High-profile organisations falling victim to ransomware attacks during the week of 7 to 11 December 2020 have included electronics giant Foxconn and recruitment specialists Randstad, as the criminal gangs behind ransomware show no signs of letting up.
Foxconn’s Mexican chip fab facility, which was initially attacked over the Thanksgiving weekend at the end of November by the DoppelPaymer gang and was shut down as a result, is now returning to business as usual following the attack on its systems which saw stolen files published on DoppelPaymer’s leak site – mostly innocuous internal documents, according to reports. The cyber criminals behind the attack demanded a ransom of $34m (€27.6m/£25.5m).
The Foxconn attack was the second major breach of an original equipment manufacturer (OEM) fab in as many months. As Saryu Nayyar, CEO of Gurucul, points out, this shows the increasing sophistication of gangs such as DoppelPaymer, acting increasingly brazenly and going after larger and larger targets.
“Organisations need to up their game if they want to avoid becoming the next news-worthy breach. User education, MFA [multi-factor authentication], and a solid perimeter can help keep attackers from getting in,” said Nayyar.
“While inside, a robust security stack with security analytics can help identify a breach and mitigate it before the attackers steal data or encrypt systems. We can only hope the international law enforcement community will rise to the occasion and do their part, because these cyber criminals show no sign of stopping on their own.”
Analysing the attack, Point3 Security strategy vice-president Chloé Messdaghi said it was likely Foxconn’s attackers had got inside the company’s operational systems, and that the case highlighted a lack of zero-trust practice, and poor data backup policies.
“The best way to avoid the havoc that ransomware can cause is to have a working plan in place … revisit and update that playbook at least quarterly – are your tools the same? Are your personnel the same? Are the data flows and regulatory requirements the same? A playbook that’s more than 60 days old is bound to be at least a little mouldy. With the recent spate of attacks, more companies are adopting the air gap approach.
“In Foxconn’s case, they may well have to actually pay the ransom, because hitting and halting production is an attacker’s dream. Out of $172bn in revenues, they’ll peel off $34m – an enormous amount, but if production’s hit, that might be their only option,” said Messdaghi.
Immuniweb’s Ilia Kolochenko said that rumours the DoppelPaymer gang compromised more than 1,000 of Foxconn’s servers and deleted all backups were, if true, an “unambiguous indicator of gross negligence” on the victim’s part.
“[It is] unlikely any cyber security insurance will ever pay a cent for the damages under the circumstances, while the victim will likely have a solid claim against IT and security vendors in charge of its network management,” said Kolochenko.
Like the hit on Foxconn, the attack on Randstad also followed the now familiar double extortion playbook. The Netherlands-based firm was compromised by the relatively new Egregor ransomware, but said only a limited number of its servers were affected and operations were not disrupted. Interestingly, it appears the firm did not receive a ransom note.
“To date, our investigation has revealed that the Egregor group obtained unauthorised and unlawful access to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France,” the firm said in a statement.
“They have now published what is claimed to be a subset of that data. The investigation is ongoing to identify what data has been accessed, including personal data, so that we can take appropriate action with regard to identifying and notifying relevant parties.”
Point3’s Messdaghi said that in contrast to Foxconn, Randstad had shown excellent preparedness, making sure that if it ever was going to be compromised by ransomware, its data was safe.
“We refer to the 3-2-1 approach: three copies of data stored across two mediums and one cloud storage provider, so you can recover from any of those three locations. The only way to avoid ransomware on backup systems is to have a plan in place, revisit it regularly, and back up very often. And there’s a good chance this is the exact kind of plan Randstad had in place,” she said.
Messdaghi also praised Randstad for not using the term ‘hacker’ when referring to the Egregor gang, recognising the difference between malicious cyber criminals and the hacker community.
Other notable ransomware attacks during the past week include strikes on North American retailer Kmart, and Vancouver’s public transport network, TransLink, both understood to be the work of Egregor.
Sophos and others spill on Egregor
On the subject of Egregor, researchers at Sophos this week published extensive research on the new kid on the block, highlighting the tactics, techniques and procedures (TTPs) used by its operators – suspected to be using an affiliate, ransomware-as-a-service (RaaS) model.
As many other researchers have done, Sophos noted similarities with the now-defunct Maze ransomware, such as the use of the ChaCha and RSA encryption algorithms, and highlighted other connections to Sekhmet and Ryuk. One incident probed by the firm’s rapid response team saw the operators use Cobalt Strike, copy files to a particular directory, C:\perflogs, and use SystemBC, a malicious Tor network proxy – behaviour identical to that observed in Ryuk attacks.
Sean Gallagher, senior security researcher at Sophos, said: “Sophos’ findings reveal how challenging it can be for IT security teams to defend against ransomware-as-a-service attacks, since ransomware operators often rely on multiple commodity malware distribution channels to reach their victims, creating a more diverse attack profile that is harder to predict and deal with. It increases the number of tactics, techniques and procedures used by each ransomware type, making defence-in-depth essential to catching attacks.
“A defence-in-depth approach helps to protect against the theft and encryption of data. Given that the group behind Egregor claims to sell stolen data if ransoms are not paid, it’s not enough to simply have good backups of organizational data as a mitigation for ransomware.
“Blocking common exfiltration routes for data – such as preventing Tor connections – can make stealing data more difficult, but the best defence is to prevent attackers from ever getting a foothold in your network. Employee education is key, as is the use of human-based threat hunting to detect active attacks,” said Gallagher.
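As an added illustration of the two behaviours Sophos describes above (files staged under C:\perflogs and a SystemBC Tor proxy) and of Gallagher’s point about Tor connections, the following Python script is an example written for this page, not code from Sophos or from the article. It runs a simple detection pass over a handful of constructed Sysmon-style JSON events. The field names follow Sysmon’s FileCreate (event ID 11) and NetworkConnect (event ID 3) conventions, but the ports treated as Tor indicators, the staging-directory rule and the sample events themselves are assumptions made for the example.

```python
"""Toy detection pass over constructed Sysmon-style events (added example).

Flags two behaviours from the Egregor/Ryuk write-up: staging files under
C:\\PerfLogs and outbound Tor-style connections (as made by SystemBC).
The event format, the port list and the sample events are assumptions
made for this example, not real telemetry.
"""
import json
import re
from typing import Dict, List

# Assumption: treat these TCP ports as Tor indicators (9001/9030 are Tor's
# default OR/directory ports; 9050/9150 are the usual local SOCKS ports).
TOR_PORTS = {9001, 9030, 9050, 9150}

# Assumption: any file created directly under C:\PerfLogs is worth a look;
# the directory exists on every Windows host but is rarely written to.
STAGING_DIR = re.compile(r"^c:\\perflogs\\", re.IGNORECASE)


def check_event(ev: Dict) -> List[str]:
    """Return finding strings for one parsed event (empty list if clean)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    if eid == 11:  # Sysmon FileCreate
        target = ev.get("TargetFilename", "")
        if STAGING_DIR.match(target):
            findings.append(f"staging write to {target} by {ev.get('Image')}")
    elif eid == 3:  # Sysmon NetworkConnect
        port = int(ev.get("DestinationPort", 0))
        if ev.get("Initiated") == "true" and port in TOR_PORTS:
            findings.append(
                f"outbound Tor-style connection to "
                f"{ev.get('DestinationIp')}:{port} from {ev.get('Image')}"
            )
    return findings


def scan(lines: List[str]) -> List[str]:
    """Parse newline-delimited JSON events and collect all findings."""
    out: List[str] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        out.extend(check_event(ev))
    return out


# Constructed sample events (not real telemetry): one staging write, one
# benign write, one Tor-port connection from the staged binary, one benign
# HTTPS connection.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
                "TargetFilename": "C:\\PerfLogs\\svchost.exe"}),
    json.dumps({"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
                "TargetFilename": "C:\\Windows\\Temp\\x.log"}),
    json.dumps({"EventID": 3, "Image": "C:\\PerfLogs\\svchost.exe",
                "Initiated": "true", "DestinationIp": "203.0.113.10",
                "DestinationPort": "9001"}),
    json.dumps({"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe",
                "Initiated": "true", "DestinationIp": "198.51.100.5",
                "DestinationPort": "443"}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Run against the constructed events, the script raises two alerts: the write into C:\PerfLogs and the connection to port 9001 from the binary that was staged there. The port-based Tor check is a coarse heuristic (Tor relays are routinely run on 443), so in practice it would be paired with a Tor exit/relay address list; the staging-directory rule, by contrast, is cheap and has few legitimate triggers.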
Fighting back in 2021
With the festive season getting into full swing, attention in the cyber security community has been turning to what lies ahead in 2021, and among those reaching for their divining rods was Jim McGann, vice-president of marketing and business development at Index Engines.
McGann predicted that facing up to the increased sophistication ransomware gangs have shown in 2020 meant recovering from an attack was going to require far more time and budget next year.
“Cyber attacks are becoming more intelligent. Criminals are spending increased dwell time to determine how to cause the most destruction and also looking for the most sensitive content that when stolen will cause the most harm to an organisation, resulting in higher ransom requests,” he said.
“Ransoms at recent attacks are skyrocketing to the tens of millions of dollars. Organisations will find themselves spending significant budget recovering from these attacks, including man hours dedicated to recovering their business operations.”
Meanwhile, the double extortion trend will put the spotlight back on data governance – with ransomware attacks now evolving into full-blown data breaches, organisations must ramp up their data governance initiatives, said McGann, and this will require them to know what sensitive data they hold, where it is located, and how they can protect it, lest they face fines under regulations such as the General Data Protection Regulation (GDPR).
This will likely have repercussions for those at the intersection of cyber security and storage. McGann forecast that from 2021, backup infrastructure, which has not changed a lot for a long time, will see a noticeable transformation.
“Cyber attacks have generated a renewed focus on backup. It’s often the only solution for recovering from an attack. And there are newer, better backup solutions that have expanded into cyber recovery solutions that provide sophisticated analytics, smarter machine learning, and isolated air-gaps for added security with confidence.
“These are currently being utilised by early adopters and organisations that have already gone through an attack. These better backup/cyber solutions are quickly becoming the industry standard,” said McGann.