On the Trail of UNC1878

Ransomware crime group known as UNC1878

Since October 28th, Prevailion has been investigating current and potential future victims of the ransomware crime group known as UNC1878.

While our investigation is still underway, we have so far identified hundreds of organizations worldwide that show compromise activity by this threat actor and that may be in the early to mid stages of a Ryuk ransomware attack. As of November 3rd, approximately 1,400 organizations show beacon activity to the UNC1878 C2 domains, and 340 of those show a substantial volume of beaconing, which indicates a spreading infection and likely progression to a later stage of the intrusion. This threat actor poses a considerable risk to any organization it touches, but it is especially worrisome for the healthcare industry.
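The distinction drawn above, between hosts that merely resolve or contact a watched C2 domain and hosts whose contacts are regular enough to indicate a live implant, is something a defender can reproduce from their own DNS or proxy logs. The script below is an added example and is not Prevailion's code or method: it is a generic interval-regularity heuristic (coefficient of variation of the gaps between contacts) applied to constructed log lines. The log format, the host names, the placeholder domain c2.example.invalid and the thresholds are all assumptions for the demo; a real watchlist would carry the actual indicators from a threat-intel feed.

```python
"""Beacon-regularity triage over DNS/proxy log lines.

Added illustrative example, not Prevailion code. Log format, hosts,
the placeholder domain and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <queried domain>".
# ws-017 contacts the watched domain every ~5 minutes (implant-like);
# ws-042 touched it twice and otherwise browses a benign site.
SAMPLE_LOG = """\
2020-11-02T08:00:00 ws-017 c2.example.invalid
2020-11-02T08:05:03 ws-017 c2.example.invalid
2020-11-02T08:09:58 ws-017 c2.example.invalid
2020-11-02T08:15:01 ws-017 c2.example.invalid
2020-11-02T08:20:00 ws-017 c2.example.invalid
2020-11-02T08:24:59 ws-017 c2.example.invalid
2020-11-02T08:01:10 ws-042 news.example.org
2020-11-02T09:37:44 ws-042 news.example.org
2020-11-02T13:02:05 ws-042 news.example.org
2020-11-02T08:03:00 ws-042 c2.example.invalid
2020-11-02T08:08:00 ws-042 c2.example.invalid
"""

# Placeholder indicator list; stands in for a real C2 domain feed.
WATCHLIST = {"c2.example.invalid"}


def parse_lines(text):
    """Group timestamps by (host, domain). Blank lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        events[(host, domain)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Return (count, mean_gap_seconds, coefficient_of_variation).

    cv = stdev/mean of inter-arrival gaps; a sleep-loop implant yields a
    cv near 0, human browsing yields a cv near or above 1. Needs >= 2 gaps.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None, None
    mu = mean(gaps)
    if mu <= 0:
        return len(ts), mu, None
    return len(ts), mu, pstdev(gaps) / mu


def find_beacons(text, watchlist, min_events=5, max_cv=0.2):
    """Triage every host that touched a watchlisted domain.

    verdict "beaconing": at least min_events contacts with cv <= max_cv
    (assumed thresholds); "contact": watchlisted domain seen, but too few
    or too irregular contacts to call it a live beacon from this data.
    """
    findings = []
    for (host, domain), stamps in parse_lines(text).items():
        if domain not in watchlist:
            continue
        count, mu, cv = interval_stats(stamps)
        periodic = count >= min_events and cv is not None and cv <= max_cv
        findings.append({
            "host": host,
            "domain": domain,
            "count": count,
            "mean_gap": mu,
            "cv": cv,
            "verdict": "beaconing" if periodic else "contact",
        })
    return sorted(findings, key=lambda f: (f["verdict"], f["host"]))


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG, WATCHLIST):
        print(f)
```

Two caveats a practitioner should keep in mind. First, implants that add jitter to their sleep interval (Cobalt Strike and many loaders do) will push the coefficient of variation above a tight threshold, so treat `max_cv` as a tuning knob and corroborate with volume and destination reputation rather than regularity alone. Second, a "contact" verdict is not a clean bill of health: a single resolution of a known C2 domain is still a reason to pull the host for forensics.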

Ryuk ransomware can be devastating for targeted hospitals and healthcare organizations. The (suspected) Russian cybercriminal group behind these attacks is sophisticated and capable of penetrating deep within an organization’s network, spreading the ransomware across many endpoints, systems and data. Once the encryption attack is launched, they will demand an extremely high ransom, often in the millions – well above the average extortion fee for this criminal industry. For more about Ryuk, read this news article.

Malicious activity observed in a recent UNC1878 victim. (Source: Prevailion’s APEX Platform)

While Ryuk has often been delivered through Trickbot as the initial access mechanism, that tactic now appears to be changing in the wake of the Trickbot infrastructure takedown carried out by Microsoft. The criminals now appear to be shifting to the malware families KEGTAP/BEERBOT and SINGLEMALT/STILLBOT (also known as BazarLoader and BazarBackdoor) to carry out the initial network compromise and to install Ryuk once a foothold has been gained. In the cybersecurity industry, shutting down these criminal networks often feels like a game of whack-a-mole: the criminals regroup and relaunch with different tools and infrastructure in order to keep carrying out their attacks. This is what appears to be happening with UNC1878.

Based on our most recent threat intelligence collection, Prevailion can say with confidence that the UNC1878 crime group has impacted hundreds of organizations globally, although many of them may not realize it yet. (Read the Bloomberg report on this here.) This number could go up considerably as we continue our investigation.

We encourage all organizations within the healthcare industry to take this threat seriously. We will provide more updates on this threat actor’s activity as our investigation continues.


Copyright 2021 Prevailion, Inc. All rights reserved.    
