The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
- Ransom in, DarkSide out. The fallout from the high-profile ransomware attack targeting Colonial Pipeline continues.
- The human cost of ransomware. Ireland’s public healthcare system continues to suffer from last week’s ransomware attack.
- Double encryption. Threat actors are now encrypting data twice during ransomware attacks.
- Combatting cybercrime. A round-up of public and private sector responses to recent ransomware incidents.
- Banking trojan expands. The Bizarro banking trojan expands to target victims in Europe.
- Phishing. Meal-kit delivery companies impersonated and the Formbook malware campaign evolves.
Update: Fallout from Colonial Pipeline attack continues
- Colonial Pipeline confirmed it paid USD 4.4 million to the DarkSide ransomware group to restore services. The ransom is above average for DarkSide, who usually demand anywhere between USD 200,000 and USD 2 million.
- Some researchers claim that law enforcement may have seized DarkSide’s infrastructure. After the attack, a key DarkSide cryptocurrency wallet was emptied of funds and the ransomware group reportedly lost access to their leak site and servers.
- There are some suggestions, however, that DarkSide may instead be trying to get out while they can. The group is reported to have accrued at least USD 90 million since they began operating nine months ago.
SO WHAT? Despite reports that DarkSide is shutting down, ransomware groups rarely stay dormant for long and we’ll likely see them return in the future or their operation taken over by an affiliated group.
The human cost of ransomware
- Ireland’s Health Service Executive (‘HSE’) shut down IT systems on Friday following a Conti ransomware attack. The attack on the public healthcare system caused the cancellation and delay of hospital treatments across the country.
- The HSE announced that the ransom won’t be paid. However, the healthcare system will likely need to spend tens of millions of euros as part of the recovery and rebuild process, which may take weeks to complete.
SO WHAT? Conti has recently targeted multiple healthcare agencies, including New Zealand’s Waikato District Health Board and an unsuccessful attempt to encrypt the systems of Ireland’s Department of Health. Such attacks can have detrimental impacts beyond IT systems, disrupting the provision of vital medical services.
Encrypt me two times, baby
- A novel approach by some ransomware groups has seen them encrypting a victim’s data twice. These incidents involve the data being encrypted with two different ransomware strains.
- Double encryption is not always clear from the outset. In some cases, threat actors might leave two separate ransom notes, making it obvious. While, in other cases, a victim might pay a ransom to decrypt their data, only to find they must pay another ransom for a second decryption tool.
SO WHAT? Victims of multiple encryption ransomware attacks are likely to face increased difficulty when it comes to successfully decrypting their data.
- DarkSide’s recent attack on Colonial Pipeline has prompted widespread discussion about potential legislation to combat cybercrime. President Biden signed an executive order last Wednesday increasing security and reporting standards for the government’s software suppliers.
- The US Congress will also consider two bills addressing weaknesses in the US national cyber security programme. One focuses on properly securing oil and gas pipelines, while the other envisages a national programme for government and companies to test their IT and security infrastructure. There are also discussions in the US about a national data breach notification law.
- The UK government also made a public call for advice to defend against supply-chain attacks.
SO WHAT? It will be interesting to see what steps government and private sector organisations take in the coming months to combat cybercrime, and ransomware in particular.
Bizarro banking trojan goes intercontinental as the trojan is spotted in Europe
- The Bizarro banking trojan, originating in Brazil, has now expanded to target users in Europe. The trojan has now evolved to target and extort customers of 70 European and South American banks.
- The threat actors utilise various stages and techniques to make malware analysis and detection more difficult. The attack chain includes human elements with money mules withdrawing stolen funds as well as social engineering elements to dupe victims into providing sensitive information.
SO WHAT? As cybercrime pay-outs become more lucrative in Europe, we will continue to see localised threat groups evolving to target more victims in other countries and continents.
Phishing trends: Meal-kit delivery companies impersonated; Formbook campaign evolves
- Attackers are impersonating meal-kit delivery companies by sending text messages to users, asking them to rate their experience. The message contains a malicious link that redirects the victim to a fake website designed to harvest personal and financial information.
- Separately, a new phishing campaign delivering Formbook malware is leveraging an email relating to a false product order. The fake email, sent from Dubai, contains a compressed attachment where the malware executable is hidden.
- Lastly, researchers discover that over 52 million malicious messages have abused cloud-based services in 2021 Q1. Phishing attempts are utilising services such as Azure, SharePoint, One Drive, and Google Workspace to increase the legitimacy of their attacks.
SO WHAT? So what? Phishing campaigns will continue to leverage the latest trends and services to gain legitimacy. Train your employees to scrutinise all links and attachments they may receive through email, text message, or other communication methods.
Indicators of Compromise:
The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with the Bizarro banking trojan.