Week of Monday, March 7, 2022 | Issue 66
Emma Hoskins, Marina Tovar, CICYBER Team
Ransomware Instructions[1]
Date: March 7, 2022
Location: US
Parties involved: US Federal Bureau of Investigation (FBI); US Cybersecurity and Infrastructure Security Agency (CISA); Ragnar Locker Ransomware group; 52 targeted organizations
The event: The US FBI and US CISA issued a flash alert identifying 52 organizations across 10 Critical Infrastructure and Key Resources (CIKR) targeted by the Ragnar Locker Ransomware group.[2] Ragnar Locker is a Russian-based ransomware group that operates under a Ransomware-as-a-Service (RaaS) modality, an illicit parent-affiliate(s) business infrastructure where operators, like malicious software owners, provide tools to affiliates to carry out ransomware attacks.[3] Ransomware attacks use malware to encrypt the files on the networks and demand a ransom for the stolen and encrypted data.[4] Advanced malware strains with advanced infection, communication and control (C2), and data exfiltration capabilities are used in complex ransomware attacks.[5] A decryption key aids ransomware attack victims in restoring files and recovering the encrypted data.[6]
Analysis & Implications:
Malicious software owners will very likely choose the RaaS model to specialize and concentrate their efforts on developing more sophisticated and effective techniques to make more profit. The specialization almost certainly implies the use of advanced and sophisticated tools, like advanced malware, likely improving the effectiveness of the ransomware attack. The specialization very likely enhances ransomware operations because RaaS operators expand their reach to more victims and their affiliates can find targets, and spread the ransomware for them.
Advanced attacks will very likely target the operations systems instead of decrypting the data stored on the networks. Targeting the operations system will very likely cause slower network recovery than when targeting decryption, as the targeted companies likely possess a universal decryption key to rapidly mitigate the encryption effects. If the operations system is damaged, the targeted organization will likely be unable to conduct a risk assessment due to the systems to mitigate the effects of the ransomware attack being offline. Without a risk assessment, the organization will very likely not know the damages’ scope and will likely not correctly implement preventive policies, like disable file sharing.
Date: March 7, 2022
Location: Ukraine
Parties involved: Ukrainian government; Ukraine’s Computer Emergency Response Team (CERT-UA); UAC-0051; Russia; Ukrainian troops
The event: Ukraine’s CERT-UA confirmed UAC-0051, a cyber group linked with Belarusian espionage, conducted malware attacks via phishing targeting the Ukrainian government. Data stamps on the malware show it was created two months before the attacks were carried out and entered through a backdoor created in January 2022. Phishing emails showed attachments labeled “picture.jpg” and “dovidka.zip”, containing malware.[7] Phishing emails appear to be sent by legitimate organizations and the enclosed links download harmful software, such as malware or ransomware, to retrieve sensitive information from the user.[8] Belarus has publicly favored the Russian invasion, and UAC-0051, also known as UNC1151, was believed to have also targeted Ukrainian governmental organizations on January 14, 2022.[9]
Analysis & Implications:
The March 7, 2022 and similar planned attacks are very likely more effective than random attacks as hackers will likely assess different scenarios and outcomes. Attackers will very likely retrieve Ukrainian data through planned attacks, as Ukrainians likely do not have adequate prevention and remediation techniques. Retrieved data likely contains Ukrainian supply routes and internal communications, likely enabling attackers to block Ukrainian supply chains, likely restricting supplies to Ukrainian troops and civilians. Shortage of food and medicines will likely weaken Ukrainian defense.
Date: March 10, 2022
Location: US
Parties involved: REvil Ransomware group; US Department of Justice (DoJ); Yaroslav Vasinskyi; Russia; US; 14 alleged REvil members; Kaseya; US Federal Bureau of Investigation (FBI); US Secret Services; governments
The event: Yaroslav Vasinskyi, an alleged REvil ransomware group member responsible for the ransomware attack on Kaseya in July 2021, was extradited to the US. REvil, a Russian-based ransomware group, conducted a ransomware attack by exploiting vulnerabilities in Kaseya’s software that impacted up to 1500 companies.[10] In January 2022, Russian authorities arrested 14 alleged REvil members and seized hundreds of thousands of dollars in cash and cryptocurrency upon instruction of the US authorities.[11] The US FBI, in collaboration with the US Secret Services and governments, are undertaking efforts on gathering data and disrupting ransomware infrastructure and actors to take down REvil. In October 2021, REvil announced in the Happy Blog, their Darknet forum, that the group would temporarily go offline due to compromised servers.[12]
Analysis & Implications:
Charging Vasinskyi and arresting other REvil members will likely disrupt REvil’s operations by removing skilled members and finances. REvil's assets cutback will likely decrease the group’s attack effectiveness. Russia and the US will very likely understand REvil’s attack techniques, indicators for upcoming attacks, and possible future targets through seized data. Knowledge of the group’s techniques and objectives, and a decrease in REvil's human and financial resources, will likely allow Russia and US law enforcement to take down REvil in the short term.
Extraditing Vasinskyi to the US will likely alert other cyber groups that the US will hold cybercriminals accountable and will likely have a deterrent effect on similar cyber groups. Cyber groups are likely to remain inoperable for several months to improve their tools to remain untraceable by law enforcement. There is a roughly even chance REvil will reappear online and attack in the future.
[1] “Locky Ransomware: Instructions” by Christiaan Colen licensed under CC BY-SA 2.0
[2] FBI: Ransomware gang breached 52 US critical infrastructure orgs, Bleeping Computer, March 2022, https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/
[3] Ransomware-as-a-Service (RaaS) - The Rising Threat to Cybersecurity, Heimald Security, August 2021, https://heimdalsecurity.com/blog/ransomware-as-a-service-raas/
[4] Ransomware Attacks and Types – How Encryption Trojans Differ, Kaspersky, https://www.kaspersky.com/resource-center/threats/ransomware-attacks-and-types
[5] What is Advance Malware?, Digital Guardian, September 2018, https://digitalguardian.com/blog/what-advanced-malware
[6] Cybersecurity Firm Releases Universal Decryption Key For REvil Victims, My Tech Decisions, September 2021, https://mytechdecisions.com/network-security/cybersecurity-firm-releases-universal-decryption-key-for-revil-victims/
[7] Authorities companies in Ukraine focused in cyber-attacks deploying MicroBackdoor malware, Information Security World, March 2022, https://informationsecurityworld.com/2022/03/09/government-agencies-in-ukraine-targeted-in-cyber-attacks-deploying-microbackdoor-malware/
[8] Email Phishing, Vishing & Other Types of Attacks, WeBroot, https://www.webroot.com/gb/en/resources/tips-articles/what-is-phishing
[9] Ukraine suspects group linked to Belarus intelligence over cyberattack, Reuters, January 2022, https://www.reuters.com/world/europe/exclusive-ukraine-suspects-group-linked-belarus-intelligence-over-cyberattack-2022-01-15/
[10] Ukrainian Hacker Linked to REvil Ransomware Attacks Extradited to United States, The Hacker News, March 2022, https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html
[11] Alleged REvil Operator Extradited to US, Duo, March 2022, https://duo.com/decipher/alleged-revil-operator-extradited-to-u-s
[12] Governments turn tables on ransomware gang REvil by pushing it offline, Reuters, October 2021, https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/