Security News

Ransomware uses vulnerable, signed driver to disable endpoint security
2020-02-10 15:19

Ransomware-wielding attackers have devised a novel tactic for disabling security protections that might get in their way: they are using a deprecated, vulnerable but signed driver to deliver a malicious, unsigned one that allows them to kill processes and files belonging to Windows endpoint security products. The vulnerable driver they are misusing was created by Taiwan-based motherboard manufacturer Gigabyte, found to be vulnerable in 2018 and later deprecated, but the signing certificate was never revoked.
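The point of the technique above is that a valid Authenticode signature on a kernel driver proves only that the publisher's certificate was trusted at signing time, not that the driver is safe; because the certificate was never revoked, a signature check still passes. The following PowerShell script is an added example (not code from the article or from any vendor) of the check a defender would run in response: enumerate running kernel drivers, record signature status and signer, and flag drivers whose SHA-256 hash is on a locally maintained denylist of known-vulnerable drivers or whose signer matches a publisher under review. The denylist hash is a placeholder and the Gigabyte subject-name substrings are assumptions; populate both from a vetted source before relying on the output. Run from an elevated prompt.

```powershell
# Added example, not from the article. Flags loaded kernel drivers that would
# pass a plain signature check but are known-vulnerable or from a watched publisher.

# Hypothetical denylist: SHA-256 -> description. Replace the placeholder with
# real hashes from a vetted advisory before use.
$KnownVulnerableDrivers = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'placeholder: deprecated vendor utility driver'
}

# Publishers whose drivers warrant review even when the signature is Valid.
# The article names Gigabyte; the exact certificate subject strings are assumptions.
$WatchedPublishers = @('Giga-Byte', 'GIGABYTE')

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName can carry NT-style prefixes; normalise to a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''            # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative to %SystemRoot%
    return $p
}

function Get-SuspiciousDriverReport {
    $rows = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver | Where-Object State -eq 'Running') {
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

        $sig     = Get-AuthenticodeSignature -FilePath $path
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $reasons = @()
        # A valid signature does not clear a driver: the hash denylist is the real control.
        if ($KnownVulnerableDrivers.ContainsKey($hash)) { $reasons += "known-vulnerable: $($KnownVulnerableDrivers[$hash])" }
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        foreach ($pub in $WatchedPublishers) {
            if ($subject -like "*$pub*") { $reasons += 'watched publisher'; break }
        }

        [pscustomobject]@{
            Name            = $drv.Name
            Path            = $path
            SignatureStatus = $sig.Status
            Signer          = $subject
            SHA256          = $hash
            Flags           = ($reasons -join '; ')
        }
    }
    return $rows
}

# Show only drivers that tripped at least one rule.
Get-SuspiciousDriverReport | Where-Object Flags | Format-Table -AutoSize
```

Expect the Gigabyte-style case to show SignatureStatus "Valid" with a non-empty Flags column: that combination is exactly what a signature-only control misses. Where a denylist entry is confirmed, the follow-up is to block the driver by hash (for example through a kernel driver blocklist or application-control policy) rather than waiting on certificate revocation that the article says never came.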

Netherlands University Pays $240,000 After Targeted Ransomware Attack
2020-02-10 14:27

UM has been open and forthcoming on the details of the attack, providing detailed insight into a classic targeted ransomware attack. "The modus operandi of the group behind this specific attack," said Fox-IT in a forensic report commissioned by UM, "comes over with a criminal group that already has a long history, and goes back to at least 2014. The group is often referred to publicly as 'TA505', as well as 'GraceRAT', named after one of the tools used by the group."

Robbin Hood – the ransomware that brings its own bug
2020-02-07 16:35

Crooks such as the gang behind the Cryptolocker ransomware were able to make millions, perhaps even hundreds of millions, of dollars by infecting hundreds of thousands of users and businesses, and then demanding $300 a time to unlock each user's files. System services often keep critical files in permanent use, meaning that they can't easily be deleted or modified, which stops the crooks from scrambling them in a ransomware attack.

New Ransomware Targets Industrial Control Systems
2020-02-07 15:42

EKANS also uses another trick to ratchet up the pain: It's designed to terminate 64 different software processes on victim computers, including many that are specific to industrial control systems. That allows it to then encrypt the data that those control system programs interact with.

Australian Delivery Firm Confirms Ransomware Attack
2020-02-05 16:33

Australian transportation and logistics firm Toll Group has confirmed that it sustained a ransomware attack, beginning Jan. 31, that forced the company to shut down several systems and led to delays in deliveries across the country. While Toll Group continues to recover, the firm has deliberately shut down several systems, including customer-facing applications, as a precautionary measure to ensure that the malware does not spread, according to a statement released Tuesday.

New Ransomware Targets Industrial Controls: Report
2020-02-05 15:18

Ekans, a recently discovered ransomware variant that's designed to target industrial control systems, appears to have some of the same characteristics found in Megacortex, malware that struck several high-profile targets in 2019, according to the security firm Dragos. It's also not clear whether the developers behind Ekans plan to target a region or specific organizations that use industrial control systems, such as oil and gas firms, electric utilities or manufacturing facilities, according to the Dragos report.

Malware and ransomware attack volume down due to more targeted attacks
2020-02-05 06:00

Spray-and-pray tactics that once had malware attack numbers soaring have since been abandoned for more targeted and evasive methods aimed at weaker victims. While total ransomware volume dipped 9% for the year, highly targeted attacks left many state, provincial and local governments paralyzed and took down email communications, websites, telephone lines and even dispatch services.

Ransomware Attack Hinders Toll Group Operations
2020-02-04 21:59

Australian transportation and logistics giant Toll Group said a ransomware attack is to blame for several key services being debilitated and delivery operations being delayed over the past week. In the aftermath of the company first being hit by the ransomware attack on Friday, customers were reporting an impact on operations across Australia, India and the Philippines.

DoppelPaymer Ransomware Gang Threatens to Dump Victims' Data
2020-02-04 17:03

"If the organization still doesn't pay, the remaining data is published, sometimes on a staggered basis. The group has also published data in Russian hacker forums with a note to 'use this information in any nefarious ways that you want.' In other words, it's highly likely that more of the firms' data will be published unless they pay." Threatening to dump exfiltrated data is merely the latest in a long line of ransomware gang innovations, which took a major leap forward four years ago, with a watershed, targeted attack against Hollywood Presbyterian Medical Center by the SamSam gang, says security researcher Vitali Kremez, who heads SentinelLabs for security firm SentinelOne.

New ransomware targets industrial control systems
2020-02-04 13:48

With the ransomware threat surging unstoppably over the last few years, it was just a matter of time until ICS-specific ransomware became a reality. "While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space," Dragos researchers pointed out.