Part 2 of 2
In the previous segment of our blog series, we looked at the operations of Ryuk and Conti ransomware groups, shedding light on their tactics and impact. In this section, we turn our attention to Maze and Lockbit, two formidable players in the cyber threat landscape, exploring their collaborative dynamics, unique characteristics, and the evolving strategies that define their ransomware campaigns.
Maze: Collaborations and Shifting Dynamics
Maze, known for its collaboration with Mailspam and utilization of RDP brute force, strategically avoids old Soviet countries and swiftly exits systems using the Russian language. This group poses a significant threat to the UK, particularly targeting hospitals during the COVID-19 pandemic. Of course, this sounds similar to a previous gang we discussed, known as Conti.
While Conti is a formidable force, Maze surpasses them in strength and collaboration. Distinguishing itself from Conti, Maze employs ransomware with the ChaCha algorithm and offers ransomware as a service – a novel development in the cybercrime era. The ChaCha algorithm operates on the principles of symmetric key cryptography, where the same key is used for both encryption and decryption. Ransomware as a Service (RaaS) is a cybercriminal business model in which individuals or groups develop and distribute ransomware, making it available for others to use in exchange for a share of the ransom payment. This collaboration amplifies the impact of ransomware attacks, presenting a multifaceted challenge for cybersecurity professionals. The emergence of ransomware as a service further commodifies cyber threats, enabling even less sophisticated actors to participate in malicious activities.
Maze introduces a distinctive practice where, if the target refuses to pay the ransom, they publicly release unencrypted data. This approach has been adopted by other ransomware gangs, including Lockbit. Intriguingly, Maze declared collaboration with other groups after shutting down, viewing them as friends rather than competitors. The use of QakBot, shared malware with Egregor, raises speculations about potential connections between the two groups. QakBot, also known as Qbot, is a sophisticated banking trojan and malware strain that primarily targets Windows-based systems. Egregor is a notorious ransomware strain that emerged in September 2020. It gained prominence for its advanced tactics, techniques, and procedures (TTPs), as well as its aggressive and highly effective approach to extortion. Shared malware suggests a level of collaboration of knowledge exchange between the groups, leading cybersecurity experts to investigate whether there is a more significant relationship or affiliation. The ever-evolving nature of these ransomware groups is evident as Egregor takes over Maze’s operations following its shutdown, emphasizing the need for continuous vigilance.
Hospital Targeting and Impact
While Maze purportedly refrained from targeting hospitals in 2020 due to the impact of Covid-19, incidents, like the attack on a German hospital resulting in a tragic death, expose the grim reality. Despite claims by various ransomware groups that they do not target healthcare facilities, subsequent attacks on these institutions persist, underscoring the severity of the issue. The intersection of cyber threats and healthcare vulnerabilities become even more apparent, as these attacks not only jeopardize sensitive patient data but also directly impact medical services and, tragically, even patient outcomes.
Lockbit: Connections and Apologies
Lockbit follows a trajectory similar to Conti, utilizing its own ransomware encryptor. Recent reports suggest Lockbits adoption of the Lockbit green ransomware encryption method, based on Conti Ransomware. Here, the ransomware encrypts the victim’s data and appends a random extension to the filenames of all encrypted files. The encryption process is automatic and targets devices across Windows domains. Connections between Lockbit and Conti emerge as both groups attempt to recruit developers facing challenges. The dynamics of Lockbit’s attacks have shifted, evident in their actions towards German hospitals where apologies are replaced with unapologetic targeting.
While focusing on this article, Lockbit once again launched an attack in the final days of January. Their target this time was Saint Anthony Hospital, a facility dedicated to providing care for children. The ransom demanded by the attackers amounted to $900,000. Shockingly, Lockbit did not provide a decryption key nor express any remorse for their malicious actions. They imposed a two-day negotiation period on the hospital, warning that failure to comply would result in the public release of all the data they had acquired from the institution.
Hospital Attacks and Lessons Learned
The Lockbit attack on SickKids Hospital in Canada was marked by an unusual event in the world of ransomware attacks – Lockbit issued an apology and provided a decryptor. This departure from the typical adversarial behavior of ransomware groups hinted at a potential sense of remorse or a strategic decision to present a more benevolent image. Offering a decryptor alongside an apology was uncommon in an ecosystem where threat actors are often known for their ruthless tactics and indifference to the consequences faced by their victims.
However, this apparent display of empathy in the SickKids Hospital incident sharply contrasts with Lockbit’s subsequent actions in Germany, signaling a significant shift in their approach. In the German attacks, Lockbit abandoned the apologetic stance seen in Canada and embraced a more aggressive and unapologetic strategy. This change in behavior could be attributed to various factors, including shifts in the group’s leadership, modifications to their ransomware-as-a-service model, or a strategic decision to project a different image in response to evolving cybersecurity landscapes and law enforcement activities.
The intersection of cybersecurity and healthcare becomes apparent as hospitals become lucrative targets for ransomware attacks. The evolving landscape prompts reflections on past attacks by various ransomware groups and the indifference displayed even in the fact of condemnation. It underscores the critical need for heightened cybersecurity measures within the healthcare sector and beyond.
How Bright can Help
Minimizing cybersecurity risks is paramount for businesses in today’s threat landscape. Thankfully, Bright’s Dev-centric DAST proves invaluable in this endeavor by effectively identifying vulnerabilities and offering robust mitigation processes. Its advanced capabilities include the detection of critical CVEs using sophisticated payloads and the reduction of false positives through AI.
The constant emergence of new CVEs poses an ongoing threat to digital infrastructures, with hackers actively exploiting unpatched or outdated systems. A notable example is the CI0P group, utilizing CVE-2023-34362, a SQL injection vulnerability to deploy ransomware. Another avenue for attackers involves leveraging XSS to spread ransomware and tarnish an organization’s reputation. In the vast landscape filled with numerous vulnerabilities, Bright plays a crucial role during threat mapping activities.
Upon identifying vulnerabilities related to web infrastructure, the SOC team can seamlessly implement prevention measures. This proactive cycle begins with discovery, followed by manual scanning and investigation processes, significantly reducing the time required for solution. While some CVEs or vulnerabilities may take days to address, Bright’s tool proves instrumental in minimizing this timeframe, ensuring thorough detection without potential false positives, thus optimizing the efficient use of time and resources.
As we unravel the operations of Maze and Lockbit, the intricate dance between ransomware groups and cybersecurity professionals continues. Understanding their tactics, collaborations, and impact is pivotal in fortifying defenses against the evolving threats. As the landscape continues to evolve, proactive measures informed by a deep understanding of the adversaries become crucial for a robust security posture in 2024.