The FBI issued a TLP:AMBER alert about a high number of cyberattacks employing the MegaCortex and LockerGoga ransomware variants. The attackers target large companies and typically deploy the ransomware several months after gaining access to a network.
LockerGoga was first identified in an attack in January 2019; MegaCortex first appeared in May 2019. The two variants share similar indicators of compromise (IoCs) and command-and-control (C2) infrastructure, and both are used in attacks directed at large business networks.
LockerGoga was used in the ransomware attacks on the U.S. chemical companies Hexion and Momentive, the engineering consulting company Altran Technologies, and the aluminum and energy company Norsk Hydro. MegaCortex was used in the attacks on the accounting software firm Wolters Kluwer and the cloud hosting provider iNSYNQ. The threat actors are careful and organized in their efforts to cause maximum damage and compel victims to pay the ransom, which typically amounts to many thousands of dollars.
The FBI warning explains that initial compromise is achieved through a variety of methods, including phishing, exploitation of unpatched vulnerabilities, brute-force attacks on RDP, SQL injection, and stolen credentials. Immediately after the compromise, batch files are run to stop security software processes and conceal the attackers' presence. The threat actors then move laterally to compromise many devices using the penetration testing tool Cobalt Strike, living-off-the-land Windows binaries, and tools such as Mimikatz. A beacon is deployed on each compromised host on the network and is used to run PowerShell scripts, escalate privileges, and spawn another session that listens on the compromised network.
Unlike many threat actors who deploy ransomware immediately after compromising a system, the actors behind these attacks often wait several months before activating the ransomware's encryption routine. What the threat actors do during that period is unknown, but they are possibly stealing sensitive data. Once the attackers have taken all of the victim's important data, the ransomware is deployed to do the damage.
The FBI provided basic recommendations for strengthening defenses against ransomware attacks. Healthcare organizations must implement these cybersecurity best practices:
- back up records routinely
- keep copies of backup records on devices not connected to the network
- test backups to ensure file recovery
- only use strong passwords
- patch immediately
- activate multi-factor authentication, specifically on admin accounts
- ensure RDP servers can be accessed only via a VPN
- disable SMBv1
- identify open ports and close or restrict access to them
The FBI also recommends reviewing new accounts and checking Active Directory for changes to authorized users; enabling PowerShell logging and reviewing it for unusual commands, including Base64-encoded PowerShell execution; and installing only the latest version of PowerShell.
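As an added illustration of two of the points above, the batch-file stopping of security software mentioned in the description of the attack chain and the Base64-encoded PowerShell execution the FBI recommends reviewing logs for, the Python below is example code written for this page, not code from the FBI alert or from any vendor. It runs over a handful of constructed process-creation records (user, parent process, command line) and flags commands that stop security services and PowerShell launched with an encoded command, decoding the payload for review (PowerShell's -EncodedCommand takes base64 over UTF-16LE). The service-name hints and suspicious-token list are assumptions to be tuned to the environment.

```python
import base64
import re

# Constructed sample: a benign PowerShell command wrapped the way -EncodedCommand
# expects it (base64 over UTF-16LE). Not taken from the FBI alert.
_ENCODED = base64.b64encode(
    "Invoke-Expression (Get-Content -Raw C:\\ProgramData\\run.txt)".encode("utf-16-le")
).decode("ascii")

# Constructed process-creation records: "user | parent process | command line".
SAMPLE_LOG = [
    'svc_backup | cmd.exe | net stop "Sophos AutoUpdate Service" /y',
    "svc_backup | cmd.exe | taskkill /F /IM MsMpEng.exe",
    "jdoe | explorer.exe | powershell.exe -NoProfile -Command Get-Date",
    "jdoe | cmd.exe | powershell.exe -nop -w hidden -enc " + _ENCODED,
    "alice | outlook.exe | winword.exe /n C:\\Users\\alice\\report.docx",
    "bob | cmd.exe | net stop Spooler",
]

# Substrings that identify security tooling; stopping it should be reviewed.
# Illustrative list (assumption): tune it to the products actually deployed.
SECURITY_HINTS = ("windefend", "msmpeng", "sophos", "mcafee", "sense", "crowdstrike")

# Tokens inside a decoded script block that merit a closer look (assumption).
SUSPICIOUS_PS_TOKENS = ("invoke-expression", "iex ", "downloadstring",
                        "frombase64string", "set-mppreference")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so capture the flag text and validate it in code rather than in the regex.
_ENC_FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)
_STOP_RE = re.compile(r'\b(?:net1?|sc(?:\.exe)?)\s+stop\s+"?([^"/]+)', re.IGNORECASE)
_KILL_RE = re.compile(r"\btaskkill\b.*?/IM\s+(\S+)", re.IGNORECASE)
_HIDDEN_RE = re.compile(r"-w(?:i[a-z]*)?\s+hidden", re.IGNORECASE)


def decode_encoded_command(b64):
    """Decode a -EncodedCommand payload; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmd):
    """Return review reasons (possibly none) and any decoded script for one command line."""
    reasons, decoded = [], None
    low = cmd.lower()
    is_powershell = "powershell" in low or "pwsh" in low

    m = _ENC_FLAG_RE.search(cmd)
    if m and is_powershell:
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            reasons.append("base64-encoded PowerShell execution")
            decoded = decode_encoded_command(m.group(2))
            if decoded is None:
                reasons.append("encoded payload did not decode as UTF-16LE")
            else:
                hits = [t for t in SUSPICIOUS_PS_TOKENS if t in decoded.lower()]
                if hits:
                    reasons.append("decoded script contains: " + ", ".join(hits))
    if is_powershell and _HIDDEN_RE.search(cmd):
        reasons.append("hidden PowerShell window")

    # Batch-style commands that stop or kill security tooling.
    for rx in (_STOP_RE, _KILL_RE):
        m = rx.search(cmd)
        if m:
            target = m.group(1).strip()
            if any(h in target.lower() for h in SECURITY_HINTS):
                reasons.append("security tooling stopped: " + target)
    return {"command": cmd, "reasons": reasons, "decoded": decoded}


def scan_log(lines):
    """Run analyze_command_line over "user | parent | command" records; return hits only."""
    findings = []
    for line in lines:
        user, parent, cmd = (part.strip() for part in line.split("|", 2))
        result = analyze_command_line(cmd)
        if result["reasons"]:
            findings.append({"user": user, "parent": parent, **result})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['user']} via {f['parent']}: {'; '.join(f['reasons'])}")
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

Running the script reports the two service-stop commands and the encoded PowerShell launch (with its decoded script), while the plain Get-Date invocation, the Word document and the Spooler restart are ignored. In practice the same logic would be fed from Windows Security event 4688 or Sysmon process-creation records, with script block logging (event 4104) as a second source that captures the decoded content directly.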