Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.


Royal Ransomware Actors Rebrand as “BlackSuit,” FBI and CISA Release Update to Advisory

08/07/2024 03:00 PM EDT

Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released an update to the joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, now retitled #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory provides network defenders with recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with BlackSuit and legacy Royal activity. FBI investigations identified these TTPs and IOCs as recently as July 2024.

BlackSuit ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, commercial facilities, healthcare and public health, government facilities, and critical manufacturing.

CISA encourages network defenders to review the updated advisory and apply the recommended mitigations. See #StopRansomware for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

CISA encourages software manufacturers to take ownership of improving the security outcomes of their customers by applying secure by design tactics. For more information on secure by design, see CISA’s Secure by Design webpage and joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.


Fortune 50 Ransomware Victim Pays an Eye-Watering $75 Million

The Dark Angels ransomware group got paid a staggering $75 million ransom from an undisclosed Fortune 50 victim.

This eye-watering sum shatters the previous record of $40 million paid by insurance giant CNA Financial in 2021, setting a new and alarming benchmark in the ransomware landscape.

The revelation comes from the latest Zscaler ThreatLabz ransomware report, which paints a grim picture of the current state of cybersecurity. Chainalysis, a cryptocurrency tracking firm, also confirmed it spotted the $75 million payment to Dark Angels.

Focuses On One Large Company At A Time

Compared to other ransomware groups, Dark Angels stands out by focusing on a “single large company at a time,” and demanding a high sum, Zscaler says. “This is in stark contrast to most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate networks.”

For instance, Zscaler reported that in September 2023, Dark Angels breached an international conglomerate specializing in building automation systems and other services. The group stole 27 TB of corporate data while encrypting the company’s VMware ESXi virtual machines and subsequently demanded a $51 million ransom.

93 Percent Increase in Ransomware Attacks Targeting the U.S.

According to the report, global ransomware attacks have surged by 18% YoY, with healthcare, manufacturing and technology sectors bearing the brunt of these malicious activities. Particularly concerning is the manufacturing sector, which has experienced more than double the attacks compared to the other two industries combined.

Geographically, the United States remains the prime target for ransomware attacks, accounting for nearly half of all incidents worldwide. The UK follows closely behind. What is even more alarming is the 93% increase in ransomware attacks targeting the U.S. compared to the previous year, highlighting the urgent need for improved cybersecurity measures across the nation.

The Impact of Major Ransomware Groups

While the Dark Angels group may not be a household name like some of their more notorious counterparts, their recent payday certainly puts them in the spotlight. The cybercrime landscape is constantly shifting, with new groups emerging and others fading away. Zscaler has tracked a total of 391 ransomware gangs over the years, with 19 new ones identified between April 2023 and April 2024 alone.

Despite law enforcement efforts to disrupt their operations, established ransomware groups continue to dominate the scene. LockBit remains at the top of the list, followed by BlackCat (ALPHV), 8Base, Play, and Clop. These groups consistently demonstrate their ability to adapt and evolve, staying one step ahead of security measures.

The record-breaking ransom paid to the Dark Angels group serves as a stark reminder of the critical importance of security awareness and training. As ransomware attacks grow in both frequency and severity, organizations must prioritize educating their employees about potential threats and best practices for prevention.

Looking Ahead: 2025 Predictions

  • As ransomware threats evolve, several key trends are set to shape the cybersecurity industry in 2025, as highlighted in the ransomware report. Among these trends, one section that caught everyone’s attention is the rise of highly targeted attack strategies. Groups like Dark Angels are setting a precedent by focusing on a few high-value targets for substantial ransoms, which may influence other threat actors to adopt similar approaches.
  • Another trend is the use of voice-based social engineering by specialized initial access brokers such as Scattered Spider, who will likely continue to exploit this tactic to infiltrate corporate networks.
  • Generative AI is expected to play a significant role in ransomware attacks, enabling threat actors to create more convincing and personalized attacks, including AI-generated email and voice impersonations.
  • High-volume data exfiltration attacks, which exploit the fear of data leaks rather than relying on encryption, are expected to rise. The healthcare sector will remain a prime target due to its valuable data, necessitating enhanced security measures.

International collaboration is crucial in disrupting global ransomware networks and combating cybercrime effectively. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/dark-angels-ransomware-group-scores-record-breaking-75-million-payday


Nearly All Ransomware Attacks Now Include Exfiltration of Data…But Not All Are Notified

Organizations are falling victim to ransomware attacks where data is stolen, but the victim isn’t being told about it. I have a theory as to why this is happening.

Many assume data is being exfiltrated as part of a ransomware attack and it’s going to be used as part of the extortion component of the attack. But according to Arctic Wolf’s The State of Cybersecurity: 2024 Trends Report, that doesn’t seem to be the case.

I recently covered that ransomware is now felt by 91% of organizations — half of them within the last 12 months, according to Arctic Wolf. But, of the victim organizations, only 57% were notified of the data exfiltration by the ransomware perpetrators!

I believe the reason for this is espionage.

I also recently talked about how espionage-intent threat groups are using ransomware as a diversion tactic in cyber attacks. In essence, the goal is to steal secrets, but to cover their tracks, threat actors launch ransomware.

But, regardless of the motivation, the lack of notification can just as easily be motivated by maintaining persistence to sell the access to another threat group. Regardless of the reason, all this makes the case for why it’s critical to ensure your organization has the highest level of controls in place — which should include new-school security awareness training.

Blog post with links:
https://blog.knowbe4.com/nearly-all-ransomware-attacks-now-include-exfiltration-of-data-but-not-all-are-notified



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
