Data Exfil Spotlight: Money Message Ransomware Gang Leaks 500GB of MSI Data

Date: April 13, 2023


Money Message, a new arrival on the ransomware scene, has leaked 528GB of data exfiltrated from Taiwanese computer manufacturer Micro-Star International (MSI) and is also threatening to expose some of the company's source code.

“Earlier this month, MSI confirmed the company suffered a cyberattack, with attackers supposedly demanding several million dollars in ransom for the stolen MSI source code,” CyberNews reported.

“Source code leaks pose severe security issues to companies, as threat actors can get a glimpse of the company’s intellectual property and system data. Revealing source code can allow attackers to subsequently craft targeted security exploits.”

Takeaway: The predicament MSI is in today is increasingly common. More often, victims are dealing with the aftermath of a disruptive ransomware attack and trying to restore operations to normal while also facing the prospect that their intellectual property will be exposed and their competitive advantage in the market damaged.

As an industry, we continue to view these events as ransomware attacks with some data exfiltration. Given that most ransomware attacks now include the theft of sensitive data - with some threat actors, such as BianLian and Karakurt, even skipping the encryption stage and moving to straight-up data extortion - it's time we flip the conversation and start looking at these as data exfiltration attacks with some ransomware in the mix.

Today's more complex ransomware operations are multi-staged attacks, where the threat actors look to infiltrate as much of the targeted network as possible while exfiltrating sensitive data along the way. They threaten to expose the stolen data to put more pressure on the victim to pay the ransom demand and receive the decryption key to restore their systems. In some cases, the attackers demand an additional payment for the stolen data on top of the initial ransom.

There is a lot of focus on the delivery of the ransomware payload, but we have to remember that this occurs at the end of the attack sequence, when the damage to the victim organization has most likely already been done. Targets usually only discover they have been hit after the attackers deploy the ransomware payload and reveal themselves with a ransom demand.

Given how much effort goes into laying the groundwork for these attacks, we are not putting enough emphasis on the early stages, where the threat actors are preparing the environment for delivery of the ransomware payload. There are days, weeks or potentially even months of detectable activity on the network prior to the final payload, and a lot of data leaves the organization over the course of the attack.

The defense mindset needs to shift significantly to the left, so that we address ransomware attacks first as an effort to prevent the attackers from exfiltrating data. We should look at these attacks as data exfiltration events with the additional threat that ransomware could be deployed, rather than focusing on the tail end of the attack, when the ransomware is delivered and the attack has already succeeded.
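As an added illustration of the "detectable activity" point above, here is a small egress-baseline check of the kind a defender can run over outbound flow records to surface a host that suddenly sends far more data to external addresses than its own recent history. This is example code written for this post, not Halcyon's product logic and not anything from the MSI incident; the flow records, host names, RFC 5737 documentation addresses and thresholds are all constructed.

```python
"""Egress-volume anomaly check over constructed flow records.

Flags a host whose daily outbound byte count to external addresses jumps
well above its own recent baseline and names any destination it has not
talked to before. Hypothetical example; all data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow records: (day, src_host, dst_ip, bytes_out).
# ws-17 has a steady ~40MB/day of normal traffic, then a 2.1GB push to a
# never-before-seen external address on 2023-04-06.
FLOWS = [
    ("2023-04-01", "ws-17", "203.0.113.10", 40_000_000),
    ("2023-04-01", "ws-17", "198.51.100.7", 5_000_000),
    ("2023-04-02", "ws-17", "203.0.113.10", 38_000_000),
    ("2023-04-03", "ws-17", "203.0.113.10", 42_000_000),
    ("2023-04-04", "ws-17", "203.0.113.10", 41_000_000),
    ("2023-04-05", "ws-17", "203.0.113.10", 39_000_000),
    ("2023-04-06", "ws-17", "192.0.2.55", 2_100_000_000),
    ("2023-04-06", "ws-17", "203.0.113.10", 40_000_000),
]
# srv-db legitimately moves ~900MB/day externally; volume alone must not fire.
FLOWS += [(f"2023-04-0{d}", "srv-db", "203.0.113.10", 900_000_000) for d in range(1, 7)]
# Large internal backup transfer; must be ignored as it never leaves the network.
FLOWS.append(("2023-04-06", "srv-db", "10.0.5.20", 3_000_000_000))

# Constructed internal ranges (assumption for this example).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def daily_egress(flows, internal=INTERNAL):
    """Sum outbound bytes per (host, day), counting only external destinations."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, host, dst, nbytes in flows:
        if any(ip_address(dst) in net for net in internal):
            continue  # internal-to-internal traffic is not egress
        totals[(host, day)] += nbytes
        dests[(host, day)].add(dst)
    return totals, dests


def find_anomalies(flows, ratio=5.0, min_bytes=500_000_000, baseline_days=3):
    """Alert when a host's daily egress is both large in absolute terms and
    at least `ratio` times the median of its previous `baseline_days` days."""
    totals, dests = daily_egress(flows)
    per_host = defaultdict(dict)
    for (host, day), nbytes in totals.items():
        per_host[host][day] = nbytes

    alerts = []
    for host, by_day in per_host.items():
        days = sorted(by_day)
        seen = set()
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[max(0, i - baseline_days):i]]
            new_dests = dests[(host, day)] - seen
            seen |= dests[(host, day)]
            if len(history) < baseline_days:
                continue  # not enough history to judge this day
            base = median(history)
            today = by_day[day]
            if today >= min_bytes and today >= ratio * base:
                alerts.append({
                    "host": host, "day": day, "bytes": today,
                    "baseline": base, "new_destinations": sorted(new_dests),
                })
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(FLOWS):
        print(f"{a['day']} {a['host']}: {a['bytes']:,} bytes out "
              f"(baseline {a['baseline']:,}); new destinations {a['new_destinations']}")
```

The two-part condition matters: an absolute threshold alone would flag srv-db every day, while a ratio alone would flag any quiet workstation that installs an update. Per-host baselines with a short median window are a crude but honest starting point; a production version would key on destination reputation and hours-of-day as well.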

By building resilience into their security posture, organizations can limit the impact of a ransomware payload on operations. Once their data has been stolen, however, the attack becomes much harder to mitigate, because there is no guarantee the attacker will not exploit the data even after receiving payment.

A solid resilience strategy, one that includes the mechanisms and preparations needed to swiftly respond to and recover from a ransomware attack without paying the ransom or cooperating with the attackers at all, will reduce the risk of serious disruption to operations and to the health of the organization as a whole.

But if the attackers have already exfiltrated the organization's most valuable data, those preparation efforts largely go out the window, and the victim will find themselves in the same predicament as MSI and the thousands of other companies that have been targeted by these extortion campaigns.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.