At a glance.
- Egregor ransomware strain identified.
- University Hospital New Jersey pays ransomware gang that says "we don't play with people's lives."
- Treasury's advisory on paying ransom.
Egregor ransomware attack discovered.
Cybersecurity research group Appgate has discovered a new ransomware strain that, over the past few months, has infiltrated approximately a dozen organizations, reports BankInfo Security. Dubbed "Egregor," the campaign appears to be a relative of the Sekhmet malware, according to Appgate, and resembles its precursor Maze in that the operators publish a list of victims on the dark web, complete with updates and a countdown to ransom deadlines. Egregor uses code obfuscation and packed payloads to go unnoticed until the damage is done. The attackers have also stated that, if the ransom is paid, they'll not only decrypt the victim's data but also give the victim advice on how to better secure their systems against future attacks. (Such promises should be taken with a very large grain of salt.) The operation exemplifies the trend toward ransomware campaigns that not only lock systems but also threaten to release sensitive data.
New Jersey hospital pays off ransomware attackers.
University Hospital New Jersey (UHNJ), one of the latest healthcare institutions hit by the "SunCrypt" ransomware gang, agreed to meet the attackers' demand for a $670,000 payment in order to avoid the leak of 240 GB of patient data, reports Bleeping Computer. The capitulation concludes what appears to have been a very civil negotiation between UHNJ and SunCrypt. Days after receiving payment, the attackers declared that they would no longer target hospitals during the pandemic because, as they told journalists at Databreaches.net, "We don't play with people's lives." (Although, of course, the gang just did, and hospitals continue to grow in popularity as ransomware targets.)
OFAC says paying off sanctioned entities is unlawful.
The US Treasury Department's Office of Foreign Assets Control (OFAC) released an advisory last Thursday stating that ransomware victims who pay ransom to criminal operators in sanctioned countries are committing a crime, reports Fortune. This puts victims in a tough position: they feel compelled to meet the attackers' demands in order to recover or protect their data, but doing so could place them in violation of sanctions regulations. Furthermore, it is often unclear exactly where ransomware attackers are based, making it difficult for victims to ascertain whether the criminals they are paying are in fact from sanctioned nations. OFAC's hard line on the issue might have been triggered by Garmin's ransomware attack this summer, which the GPS company resolved by paying a blacklisted Russian cybercriminal outfit. Withholding payment can leave organizations completely crippled, an issue that some experts feel OFAC doesn't address. Other cybersecurity professionals, however, see OFAC's statement as necessary, arguing that refusing payment may be the only way to stop future attacks: paying ransom tends to encourage further attacks, they say, and effectively fuels a bandit economy.