At a glance.
- Blackbaud breach continues to claim victims.
- Canadian real estate developer identified as DarkSide victim.
The Blackbaud ransomware attack continues to claim victims.
The latest, Bring Me the News reports, is the YMCA of the North, the regional YMCA for the Minneapolis-St. Paul area in Minnesota. The organization disclosed to its members that their personal information may have been compromised, but that Blackbaud paid the ransom and that it believes the attackers' "assurances [that they've destroyed stolen data] are credible." "Blackbaud has hired outside experts to continue to monitor the Internet, including the 'Dark Web,' and they have found no evidence that any information was ever released by the threat actor," Bring Me the News quotes YMCA Senior VP Bob Elfstrand as saying. He added, "Furthermore, Blackbaud plans to continue such monitoring activities for the foreseeable future."
The Herald-Sun has outlined other Blackbaud-related data exposures in the state of North Carolina. The victims include universities and food banks.
DarkSide ransomware victim identified.
On Monday we discussed the announcement (by communiqué) of a new cyber gang and its product, DarkSide ransomware. BleepingComputer said that the group described itself as composed of former affiliates who'd struck out on their own. The gang has been active only since mid-August, and has claimed at least one million-dollar score.
BleepingComputer has since reported that one victim is Brookfield Residential, a developer of single-family homes and planned communities in North America that has some $5.7 billion in assets. The company is in turn owned by Toronto-based Brookfield Asset Management, a Canadian asset management company that controls more than $500 billion in assets. Since some data stolen from Brookfield has appeared online, it appears that the company hasn't paid the ransom (if, that is, one believes the criminals' promises to destroy stolen data if they're paid to do so).
We've received several comments from industry experts on DarkSide. Erich Kron, security awareness advocate at KnowBe4, wrote:
“This is an example of the impact that the data exfiltration is having on modern ransomware attacks. In this case, like many others, the threat to leak data appears to be the primary story in the news. The impact of the file encryption is barely worth mentioning. This is by design, as ransomware operators have looked for and found a great deal of leverage in this approach.
"DarkSide is showing that it is a very targeted ransomware that demands high ransom amounts, but also involves more work from the attackers than commodity ransomware does. While relatively new, DarkSide will be a ransomware strain to keep an eye on. While no attack vector was mentioned here, the most common methods for ransomware infections to begin are through a phishing email or a remote access portal. In either case, employees should be taught to look for strange things, such as file names or extensions being changed, and have a way to quickly report things that appear unusual to their security team.”
Nozomi Networks co-founder Andrea Carcano warns victims against paying the ransom and pumping a bandit economy:
“This attack echoes a trend we identified in a recent study of common threats in the first half of this year. Ransomware attackers are demanding higher ransoms, aimed at larger and more critical organizations. Additionally, ransomware gangs are often using a two-pronged approach that combines data encryption with data theft, making it difficult for the victim to avoid paying up.
"These threats should be a serious concern for security professionals responsible for keeping not only IT, but OT and IoT networks safe. Threat actors are setting their sights on higher value targets, leaving security organizations scrambling to keep up. It’s a challenging task, but not impossible. The proliferation and complexity of ransomware attacks signifies the growing need for organizations to take the necessary steps to secure their systems.
"It is never advisable to pay the ransom, and organizations that give in to the hackers' demands are only fueling the profitability of the ransomware industry for attackers. As a result, when it comes to ransomware, prevention will always be better than a cure. Organizations should deploy artificial intelligence and machine learning tools that can help identify cyber threats in real-time and resolve issues before harm is done. A robust cyber defense strategy is the first line of defense against a ransomware attack."
Tony Lambert, a Red Canary intelligence analyst, observed that DarkSide, like REvil and Maze, turns overlooked vulnerabilities to its advantage:
“DarkSide is similar to other ransomware families such as REvil and Maze, because it is a human-operated family. Essentially, adversaries gain initial access via externally-facing services such as remote desktop protocol (RDP) or web applications that are poorly secured or unpatched to inhibit system recovery and delete volume shadow copies.
"A few standouts of DarkSide include the obfuscation of the PowerShell command to delete volume shadow copies usually seen by other ransomware families. Additionally, it avoids stopping processes like 'vmcompute.exe' and 'vmms.exe' in what seems to be an attempt to avoid attention by crashing virtual machines on Hyper-V hosts."
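As an added defensive illustration (not code from the original digest or from Red Canary), the following Python scans constructed process-creation log lines for shadow-copy deletion and also unwraps the case where the PowerShell command is hidden behind a base64 `-EncodedCommand` blob; that encoding form is an assumption, since the quote does not say how DarkSide obfuscates the command.

```python
import base64
import re

# Constructed sample process-creation log lines (not from the page): a plain
# vssadmin call, a base64-encoded PowerShell one-liner, and a benign command.
ENC = base64.b64encode(
    "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }".encode("utf-16-le")
).decode()
SAMPLE_LOGS = [
    "host01 cmd.exe vssadmin delete shadows /all /quiet",
    f"host02 powershell.exe -NoP -w hidden -EncodedCommand {ENC}",
    "host03 powershell.exe Get-ChildItem C:\\Users",
]

# Well-known shadow-copy deletion indicators (case-insensitive).
SHADOW_PATTERNS = [
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"win32_shadowcopy.*delete",
]
# PowerShell accepts abbreviated forms of -EncodedCommand; the argument is
# base64 over UTF-16LE text, which is what we decode below.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(line):
    """Return a finding dict for one log line, or None when nothing matches."""
    decoded = decode_encoded_command(line)
    text = line + ("\n" + decoded if decoded else "")
    for pat in SHADOW_PATTERNS:
        if re.search(pat, text, re.I):
            return {"host": line.split()[0], "obfuscated": decoded is not None, "pattern": pat}
    return None


def scan(lines):
    """Run analyze() over every line and keep only the findings."""
    return [f for f in (analyze(l) for l in lines) if f]
```

Matching on the decoded text rather than the raw command line is the point: a rule that only looks for `vssadmin` in the visible arguments misses the encoded variant entirely.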