Australian Ransomware Threat Landscape 2022

Readers! Happy New Year and Well Wishes.

I thought to write about our beloved topic, Ransomware, and this time will focus on Australia. In this blog, I will not be diving into the workings of actual ransomware or doing a technical deep dive on actual samples. However, with some statistics, I will write about victimology and its capabilities and notable TTPs at a higher level.

For detailed TTPs mapped to MITRE will write another blog post if required.

Key highlights and TTPs

  • In 2022, 46 organisations operating in Australia were named on ransomware data leak sites.
  • Lockbit and ALPHV (aka BlackCat) ransomware groups named 20 Australian victims on their Data Leak Sites.
  • Discovery of new ransomware family Bianlian, BlogXX and Royal ransomware group targeting Australian organisations.
  • Initial Access Brokers, especially ones operating malware families such as QakBot, IcedID, BazarLoader, and BumbleBee, form a significant part of this cybercrime ecosystem.
  • Hi-jacked emailed threads remained on top as the vector leveraged by threat actors to target other entities. Access to these first-hop organisations was usually via commodity malware such as Agent Tesla, Azorult, Formbook etc, spread via cracked software.
  • Third-party and contractor compromise also opened significant doors for threat actors resulting in ransomware incidents. This is usually due to a lack of security hygiene or the complete absence of cybersecurity teams.
  • Remote access to organisations due to employees and other individuals working remotely opened more pathways for a threat actor to exploit where vulnerable devices were accessible over the internet. Of those most targeted were ProxyShell and Fortinet vulnerabilities.
  • Varied extortion strategies implemented by ransomware groups, the most noteworthy being contacting victims’ clients or naming them on social media.

Adversaries vs Victims – Unfriendly Ransomware operators and their deeds

Victim NameIndustryRansomware Family
Allen & UnwinPublishingHive
Medlab PathologyHealthcareQuantum
Pickering Transport GroupFreight & LogisticsLockbit
PointsbetGamingLockbit
Building Futures Montessori Child CareEducationNot Known
GDC TaxFinancialLockbit
Boom LogisticsLogisticsALPHV (aka BlackCat)
United Services UnionEnergy & UtilitiesBlackByte
Campbell and PartnersConsultancyALPHV (aka BlackCat)
National Tertiary Education Union (NTEU)EducationNot Known
Grosvenor Engineering GroupEngineeringQuantum
Stratton FinanceInsuranceVice Society
Lifestyle SolutionsHealthcareLockbit
JetstarAviationQuantum
SSW ConsultingConsultancyALPHV (aka BlackCat)
ONCALL Language ServicesEducationConti
Voyager Distributing CompanyRetail & LogisticsALPHV (aka BlackCat)
Relationships Australia VictoriaNon-profitALPHV (aka BlackCat)
Round Oak MineralsMiningConti
PK SimpsonLegalConti
MST LawyersLegalConti
FDC Construction and FitoutConstructionCuba
Hunter Douglas LimitedManufacturingALPHV (aka BlackCat)
UrbanReal EstateLockbit
Clublinks Pty LtdRecreational FacilitiesLockbit
Metagenics (Aust) Pty. Ltd.Wellness and Fitness ServicesCuba
Medical StaffHospital and Health CareALPHV (aka BlackCat)
Wagstaff PilingConstructionBlack Basta
CarnbreaFinancesLockbit
Group 4 AustraliaSecurity ServicesHive
Conway ElectricsConsumer GoodsBianlian
O’Brien GroupHospitality,
Entertainment and Leisure
Lockbit
EdenfieldHealth CareVice Society
LanefieldPrint and mail ServicesLockbit
Associated Retailers LimitedRetail & LogisticsALPHV (aka BlackCat)
Omega ServicesConstruction – plumbingLockbit
Ramada Hervey BayHospitalityBianlian
4CRiskHealthcareBianlian
Ruffin LawyersLaw FirmLockbit
MedibankHealthcareBlogXX
SutoEngineeringALPHV (aka BlackCat)
Australia Real estate groupReal EstateBianlian
Queenland UniversityEducationRoyal
Emoney Home loansFinancesRoyal

P.S. Special thanks to Corsin Camichel (brains behind ecrime.ch) for verifying the above information.

Here is the Google Sheet that will be maintained as more victims get named on the Data leak site.

Capabilities

Ransomware operators seek multiple ways to gain initial access (TA0001) to victim organisations. They rely on their capabilities to either fund their own operations and design their own methods or work with Access brokers and accomplish their objectives.

Initial access brokers are malicious actors that provide access to secure networks for a fee. They are often hackers but may also gain access to networks using social engineering.

https://www.makeuseof.com/what-are-initial-access-brokers/

The majority of intrusions in my experience were through following tactics

  1. Exploit Public-Facing Application (T1190)
  2. External Remote Services (T1133)
  3. Phishing (T1566)
  4. Valid Accounts (T1078)

The following mindmap shows ransomware operators’ path to gain initial access to organisations.

Improvement opportunities

Following points are something I call as improvement opportunities by which incoming attacks or threats can be managed ensuring business continuity.

  • Moving from convenience based to security or threat-based approach in everything we do. This can be achieved by having a Threat Management function. This function consists of a team of experts, especially in Threat Intelligence and other cyber-security practices, who understand the current threat landscape and provide options to decision-makers. The function ideally sites by itself and must be consulted before Cyber related decisions. E.g. vendor assessments, incident response, playbook writing, new project etc.
  • MFA with session timeouts. Most organisations believe implementing MFA will completely mitigate a threat actor to logging in or using stolen credentials. For some, it may work. However, MFA will only be helpful if they take the credentials and use their own system. In most cases, once a system is compromised, actors tend to use the same system, and in those cases, credentials and MFA will be prompted only if the application session or MFA session timeout is set. Consider your corporate webmail; having an MFA is good; however, if the application timeout or browser timeout is not set and the actor has access to your system, MFA will be of no use.
  • Enabling MFA/2FA. Now for actors selling credentials, at times, I have noticed MFA or 2FA is entirely missing. Most of these cases are due to its not convenient to have 2FA, but when an actual incident occurs, they are suddenly budgeted and enabled.
  • Not having an incident-based implementation mindset. Many organisations still today have tendencies and mindsets to change or act only when an incident occurs. Like, start digging a well when a fire breaks out. Is this due to a lack of understanding, or is it just too much effort (not convenient)? I still wonder.
  • Going beyond Compliance and regulatory requirements. Have noticed still many organisations will only do what compliance or regulatory bodies require. One must understand these are mere guidelines and baseline and only tells what to do rather than how and to what degree. Few E.g.
    • Have a host-based endpoint protection system. If its implemented out-of-box, it is better not to have it 🙂
    • Having security-awareness training but just as a checkbox. Whether employees are taking the learning in everyday work is either not tracked or not feasible to track.
  • In-house knowledge. A major effort is required here however knowing our own organisation inside out can help tremendously and here a Threat Management function can assist as well via Threat Modelling.

Final Words

  • Threat actors will continue to operate as this is their lifeline. In earlier days, we can say the choice of the path threat actors take is out of need, and motivation was pure survival, but motivation has become illusive, and now it’s ideological, getting rich in a short time and, at times, just show-off. As a defender, all we can do is make it harder for them. Non-persistent and non nation-state threat actors tend to steer away from the hard stuff.
  • It’s all business on both sides; one will win one will lose. How often we win is on how we operate.

Related Posts

Leave a Reply

%d bloggers like this: