Busy week in ransomware: gang activities, more hospitals targeted, and legislation proposed
Posted by: GuidePoint Security
Published 10/13/21, 9:00am
Ransomware has its ebbs and flows, with last week demonstrating a decidedly increased flow of threats, breaches, and news related to the ransomware landscape.
Confluence targeted by “Atom Silo” ransomware gang
Last week, industry researchers announced a newly discovered ransomware group dubbed “Atom Silo,” currently targeting a remote code execution (RCE) vulnerability in Confluence products (tracked as CVE-2021-26084). (More on the Confluence vulnerability can be found in our article: Thousands of Confluence servers vulnerable to attack.) The group appears to be using ransomware almost identical to LockFile, a type of ransomware that is itself extremely similar to the ransomware used by the LockBit gang. The Atom Silo threat actors have made some adaptations, including the side-loading of malicious dynamic-link libraries, which can prevent endpoint protection software from operating properly. At-risk organizations using Confluence are strongly urged to apply the security updates issued by Atlassian immediately.
FIN12 Ransomware gang targeting healthcare
Industry researchers believe that the Russian ransomware gang FIN12 is responsible for a large number of Ryuk ransomware attacks on healthcare organizations. Attacks most often seem to start with phishing campaigns distributed internally from already-compromised user accounts, followed by the deployment of Cobalt Strike and other payloads.
Ransomware criminals threatening to ‘auction’ victim data
News sources last week began reporting that the Avos Locker ransomware gang had recently updated its website to advise that it had created a system to begin auctioning off data stolen from companies that had refused to pay the ransom. This effort is seen more as a money-making scheme on the part of ransomware gangs and less as a method to extort more money from victims.
Infant’s death directly related to ransomware attack according to lawsuit
A lawsuit filed in the state of Alabama charges that a nine-month-old infant died due to diminished care received during a ransomware attack. The infant was born during an attack on the hospital in 2019 and suffered brain injuries because of the failure of devices designed to monitor the child’s condition during delivery. The baby died after remaining in intensive care at another hospital for several months. The suit against the hospital charges that it created a “false, misleading, and deceptive narrative” about the cyberattack.
Operations disrupted at two hospitals due to ransomware attacks
Two Indiana hospitals reported that ransomware attacks required them to disable IT systems. Both are located in a region experiencing a Covid surge, which has already put pressure on the facilities’ health care systems; the attacks have forced the hospitals either to divert patients or to postpone elective procedures. Both hospitals are working with IT security experts and are coordinating with law enforcement to manage the attacks.
Ransomware gang using Python script to encrypt virtual machines
An unknown ransomware gang has added Python scripting as a tool to encrypt virtual machines hosted on VMware ESXi servers. While Python is not a common choice of ransomware tooling, these Linux-based servers come with Python installed, so industry researchers believe the script helps threat actors carry out attacks on these types of systems.
DOJ issues ransomware reporting regulations. New pending legislation requires ransomware attack disclosure
The U.S. government continues to pursue all regulatory and legislative avenues to halt or severely hamper ransomware attacks. Last week the Department of Justice (DOJ) confirmed that it will require government contractors to report cybersecurity incidents. Failure to do so will result in DOJ pursuing the contractor under the existing False Claims Act, which holds contractors liable for defrauding government programs. And on the legislative front, a pending bill known as the Ransom Disclosure Act would require victims of ransomware attacks to report any payments made to threat actors within 48 hours of the date of payment, including the amount and type of currency used.
Next Steps
While governments, industry security experts, and organizations wrestle with ways to prevent and mitigate ransomware attacks, ransomware operators continue their destructive march. Organizations are again reminded that ransomware threats can be managed by patching bugs and updating systems and software. Businesses are also urged to change passwords with regularity and use multifactor authentication. If organizations believe they have been victims of a ransomware attack, they are urged to work with a professional ransomware investigation and response team.