Summer of 2020 was coined the "Summer of Ransomware", but are we about to have a second summer of ransomware in 2023? Fortalice Solutions has seen a significant increase in ransomware cases over the last three weeks. But we aren’t alone in this assessment. Our finding mirrors what our partners at various “three-letter agencies” across the Federal Government are telling us that they are monitoring, as well. Specifically, we are seeing threat actors target health care providers in the United States with attacks ranging from data extortion to complete encryption.
Need more proof? Let’s go to the source: the hackers themselves. Fortalice recently reviewed the Karakurt Hacking Team’s website. The review indicated that healthcare providers are indeed being increasingly targeted. In fact, 70 percent of Karakurt’s named victims hail from the healthcare industry.
More troubling, the hacking team’s website hints that there will be more leaks this summer.
Many of this group’s tactics come straight out of the “Threat Actor 101 Playbook,” including leveraging vulnerable remote access servers and entry points as footholds into an environment. The lessons we can take away from Karakurt can easily be applied to similar established and up and coming criminal syndicates.
For example, many of the Karakurt attacks can be traced back to a vulnerable technology on client perimeters. Karakurt and other bad actors tend to target an organization’s Human Resource (HR) data (e.g., Social Security Numbers, financial documents). The Karakurt Team is very skilled at data exfiltration. In fact, Karakurt team members have been known to reach out to employees directly to harass the victim organization.
So, what can you do to keep yourself, your organization, and its precious data safe, secure, and out of the hands of adversaries like the Karakurt hacking team? To start, it’s important to understand that the protections you need to prevent a ransomware attack by Karakurt are, for the most part, the same protections you will need against any other cyber-crime syndicates.
1. Understand your perimeter devices.
It is estimated that more than a third of all ransomware attacks begin by compromising a vulnerable asset (e.g., unpatched devices, legacy technologies, misconfigured servers) on an organization’s externally facing network. Scanning your external perimeter at a regular cadence can identify vulnerable assets.
2. Institute Regular Cybersecurity Awareness Training.
Business email compromise (BEC) accounts for another third of ransomware incidents. Ensuring employees are trained in good cyber hygiene can help insulate your organization.
3. Update your Incident Response Planning Capabilities.
Having an incident response (IR) plan is a critical step in preparing to weather an adversary’s attack. That said, having a plan is just the first step. Remember, it is important to exercise the plan. Consider facilitating a cybersecurity tabletop exercise (TTX) to uncover any gaps in your processes and procedures.
4. Evaluate your backup and restoration program.
It’s been said that “amateurs backup but professionals restore.” Isolating (and air-gapping where possible) your backups and having a well-documented process for restoration is the best way to ensure you can recover from a devastating attack. Having recovery time objectives (RTOs) for each of your business-critical applications will be necessary to develop your plan.
Review your incident response plans (IRPs) and ensure everyone on your IRP team has a paper copy of the playbook. Need help refreshing your IRP? Fortalice’s risk and compliance experts are ready to review your existing policies and procedures. We’ll advise you on necessary improvements to meet industry best practices, as well as steer you toward additional protections. Additionally, we can design and execute a cybersecurity TTX to test your IRP, playbooks, and general readiness.
Identify weaknesses in your security environment. Through the perspective of an attacker, our Offensive Cyber Operations team will mimic sophisticated cyber threats to test systems and produce action steps so your organization can stay ahead of the bad guys.
Monitor the open, deep, and dark web for imminent threats to your organization and executives. When faced with increasingly sophisticated attackers, monitoring solutions that provide alerting on this topic are necessary but not sufficient. The Fortalice approach involves automated alerting and monitoring that is human curated by our team of experts who bring years of law enforcement and intelligence experience to the table as your digital bodyguards. Fortalice can assess your organization’s and executives’ digital footprints, recommend strategies for addressing vulnerabilities in that footprint, and provide ongoing monitoring to keep your digital footprint strong.
If you need additional assistance, the Fortalice team stands ready to assist you in assessing your current risk and road mapping your organization’s future cybersecurity posture. You can reach the Fortalice team at firstname.lastname@example.org.
Increasingly, cyber actors are employing living-off-the-land (LOTL) attacks, which blend (and obscure) their nefarious activities with legitimate tools and infrastructure already found (and regularly used) in your environment to mask their presence while greatly minimizing their chances of detection and attribution. Typically, the introduction of a third-party application on a host generates an alert from an endpoint detection and response (EDR) product. Unfortunately, LOTL enables the actor to skirt that detection more easily and effectively.
On June 1, Progress Software (Progress) announced it had identified a vulnerability in its MOVEit File Transfer Tool. The vulnerability allowed cybercriminals to exploit a critical SQL injection flaw that could lead to escalated privileges and potential unauthorized access to the environment.