Ransomware Gangs and COVID-19 Cyberattacks Dominate the Threat Landscape

Governments around the world are moving to reopen their economies as the COVID-19 pandemic wanes in many areas, but business is still operating predominantly in remote settings. The remote workforce has provided an easy target for cybercriminals as organizations struggle to ramp up their cybersecurity efforts beyond their physical premises. IntSights researchers have found evidence that coronavirus-specific attacks are still on the rise, beyond what we reported in our research report earlier this spring.

Here’s what we found in our recent research:

COVID-19 Attacks Increase

Even though the COVID-19 pandemic has started to stabilize in many parts of the world, we continue to see a rise in social engineering attacks that use the coronavirus as a lure. Security researchers recently found a 30 percent increase in COVID-19 related cyberattacks over the first two weeks of May, many of which involved email scams. Google announced that Gmail had blocked over 240 million spam messages related to the coronavirus back in April.

As we demonstrated in our aforementioned research report, cybercriminals have offered a variety of hoax coronavirus items for sale, including vaccines, tests, and even blood alleged to contain antibodies for the virus. Threats related to COVID-19 will continue to surge until things settle down, which will likely depend on the identification and production of an effective vaccine. But there are potential cybersecurity roadblocks to the return to normalcy – Asia Times recently reported that the looming threat of cyberattacks could threaten the race to develop a global vaccine.

Ransomware Gangs Join Forces

Another trend particularly eye-opening to our researchers involves well-known ransomware groups working together to coordinate more elaborate, sophisticated attacks. The Sodinokibi group began auctioning its stolen data, while the Maze group teamed up with other ransomware gangs, and new groups joined the game. To learn more about ransomware trends, join us for a a webinar on 7/17 as IntSights CSO Etay Maor joins forces with FBI Special Agent Doug Domin to discuss the landscape.

Here’s what we know about the collaborative efforts of ransomware gangs:

Sodinokibi: In early June 2020, the threat actors behind the Sodinokibi ransomware (also known as REvil) began auctioning off sensitive data that was stolen from companies it hits with malicious software. This move marked an escalation in tactics.

Maze and LockBit: At the same time, the threat actors behind the Maze ransomware started a new trend by adding information and files from other ransomware operations to their data leak site. LockBit was the first gang to join the Maze team, followed by the Ragnar Locker team. This was the first time that the LockBit operators used the hybrid attack technique (i.e., steal data from the victim and then encrypt it). Maze threat actors are also in discussions with other ransomware groups to join this collaborative effort to generate ransom payments. This allows them to focus on creating more sophisticated attacks and successful extortion attempts.

In a press release issued by the Maze team on June 22, they claimed it was impossible for affected organizations to decrypt the Maze Locker:

“Maze Locker can’t be decrypted without the help of Maze Team. A few companies we are not going to name were trying to decrypt the files with the help of side organizations. Those organizations are well-known security companies. That happened at the end of 2019, and they are still waiting for a solution. As we know, compared to the first offer of Maze Team, those companies already paid two and a half times more money. One of those companies already spent four times more trying to decrypt the files themselves. And we guarantee that it would take them years to wait until decryption.”

While it remains to be seen if security teams can find a way around working with Maze to decrypt their stolen files, the group wants it to be explicitly known that its victims will have to pay up to reclaim their data.

Implications of New Ransomware Alliances

The development of allied ransomware groups poses a new challenge to organizations worldwide. Smaller ransomware groups joining hands to create bigger groups will have more capacity and knowledge to launch more damaging attacks in the future. It is likely that we will continue to see a rise in the scale and sophistication of ransomware attacks as more groups look to get in on the game. Threat groups that use the hybrid attack technique could form some sort of unified syndicate with groups that so far have "only" encrypted their victims’ data. This platform could open the door for many groups that previously did not have the technical capabilities to leak their victims’ data.

Defending against these kinds of attacks requires moving on from legacy software and operating systems, patching systems as fast as possible, using the latest VPN software, and minimizing outside access points to your network. Security teams must constantly monitor the organization’s external network exposure as open ports and services will help with identifying any possible intrusion points to the network.

External threat intelligence helps security teams extend control beyond their perimeters, alerting users to validated threats as they emerge in cyberspace and enabling them to prevent devastating cyberattacks. For more threat intelligence related to the coronavirus pandemic, make sure to download our report, The Cyber Threat Impact of COVID-19 to Global Business.

Download Your Copy

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.