Cyber Threat Intelligence
October 2020
© 2020 EMEA Cybersphere Center
INDEX
1. Overview
2. Attack analysis
3. Threat actors
4. Recommendations
1. OVERVIEW
Background
Ransomware is malware that encrypts files on the infected machine and demands a ransom in exchange for a decryption key to recover the files.

Ransomware is one of the most significant threats facing organizations and individuals today. The attacks conducted by ransomware operators are becoming increasingly sophisticated, more challenging to prevent, and more damaging to their victims.

Since at least 2018, ransomware operators have moved from launching attacks against small targets to big game hunting (BGH) campaigns, targeting large corporations and government organizations in pursuit of lucrative payouts.

Since late 2019, ransomware operators have adopted the double extortion technique, placing substantial pressure on organizations to increase the chances that the ransom demand is paid. Before deploying the payload, the attackers extract large quantities of sensitive information and threaten to publish it unless the ransom fee is paid. Finally, the attackers deploy the payload to encrypt files on the infected network and leave a ransom note.

The ransom demand is set at a level that is low enough to be payable, but high enough to make it worthwhile to the attacker.
Impact: Relevant Attacks

STATE, LOCAL GOVERNMENT
An Argentinian immigration agency suffered a NetWalker ransomware attack that temporarily halted border crossings into and out of the country. The attackers initially demanded a $2 million ransom; however, after seven days the ransom fee doubled to $4 million.

ENERGY & UTILITIES
A Portuguese multinational electric power generator and distributor was compromised by RagnarLocker operators. According to the ransom note, the attackers extracted 10 TB of data and asked the company to pay a ransom of 1580 BTC (the equivalent of more than $10 million).

TRANSPORTATION, HOSPITALITY & SERVICES
RagnarLocker conducted an attack against the fifth largest travel management firm and allegedly exfiltrated 2 TB of data. The initial ransom demanded by the attackers was $10 million; however, the victim negotiated it down to $4.5 million.

LEGAL
REvil operators compromised a NYC law firm which offers legal services to people in the entertainment and media field. The attackers exfiltrated personal information of celebrity clients and auctioned it off on their blog, setting the starting bid at $600.000 with a blitz price of $600.000.

TECHNOLOGY
The operators behind Maze attacked several technology companies, including an American multinational corporation that provides IT services. According to the company, the attackers allegedly stole financial and sensitive personal information.

HEALTHCARE
The SunCrypt gang conducted an attack against a university hospital and publicly disclosed an archive of 48.000 documents. Afterwards, a representative of the hospital contacted the attackers and negotiated the ransom to $670.000 to prevent the exposure of 240 GB of patient information.
2. ATTACK ANALYSIS

Impact
Ransomware operators target all sectors and almost all countries, implying HIGH risk to all entities around the globe.
• Most of the affected organizations belong to the United States.
• No evidence of entities belonging to countries from the former Soviet Union has been detected on data leak blogs.
• Several ransomware groups agreed NOT to attack the healthcare sector during the COVID-19 crisis.

THE MOST AFFECTED SECTORS
16% | Retail, Wholesale & Distribution
12% | Manufacturing
9% | Industrial Products
8% | Technology
6% | Healthcare
6% | Construction
6% | Financial
6% | Professional Services
Attack Diagram

The following diagram illustrates how threat actors perform a ransomware attack with data exfiltration.

STAGE 1: Victim identification
In the reconnaissance stage the following factors increase the chances of suffering the attack:
- The company has not suffered similar attacks before.
- Access to the company's infrastructure is announced or offered for sale in underground forums or markets.
- The company has suffered a data breach.
- The entity has remote access services exposed to the Internet (RDP, Citrix, etc.).

STAGE 2: Access to the infrastructure
This stage is carried out depending on the result of the investigation in STAGE 1. The exposure of remote access services is the most common entry point, although the threat actors may choose to carry out simpler attacks such as the distribution of malicious email campaigns.

STAGE 3: Remote access
To ensure remote access to the infected infrastructure for as long as possible, the attackers use tools like CobaltStrike, RMS or Empire.

STAGE 4: Network scanning
The attackers scan the compromised network in order to gather information about its infrastructure.

STAGE 5: Lateral movement
To spread through the network, the attackers can use either system tools enabled in any company ("WMI", "PsExec" or "PowerShell") or tools developed by themselves.

STAGE 6: Data exfiltration
Attackers identify valuable and easily extractable files. As a rule, attackers steal documents, databases and credentials, usually via FTP.

STAGE 7: Data encryption and ransom note
Finally, attackers deploy the payload to encrypt files on the infected network and leave a ransom note.
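As an added example that is not part of the report, the following Python snippet shows one way a defender can surface STAGE 5 from process-creation telemetry: it extracts the remote target from PsExec, WMI and PowerShell remoting command lines and flags a source host that reaches several distinct machines within a short window. The log format, host names and thresholds are constructed assumptions.

```python
"""Added example (not from the report): flag lateral-movement fan-out.
Stage 5 of the report's chain spreads with WMI, PsExec or PowerShell; one
defender signal is a single host reaching many distinct targets with those
tools in a short window.  The events below are constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed process-creation events: "time host user command line"
SAMPLE_EVENTS = r"""
2020-10-05T09:01:10 WS-017 corp\jdoe psexec.exe \\SRV-FILE01 -s cmd.exe /c whoami
2020-10-05T09:01:42 WS-017 corp\jdoe wmic.exe /node:SRV-DB02 process call create "cmd /c whoami"
2020-10-05T09:02:05 WS-017 corp\jdoe powershell.exe Invoke-Command -ComputerName SRV-APP03 -ScriptBlock {hostname}
2020-10-05T09:02:40 WS-017 corp\jdoe psexec.exe \\SRV-BACKUP -s cmd.exe /c hostname
2020-10-05T09:30:00 WS-042 corp\admin psexec.exe \\SRV-FILE01 -s cmd.exe /c hostname
2020-10-05T11:15:00 WS-017 corp\jdoe powershell.exe Get-Process
"""
# One pattern per tool, each capturing the remote target it was pointed at
TARGET_PATTERNS = [
    re.compile(r"psexec(?:\.exe)?\s+\\\\(?P<t>[\w.-]+)", re.I),      # PsExec \\target
    re.compile(r'wmic(?:\.exe)?\s+/node:"?(?P<t>[\w.-]+)', re.I),   # WMI /node:target
    re.compile(r"-ComputerName\s+(?P<t>[\w.-]+)", re.I),           # PowerShell remoting
]

def parse_event(line):
    """Return (timestamp, source host, remote target or None) for one line."""
    ts, host, _user, cmd = line.split(" ", 3)
    for pat in TARGET_PATTERNS:
        m = pat.search(cmd)
        if m:
            return datetime.fromisoformat(ts), host, m.group("t").upper()
    return datetime.fromisoformat(ts), host, None

def fanout_alerts(log, window_min=15, min_targets=3):
    """Map host -> sorted distinct targets for each host that reached at least
    min_targets different machines inside any window_min-minute window."""
    hits = defaultdict(list)  # source host -> [(timestamp, target)]
    for line in log.splitlines():
        if line.strip():
            ts, host, target = parse_event(line)
            if target:
                hits[host].append((ts, target))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            span = {t for ts, t in events[i:] if ts - start <= timedelta(minutes=window_min)}
            if len(span) >= min_targets:
                alerts[host] = sorted(span)
                break
    return alerts
```

A single PsExec run by an administrator (WS-042 above) stays below the threshold; only the host that fans out to four servers in under two minutes is reported.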
Attack Vectors

EXTERNAL SERVICES OF REMOTE ACCESS
Remote Desktop Protocol (RDP)
Threat actors use search engines to discover vulnerable machines connected to the internal network of the company. Once the machine is selected, the attacker uses a brute-force technique to gain access.

Citrix
Threat actors use search engines to locate Citrix-type servers with bad security configuration that can be used as an entry point to the internal network of a company.

COMPROMISED ACCESSES
Malware infection
The attackers use another malware, usually an InfoStealer, which consists in launching malspam campaigns to obtain credentials of as many users and companies as possible, or in impersonating the target company to compromise a specific user.

Underground forums and markets
Cybercriminal forum members offer for sale accesses to organizations belonging to different sectors and countries, as well as credentials obtained by other types of malware, which can also be purchased on underground markets.

VULNERABILITIES
Ransomware operators exploit exposed vulnerabilities in order to gain access to the internal infrastructure of a company and compromise it.
Data Leakage

Ransomware operators have developed different methods to disclose the stolen data belonging to victims who refused to pay the extortion fee.

DEEP/DARK WEB
SALE
Some valuable data exfiltrated from the infected network can be sold either on Deep/Dark markets or forums or to third parties/direct competitors. Some ransomware affiliates disclose the stolen data on underground forums.
(Figure: LockBit affiliate threatening a company to release its data in 7 days if the ransom is not paid.)
(Figure: Maze group warning victims that valuable information will be sold on a dark market.)

DATA LEAK BLOGS
Many ransomware operators have their own data leak blogs to publish the exfiltrated data. These data leak blogs usually contain a list of victims, with a dedicated page that includes additional information related to each entity listed, like a brief description of the entity, some samples of stolen data and, in some cases, the lock date and the total amount of exfiltrated information.
Ransomware operations that run data leak sites: Ako, Avaddon, Egregor, Clop, Conti, DarkSide, DoppelPaymer, LockBit, Maze, MountLocker, Nemty, Nefilim, NetWalker, Pysa, RagnarLocker, REvil, Sekhmet, Snatch, and SunCrypt.

AUCTION
REvil operators created an auction section on their data leak blog, "Happy Blog Auction", to monetize the stolen data. The auction is available only for registered users, and registration is required for each auction separately. If no one shows interest in the auctioned files before the auction time is over, they will be published on the blog.
Double extortion stakeholder map (diagram)

MITRE ATT&CK FRAMEWORK
The following table shows the most used and relevant techniques employed by ransomware operators. These techniques have been observed both in the most active ransomware families and in the attacks carried out. All these techniques pose a high risk, meaning protection measures must be improved to prevent them.
3. THREAT ACTORS
Maze cartel

MAZE
May 2019
Private operation/Affiliate program
DATA LEAK BLOG
Maze ransomware is one of the most notorious ransomware groups. The operators behind Maze began combining ransomware attacks with exfiltrating data from the compromised network to publish it on their data leak blog if the ransom is not paid. Their presence on underground forums is limited.
Highlights
- Implemented the double-extortion technique by launching the first data leak site.
- Created the "Maze cartel".

LockBit
September 2019
Public operation/Affiliate program
DATA LEAK BLOG
LockBit ransomware is being distributed on underground forums by the Russian-speaking user "LockBit".
- Affiliates cannot attack organizations from the former Soviet Union.
- English-speaking affiliates need a Russian-speaking guarantor.
- The terms of rent are negotiated with each affiliate individually.
Highlights
- First group to join the "Maze cartel".
- Recently launched its own data leak site.

RagnarLocker
December 2019
Private operation/Affiliate program
DATA LEAK BLOG
RagnarLocker ransomware, a relatively new operation, joined the Maze cartel at the beginning of June 2020 and was detected to have used Maze's infrastructure to publish exfiltrated information. According to the characteristics of this malware, its development is associated with Eastern European cybercriminals.
Highlights
- Joined the "Maze cartel".
- First to run ransomware inside a virtual machine to avoid detection.
Relevant Ransomware Operations

NetWalker
September 2019
Public operation/Affiliate program
DATA LEAK BLOG
NetWalker is considered one of the most successful ransomware groups. The software is distributed as Ransomware-as-a-Service on hacker forums by a Russian-speaking member, "Bugatti". Affiliates can get 80% of the payments, or even 84% if the previous week's earnings were above $300,000.
According to the authors, they:
- Give preference to those who work with large networks and have their own material.
- Are interested in hiring Russian-speaking affiliates.
Highlights
- CUSTOMIZED VICTIM'S PAGE: implemented a customized page for victims to chat with the attackers, decrypt some files for free and proceed with the ransom payment.
- Added a section on the customized victims page with screenshots of stolen data as proof.

REvil (aka Sodinokibi)
April 2019
Public operation/Affiliate program
DATA LEAK BLOG / AUCTION SITE
REvil (aka Sodinokibi) is a notorious ransomware family that operates publicly as Ransomware-as-a-Service and is being distributed on underground hacker forums by a Russian-speaking member under the handle "UNKN" (Unknown).
The terms of the rent are:
- Start: 70 affiliates/30 developers
- After the first 3 payments: 75/25
- If the profit is higher than $1 million per week: 80/20
Highlights
- Implemented an auction section on their data leak blog to monetize the stolen data.
- Recently, the authors started seeking partners on Russian-language hacking forums. Made a $1 million deposit on the XSS.is forum.
- Do NOT collaborate with English-speaking partners.
4. RECOMMENDATIONS
Recommendations

• If not necessary for the operation, disable RDP access. Otherwise, establish service monitoring mechanisms, strengthen security controls, and avoid exposure to the Internet as much as possible.
• Disable the possibility of directly accessing Citrix systems from the outside with an administrator user.
• Have a correct policy for the removal of users who are no longer part of the organization.
• Block or disable ports and services that are not in use.
• Do not allow Internet communication by PowerShell, and uninstall versions prior to PowerShell v5.
• Consider restricting some functionalities of PowerShell in the company, or establishing strong monitoring measures.
• Apply measures to prevent dumping actions on "Lsass".
• Kerberos hardening (bastioning).
• Identify the existing scheduled tasks in the systems and monitor their executions.
• Establish mechanisms for monitoring changes in registry keys.
• Have blocking rules for the massive change of file types.
• Implement DLP and encryption of stored data.
• Keep backups isolated from the corporate network.
• Strengthen web content filtering to prevent downloading of executable or compressed files and visiting unauthorized file-sharing sites.
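As an added example (not from the report), the following Python snippet turns the "massive change of file types" recommendation above into detection logic over file-rename events: it ignores renames that keep the extension and flags a host whose file-type changes cross a threshold inside a sliding time window. The event format, host names, paths and thresholds are constructed assumptions.

```python
"""Added example (not from the report): detect a massive change of file types.
The recommendations ask for blocking rules on mass file-type changes, the
visible footprint of the encryption stage.  This flags a host whose extension
changes in a sliding window reach a threshold.  Events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed file-rename events: "time host old_path new_path" (no spaces in paths)
SAMPLE_RENAMES = r"""
2020-10-05T14:00:01 FS-01 C:\Shares\HR\payroll.xlsx C:\Shares\HR\payroll.xlsx.locked
2020-10-05T14:00:01 FS-01 C:\Shares\HR\contracts.docx C:\Shares\HR\contracts.docx.locked
2020-10-05T14:00:02 FS-01 C:\Shares\Finance\q3.pdf C:\Shares\Finance\q3.pdf.locked
2020-10-05T14:00:02 FS-01 C:\Shares\Finance\board.pptx C:\Shares\Finance\board.pptx.locked
2020-10-05T14:00:03 FS-01 C:\Shares\Sales\leads.csv C:\Shares\Sales\leads.csv.locked
2020-10-05T14:00:03 FS-01 C:\Shares\Sales\logo.jpg C:\Shares\Sales\logo.jpg.locked
2020-10-05T14:00:30 WS-010 C:\Users\jdoe\draft.docx C:\Users\jdoe\final.docx
2020-10-05T15:10:00 WS-010 C:\Users\jdoe\notes.txt C:\Users\jdoe\notes.md
"""

def ext_change_bursts(log, window_sec=10, threshold=5):
    """Map host -> (largest burst size, dominant new extension) for hosts whose
    file-type changes inside any window_sec-second window reach threshold.
    Renames that keep the extension are ignored, so ordinary editing does not count."""
    recent = defaultdict(deque)  # host -> (timestamp, new extension) within window
    alerts = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts_s, host, old, new = line.split(" ", 3)
        ts = datetime.fromisoformat(ts_s)
        old_ext = PureWindowsPath(old).suffix.lower()
        new_ext = PureWindowsPath(new).suffix.lower()
        if old_ext == new_ext:
            continue
        q = recent[host]
        q.append((ts, new_ext))
        while ts - q[0][0] > timedelta(seconds=window_sec):
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            exts = [e for _, e in q]
            burst = (len(q), max(set(exts), key=exts.count))
            alerts[host] = max(alerts.get(host, (0, "")), burst)
    return alerts
```

The dominant new extension in the alert is what a blocking rule would key on; the single .txt to .md change on WS-010 never reaches the threshold.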
Copyright © 2020 Deloitte CyberSOC EMEA Center, S.L.

3. Reproduction, public communication, or transformation, in whole or in part, free of charge or for a fee, and by any means or procedure, is prohibited without CyberSOC EMEA Center, S.L.'s prior written consent.
5. This report is strictly confidential and for internal use of the company only. It must not be shared with third parties or be made accessible to them. Also, no reference to this report should be made in communications without our prior written consent.
6. This report has been prepared in accordance with the terms stated in the contract that includes the Proposal and the Annex of General Terms and Conditions.
7. Deloitte is not responsible for the updating process of this document's content, which should be performed as a consequence of facts or circumstances that occurred after this document was created.
8. Assessing and making any decisions to implement change based on conclusions included in this report is the sole responsibility of the client's board of directors.
9. CyberSOC EMEA Center S.L. does not control the functioning, reliability, availability, or security of email servers. We will therefore not be responsible for any loss, damage, or injury caused by loss, delay, interception by third parties, corruption or modification of the content of this report.
If there is any conflict or contradictory aspect between the electronic and the physical version of the document, the physical version shall prevail.