The new ransomware family RansomEXX is suspected in the hack of Konica Minolta, its second prominent victim in a month. Evidence suggests that human directed attacks are becoming more stealthy and effective.
Japanese camera maker Konica Minolta is the latest victim of a new ransomware variant dubbed "RansomEXX" (aka "Ransom X") according to a report over at BleepingComputer. The attack is just the latest involving a new breed of stealthy, "human directed" ransomware that is strategically deployed to cripple organizations.
Konica Minolta The Latest Victim
The attack apparently began on July 30 and brought down the company's website, preventing camera owners from reaching product supply and support resources and displaying "Service Notification Failed" error messages on Konica Minolta printers. It follows a similar attack on the Texas Department of Transportation (TxDOT) in late June.
Konica Minolta's services went down for almost a week, during which time Konica Minolta refused to divulge information about the breach. A copy of RansomEXX's ransom note to the company was leaked to BleepingComputer, detailing the actions Konica Minolta needed to take if it wanted its data decrypted.
RansomEXX is not notably different from other ransomware families, or other malware families for that matter. When activated it searches for and terminates any of a wide range (289) of Windows processes linked to security services. It then encrypts files on the infected system while performing a range of actions designed to frustrate recovery, such as clearing Windows event logs and disabling the Windows Recovery Environment, System Restore and Windows backups.
Human Directed Ransomware Campaigns Evolve
What is less typical is that RansomEXX is not automated but "human operated," to use a phrase that Microsoft has coined to describe a new trend in highly targeted ransomware campaigns associated with ransomware families like REvil, Samas, Bitpaymer, and Ryuk.
In its report from March, Microsoft noted that human directed ransomware operators were often "unconcerned with stealth," engaging in "smash and grab" operations that begin with commodity malware to gain access to a target environment and take over systems for ransom, crypto-mining or other schemes.
But RansomEXX and other recent ransomware attacks suggest a shift in that tactic, with an extensive post-compromise campaign of reconnaissance, privilege escalation and lateral movement within the environment, including compromises of Active Directory domain controllers and other critical identity infrastructure. The consequence is that by the time RansomEXX is deployed - on assets chosen by the attackers for their likely impact on IT operations - it is almost certainly too late for the victim to recover.
Identity Infrastructure Hacks Lay Foundation
Organizations of all shapes and sizes need to be concerned about RansomEXX and other human-operated ransomware like it. That's especially true of companies that rely on public-facing servers to communicate with or serve their customers. Konica Minolta fits that description to a tee: both its camera and printer customers found themselves locked out of critical services following the RansomEXX outbreak and took to public forums to complain. We can also look to recent ransomware attacks on the fitness tracking and navigation firm Garmin, Xerox, Orange and other firms as proof that ransomware attackers are keen to disrupt wealthy, public-facing businesses. (Read our recent post "Not Learning from NotPetya" for more on this.)
Microsoft and others have provided a list of common tactics used in these attacks that's worth studying. Those tactics include:
- Initial compromise or privilege escalation via attacks on unpatched systems, using exploits for known and disclosed vulnerabilities to elevate privileges.
- Initial compromises via brute force attacks on Remote Desktop Protocol (RDP) on public facing systems.
- Lateral movement inside networks by targeting built-in local administrator accounts or common account names.
- Leveraging of already compromised Active Directory (AD) accounts, including the use of leaked or re-used credentials or default passwords attached to service accounts of known vendors.
Scrutiny of Remote Access Technologies
The RansomEXX attacks also highlight another meta trend: the prevalence of attacks on remote access technologies to facilitate a wide range of attacks, from ransomware to intellectual property theft to crypto-mining.
As an example of this, the firm CrowdStrike wrote recently about a widespread attack on a customer that began with what appeared to be a simple malware infection, but which a larger investigation revealed to be an extensive breach that began with attacks on remote desktop protocol (RDP) services. Those attackers leveraged stolen credentials including Windows domain administrator account credentials to spread throughout the organization.
Similarly, the security firm Darktrace wrote about how a cyber criminal group was abusing TeamViewer as well as Microsoft's RDP to deploy ransomware within a client environment.
Lessons for Security Conscious Firms
The lessons for security conscious firms are easy enough to grasp. Security teams cannot rely on the idea that ransomware will be noisy and declare itself at "Patient Zero." Incidents such as Konica Minolta, Garmin and others suggest that ransomware groups are being thoughtful about who they target and then dwelling within networks for days, weeks or more as they plan their attack. By the time the trap is sprung, even sophisticated and wealthy firms are finding themselves reduced to sending Bitcoin to cyber criminals to get access back.
Stopping attacks relies on identifying them in their earliest stages: phishing attacks, and brute force attacks on RDP and other public-facing services. It also requires organizations to prevent credential theft and lateral movement. Spotting attackers in the process of doing reconnaissance, before they have laid their trap, can mean the difference between a fire drill and a multi-million dollar payout.
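A small detector for two of the early signals named above (RDP brute force from the tactics list, and event-log clearing from the RansomEXX description), as an added example that is not from the original article or any vendor's tooling. The event records, IP addresses, account names and the failure threshold are all constructed assumptions.

```python
"""Flag RDP brute force (Security Event ID 4625, LogonType 10) and Security
log clearing (Event ID 1102) in a list of constructed Windows event records.
Record shape (assumed, not a real export format): (timestamp, event_id, fields)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5          # assumed: failed RDP logons per source within WINDOW
WINDOW = timedelta(minutes=5)


def _fail(ts, ip, user, ltype="10"):
    """Build a constructed 4625 (logon failure) record; LogonType 10 = RDP."""
    return (ts, 4625, {"IpAddress": ip, "TargetUserName": user, "LogonType": ltype})


# Constructed sample telemetry, not real data.
EVENTS = [
    _fail("2020-07-30T02:00:01", "203.0.113.7", "administrator"),
    _fail("2020-07-30T02:00:04", "203.0.113.7", "admin"),
    _fail("2020-07-30T02:00:09", "203.0.113.7", "administrator"),
    _fail("2020-07-30T02:00:15", "203.0.113.7", "backup"),
    _fail("2020-07-30T02:00:22", "203.0.113.7", "administrator"),
    _fail("2020-07-30T02:00:30", "203.0.113.7", "svc-print"),
    _fail("2020-07-30T02:10:00", "198.51.100.5", "jdoe"),        # one typo: below threshold
    _fail("2020-07-30T02:11:00", "10.0.0.12", "jdoe", ltype="3"),  # network logon, not RDP
    ("2020-07-30T03:45:10", 1102, {"SubjectUserName": "svc-backup"}),
]


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: (failure_count, sorted target accounts)} for every
    source whose RDP failures inside any `window`-long span reach `threshold`."""
    by_src = defaultdict(list)
    for ts, eid, f in events:
        if eid == 4625 and f.get("LogonType") == "10":
            by_src[f["IpAddress"]].append((datetime.fromisoformat(ts), f["TargetUserName"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i in range(len(attempts)):
            j = i  # slide j forward while attempt j is still within `window` of attempt i
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            if j - i >= threshold:
                hits[src] = (j - i, sorted({u for _, u in attempts[i:j]}))
                break
    return hits


def detect_log_clearing(events):
    """Return the accounts that cleared the Security log (Event ID 1102)."""
    return [f.get("SubjectUserName", "?") for _, eid, f in events if eid == 1102]
```

A single failed logon and a non-RDP failure are deliberately left unflagged, so the threshold and logon-type filter keep ordinary typos out of the alert stream.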