EclecticIQ

Ransom Demands Hit a New Monetary Milestone

EclecticIQ Threat Research Team July 14, 2021


Summary of Findings

    • Marking the largest ransom demand to date, REvil asks for $70 million in Bitcoin from Kaseya to provide a decryptor tool following its widespread supply-chain attack.
    • Pacific Market Research, a contractor for Washington State’s Department of Labor & Industries, is hit by a ransomware attack, potentially compromising data of more than 16,000 employees.
    • The criminal group TA551 is using maldocs to deliver Trickbot as an initial stager for DarkVNC and Cobalt Strike.
    • The new ransomware variant Diavol shares similarities with Conti ransomware, suggesting possible links to the criminal group Wizard Spider.
    • Microsoft releases a patch for the so-called “PrintNightmare” vulnerability in Windows Print Spooler, but the patch does not close the local privilege escalation path.

REvil Hits Kaseya and its Customers in Major Supply-chain Attack

On July 2, 2021, REvil (Sodinokibi) carried out a supply-chain ransomware attack against Kaseya, a supplier of cloud-based remote monitoring and management (RMM) software to managed service providers (MSPs) [1]. The attack on the highly connected company encrypted data from MSPs that use Kaseya VSA and from their end customers. The $70 million ransom demanded by REvil is the largest to date [2]. The previous milestone was the $40 million paid by CNA Financial. If REvil succeeds in extracting such a large ransom, it may become even bolder in its future demands – and other criminal actors may follow suit.

Contractor Serving Washington State Suffers Ransomware Attack

On May 22, Pacific Market Research (PMR), a contractor for Washington State’s Department of Labor & Industries (L&I), was the victim of a ransomware attack [3]. An unauthorized third party accessed PMR’s system and encrypted its data, affecting at least one L&I file that listed contact information, claims numbers, and birthdates for 16,466 workers. The document did not contain medical information, Social Security numbers, bank details, or other personal information. PMR does not believe the L&I document was accessed or taken in the incident but cannot confirm this. PMR restored the affected file server through backups and reported the incident to law enforcement [4].

TA551 Shifts Payloads to Trickbot, DarkVNC, and Cobalt Strike

The financially motivated criminal group TA551 is distributing TrickBot through maldocs to install DarkVNC and Cobalt Strike [5]. DarkVNC is a remote access tool that gives a threat actor persistence on the target system [6]. Cobalt Strike is a commercially available post-exploitation tool often used by malicious actors for attacks [7]. TA551 historically pushed IcedID, Ursnif, and Valak through maldocs [8]. The group’s use of TrickBot, DarkVNC, and Cobalt Strike represents an aggressive shift in second- and third-stage payloads, with the likely aim of increasing post-exploitation activity on the system.

New Ransomware Diavol Shares Similarities with Conti

A sample of the new ransomware variant Diavol was discovered during a targeted attack that also deployed Conti (v3). Diavol shares nearly identical command-line parameters with Conti, and they are used for the same functions. They operate similarly with asynchronous input/output operations when queuing file paths for encryption. Diavol’s functionality overlap with Conti could suggest links to the cybercriminal group Wizard Spider [9]. Wizard Spider is an established Russia-based group that operates TrickBot banking malware and has evolved its toolset to include Ryuk, Conti, and BazarLoader [10]. The Diavol ransom note also shows a potential link to Egregor ransomware, but this could be a plant.

PrintNightmare Vulnerability Receives Critical Security Update

A security update for Microsoft’s PrintNightmare vulnerability CVE-2021-34527 was released on July 6, 2021 [11]. CVE-2021-34527 is a remote code execution vulnerability in the Windows Print Spooler service that allows unauthorized actors to perform privileged file operations. All versions of Windows are affected. The security update fixes the remote vector, but researchers found that local privilege escalation still works even with the update installed [12]. Defenders can refer to CERT/CC Vulnerability Note VU#383432 [13] for a workaround for the local privilege escalation vulnerability.
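Because the July 6 update leaves the local privilege escalation path open, the practical defender question is which hosts still run the Print Spooler at all. The PowerShell below is an added example, not code from the EclecticIQ post or from CERT/CC: it reports the spooler's state and whether inbound remote printing is disabled by policy, and with `-Disable` applies the widely documented mitigation of stopping and disabling the service. It assumes the host does not need to print or serve printers; verify that per host before using `-Disable`.

```powershell
# Added example (not from the EclecticIQ post): audit the Print Spooler on a
# Windows host and, when -Disable is given, stop and disable the service.
# Assumption: the host neither prints nor serves printers. Run as Administrator.
param(
    [switch]$Disable
)

$svc = Get-Service -Name Spooler -ErrorAction Stop

# RegisterSpoolerRemoteRpcEndPoint = 2 is the registry backing of the Group Policy
# "Allow Print Spooler to accept client connections" set to Disabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$remoteRpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
              -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    SpoolerStatus      = $svc.Status
    SpoolerStartType   = $svc.StartType
    RemotePrintingOff  = ($remoteRpc -eq 2)
    # Local privilege escalation remains possible while the service runs, so a
    # running spooler on a host that does not need it is the finding to act on.
    LpeSurfacePresent  = ($svc.Status -eq 'Running')
}
$report | Format-List

if ($Disable -and $svc.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on $env:COMPUTERNAME"
}
```

Run it across a fleet with `Invoke-Command` and collect the `LpeSurfacePresent` column to find hosts where the spooler is still running without a business need.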

References

1. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021
2. https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
3. https://content.govdelivery.com/accounts/WADLI/bulletins/2e66ced
4. https://www.theolympian.com/news/state/washington/article252532918.html
5. https://www.malware-traffic-analysis.net/2021/06/30/index.html
6. https://reaqta.com/2017/11/short-journey-darkvnc/
7. https://redcanary.com/threat-detection-report/threats/cobalt-strike/
8. https://attack.mitre.org/groups/G0127/
9. https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider
10. https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
11. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
12. https://twitter.com/hackerfantastic/status/1412529895788486657
13. https://www.kb.cert.org/vuls/id/383432
