While our investigation is still underway, we have so far identified hundreds of organizations worldwide that show compromise activity by this threat actor, and which may be in the early- to mid-stages of a Ryuk ransomware attack. As of November 3rd, there are approximately 1,400 organizations that show beacon activity to the UNC1878 C2 domains, with a total of 340 organizations that are showing a substantial amount of this beaconing, indicating a proliferating infection and likely stage advancement. This threat actor poses a considerable risk to any organization that is impacted, but it is especially worrisome for the healthcare industry.
Ryuk ransomware can be devastating for targeted hospitals and healthcare organizations. The (suspected) Russian cybercriminal group behind these attacks is sophisticated and capable of penetrating deep within an organization’s network, spreading the ransomware across many endpoints, systems and data. Once the encryption attack is launched, they will demand an extremely high ransom, often in the millions – well above the average extortion fee for this criminal industry. For more about Ryuk, read this news article.
While Ryuk is often associated with Trickbot, as the initial delivery mechanism, this tactic now appears to be changing, due to the recent Trickbot infrastructure takedown carried out by Microsoft. The criminals now appear to be shifting to the malware KEGTAP/BEERBOT and SINGLEMALT/STILLBOT (also known as: BazarLoader and BazarBackdoor) to carry out the initial network compromise and to install Ryuk once a foothold has been gained. In the cybersecurity industry, it often feels a bit like the game of whack-a-mole when trying to shut down these criminal networks, as the criminals often regroup and relaunch with different tools and infrastructure in order to continue carrying out their attacks. This indeed is what appears to be happening with UNC1878.
Based on our most recent threat intelligence collection, Prevailion can say with confidence that the UNC1878 crime group has impacted hundreds of organizations globally, although many of them may not realize it yet. (Read the Bloomberg report on this here.) This number could go up considerably as we continue our investigation.
We encourage all organizations within the healthcare industry to take this threat seriously. We will provide more updates on this threat actor’s activity as our investigation continues.
Undoubtedly, news that a Florida water plant had been hacked raised a lot of alarms outside the cybersecurity industry. The idea that a water source could be contaminated hit home for many Americans, highlighting the vulnerability of the nation’s utilities and critical infrastructure. But this attack came as no surprise to security experts. It was […]
Despite the many regulations from GDPR to CCPA, HIPAA, and PCI DSS that mandate a company report a data breach, many corporate hacks go unreported. Certainly, compliance is a driving force for the organizations that do report a data breach. Still, in 2019, CSO Online reported that the FBI’s Internet Crime Complaint Center received reports […]
Over a decade ago, security researchers at Microsoft identified a computer worm and dubbed it Ramnit. The malware family, “infects Windows executable files (.EXE) and HTML files (.HTML). It can also give a malicious hacker access to your PC. It spreads through infected removable drives, such as USB flash drives,” Microsoft warned. Fast forward to […]