Top Five Most Impactful RansomOps Attacks of 2022
Date: February 7, 2023
The Cost of a Data Breach 2022 report found that the average ransom payment was more than $800K, while the costs associated with remediating a successful ransomware attack averaged as much as $4.5M, and ransomware incidents took almost two months longer to detect and recover from than other network intrusion events.
Furthermore, the frequency of ransomware attacks continued to escalate over the course of 2022, with 25% of all disclosed breach events involving ransomware payloads, according to the 2022 Verizon Data Breach Investigations Report.
OK, the stats are scary, ransomware sucks, yada yada - but what does all this mean to the business? Plain and simple: ransomware attacks have evolved from small-time spam operations netting hundreds of dollars per incident into complex multi-stage attacks designed to garner tens of millions in ransom demands.
These more sophisticated ransomware operations, or RansomOps, may involve multiple threat actors with multiple objectives, ranging from abusing system resources for cryptocurrency mining to stealing sensitive data and intellectual property to selling access to the compromised networks via the dark web. This means that by the time the ransomware payload is actually detonated and the organization becomes aware of the attack, the damage to the org is already done.
Five Impactful RansomOps Attacks of 2022
Let’s take a look at some of the most significant ransomware attacks from last year and what lessons organizations should be gleaning in order to better prepare themselves to address this unique threat:
Los Angeles Unified School District
The Los Angeles Unified School District (LAUSD), the second largest public school system in the US, fell victim to a major ransomware attack claimed by the Russian outfit Vice Society over the Labor Day weekend. The district, under the advice of federal authorities assisting in the response, declined to pay the ransom demand and subsequently took another hit when the attackers released sensitive data as part of a double extortion scheme.
Double extortion is an increasingly popular tactic in which the attackers exfiltrate data from the target prior to detonating the ransomware payload and encrypting systems. When the ransom note is delivered, it usually states a ransom payment deadline the victim must meet lest they end up like LAUSD and have their sensitive data leaked.
There are several takeaways from this incident, a key one being that data backups (while important and highly recommended) do not assure resilience in regard to ransomware attacks. Data backups will certainly aid in recovery, but they do not protect against data loss and leakage.
Another takeaway here is that attackers know that the SOC is typically not fully staffed on weekends and holidays, so this is an optimal time to perpetrate an attack. The light staffing also means that the attack takes longer to detect and that it takes longer to assemble the team and initiate incident response - these delays most certainly drive up the overall cost of recovery for victim orgs.
Rackspace
Cloud computing services provider Rackspace disclosed in early December that it had suffered a ransomware attack that impacted its Hosted Exchange environment and some customers using the service. The threat actors were able to access the personal data of some customers, including files such as archived emails, calendar events and contact lists. The attackers leveraged exploits designed to bypass mitigations for the previously disclosed ProxyNotShell vulnerabilities in Microsoft Exchange.
These more complex RansomOps attacks are more than random spam email campaigns that include a malicious link or attachment and typically only impact a few assets. RansomOps attacks are carried out by multiple threat actors including Initial Access Brokers, Ransomware-as-a-Service (RaaS) platforms that provide the attack infrastructure, the RaaS affiliates who actually carry out the attacks, professional ransomware negotiators who broker the ransom payment, and more.
One key takeaway from this attack is that organizations need to understand that – where RansomOps are concerned – there are weeks or even months of detectable attacker activity on the network prior to the delivery of the ransomware payload. If your organization's ransomware response plan begins only after the ransomware payload has been delivered, that’s like the fire department showing up after the house has already burned to the ground.
Medibank
Medibank, a leading private health insurer in Australia, disclosed it had suffered a ransomware attack at the hands of the prolific Russian ransomware gang known as REvil in October. Like in the case of the LAUSD attack, Medibank declined to pay the ransom demand and subsequently had sensitive customer medical data leaked publicly.
The takeaway here is that, in addressing a successful ransomware attack, organizations are faced with a tough decision whether to pay the ransom demand or not. While the FBI and CISA strongly recommend that orgs not pay a ransom – namely to avoid incentivizing more attacks – there is no clear best practice here as of yet.
If an organization chooses to pay, there is no guarantee that the attackers will provide the decryption key, that the data won’t be corrupted upon decryption, or that sensitive data will not be leaked publicly anyway. Furthermore, there is the possibility that the organization could find itself in legal jeopardy if it were to facilitate payment to a sanctioned entity.
And if the organization decides not to pay, it may end up in the same situation as LAUSD and Medibank, where data is leaked and there is a long recovery process that requires remediation on every single impacted endpoint, which can be even more costly to the victims. In the end, each org must make the decision on a case-by-case basis, taking a host of factors into consideration. This fact makes a strong case for focusing on prevention as well as preparing for recovery.
Nvidia
Nvidia, the largest microchip producer in the US, fell prey to a ransomware attack in early 2022 that crippled some of the company’s critical operations for several days and compromised 1TB of data that included proprietary source code, sensitive customer data, and employee login credentials. While some of the data was leaked publicly, the company never disclosed whether or not they paid the ransom demand.
In this unusual case, the attackers not only demanded a ransom payment but also insisted that the company disable the limitations it had placed on its GeForce 30 series firmware, both to improve performance for gamers and to make it possible to use the processors for cryptocurrency mining.
The takeaway here is that organizations that fall victim to ransomware attacks not only have to contend with the attack, the remediation and all the associated costs, and the risk of sensitive data being exposed; they also have to consider that an attacker may try to influence how the company chooses to operate. It is doubtful there are any orgs out there that would be comfortable with a criminal syndicate dictating critical business decisions.
Costa Rica Gov
In April, the Costa Rican government declared a national state of emergency after it suffered a major ransomware attack at the hands of the Russian Conti gang that lasted several weeks and included the exfiltration of 672GB of data.
The attackers applied some fairly advanced TTPs, leveraging tools ranging from Mimikatz for extracting credentials to the deployment of an encrypted version of Cobalt Strike. The Costa Rican government refused to pay the ransom, which resulted in 50% of the encrypted data being released to the public, and dozens of government ministries were crippled.
The takeaway here is that even though Conti is a criminal syndicate motivated by financial gain, the attacks it carries out are more akin to a nation-state operation than to that of the typical criminal group. These low-and-slow APT-style attacks are designed to infiltrate as much of a target’s network as possible in order to extract the largest possible ransom demand. And while that may serve the attackers’ goals, it also means there are more opportunities to detect and disrupt an attack already in progress.
Up Next
In part two, we’ll look at the attacks that hit organizations including Toyota, the UK National Health System and more…
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware. Talk to a Halcyon Endpoint Resilience expert today to find out more.