Recent ransomware attacks have been highly sophisticated, leveraging advanced techniques, novel exploits, and strategic targeting of organizations across various sectors.
Below are some examples of recent ransomware attacks, along with technical details and insights into how these attacks work.
1. MOVEit Transfer Ransomware Attack (2023)
- Date of Attack: May 2023
- Ransomware: Clop Ransomware
- Affected Organization: MOVEit, a managed file transfer software provider
- Overview: In May 2023, Clop ransomware operators exploited a zero-day vulnerability (CVE-2023-34362) in MOVEit Transfer, a popular file-transfer solution used by thousands of organizations worldwide. The vulnerability allowed remote code execution, enabling attackers to access and exfiltrate sensitive data from affected systems.
- Technical Details:
  - Vulnerability: The vulnerability was found in the Progress MOVEit Transfer web application. It allowed attackers to upload and execute arbitrary code on vulnerable servers due to improper input validation in the MOVEit application's handling of file uploads.
  - Exploitation: The attackers used this flaw to access unencrypted files and metadata stored within MOVEit. The vulnerability could be exploited without authentication, making it particularly dangerous.
  - Encryption and Extortion: After exploiting the vulnerability, the attackers were able to exfiltrate sensitive data from users of MOVEit Transfer and encrypt files, demanding ransom for their decryption. In some cases, they also threatened to publish the stolen data on the dark web.
- Impact: Many companies, including high-profile organizations in finance, healthcare, and government, were affected. The breach led to significant data exposure.
2. Royal Ransomware Attack (2023)
- Date of Attack: Ongoing (first noted in early 2023)
- Ransomware: Royal Ransomware
- Overview: Royal ransomware emerged as a highly effective and sophisticated variant in early 2023. It is believed to be operated by a new threat actor group, and it uses a number of evasive tactics to avoid detection and maximize damage.
- Technical Details:
  - Encryption Algorithm: Royal uses AES-256 encryption to encrypt files. Unlike many other ransomware variants, it avoids the use of standard, well-known encryption routines, making it harder for cybersecurity vendors to create decryption tools.
  - Post-exploitation Phase: Royal ransomware uses a combination of tools to achieve persistence, escalate privileges, and move laterally across networks. It often employs legitimate administrative tools such as PowerShell and Windows Management Instrumentation (WMI) for lateral movement and data exfiltration.
  - Double Extortion: Like many modern ransomware variants, Royal employs the "double extortion" tactic, in which it encrypts the victim's files and also exfiltrates sensitive data. Victims are threatened with both data publication and file encryption unless they pay the ransom.
  - Ransom Payment: Royal has been known to demand large ransoms, typically in Bitcoin or Monero, with a payment window of a few days.
- Tactics, Techniques, and Procedures (TTPs):
  - Initial Access: The group has been observed using phishing emails with malicious attachments to gain initial access.
  - Privilege Escalation: They often exploit unpatched vulnerabilities in enterprise software to escalate privileges, including older vulnerabilities like CVE-2021-21972 in VMware products and CVE-2020-1472 in Microsoft Active Directory.
  - Data Exfiltration: Data exfiltration is a key component of the attack, typically involving large file transfers to external servers controlled by the attackers.
3. Progress Software's Data Breach (2023) - Cyberattack Using LockBit Ransomware
- Date of Attack: August 2023
- Ransomware: LockBit Ransomware
- Affected Organization: Progress Software (makers of MOVEit Transfer)
- Overview: Progress Software, after the MOVEit incident, also suffered a ransomware attack in which the LockBit group compromised their networks. LockBit is a major player in the ransomware-as-a-service (RaaS) model, where affiliates carry out the attacks and share a portion of the ransom proceeds with the group behind the malware.
- Technical Details:
  - Exploit: The LockBit group exploited a known vulnerability in Progress's servers, potentially involving misconfigurations or weak access control mechanisms. They often use tools like Cobalt Strike or similar frameworks to further exploit systems after gaining initial access.
  - TTPs: The attack involved traditional techniques, such as:
    - Credential Dumping: LockBit operators often dump credentials and use them to move laterally across the network, escalating privileges and accessing sensitive areas.
    - Data Exfiltration: The group exfiltrated a large volume of sensitive data before encrypting the remaining files.
    - Ransom Demands: The attackers demanded a ransom to decrypt files and prevent the public release of the stolen data.
4. The Maui Ransomware Attack on Healthcare Organizations (2023)
- Date of Attack: 2023
- Ransomware: Maui Ransomware
- Affected Organization: U.S. Healthcare Providers
- Overview: Maui is a particularly damaging strain of ransomware that has primarily targeted healthcare institutions in the U.S. It was first identified by the FBI in 2022, and its use has expanded in 2023.
- Technical Details:
  - Ransomware Behavior: Maui ransomware is a manual operation. This means attackers typically spend time in the target network, conducting reconnaissance and deploying tools before activating the ransomware.
  - Infiltration Methods: The ransomware actors use spear-phishing emails, social engineering, and sometimes compromised remote access tools (RATs) like AnyDesk to gain initial access.
  - Encryption: Maui does not use traditional file encryption; instead, it encrypts data via an online encryption server, which is designed to be more difficult to detect. Once the files are encrypted, the ransomware leaves a ransom note demanding payment in exchange for the decryption key.
  - Data Exfiltration: Like many ransomware variants, Maui exfiltrates data before encryption, which heightens the pressure on victims due to the risk of sensitive data being leaked.
- Notable Impact: Several healthcare organizations reported service disruptions as a result of the attacks, which hindered patient care.
5. Acer and Apple Attack (2024) - Use of BlackCat (ALPHV) Ransomware
- Date of Attack: Early 2024
- Ransomware: BlackCat (ALPHV)
- Overview: The BlackCat ransomware group has been increasingly active and sophisticated, with several large attacks hitting global enterprises. The group's ransomware uses the Rust programming language, which is known for its efficiency, making BlackCat harder to detect and analyze.
- Technical Details:
  - Rust Programming: BlackCat is notable for being written in Rust, which allows it to be lightweight, fast, and highly customizable. The use of Rust makes it harder for traditional signature-based antivirus solutions to detect BlackCat ransomware.
  - Ransomware Behavior: Once deployed, BlackCat uses a combination of encryption and fileless techniques to evade detection. It encrypts critical files while simultaneously exfiltrating sensitive data, often including proprietary designs, customer databases, and other intellectual property.
  - Tactics:
    - Exploitation of RDP: BlackCat has been seen exploiting weak RDP (Remote Desktop Protocol) configurations to gain access to corporate networks.
    - Credential Dumping: The group uses tools like Mimikatz to dump credentials and escalate privileges across the network.
    - Double Extortion: BlackCat operators use the double extortion method, encrypting files and threatening to leak sensitive data if the ransom is not paid.
- Impact: Both Acer and Apple suffered significant service disruptions, with reports of sensitive data being stolen and subsequently held for ransom.
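The Royal, LockBit and BlackCat writeups above all describe the same post-exploitation chain: credential dumping, lateral movement through WMI and PowerShell, and bulk exfiltration before encryption. As an added example (not part of the original page, and not any vendor's or threat group's code), the following Python detector flags those three stages over constructed Sysmon-style log records; the hosts, users, addresses, LSASS allowlist and byte threshold are all assumptions to be tuned per environment.

```python
import ipaddress
from collections import defaultdict

# Constructed Sysmon-style records (hypothetical hosts, users and addresses), not real telemetry.
# "eid" follows Sysmon numbering: 1 = process create, 3 = network connection, 10 = process access.
SAMPLE_EVENTS = [
    {"eid": 10, "host": "ws01", "source": r"C:\Users\alice\AppData\Local\Temp\mk.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"eid": 1, "host": "fs02", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"eid": 3, "host": "fs02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "203.0.113.45", "bytes_out": 900_000_000},
    {"eid": 3, "host": "ws01", "image": r"C:\Program Files\Backup\agent.exe",
     "dst_ip": "10.20.0.8", "bytes_out": 2_000_000_000},  # large but internal: not exfiltration
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Processes that legitimately open LSASS on a typical host; an assumption, tune per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_internal(ip):
    # Explicit RFC 1918 test: is_private() would also count the 203.0.113.0/24 doc range as private.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def detect(events, exfil_bytes=500_000_000):
    """Return (host, stage) findings for the three post-exploitation stages named in the text."""
    findings = []
    for e in events:
        if e["eid"] == 10 and basename(e["target"]) == "lsass.exe" \
                and basename(e["source"]) not in LSASS_ALLOWLIST:
            findings.append((e["host"], "credential_dumping"))
        elif e["eid"] == 1 and basename(e["parent"]) == "wmiprvse.exe" \
                and basename(e["image"]) in SCRIPT_HOSTS:
            findings.append((e["host"], "wmi_lateral_movement"))
        elif e["eid"] == 3 and e["bytes_out"] >= exfil_bytes and not is_internal(e["dst_ip"]):
            findings.append((e["host"], "bulk_exfiltration"))
    return findings

def hosts_to_escalate(findings, min_stages=2):
    """Hosts showing two or more distinct stages: a chain worth escalating, not a one-off alert."""
    stages = defaultdict(set)
    for host, stage in findings:
        stages[host].add(stage)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)
```

On the constructed sample, ws01 shows only the LSASS access while fs02 shows both WMI-spawned PowerShell and a large external transfer, so only fs02 is escalated; the large internal copy to 10.20.0.8 is deliberately not flagged.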
Key Ransomware Trends
- Double Extortion: This continues to be the most common method, where attackers not only encrypt files but also exfiltrate sensitive data, threatening to release it if the ransom is not paid.
- Sophistication in Malware: Newer ransomware families, such as BlackCat and Royal, have been seen using custom-built ransomware written in low-level programming languages like Rust or Go, making them more difficult to reverse-engineer and detect.
- Ransomware-as-a-Service (RaaS): Attackers are increasingly using RaaS platforms to spread ransomware, which allows more threat actors to participate in large-scale attacks without developing their own ransomware strains.
- Targeting Critical Infrastructure: Healthcare, financial institutions, and government entities are increasingly targeted due to their critical operations and sensitive data.
These ransomware attacks demonstrate the evolving and ever more sophisticated tactics employed by threat actors. Organizations are urged to adopt a comprehensive cybersecurity strategy, including regular patching, multi-factor authentication, network segmentation, and active monitoring, to mitigate the risks associated with these types of attacks.