At a glance.
- Emsisoft helps ransomware victims whose Deadbolt attackers didn't live up to their end of the bargain.
- Sugar ransomware-as-a-service targets individual devices.
- Conti hits British snack food giant.
Emsisoft creates Deadbolt decryption key…with a catch.
On Friday, security vendor Emsisoft released a decryption key for Deadbolt ransomware, mere days after the strain was deployed in an attack targeting customers of QNAP network-attached storage (NAS) devices. Unfortunately, TechTarget explains, victims must first pay the attackers’ requested ransom in order for the key to work. Victims of the QNAP attack received a ransom note demanding they pay 0.03 bitcoin (approximately $1,150) to have their files decrypted, but a user claims he paid the ransom only to discover that the decryptor provided by the threat actors did not work. Brett Callow, Emsisoft threat analyst, explains that a forced firmware update from QNAP removed the payload required for the key to function. “DeadBolt's encryption seems to be secure, meaning the only way for victims to recover the data is to pay the ransom,” he says. “Our decryptor is designed to help those who do pay.”
Sweet new RaaS provides consumer-grade malware.
A team of malware reverse engineering researchers has detected a new ransomware-as-a-service (RaaS) offering they’re calling Sugar. Medium explains that unlike most RaaS operations, which are designed to hit entire enterprises, Sugar appears to be designed for individual computers, making it a kind of consumer-grade malware. Sugar reuses objects from other ransomware families, and its crypter is particularly unusual in that it reuses code from the ransomware itself.
James McQuiggan, security awareness advocate at KnowBe4, points to this incident as illustrating how ransomware continues to evolve and adapt:
“Ransomware is constantly evolving and changing to adapt to new security measures from other technology companies. New strains are being developed utilizing a variety of technologies. This unique strain targeting individual machines could attack an executive, celebrity or a person of wealth. Cybercriminals' primary goal is to make money, and attacking a wealthy individual and accessing and stealing their data to hold it for ransom could make for a good payout.”
British snack-lovers are in for a disappointment.
Popular British snack-maker KP Snacks has disclosed it suffered a cyberattack, and the Conti ransomware group is taking credit. Bleeping Computer surmises that the company’s $600 million annual revenue likely made KP Snacks an appetizing target for the attackers. The attackers infiltrated the company’s internal network, gaining access to and encrypting sensitive employee data. Samples of credit card statements, birth certificates, confidential agreements, and other documents have already been posted on Conti’s private leak page, and the threat actors have threatened to release more proprietary info in the next five days. It is unclear whether KP Snacks is currently negotiating with Conti or has plans to meet any ransom demands. The incident has precipitated the delay or cancellation of product shipments to stores, and the supply issues are expected to continue until the end of March. In a letter to store owners yesterday, as betterRetailing reports, KP Snacks explained its systems had been “compromised by ransomware” and it “cannot safely process orders or dispatch goods.” No better time to start that diet. (Or, lads, stock up on crisps....)
But look beyond the effect on binge eating while watching television, and think of the data. Amit Shaked, CEO of Laminar, points out the value of data, and that means all kinds of data:
“Data is no longer a commodity, it's a currency — as this incident represents. Information within an organization’s network is valuable to both businesses and attackers. With a majority of the world’s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native. As cloud architectures become more dynamic and complex, solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data resides. Using the dual approach of visibility and protection, data security teams can know for certain which data stores are valuable targets and ensure proper controls are in place.”
Steve Moore, chief security strategist at Exabeam, regrets the way Conti's operators in particular have continued to avoid getting collared:
"It's unfortunate to see another organization become one of the 400 victims and counting to be hit by Conti. Unfortunately, these groups keep getting away with these intrusions because they are experts at compromising credentials. Specifically, they utilize Mimikatz, Kerberoast to attack Kerberos, and even check for saved passwords in domain group policy files. Interestingly, they will specifically search for security policy and cyber insurance documents - showing that context matters even to the adversary!"