That, Despite Occasional Gestures That May Suggest Restraint Or Remorse, The Fundamental Nature Of Ransomware Operations Remains Unchanged—motivated By Disruption, Data Theft, And Financial Gain, Often At The Expense Of Vulnerable Targets, Including Critical Healthcare Services.

In A Broader Context, December Witnessed The Continuation Of An Alarming Trend In Healthcare Sector Attacks Mentioned In Last Month's Review. Disruptive Attacks On Massachusetts-based Anna Jaques Hospital And Liberty Hospital In Missouri Further Emphasized The Serious Consequences In A Sector Where Timing And Information Can Be A Matter Of Life And Death. Such Disruptions Are More Than Inconveniences; They Have The Potential To Be Life-threatening.

New Ransomware Gangs

DragonForce

DragonForce, A Recently Emerged Ransomware Group, Disclosed 21 Victims On Their Leak Site Last Month, With A Notable Attack On The Ohio Lottery Occurring On Christmas Eve. According To The Group, They Successfully Encrypted Devices And Exfiltrated Sensitive Data Totaling Over 600GB, Including Personal Information Of Ohio Lottery Customers And Employees.

Although Information About DragonForce Is Scant, Their Attack On The Ohio Lottery And Their Adept Negotiation Tactics Raise The Possibility That DragonForce Could Be A Rebranded Version Of A Previous Ransomware Gang.

WereWolves

A Recently Emerged Ransomware Group, WereWolves, Revealed 15 Victims On Their Leak Site Last Month, Spanning Multiple Countries Such As Russia, The USA, And Parts Of Europe. What Sets WereWolves Apart Is Its Atypical Focus On Targeting Russian Entities, Utilizing A Variant Of The LockBit3 Ransomware In Its Operations. The Group Is Notable For Its Diverse Targeting Across Various Sectors, With A Specific Emphasis On Large-scale Businesses.

Preventing Ransomware

Effectively Thwarting Ransomware Gangs Necessitates A Comprehensive Security Strategy. While Technology That Proactively Prevents Unauthorized Access To Your Systems Is Valuable, It Alone Is Insufficient.

Ransomware Attackers Typically Exploit The Easiest Entry Points. For Instance, They May Start With Phishing Emails, Then Target Open RDP Ports, And If Those Are Secured, They'll Exploit Unpatched Vulnerabilities. A Multi-layered Security Approach Involves Increasing The Difficulty Of Infiltration At Each Step And Promptly Detecting Those Who Manage To Break Through.

Essential First-line Defenses Include Technologies Like Endpoint Protection (EP) And Vulnerability And Patch Management (VPM), Which Significantly Reduce The Likelihood Of A Breach.

However, It Is Crucial To Operate On The Assumption That Determined Ransomware Gangs May Eventually Breach These Defenses. Endpoint Detection And Response (EDR) Becomes Paramount For Identifying And Eliminating Threats Before They Cause Harm. In The Event Of A Breach, Opting For An EDR Solution With Ransomware Rollback Capabilities Is Crucial To Reverting Changes And Restoring Files.

How ThreatDown Addresses Ransomware

ThreatDown Bundles Offer A Comprehensive Approach To Ransomware Defense By Integrating Multiple Technologies Tailored To The Specific Needs Of Your Organization. Our Bundled Solutions Include:

• Advanced Web Protection: Proactively Blocking Phishing Websites Utilized By Ransomware Gangs For Initial Access.
• RDP Shield: Securing Remote Access Points With Brute Force Protection, Enhancing The Resilience Of Your System.
• Continuous Vulnerability Scanning And Patch Management: Identifying And Promptly Patching Vulnerabilities To Thwart Ransomware Gangs Before They Can Exploit Them.
• Sophisticated EDR (Endpoint Detection And Response): Detecting And Neutralizing Advanced Threats, Including Sophisticated Ransomware Like LockBit, Within The Network.
• Ransomware Rollback: Providing The Ability To Reverse The Impact Of Any Successful Attacks, Ensuring A Swift Recovery.

With ThreatDown Bundles, Your Organization Benefits From An Integrated And Proactive Defense Strategy Against Ransomware, Addressing Vulnerabilities At Multiple Levels And Enabling A Rapid Response To Potential Threats.