Honda, the Japanese car manufacturer, reported that attackers had broken into its networks. The attack disrupted some of its operations at its base in Japan as well as abroad. Honda production plants in Ohio and Turkey went offline on Tuesday, June 9, 2020, after the cyber-attack compromised several of the automaker's facilities. While cybersecurity experts say a ransomware attack is the most likely cause, it is unclear whether the attack hit information technology systems or the industrial control systems themselves.
Some cybersecurity experts have said that the EKANS ransomware (shown in figure 1) compromised the servers. EKANS is designed to target networks that run industrial control systems. Honda even sent its employees home early, which confirms that production workflow was halted.
In a comparison of malware samples targeting Honda and Enel that were posted online, Malwarebytes Labs found that the incidents may be tied to the EKANS/SNAKE ransomware family. According to a Dragos analysis, EKANS includes not only traditional file encryption and ransom note features but also additional functionality that forcibly stops ICS-related (industrial control system) operational processes. That could explain why this particular ransomware targeted both a manufacturer and an energy utility (Honda and Edesur, Enel's Argentine subsidiary).
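The pre-encryption step described above, forcibly stopping ICS-related processes, is also the loudest thing EKANS does: a burst of forced terminations of HMI, historian and OPC processes from one parent process on one host is not normal plant behaviour. The block below is an added example, not code from the original article, from Dragos or from Malwarebytes, showing how that signal can be detected over endpoint process-termination logs. The process names in WATCHLIST, the log format and the lines in SAMPLE_LOG are constructed placeholders, not EKANS's actual kill list; substitute the process inventory of your own OT environment.

```python
"""Detect a burst of forced terminations of ICS/OT-related processes on one host.

Added example, not code from the original article or from Dragos/Malwarebytes.
WATCHLIST and SAMPLE_LOG are constructed placeholders, not EKANS's real kill list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist of process names a plant would never expect to see
# killed in bulk (HMI runtime, historian, OPC server, engineering workstation).
WATCHLIST = {"hmi_runtime.exe", "historian_svc.exe", "opc_server.exe",
             "eng_ws.exe", "plc_comm.exe"}

# Constructed sample endpoint log. Columns: timestamp host event target parent
SAMPLE_LOG = """\
2020-06-09T02:14:01Z plant-hmi-01 PROCESS_TERMINATED hmi_runtime.exe update.exe
2020-06-09T02:14:01Z plant-hmi-01 PROCESS_TERMINATED historian_svc.exe update.exe
2020-06-09T02:14:02Z plant-hmi-01 PROCESS_TERMINATED opc_server.exe update.exe
2020-06-09T02:14:02Z plant-hmi-01 PROCESS_TERMINATED notepad.exe explorer.exe
2020-06-09T02:14:03Z plant-hmi-01 PROCESS_TERMINATED plc_comm.exe update.exe
2020-06-09T02:14:05Z plant-hmi-01 FILE_RENAMED report.docx update.exe
2020-06-09T03:30:00Z plant-eng-02 PROCESS_TERMINATED eng_ws.exe services.exe
2020-06-09T09:30:00Z plant-eng-02 PROCESS_TERMINATED opc_server.exe services.exe
"""


def parse_log(text):
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, target, parent = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "event": kind,
            "target": target,
            "parent": parent,
        })
    return events


def detect_kill_bursts(events, watchlist, window=timedelta(seconds=30), threshold=3):
    """Return one alert per (host, parent) that terminates at least `threshold`
    watchlisted processes inside `window`. Patch cycles and orderly shutdowns
    also stop services, so the common parent and the burst size are both part
    of the signal; tune `threshold` and `window` to your own environment."""
    by_group = defaultdict(list)
    for ev in events:
        if ev["event"] == "PROCESS_TERMINATED" and ev["target"].lower() in watchlist:
            by_group[(ev["host"], ev["parent"])].append((ev["time"], ev["target"]))

    alerts = []
    for (host, parent), kills in by_group.items():
        kills.sort(key=lambda k: k[0])   # stable sort keeps log order for ties
        i = 0
        while i < len(kills):
            j = i
            while j < len(kills) and kills[j][0] - kills[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({
                    "host": host,
                    "parent": parent,
                    "first_seen": kills[i][0],
                    "killed": [name for _, name in kills[i:j]],
                })
                i = j          # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_bursts(parse_log(SAMPLE_LOG), WATCHLIST):
        print(f"{alert['first_seen']:%Y-%m-%d %H:%M:%S} {alert['host']}: "
              f"{alert['parent']} killed {len(alert['killed'])} OT processes: "
              f"{', '.join(alert['killed'])}")
```

On the constructed log, only plant-hmi-01 alerts: update.exe stops four watchlisted processes within two seconds, while the two terminations on plant-eng-02 are six hours apart and fall under the threshold. In practice the parent is what you pivot on next: an unfamiliar binary that has just killed the historian and the OPC server and is now renaming files is the encryption stage starting.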
By integrating automated threat detection, correlation, analysis, hunting, response and remediation in one platform, you can ease the burden on limited IT or security staff while still detecting indications of ransomware early enough to contain its impact on your company.
The emergence of new strains has slowed down, but ransomware is getting much more sophisticated. In the early days, attackers mostly targeted consumers, and the malware encrypted files immediately upon execution. Later, ransomware gangs realized they could make far more money targeting businesses. At first the malware spread through organizations like a worm, collecting credentials and encrypting files along the way. Threat actors are now much more deliberate in their approach. Once they are in, the malware 'dials home' so that the operator can work out which data is most valuable to the victim, how much they can realistically demand, and what they can encrypt to get paid soonest.
July 2017 - F-Secure Labs uncovered chat sessions in which a ransomware support agent claimed they had been hired by a corporation for targeted operations. Later analysis and metadata research confirmed that this tactic was used with another variant, and the follow-up attack targeted IP lawyers and was seemingly aimed at disrupting their business operations.
A new ransomware-as-a-service dubbed GandCrab showed up mid-month. It became the most prominent ransomware of 2018, infecting approximately 50,000 computers, most of them in Europe, in less than a month and demanding ransoms of between $400 and $700,000 in DASH cryptocurrency from each victim. Yaniv Balmas, a security researcher at Check Point, compares GandCrab to the notorious Cerber family and adds that GandCrab's authors have adopted a fully fledged agile software development approach, a first in ransomware history. More technical details are at the Security Affairs blog.
Analysis by threat intelligence group Analyst1 recently uncovered that ransomware gangs have formed a cartel. One key finding worth mentioning is the use of Ransomware-as-a-Service, under which cybercriminals are hired to execute the attack for you at a discounted price. Cartels are also continuing to increase their ransom demands, automating their attacks, and reinvesting profits from successful attacks to improve their tactics. Unfortunately, it is only getting easier for these ransomware gangs to infiltrate your organization.
September 2021 - New analysis from global cyber and software resilience vendor NCC Group showed that ransomware was definitely on the rise globally, with Conti and Avaddon the top strains. Attacks increased 288% between January-March 2021 and April-June 2021, with the U.S. representing the largest share of victims at 49%.
An analysis of publicly accessible data on ransomware attacks shows that local governments, higher education and healthcare, which were primary targets of ransomware in 2021, continued to be targeted in 2022. Security vendor Emsisoft's report, The State of Ransomware in the US: Report and Statistics 2022, analyzes this data. The authors expect this focus to continue unless something is done to shore up security in these sectors.
February 2023 - A new report from insurance provider Hiscox revealed that over the last five years the percentage of companies attacked has fluctuated between 43% and a high of 61%, making ransomware the most common threat to UK businesses. An interesting part of the report is what organisations invested in after a cyber attack. Around two out of five said they had put additional cybersecurity and audit requirements in place (41%), stepped up employee training (39%) and improved preparations for cyber attacks (39%).
Specifically concerning the execution and impact of the ransomware binaries themselves, from the simplified tests we performed here, it appears that there is likely a great deal of data available for analysis and detection/alerting within East-West network exchanges, and also within the endpoint computing devices themselves...
After studying the EKANS ransomware, cybersecurity experts found that this Trojan is rather similar to a ransomware threat deployed in 2019 dubbed MegaCortex. The MegaCortex threat is believed to originate from the United Kingdom, as its creators referenced various stores located in the city of Sunderland. Going further down the rabbit hole, MegaCortex is likely linked to another threat called Rietspoof, which was propagated via spam messages on Skype in 2019. However, some malware researchers suspect that this may be a complex operation by a state-sponsored hacking group, and that the links to the previously mentioned threats were planted deliberately to mislead analysts.
As the ongoing COVID-19 pandemic continues to place unprecedented strain on global healthcare infrastructure, attackers are finding an already attractive target even more enticing. The pandemic has greatly expanded the attack surface: greater demand for remote services such as telehealth, COVID-19 contact-tracing app data, pressure on medical manufacturing companies, and a race among medical research facilities to find a cure. An analysis of publicly disclosed breach data by the Tenable Security Response Team (SRT) found 237 breaches in the healthcare sector in calendar year 2020. The activity looks set to continue unabated in 2021, with 56 breaches already disclosed as of February 28. One finding is clear: ransomware attacks are not going away anytime soon.
A root cause was reported in 93.17% of the healthcare breaches disclosed in the 14-month period we analyzed. Among these, ransomware was by far the most prominent root cause, accounting for 54.95%. Other leading causes included email compromise/phishing (21.16%), insider threat (7.17%) and unsecured databases (3.75%). In some instances a breach does not result from direct action against the victim or from the victim's own actions, but from a third-party breach: a vendor you use is breached and, as a result, attackers gain access to your data stored in the vendor's systems. In some cases attackers exploit the vendor to gain direct access to your own systems. Where the numbers were made public, our analysis shows that third-party breaches accounted for over a quarter of the breaches tracked and for nearly 12 million exposed records. The breach of a single company accounted for over 10 million of those records. That breach has been linked to 61 of the company's healthcare customers, and the number of exposed records is expected to rise as more of the affected customers disclose their figures.
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
In 2021 the most prolific ransomware groups attacking OT systems were Conti and LockBit 2.0, which together accounted for 51 percent of ransomware attacks, with 70 percent of their activity targeting manufacturing. Much of the success groups like these have achieved in cyber extortion can be attributed to business models such as ransomware-as-a-service (RaaS) and sophisticated underground marketplaces, where ransomware developers outsource operations to affiliates who execute the attacks. Affiliates do not need high-level technical expertise because the ransomware has already been developed, and they can purchase access to systems and hire hackers, which significantly lowers the barrier to entry.
Unfortunately, many manufacturers are still ill prepared to blunt these ransomware attacks before the adversaries have stopped production. Dragos Year in Review (YiR) analysis, based on the firm's professional services engagements last year, shows that 90% of manufacturers have limited visibility into their OT systems and the same percentage have poorly defined network perimeters. Meanwhile, 80% of manufacturers have external connectivity exposed in OT systems, and 60% use shared credentials that ransomware groups can easily leverage to compromise systems.