Ransomware Gets an Upgrade
Yes, you read that right. Apparently, hackers, specifically the ones conducting ransomware attacks, are now using a third-party call center to contact victims they suspect of attempting to restore from backups and skip out on paying the ransom demanded to get their data released. If you’re not familiar with how ransomware works, you can read our blog from earlier this year that goes into more detail.
In what appears to be a fairly new tactic starting over the summer, ransomware attackers have hired a call center in an attempt to harass and strong-arm businesses into complying with the extortion demands. The exact location of the operation is still unknown. However, because the scripts being used to intimidate victims of these ransomware attacks are reportedly very similar, with only slight variations in wording, cyber police have reason to believe that the same call center is being used by several ransomware attackers, including known cyberterrorists Conti and Ryuk.
An incoming call made on behalf of the now-defunct criminal group known as Maze was recently recorded, and the callers had a heavy accent, leading experts to surmise that they were not native English speakers. Below is a redacted transcript of the call provided, originally published on zdnet.com:
“We are aware of a third-party IT company working on your network. We continue to monitor and know that you were installing SentinelOne antivirus on all your computers. But you should know that it will not help. If you want to stop wasting your time and recover your data this week, we recommend that you discuss the situation with us in the chat or the problems with your network will never end.”
As we’ve reported in previous blogs, ransomware attacks are a type of cybercrime that has grown exponentially over the last few years; its evolution is fascinating and disturbing. In the past, ransomware extortion tactics have included doubling the ransom amount if it wasn’t paid in full by the deadline and threats to leak sensitive information online or to journalists. With the pandemic this year, hackers have found new ways to exploit companies, especially those that now have employees working from home. The ways they have found to wreak havoc seem endless.
And it’s not just big companies being affected. Everyday people are starting to suffer, even if they’re unaware of the cause. On Dec. 1st, cyberterrorists targeted Translink, the public transportation agency used by the city of Vancouver. Only after being forced to come clean by local news outlets did Translink post a tweet confirming that it was not, as originally reported, a prolonged technical issue. When the ransom was not paid, the attack crippled operations and left untold travelers unable to use their Compass metro cards to pay their fare or to purchase new tickets at the nearby kiosks. It was nearly two days before operations returned to normal. The investigation is still ongoing, and the culprit behind the attack remains unknown to the general public.
Translink wasn’t the only victim of a ransomware attack this month. On December 5th, it was reported that helicopter maker Kopter also suffered an internal breach that allowed hackers to steal encrypted files. When Kopter refused to negotiate with the terrorists, the attackers published those files on the dark web a few days later as a blog on a site owned and operated by the ransomware group who call themselves LockBit. The files included sensitive data such as business documents, internal projects, and aerospace and defense industry standards.
The most stunning attack this month, however, came when cybersecurity giant FireEye was hacked by “a nation-state.” The firm is known for being the go-to for government agencies and companies worldwide that have been the target of a sophisticated cyberattack. An article in the New York Times reported that it was a theft “…akin to bank robbers, who having cleaned out local vaults, then turned around and stole the F.B.I.’s investigative tools.”
FireEye reported on Dec. 8th that its systems were breached by what it referred to as a “nation with top-tier offensive capabilities” and that the hackers had gained access to tools that could be used for new attacks around the world. While the company has declined to say who precisely was behind the attacks, when the F.B.I. turned the case over to Russian specialists, it led many to speculate that hackers were after what the company calls Red Team Tools, which are tools that replicate the most sophisticated hacking tools in the world. At the time this blog is being written, the story is still developing.
The bottom line is that ransomware attacks are not going away anytime soon, and will continue to grow in complexity and sophistication in 2021. The best defense against a ransomware attack is, not surprisingly, a good offense. You don’t want your company to be the only car on the street with unlocked doors and no car alarm. Do everything you can to make hackers look elsewhere for an easier target.
We can help you evaluate your risk level with a free consultation. Contact us today and we will give you an honest evaluation of your company’s cybersecurity, and what can be done to close the gap on any weak spots that are making you a tempting target for cybercriminals. There’s no price on peace of mind!