informa
4 MIN READ
News

VMware, Airline Targeted as Ransomware Chaos Reigns

Global ransomware incidents target everything from enterprise servers to grounding an airline, with one India-based group even taking a Robin Hood approach to extortion with the "GoodWill" strain.

Ransomware incidents are on the rise and this week proved no exception, with the discovery of a Linux-based ransomware family called Cheerscrypt targeting VMware ESXi servers and an attack on SpiceJet, India’s second largest airline.

Meanwhile, an oddball "GoodWill" variant purports to help the needy.

The Cheerscrypt ransomware variant was uncovered by Trend Micro and relies on the double-extortion scheme to coerce victims to pay the ransom – i.e., stealing data as well and threatening to leak it if victims don’t pay up.

Because of the popularity of ESXi servers for creating and running multiple virtual machines (VMs) in enterprise settings, the Cheerscrypt ransomware could be appealing to malicious actors looking to rapidly distribute ransomware across many devices.

Meanwhile, low-cost carrier SpiceJet faced a ransomware attack this week, causing flight delays of between two and five hours as well as rendering unavailable online booking systems and customer service portals.

While the company’s IT team announced on Twitter that it had successfully prevented the attempted attack before it was able to fully breach all internal systems and take them over, customers and employees are still experiencing the ramifications.

GoodWill: The Altruistic Ransomware
Then there's this: Researchers with CloudSEK announced this week they had discovered a Robin Hood-esque ransomware group called GoodWill, which demands that its victims perform three acts of charity in exchange for a decryption key.

GoodWill was discovered in March and uses a ransomware worm that encrypts documents and databases — among other important files — and renders them inaccessible without the decryption key.

The charitable actions that are accepted include taking poor children to fast-food restaurants, donating clothes to the homeless, and providing financial assistance to those in need of medical care. These actions must be backed up by photos posted to social media, the gang demands.

Businesses Struggle to Keep Pace With Evolving Attacks
This week’s spate of ransomware attacks indicated no clear pattern but are rather more akin to the efforts of a marketing and sales department, says Stan Black, CISO at Delinea, a provider of privileged access-management solutions.

“Think about it: They harvest your information, alter their method delivery, they keep coming back until you bite, and when they get you on the hook, they demand a ransom,” he tells Dark Reading. “They are unregulated, don’t answer to legal, a board, or auditors, and don’t care whose business or lives they ruin.”

Black points out that there needs to be a recognition that malicious actors know more about IT operations than organizations think they do.

“For 24 hours a day, they are crawling every facet of our digital footprint and exhaust trail,” he says. “Through automation, they distill our telemetry and create the perfect go-to-market strategy: a cyberattack. These days, ransomware is targeting our identity and access-control security technology — the very tech we thought would protect us.”

Matthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, says it’s extremely important that organizations focus on detecting the first three steps of a ransomware attack: discovery, gaining a foothold, and escalating privileges.

"Detection, in addition to being aware as to what data you hold, will allow you to quickly respond to attacks and worst case be sure of post-exploitation handling of a ransomware event," he tells Dark Reading.

He adds that going forward, it also becomes clearer that time to respond and patch has been reduced, down to hours at the most.

“Evaluating your exposed attack surface should be the first item on your list, to ensure that your infrastructure is protected,” Warner says.

DBIR Report Finds Ransomware Attacks Ballooning
Verizon also published its 15th annual "Data Breach Investigations Report" (DBIR), this week, which highlighted the emergence of ransomware-as-a-service (RaaS) as one of the factors behind the ballooning number of ransomware incidents.

The report, which analyzed 23,896 security incidents — of which 5,212 were confirmed breaches — found email phishing and desktop-sharing software were the most common ransomware attack points.

Overall, ransomware accounts for 25% of the total breaches, and was present in 70% of the malware breaches this year.

From Warner’s perspective, ransomware techniques have not necessarily evolved but, rather, have expanded over the last five years. For instance, previously, only certain groups would have the capability to perform advanced attacks that leverage zero-days within days of release. Now, it's no longer required to find your own.

“Now we see ransomware operators either buying or identifying their zero-days and leveraging zero-days as soon as possible within their campaigns,” he notes.

Warner also points out that ransomware operators are leveraging tooling improvements such as Cobalt Strike, enabling their evolution into a virtuous cycle: More funds allow for better tooling, processes, and execution across the environment, which leads to more funds.

That also paves the way for the gangs to expand their teams, as well.

“The ability to perform passive phishing attacks while also actively attacking vulnerable infrastructure with a team of paid hackers creates a unique and powerful environment for ransomware operators,” he explains.