On the Trail of UNC1878

Ransomware crime group known as UNC1878


Since October 28th, Prevailion has been investigating current and potential future victims of the ransomware crime group known as UNC1878.

While our investigation is still underway, we have so far identified hundreds of organizations worldwide that show compromise activity attributable to this threat actor and that may be in the early to mid stages of a Ryuk ransomware attack. As of November 3rd, approximately 1,400 organizations show beacon activity to the UNC1878 C2 domains, and 340 of those show a substantial volume of beaconing, which indicates an infection that is spreading internally and has likely advanced beyond initial access. This threat actor poses a considerable risk to any organization it reaches, but it is especially worrisome for the healthcare industry.
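The "beacon activity" referred to above is what a defender can look for in their own DNS or proxy telemetry: repeated contacts from one host to a suspected C2 domain at a stable interval. The following is an added example, not code from Prevailion's APEX platform; the watchlist domains, host names, timestamps and the jitter threshold are constructed placeholders, and the log format (ISO timestamp, source host, contacted domain) is assumed.

```python
"""Beacon detection over constructed log lines (added example, not Prevailion's code).

Flags host/domain pairs whose contact intervals are regular enough to look like
malware check-ins, then counts how many distinct hosts are beaconing as a rough
measure of how far an infection has spread inside one organization.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed watchlist of suspected C2 domains (placeholders, not real indicators).
WATCHLIST = {"c2-a.example.invalid", "c2-b.example.invalid"}

# Constructed sample log: "<ISO timestamp> <source host> <contacted domain>"
SAMPLE_LOG = """\
2020-11-02T10:00:00 ws-17 c2-a.example.invalid
2020-11-02T10:00:03 ws-17 cdn.example.invalid
2020-11-02T10:05:01 ws-17 c2-a.example.invalid
2020-11-02T10:10:00 ws-17 c2-a.example.invalid
2020-11-02T10:14:59 ws-17 c2-a.example.invalid
2020-11-02T10:20:02 ws-17 c2-a.example.invalid
2020-11-02T10:25:00 ws-17 c2-a.example.invalid
2020-11-02T10:01:00 ws-22 c2-b.example.invalid
2020-11-02T13:47:00 ws-22 c2-b.example.invalid
2020-11-02T13:48:00 ws-22 c2-b.example.invalid
2020-11-02T09:00:00 ws-30 cdn.example.invalid
2020-11-02T17:00:00 ws-30 cdn.example.invalid
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, host, domain) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        events.append((datetime.fromisoformat(ts), host, domain.lower()))
    return events


def beacon_score(timestamps, min_events=5, max_cv=0.2):
    """Return (is_beacon, mean_period_seconds, coefficient_of_variation).

    A pair counts as beaconing when there are enough contacts and the spread of
    the inter-arrival gaps is small relative to their mean. max_cv is an assumed
    threshold: raise it to catch beacons that add random jitter to their sleep.
    """
    if len(timestamps) < min_events:
        return False, None, None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    period = mean(gaps)
    cv = pstdev(gaps) / period if period > 0 else float("inf")
    return cv <= max_cv, period, cv


def find_beacons(events, watchlist=WATCHLIST, **kw):
    """Group watchlisted contacts by (host, domain) and score each pair."""
    by_pair = defaultdict(list)
    for ts, host, domain in events:
        if domain in watchlist:
            by_pair[(host, domain)].append(ts)
    results = {}
    for pair, stamps in by_pair.items():
        is_beacon, period, cv = beacon_score(stamps, **kw)
        results[pair] = {"count": len(stamps), "beacon": is_beacon,
                         "period": period, "cv": cv}
    return results


def hosts_beaconing(results):
    """Distinct hosts with a beaconing verdict: more hosts means wider spread."""
    return sorted({host for (host, _), r in results.items() if r["beacon"]})


if __name__ == "__main__":
    verdicts = find_beacons(parse_log(SAMPLE_LOG))
    for (host, domain), r in sorted(verdicts.items()):
        print(host, domain, r)
    print("beaconing hosts:", hosts_beaconing(verdicts))
```

With the constructed sample, ws-17 contacts c2-a.example.invalid six times at roughly five-minute intervals and is flagged; ws-22 reaches a watchlisted domain only three times, which is too few to judge, and ws-30 never touches the watchlist. Two caveats: a loader that randomizes its sleep interval will show a higher coefficient of variation and needs a looser max_cv, and a single flagged host is a lead to triage, not proof of a Ryuk deployment in progress.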

Ryuk ransomware can be devastating for targeted hospitals and healthcare organizations. The (suspected) Russian cybercriminal group behind these attacks is sophisticated and capable of penetrating deep within an organization's network and spreading the ransomware across many endpoints, systems and data stores. Once the encryption is launched, they demand an extremely high ransom, often in the millions, well above the average extortion fee for this criminal industry. For more about Ryuk, read this news article.

Malicious activity observed in a recent UNC1878 victim. (Source: Prevailion’s APEX Platform)

While Ryuk has often been delivered through Trickbot as the initial access mechanism, this tactic now appears to be changing following the recent Trickbot infrastructure takedown carried out by Microsoft. The criminals now appear to be shifting to the malware families KEGTAP/BEERBOT and SINGLEMALT/STILLBOT (also known as BazarLoader and BazarBackdoor) to carry out the initial network compromise and to install Ryuk once a foothold has been gained. Shutting down these criminal networks often feels like a game of whack-a-mole, as the criminals regroup and relaunch with different tools and infrastructure in order to continue their attacks. That is what appears to be happening with UNC1878.

Based on our most recent threat intelligence collection, Prevailion can say with confidence that the UNC1878 crime group has impacted hundreds of organizations globally, although many of them may not realize it yet. (Read the Bloomberg report on this here.) This number could rise considerably as our investigation continues.

We encourage all organizations within the healthcare industry to take this threat seriously. We will provide more updates on this threat actor’s activity as our investigation continues.

Prevailion Staff