The Ransomware Threat Landscape

Ransomware

October 5, 2023

According to the Department of Homeland Security's (DHS) 2024 Homeland Threat Assessment, ransomware remains a prominent threat to businesses, schools, and hospitals in the United States. The public sector, including critical infrastructure and K-12 school districts, is a prime target because of budget constraints, limited staff and resources, and reliance on third-party vendors. The retail industry also continues to be targeted, resulting in compromised data and ransom payments, and retailers should strengthen their defenses ahead of the upcoming holiday season. Threat actors also continue to target network infrastructure for initial access, persistence, and lateral movement because network devices often have limited or inconsistent logging and detection capabilities and little or no file integrity monitoring, so changes to backup and configuration files may never generate an alert for security teams. Ransomware groups, such as Akira and LockBit, exploited a zero-day vulnerability in Cisco VPN appliances whose remote access VPN configurations lacked multi-factor authentication. As tactics continue to evolve, the Federal Bureau of Investigation warned of threat actors deploying multiple file-encrypting ransomware variants against the same victim within days of each other, as well as new data destruction tactics.

In the past month, there has been an uptick in reported ransomware incidents as threat actors continue to target New Jersey private organizations and the public sector, including school districts and local municipalities. The threat actors exploited security vulnerabilities and misconfigured devices to infiltrate systems and networks and encrypt them with ransomware variants such as Cl0P, BlackCat, LockBit, and Akira. As a result of the attacks, files containing personally identifiable information (PII) of users and customers of the victim organizations were at risk of exfiltration.

Recently, New Jersey organizations experienced major disruptions to their core services and business operations due to ransomware attacks. Technology company ORBCOMM provides electronic logging device systems required by the US Department of Transportation to record drivers' hours of service. It became a victim of a ransomware attack that impacted its FleetManager platform and BT product line, forcing drivers to resort to paper logbooks. MGM Resorts, the parent company of Borgata, reported a cybersecurity issue affecting some of its systems and shut them down to protect the systems and data. It was later disclosed that impacted systems included the online reservation system, hotel digital keys, slot machines, and more. Scattered Spider and the BlackCat ransomware group are reportedly responsible for the attack. Johnson Controls International, a government contractor and major manufacturer of alarm and building automation systems, experienced a ransomware attack that impacted internal and partner operations. DHS is investigating whether the data breach compromised sensitive physical security information or leaked any PII. If the attack also exposed source code used in Johnson Controls products, the breach could lead to supply chain attacks and exploitable vulnerabilities for customers using its network-connected products. The Dark Angels Team, a gang that primarily targets government, healthcare, finance, and education and employs double extortion tactics to pressure victims to pay the ransom, is reportedly responsible for the Johnson Controls attack, in which it compromised network infrastructure, exfiltrated critical data, encrypted files, and deleted backups.

The NJCCIC recommends users refrain from responding to unsolicited communications, clicking links, and opening attachments from unknown senders, and exercise caution with communications from known senders. If you are unsure of the legitimacy, contact the sender via a separate means of communication – such as by telephone – before taking action. Additionally, avoid password reuse, maintain unique passwords for each online account, and enable multi-factor authentication (MFA), choosing biometrics and authentication apps over SMS text-based codes where available.

The NJCCIC also advises organizations to remain vigilant, keep systems up to date and apply patches as they become available, enable strong endpoint security, enforce cyber hygiene, segment networks, apply the Principle of Least Privilege, encrypt sensitive data at rest and in transit, create and test continuity of operations plans (COOPs) and incident response plans, and establish a comprehensive data backup plan that includes performing scheduled backups regularly, keeping an updated copy offline in a separate and secure location, and testing regularly. Organizations are advised to engage in pre-emptive threat hunting, conduct vulnerability scanning and ransomware readiness assessments, and adhere to cybersecurity best practices.
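The threat landscape section above notes that network devices rarely alert on changes to backup and configuration files, and the backup recommendations call for an offline copy that is tested regularly. The following script, an added example that is not part of the NJCCIC advisory, shows the minimum a monitoring host can do with exported device configurations and backup files: record a SHA-256 baseline, sign that baseline with an HMAC so an intruder who edits the files cannot also quietly rewrite the manifest, and report modified, deleted, and newly added files on each check. The directory layout, file contents, and key are constructed sample data for the demo; in practice the key and the signed manifest live on the monitoring host (or offline), not on the devices being watched.

```python
"""File integrity check for device configuration and backup exports.

Added example for the NJCCIC ransomware advisory; not code from the
original page. All file names, contents, and the key are constructed
sample data for the demonstration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed demo key. In production, generate a random key and keep it on
# the monitoring host only, so an attacker on the device cannot re-sign.
DEMO_KEY = b"demo-fim-key-not-for-production"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: Dict[str, str], key: bytes) -> bytes:
    """Serialise the baseline and append an HMAC-SHA256 tag on its own line."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_manifest(blob: bytes, key: bytes) -> Optional[Dict[str, str]]:
    """Return the baseline only if its HMAC verifies; otherwise None."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as modified, deleted, or added relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed export directory, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backups").mkdir()
        # Constructed sample exports, not real device configurations.
        (root / "asa-running.cfg").write_text("hostname asa01\n! sample config with MFA line\n")
        (root / "backups" / "switch01.bak").write_text("hostname switch01\n")
        (root / "backups" / "switch02.bak").write_text("hostname switch02\n")

        signed = sign_manifest(build_baseline(root), DEMO_KEY)

        # Simulated intruder activity: edit the VPN config, delete one backup,
        # and drop an unexpected file into the backup directory.
        (root / "asa-running.cfg").write_text("hostname asa01\n")
        (root / "backups" / "switch01.bak").unlink()
        (root / "backups" / "README.txt").write_text("harmless-looking\n")

        baseline = load_manifest(signed, DEMO_KEY)
        if baseline is None:
            raise RuntimeError("signed manifest failed verification")
        return compare(baseline, build_baseline(root))


def tampered_manifest_is_rejected() -> bool:
    """Editing a recorded hash without re-signing must make the manifest unusable."""
    signed = sign_manifest({"a.cfg": "0" * 64}, DEMO_KEY)
    forged = signed.replace(b"0" * 64, b"1" * 64)
    return load_manifest(forged, DEMO_KEY) is None


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a directory of scheduled exports, the `compare` output is what should page the on-call engineer: a modified running config with no change ticket, or a deleted backup, is exactly the precursor activity the advisory describes. Keeping the signed manifest and key off the device is what makes the check meaningful against an intruder who already has administrative access to it.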

For further recommendations, please review the NJCCIC's Ransomware: Risk Mitigation Strategies Technical Guide. Additional information can be found in CISA's StopRansomware Guide. Cyber incidents can be reported to the FBI's IC3 and the NJCCIC.

For any further questions, contact us here at Cyber Command.