Readers! Happy New Year and Well Wishes.
I thought I would write about our beloved topic, ransomware, and this time focus on Australia. In this blog I will not be diving into the workings of actual ransomware or doing a technical deep dive on samples. Instead, with some statistics, I will cover victimology, the actors' capabilities and their notable TTPs at a higher level.
For detailed TTPs mapped to MITRE ATT&CK, I will write another blog post if required.
Key highlights and TTPs
- In 2022, 46 organisations operating in Australia were named on ransomware data leak sites.
- The Lockbit and ALPHV (aka BlackCat) ransomware groups together named 20 Australian victims on their data leak sites.
- Discovery of the new ransomware families Bianlian, BlogXX and Royal targeting Australian organisations.
- Initial Access Brokers, especially those operating malware families such as QakBot, IcedID, BazarLoader and BumbleBee, form a significant part of this cybercrime ecosystem.
- Hijacked email threads remained the top vector leveraged by threat actors to target other entities. Access to these first-hop organisations was usually gained via commodity malware such as Agent Tesla, Azorult and Formbook, spread via cracked software.
- Third-party and contractor compromise also opened significant doors for threat actors, resulting in ransomware incidents. This is usually due to a lack of security hygiene or the complete absence of a cybersecurity team.
- Remote access for employees and other individuals working remotely opened more pathways for threat actors to exploit wherever vulnerable devices were exposed to the internet. The most targeted were ProxyShell and Fortinet vulnerabilities.
- Varied extortion strategies were implemented by ransomware groups, the most noteworthy being contacting victims' clients or naming victims on social media.
Adversaries vs Victims – Unfriendly Ransomware operators and their deeds
| Victim Name | Industry | Ransomware Family |
|---|---|---|
| Allen & Unwin | Publishing | Hive |
| Pickering Transport Group | Freight & Logistics | Lockbit |
| Building Futures Montessori Child Care | Education | Not Known |
| Boom Logistics | Logistics | ALPHV (aka BlackCat) |
| United Services Union | Energy & Utilities | BlackByte |
| Campbell and Partners | Consultancy | ALPHV (aka BlackCat) |
| National Tertiary Education Union (NTEU) | Education | Not Known |
| Grosvenor Engineering Group | Engineering | Quantum |
| Stratton Finance | Insurance | Vice Society |
| SSW Consulting | Consultancy | ALPHV (aka BlackCat) |
| ONCALL Language Services | Education | Conti |
| Voyager Distributing Company | Retail & Logistics | ALPHV (aka BlackCat) |
| Relationships Australia Victoria | Non-profit | ALPHV (aka BlackCat) |
| Round Oak Minerals | Mining | Conti |
| FDC Construction and Fitout | Construction | Cuba |
| Hunter Douglas Limited | Manufacturing | ALPHV (aka BlackCat) |
| Clublinks Pty Ltd | Recreational Facilities | Lockbit |
| Metagenics (Aust) Pty. Ltd. | Wellness and Fitness Services | Cuba |
| Medical Staff | Hospital and Health Care | ALPHV (aka BlackCat) |
| Wagstaff Piling | Construction | Black Basta |
| Group 4 Australia | Security Services | Hive |
| Conway Electrics | Consumer Goods | Bianlian |
|  | Entertainment and Leisure |  |
| Edenfield | Health Care | Vice Society |
| Lanefield | Print and Mail Services | Lockbit |
| Associated Retailers Limited | Retail & Logistics | ALPHV (aka BlackCat) |
| Omega Services | Construction (plumbing) | Lockbit |
| Ramada Hervey Bay | Hospitality | Bianlian |
| Ruffin Lawyers | Law Firm | Lockbit |
| Suto | Engineering | ALPHV (aka BlackCat) |
| Australia Real Estate Group | Real Estate | Bianlian |
| Emoney Home Loans | Finance | Royal |
P.S. Special thanks to Corsin Camichel (brains behind ecrime.ch) for verifying the above information.
Here is the Google Sheet that will be maintained as more victims get named on the data leak sites.
Ransomware operators seek multiple ways to gain initial access (TA0001) to victim organisations. Depending on their capabilities, they either fund their own operations and design their own methods, or work with access brokers to accomplish their objectives.
The majority of intrusions, in my experience, were through the following tactics:
- Exploit Public-Facing Application (T1190)
- External Remote Services (T1133)
- Phishing (T1566)
- Valid Accounts (T1078)
The following mindmap shows ransomware operators’ path to gain initial access to organisations.
The following points are what I call improvement opportunities, by which incoming attacks or threats can be managed while ensuring business continuity.
- Moving from a convenience-based to a security- or threat-based approach in everything we do. This can be achieved by having a Threat Management function: a team of experts, especially in threat intelligence and other cyber-security practices, who understand the current threat landscape and provide options to decision-makers. The function ideally sits by itself and must be consulted before cyber-related decisions, e.g. vendor assessments, incident response, playbook writing, new projects etc.
- MFA with session timeouts. Most organisations believe implementing MFA will completely prevent a threat actor from logging in with stolen credentials. For some it may work. However, MFA only helps if the actor takes the credentials and uses them from their own system. In most cases, once a system is compromised, actors tend to use that same system, and then credentials and MFA will be prompted again only if an application session or MFA session timeout is set. Consider your corporate webmail: having MFA is good; however, if the application timeout or browser session timeout is not set and the actor has access to your system, MFA will be of no use.
- Enabling MFA/2FA. For actors selling credentials, at times I have noticed MFA or 2FA is entirely missing. In most of these cases it is because 2FA is not convenient, but when an actual incident occurs it is suddenly budgeted for and enabled.
- Not having an incident-based implementation mindset. Many organisations still have the tendency to change or act only when an incident occurs, like starting to dig a well when a fire breaks out. Is this due to a lack of understanding, or is it just too much effort (not convenient)? I still wonder.
- Going beyond compliance and regulatory requirements. I have noticed that many organisations will only do what compliance or regulatory bodies require. One must understand that these are mere guidelines and baselines, and only tell you what to do rather than how and to what degree. A few examples:
  - Having a host-based endpoint protection system. If it is implemented out of the box, it is better not to have it 🙂
  - Having security-awareness training, but just as a checkbox. Whether employees apply the learning in everyday work is either not tracked or not feasible to track.
- In-house knowledge. A major effort is required here; however, knowing our own organisation inside out helps tremendously, and here a Threat Management function can assist as well via threat modelling.
- Threat actors will continue to operate, as this is their lifeline. In earlier days we could say the path threat actors took was out of need and the motivation was pure survival, but motivation has become elusive: now it is ideological, getting rich in a short time and, at times, just showing off. As defenders, all we can do is make it harder for them. Non-persistent and non-nation-state threat actors tend to steer away from the hard stuff.
- It's all business on both sides; one will win, one will lose. How often we win depends on how we operate.
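To make the "MFA with session timeouts" point concrete, here is an added example (not code from the original post) of a session-validation policy. It contrasts a constructed weak policy, where MFA is checked only at login and a session never expires, with a hardened one that enforces idle, absolute and MFA-age limits, so that a browser session reused on a compromised host is forced back through MFA; the timeout values are assumptions, not recommendations from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen_at: datetime
    mfa_verified_at: Optional[datetime]   # None = MFA never completed

@dataclass
class SessionPolicy:
    idle_timeout: Optional[timedelta] = None      # None = never expires on inactivity
    absolute_timeout: Optional[timedelta] = None  # None = session lives forever
    mfa_max_age: Optional[timedelta] = None       # None = one MFA proof trusted forever

# Constructed policies: the weak "MFA at login only" setup the post warns about,
# and a hardened one. The concrete limits are assumptions for this example.
WEAK_POLICY = SessionPolicy()
HARDENED_POLICY = SessionPolicy(idle_timeout=timedelta(minutes=30),
                                absolute_timeout=timedelta(hours=8),
                                mfa_max_age=timedelta(hours=8))

def session_decision(session: Session, now: datetime, policy: SessionPolicy) -> str:
    """Return 'allow', 'reauth_mfa' or 'expired' for a request at time `now`."""
    def exceeded(since: datetime, limit: Optional[timedelta]) -> bool:
        return limit is not None and now - since > limit

    if exceeded(session.created_at, policy.absolute_timeout):
        return "expired"            # hard lifetime cap: full login required
    if exceeded(session.last_seen_at, policy.idle_timeout):
        return "reauth_mfa"         # idle too long: prompt MFA again
    if session.mfa_verified_at is None:
        return "reauth_mfa"         # MFA was never completed for this session
    if exceeded(session.mfa_verified_at, policy.mfa_max_age):
        return "reauth_mfa"         # MFA proof older than allowed
    return "allow"

def demo():
    # Constructed scenario: a webmail session last used by the real user at
    # 09:05; someone on the same compromised host reuses the browser at 15:00.
    login = datetime(2023, 1, 10, 9, 0)
    session = Session("alice", created_at=login,
                      last_seen_at=login + timedelta(minutes=5),
                      mfa_verified_at=login)
    later = login + timedelta(hours=6)
    return (session_decision(session, later, WEAK_POLICY),
            session_decision(session, later, HARDENED_POLICY))

if __name__ == "__main__":
    print(demo())   # ('allow', 'reauth_mfa')
```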