On the Trail of UNC1878

Ransomware crime group known as UNC1878

Since October 28th, Prevailion has been investigating current and potential future victims of the ransomware crime group known as UNC1878.

While our investigation is still underway, we have so far identified hundreds of organizations worldwide that show compromise activity by this threat actor, and which may be in the early- to mid-stages of a Ryuk ransomware attack. As of November 3rd, there are approximately 1,400 organizations that show beacon activity to the UNC1878 C2 domains, with a total of 340 organizations that are showing a substantial amount of this beaconing, indicating a proliferating infection and likely stage advancement. This threat actor poses a considerable risk to any organization that is impacted, but it is especially worrisome for the healthcare industry.
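As an added illustration (not Prevailion's tooling or its APEX platform) of the two-tier count described above, the constructed Python example below aggregates egress-log contacts to a placeholder C2 watchlist per organization and separates one-off contacts from regular, timer-like check-ins that suggest an established beacon. The watchlist domains, log lines and thresholds are assumptions; the real UNC1878 C2 domains are not listed on this page.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical watchlist: placeholders standing in for C2 domains a TI feed would supply.
C2_WATCHLIST = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed sample egress log: "<ISO timestamp> <organization> <host> <destination domain>"
SAMPLE_LOG = """\
2020-11-02T10:00:00 orgA ws01 c2-placeholder-1.example
2020-11-02T10:05:00 orgA ws01 c2-placeholder-1.example
2020-11-02T10:10:00 orgA ws01 c2-placeholder-1.example
2020-11-02T10:15:00 orgA ws01 c2-placeholder-1.example
2020-11-02T10:20:00 orgA ws01 c2-placeholder-1.example
2020-11-02T10:03:00 orgA ws02 cdn.example
2020-11-02T11:00:00 orgB ws07 c2-placeholder-2.example
2020-11-02T13:47:00 orgB ws07 c2-placeholder-2.example
2020-11-02T09:00:00 orgC ws03 news.example
"""

def parse_log(text):
    """Parse the space-separated log into (timestamp, org, host, destination) tuples."""
    events = []
    for line in text.splitlines():
        ts, org, host, dst = line.split()
        events.append((datetime.fromisoformat(ts), org, host, dst))
    return events

def beacon_profile(events, watchlist=C2_WATCHLIST):
    """Per organization: count of watchlist contacts and, with enough hits, the
    coefficient of variation of the inter-contact intervals (low CV = regular timer)."""
    per_org = defaultdict(list)
    for ts, org, _host, dst in events:
        if dst in watchlist:
            per_org[org].append(ts)
    profile = {}
    for org, stamps in per_org.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        profile[org] = {"hits": len(stamps), "interval_cv": cv}
    return profile

def classify(profile, substantial_hits=5, max_cv=0.2):
    """'substantial' = many hits at regular intervals; 'observed' = any watchlist contact."""
    verdict = {}
    for org, p in profile.items():
        regular = p["interval_cv"] is not None and p["interval_cv"] <= max_cv
        verdict[org] = "substantial" if p["hits"] >= substantial_hits and regular else "observed"
    return verdict
```

Organizations with no watchlist contact at all (orgC in the sample) do not appear in the profile, which mirrors the distinction between the larger "any beacon activity" population and the smaller "substantial beaconing" subset.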

Ryuk ransomware can be devastating for targeted hospitals and healthcare organizations. The (suspected) Russian cybercriminal group behind these attacks is sophisticated and capable of penetrating deep within an organization’s network, spreading the ransomware across many endpoints, systems and data. Once the encryption attack is launched, they will demand an extremely high ransom, often in the millions – well above the average extortion fee for this criminal industry. For more about Ryuk, read this news article.

Malicious activity observed in a recent UNC1878 victim. (Source: Prevailion’s APEX Platform)

While Ryuk has often been delivered through Trickbot as the initial delivery mechanism, this tactic now appears to be changing due to the recent Trickbot infrastructure takedown carried out by Microsoft. The criminals now appear to be shifting to the malware KEGTAP/BEERBOT and SINGLEMALT/STILLBOT (also known as BazarLoader and BazarBackdoor) to carry out the initial network compromise and to install Ryuk once a foothold has been gained. In the cybersecurity industry, shutting down these criminal networks often feels like a game of whack-a-mole, as the criminals regroup and relaunch with different tools and infrastructure in order to continue carrying out their attacks. This indeed is what appears to be happening with UNC1878.

Based on our most recent threat intelligence collection, Prevailion can say with confidence that the UNC1878 crime group has impacted hundreds of organizations globally, although many of them may not realize it yet. (Read the Bloomberg report on this here.) This number could go up considerably as we continue our investigation.

We encourage all organizations within the healthcare industry to take this threat seriously. We will provide more updates on this threat actor’s activity as our investigation continues.
