Hello, world!
Welcome back to the Ransomware Roundup! Here is what happened in ransomware since we last checked in. This week, we see two defense contractors handle ransomware very differently. Microsoft provides an inside look at some of the ransomware actors that they have been following.
Ransomware in the News
Defense (and space) contractor Visser Precision and DoppelPaymer
DoppelPaymer is one of the ransomware families that threatens to exfiltrate and then publish or sell the victim's data. This is an escalation over the typical threat, which is simply to delete the data or withhold the decryption key. BleepingComputer has a nice write-up and screenshots of DoppelPaymer artifacts.
Per Forbes and TechCrunch, Visser Precision likely fell victim to a DoppelPaymer ransomware attack. An Emsisoft analyst found authentic-looking files from the company published by the DoppelPaymer operators. In October 2019, FireEye published a report on the approach many attackers took to deploy DoppelPaymer.
Defense contractor CPI knocked offline by ransomware attack
As seen in TechCrunch, Communications & Power Industries (CPI), a military components manufacturer, was hit by a ransomware attack. One of the interesting, if unsurprising, details in the article is that CPI had about 150 machines still running Windows XP. As the sixth anniversary of the end of life of Windows XP approaches, Shodan still detects roughly 85,000 Windows XP hosts exposed to the internet.
About
Was the ransom paid?: Yes
Ransom Amount: ~$500,000
Entry Vector: Domain admin clicking malicious link
Epiq Global
This week, TechCrunch carried "Legal services giant Epiq Global offline after ransomware attack". From the AP, the statement issued by Epiq:
On February 29, we detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation. Our technical team is working closely with world class third-party experts to address this matter, and bring our systems back online in a secure manner, as quickly as possible. Federal law enforcement authorities have also been informed and are involved in the investigation. As always, protecting client and employee information is a critical priority for the company. At this time there is no evidence of any unauthorized transfer or misuse or exfiltration of any data in our possession.
Artificial Lawyer has a short post providing some analysis and critique of Epiq's official communications. Read "The Epiq Ransomware Attack – A Threat Analyst's View".
The Ransomware Roundup
- U.S. RailWorks Corp. Reports Data Breach Post Ransomware Attack
- UK’s Travelex expects 25 mln stg hit due to ransomware attack
- Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach
- IBM Survey: Only 38% of State and Local Government Employees Trained on Ransomware Prevention
- Ransomware attacks hundreds of LaSalle County government computers
- Personal information of students, faculty, alumni leaked in SFU ransomware attack
- One of Roman Abramovich’s companies got hit by ransomware
/etc
A Preventable Disaster
Microsoft's Threat Protection Intelligence Team posted an excellent long read, "Human-operated ransomware attacks: A preventable disaster". The article takes a closer look at the techniques a few particular ransomware crews use, walking through the attack chains it examines from initial access to deployment. In keeping with this week's title, the article follows a Ryuk deployment.
The diagrams from the article are also posted on the @msftsecintel Twitter account and are worth exploring.
Opinion
Doug Olenick has a feature in SC Magazine, "The hottest topic: Ransomware".