Threat Watch

Microsoft Warns of Uptick in Ransomware Campaigns for Month of April

Microsoft stated that there was an uptick of ransomware attacks that occurred in the first two weeks of April that affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers. They also stated these attacks likely were carried out by ransomware groups that had infiltrated the network months before. “Attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain,” said Microsoft’s Threat Protection Intelligence Team. Actions like these show that the groups behind these attacks really don’t care that they could be affecting important services during these critical times. Attackers typically steal copies of sensitive files before encrypting them, because the files can be sold to other criminals or used to extort the victim company for a larger ransom payment later. The list of top ransomware payloads in April provided by Microsoft included RobbinHood, Maze, PonyFinal, Valet loader, and REvil. Others include Paradise, RagnarLocker, MedusaLocker, and LockBit. 

ANALYST NOTES

Microsoft has advised defenders to check for these vulnerabilities and systems:
• RDP or Virtual Desktop endpoints without Multi-Factor Authentication (MFA)
• Citrix ADC systems affected by CVE-2019-19781
• Pulse Secure VPN systems affected by CVE-2019-11510
• Microsoft SharePoint servers affected by CVE-2019-0604
• Microsoft Exchange servers affected by CVE-2020-0688
• Zoho ManageEngine systems affected by CVE-2020-10189

Additionally, it is important to keep antivirus solutions up to date in order to protect against ransomware. Companies should also consider adopting an EDR (Endpoint Detection and Response) plan in part with their defense in depth strategy. SOC (Security Operations Center) analysts at Binary Defense work around the clock to monitor client workstations and detect threats to stop them before they become a bigger issue. Keeping secure backups of files offline should also be considered so that files can be recovered if they happen to be compromised.

Sources: https://www.zdnet.com/article/microsoft-ransomware-gangs-that-dont-threaten-to-leak-your-data-steal-it-anyway/

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/