On the Trail of UNC1878

Ransomware crime group known as UNC1878
3 November 2020

Since October 28th, Prevailion has been investigating current and potential future victims of the ransomware crime group known as UNC1878.

While our investigation is still underway, we have so far identified hundreds of organizations worldwide that show compromise activity by this threat actor, and which may be in the early- to mid-stages of a Ryuk ransomware attack. As of November 3rd, there are approximately 1,400 organizations that show beacon activity to the UNC1878 C2 domains, with a total of 340 organizations that are showing a substantial amount of this beaconing, indicating a proliferating infection and likely stage advancement. This threat actor poses a considerable risk to any organization that is impacted, but it is especially worrisome for the healthcare industry.
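The counts above distinguish organizations with any beacon activity from those with "a substantial amount" of it. The following is an added example, not Prevailion's code or the APEX platform's logic, of how a defender can make that distinction from their own egress proxy or DNS logs: group connections per organization and watchlisted domain, then treat a run of evenly spaced contacts as substantial beaconing. The domain names, log lines, and thresholds (`min_hits`, `max_jitter`) are constructed placeholders; the page names no specific UNC1878 C2 domain.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Watchlist of C2 domains. These are placeholders (assumption), not real indicators.
WATCHLIST = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed sample egress log: "<ISO timestamp> <organization> <destination domain>".
SAMPLE_LOG = """\
2020-11-02T10:00:00 hospital-a c2-placeholder-1.example
2020-11-02T10:05:00 hospital-a c2-placeholder-1.example
2020-11-02T10:10:01 hospital-a c2-placeholder-1.example
2020-11-02T10:14:59 hospital-a c2-placeholder-1.example
2020-11-02T10:20:00 hospital-a c2-placeholder-1.example
2020-11-02T10:25:00 hospital-a c2-placeholder-1.example
2020-11-02T11:03:12 clinic-b c2-placeholder-2.example
2020-11-02T09:00:00 clinic-b www.example.org
2020-11-02T09:00:03 clinic-b www.example.org
2020-11-02T12:00:00 lab-c c2-placeholder-1.example
2020-11-02T12:00:04 lab-c c2-placeholder-1.example
2020-11-02T15:47:00 lab-c c2-placeholder-1.example
"""


def parse_log(text):
    """Collect timestamps of contacts with watchlisted domains, keyed by (org, domain)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, org, domain = line.split()
        if domain in WATCHLIST:
            events[(org, domain)].append(datetime.fromisoformat(ts))
    return events


def classify(timestamps, min_hits=5, max_jitter=0.2):
    """Return 'substantial' for regular, repeated beaconing, 'observed' for any other contact.

    Regularity is measured as the coefficient of variation of the gaps between
    contacts: a fixed check-in interval gives a value near 0, while sporadic
    browsing gives a much larger spread. Thresholds are assumptions for the example.
    """
    if not timestamps:
        return None
    if len(timestamps) < min_hits:
        return "observed"
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return "substantial" if cv <= max_jitter else "observed"


def detect_beacons(text):
    """Map each (org, domain) pair seen against the watchlist to its beaconing level."""
    return {key: classify(ts) for key, ts in parse_log(text).items()}


def summarize(results):
    """Count distinct organizations per beaconing level, like the figures in the post."""
    orgs = defaultdict(set)
    for (org, _domain), level in results.items():
        orgs[level].add(org)
    return {level: len(names) for level, names in orgs.items()}


if __name__ == "__main__":
    findings = detect_beacons(SAMPLE_LOG)
    for (org, domain), level in sorted(findings.items()):
        print(f"{org:12} {domain:28} {level}")
    print(summarize(findings))
```

On the constructed sample, hospital-a's five-minute cadence is flagged as substantial, while the single contact from clinic-b and the three irregular contacts from lab-c are only recorded as observed; either level deserves follow-up, but the substantial group is where stage advancement is most likely.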

Ryuk ransomware can be devastating for targeted hospitals and healthcare organizations. The (suspected) Russian cybercriminal group behind these attacks is sophisticated and capable of penetrating deep within an organization’s network, spreading the ransomware across many endpoints, systems and data. Once the encryption attack is launched, they will demand an extremely high ransom, often in the millions – well above the average extortion fee for this criminal industry. For more about Ryuk, read this news article.

Malicious activity observed in a recent UNC1878 victim. (Source: Prevailion’s APEX Platform)

While Ryuk has often been delivered by Trickbot as the initial access mechanism, that tactic now appears to be changing due to the recent Trickbot infrastructure takedown carried out by Microsoft. The criminals now appear to be shifting to the malware KEGTAP/BEERBOT and SINGLEMALT/STILLBOT (also known as BazarLoader and BazarBackdoor) to carry out the initial network compromise and to install Ryuk once a foothold has been gained. Shutting down these criminal networks often feels like a game of whack-a-mole, as the criminals regroup and relaunch with different tools and infrastructure in order to continue carrying out their attacks. This is what appears to be happening with UNC1878.

Based on our most recent threat intelligence collection, Prevailion can say with confidence that the UNC1878 crime group has impacted hundreds of organizations globally, although many of them may not realize it yet. (Read the Bloomberg report on this here.) This number could go up considerably as we continue our investigation.

We encourage all organizations within the healthcare industry to take this threat seriously. We will provide more updates on this threat actor’s activity as our investigation continues.
