By Roy Urrico
Finopotamus aims to highlight white papers, surveys and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
NCC Group: Ransomware Threat Remains at High Level
United Kingdom-based security consulting firm NCC Group’s Threat Intelligence Report found the financial sector in the top 10 most targeted sectors for ransomware attacks in April 2023. Industrials (32%) were the most targeted sector with 113 attacks, followed by consumer cyclicals (11%) with 39 attacks, and technology (11%) with 37 attacks.
The report also finds the second highest volume of ransomware attacks ever recorded by NCC, but the number was down 23% over March’s record-breaking figure. North America was the target of half of April’s ransomware activity with 172 attacks (50%). Europe followed with 85 attacks (24%), then Asia with 34 attacks (10%).
At the top of the “most-active threat actors” are Lockbit 3.0, which attempts to encrypt data; BlackCat, a ransomware-as-a-service (RaaS) operation; and BianLian, a ransomware developer, deployer, and data extortion cybercriminal group. These three players are responsible for carrying out 203 out of 352 attacks recorded in the month of April, representing 58% of the overall activity across the threat landscape.
Lockbit 3.0, the most active threat group of 2023, launched 107 out of the 352 attacks monitored, a 10% increase from March. BlackCat (50) and BianLian (46) increased its activity by 67% and 59%, respectively. BlackCat’s attack on digital storage device giant, Western Digital garnered significant attention, with the group claiming to have stolen 10 terabytes of data and demanding an 8-figure ransom.
Akira, a new ransomware player that NCC Group’s Global Threat Intelligence team believes operates independently from other well-known groups, made it into the top 10 most active groups for the first time, targeting enterprises across a diverse range of industries, from construction to real estate.
Meanwhile, ransomware-as-a-service (RaaS) provider Cl0p (aka Clop) reduced its activity by 98%, from 129 victims in March, to 3 in April. likely This is likely the result of patches applied for the GoAnywhere MFT day-zero vulnerability, exploited by the group, and contributing to the high number of March victims.
The report also spotlighted two critical software vulnerabilities, CVE-2023-27350 and CVE-2023-27351, affecting PaperCut’s printer software. PaperCut works with more than 100 million users in over 70 thousand organizations in a variety of industries, including local government, healthcare, and education. Shortly after announcement of the vulnerabilities, Shodan, a search engine for internet-connected devices, indicated roughly 1,700 instances of its software exposed to the internet.
Matt Hull, global head of Threat Intelligence at NCC Group, said: “We faced another record-breaking volume of ransomware attacks in April, demonstrating how the threat landscape is continuing to evolve at an alarming pace. The recent attack by BlackCat on Western Digital’s network is a prime example of the increasingly malicious nature of these activities, and we believe that this kind of malicious effort – leaking data to encourage ransom payments, known as a double-extortion ransomware attack – is on the rise.
“As we see these growing levels of activity, organizations should remain vigilant and adapt their security measures to stay one step ahead, adopting a comprehensive and multi-layered defense strategy that is malleable to a changing threat landscape,” he continued. “Simple measures such as ensuring patches, as seen with the latest PaperCut vulnerabilities, can often mitigate these risks considerably.”
CISA, FBI, NSA, MS-ISAC Publish Updated Ransomware Guide
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published the #StopRansomware Guide — an updated version of the 2020 guide containing additional recommended actions, resources, and tools.
The guide is a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. The update incorporates lessons learned from the past two years, including recommendations for preventing common initial access techniques, such as compromised credentials/passwords and advanced forms of social engineering; recommendations to address cloud security backups; and threat hunting tips for detection and analysis.
The first part of the guide provides comprehensive, relevant, and proven best practices that organizations should continuously implement to help reduce their risk such as maintaining offline, encrypted backups of critical data; creating, maintaining, and regularly exercising a basic cyberincident response plan (IRP) and associated communications plan that includes response and notification procedures.
Part two provides a step-by-step list of actions along with available services and resources for detection and analysis, containment and eradication, and recovery and post-incident activity. This checklist can guide any victim organization through a methodical, measured, and properly managed incident response approach.
“With our partners on the Joint Ransomware Task Force, CISA is focused on taking every action possible to support individuals and businesses, including ‘target-rich, cyber-poor’ entities like hospitals and K-12 schools, by providing actionable resources and information. We must collectively evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and where ransomware incidents are detected and remediated before harm occurs,” said Eric Goldstein, executive assistant director for Cybersecurity, CISA. “In order to address the ransomware epidemic, we must reduce the prevalence of ransomware intrusions and reduce their impacts, which include applying lessons learned from ransomware incidents that have affected far too many organizations.”
"The FBI is committed to sharing information with organizations and the public to assist in shoring up network defenses," said Bryan Vorndran, assistant director of the FBI's Cyber Division. "While the FBI continues to prevent and disrupt cyberattacks, we cannot win the fight against ransomware attacks alone: we urge all organizations to implement these recommendations to ensure stronger resiliency for their networks."
“Ransomware tactics have become more destructive and impactful,” said Rob Joyce, NSA director of cybersecurity. “Malicious cyber actors are not only encrypting files and asking for ransom, they are also exfiltrating data and threatening victims to release it as a form of extortion. Most importantly, the speed of compromise and impact have increased dramatically, requiring even more effort on the part of defenders. These attacks will only continue evolving into more frequent and more sophisticated ransomware attacks. We need to effectively counter this growing threat.”
“Sharing cybersecurity best practices, in particular those that can help reduce the incidence of ransomware, is important to government organizations at all levels. The Multi-State Information Sharing and Analysis Center (MS-ISAC) is pleased to have been able to participate in the development of this important publication,” said John Gilligan, Center for Internet security chief executive officer.