an unprecedented September 2020

In September we recorded almost 270 ransomware attacks worldwide, an explosion compared to the previous months, while June and August were already marked by intense activity by cybercriminals. But beware of trompe-l’oeil.

Continuation of the article below

In France, we have counted 10 proven cases, to which is currently added a suspected but unconfirmed case, up from 8 in August and roughly the same in July. Confirmed attacks are listed in the timeline, which we update regularly. At Intrinsec, Cyrille Barthelemy reported 13 cases “in crisis mode” in September, compared to 10 in August. And to specify that his intervention capacities in the summer were obviously not the same as at the beginning of the school year. With I-Tracing, Laurent Besset noted 9 interventions in the past month, compared to 4 in the previous month. At Advens, Benjamin Leroux suggests 3 main interventions and less than 5 side interventions. Even so, 150 detonations of threats likely to detonate ransomware, most notably Emotet.

In early September, the National Agency for Information System Security (Anssi) said it had carried out 104 ransomware attacks since the beginning of the year, up from 54 in 2019. Of course, cases outside of their area of ​​intervention are not taken into account.

With regard to the platform, the managing director of GIP Acyma, Jérôme Notin, reported 1,082 reports of ransomware since the platform was launched on February 4, with 44% companies or associations and 10% administrations or municipalities. In September, Jérôme Notin identified 131 requests for assistance, up from 104 in August and 122 in July.

In France it seems difficult to talk about an explosion at the moment. However, if the uptrend seems less pronounced than it does for the rest of the world, the threat undoubtedly seems to remain high.

There are at least two possible explanations for the situation that suggest the threat is unlikely to decrease in the near future. We’ll develop them according to the timeline below.

A very cheap floor

The first element of the declaration is the dissemination of discoveries of vulnerabilities that open the doors of information systems of public and private organizations. We are thinking in particular of RAS systems or VPN servers with the vulnerability CVE-2019-19871 for Citrix Netscaler Gateway systems, CVE-2020-3452 for Cisco ASAs, CVE-2019-11510 for VPN Pulse Secure, CVE-2020- 5902 for F5 systems or CVE-2020-2021 for Palo Alto Networks systems and CVE-2018-13379 for Fortinet VPN servers.

And that’s not all. In addition, there are certain vulnerabilities that affect applications and are popular with attackers, e. B. CVE-2020-6287 for SAP Netweaver or CVE-2019-11580 for Atlassian Crowd-Server … or even those many RDP services that can be accessed in line without Network Layer Authentication (NLA).

In fact, any first-time access to an information system is likely to be exploited before that access is resold to cybercriminals. Ransomware operators are particularly interested in such access, which is sometimes offered for sale for an amount that appears as a pittance for the amount of ransom demanded thereafter.

Finally, there are vulnerabilities like zerologon that can speed up the takeover of the victim’s Active Directory domain once the attackers are in, if the patches have not been applied.

Particularly active cyber mafia

In addition to this fertile environment, the attackers are more aggressive. Emotet recently made a bang comeback affecting businesses, judges or even local authorities like Besançon. The German counterpart of Anssi, the BSI, has been open since the beginning of September after an initial information campaign in early August.

For its part, Proofpoint mentioned it at the end of August and mentioned news in French … but without listing France among the targets. The Anssi recently played the toscin. And this is important because, as Nicolas Caproni, head of the Secret Service for Sekoia’s Threats, recently recalled: “The detection of Emotet, TrickBot or Qakbot is certainly the forerunner of a major attack”.

Added to this is the emergence of new ransomware that practices double extortion: paying a ransom is not only required to decrypt the data, but also to prevent its disclosure. The new Conti is particularly aggressive, but you also have to expect MountLocker, SunCrypt, LockBit or Egregor (ex-Sekhmet). The best known like Maze and Revil / Sodinokibi don’t have to hang up their gloves. And then there are the more “discreet” ones like RansomExx, Ekans or even Ryuk.

It is precisely this phenomenon that requires a certain degree of caution: the considerable increase in the number of ransomware playing double extortion is likely to have an enlargement effect. In fact, the number of known attacks is higher not only because the attacks are more numerous, but also because more of them are made public. An analysis by Jérôme Notin.

A mafia that feeds on its victims

Moreover, the multiplication of the victims itself requires a new multiplication of the victims. As Fabien Lorc’h from Airbus CyberSecurity points out, “when an adult likes [CMA-CMG] is affected, the entire sector and [de ses] Contacts are even more at risk

Rotate from one target to another. In the end, to use a metaphor, a ransomware campaign, it is like a pandemic: only one patient is affected and there are many cases of contact. “

In fact, the data that cyber criminals stole prior to launching their ransomware can be real gold mines for future highly targeted phishing campaigns … and made easier by using very real information gathered during the previous attack. A single list of thousands of email addresses with a few extra personal items can be a great place to start. In mid-July, Emsisoft’s Brett Callow drew attention to such a suspected case. And that without taking into account the use of technical connections. Or the illusion of security that arises from inadequate hygiene in the compromised information system.

And then every ransom paid enables cyber thugs to recruit new accomplices. Recently, the Revil group, operator of the Sodinokibi ransomware, was able to afford the luxury of depositing almost $ 1 million in Bitcoin as a guarantee for future recruits in a forum frequented by cyber delinquents. . While detailing the methods of dividing prey …

Because when the ransomware mafia first buys access to the information systems of potential targets, it hires hackers who can use this to compromise the Active Directory domain controller and provide its user data. Before dividing the income.

How you can protect yourself

Financial cybercrime, largely from the APT, was highlighted in our Ivan Kwiatkowski columns from the Kaspersky research and analytics teams in early February. In concrete terms, this means that the attack in the information system is far-reaching until it receives administrator rights and grants very broad access to the data of the company at risk.

So if the ransomware detonates, it really is too late. And the Active Directory infrastructure must be solidly protected and robustly designed in separate third-party vendors according to the criticality of the roles without ever considering replication as a backup.

The security of potential entry points on the Internet is undoubtedly of vital importance as patches for known security vulnerabilities are available. And that without taking into account protection against threats via email, starting with Emotet, as we described in detail recently.

In addition, it is advisable to limit the attacker’s lateral displacement capacities as much as possible, as described by Benjamin Delpy, the inventor of Mimikatz, in our columns and to secure the administrative tools to prevent their distraction by cyber criminals.