ransomware

May 10, 2021

Ransom-Wars: The Task Force Awakens

Ransomware is a significant societal problem. If you’re unaware of how it works, read our previous blog on the topic. 2020 was a banner year for ransomware gangs, as analysts estimate they brought in approximately $350 million, with the average payment exceeding $315,000[1]. It’s gotten so concerning that 60+ government agencies and industry leaders formed a task force to tackle the situation.

Key members include the United States Department of Justice, the FBI, the Department of Homeland Security, Europol, Microsoft, Amazon, Cisco, and more. They recently published an 81-page document that discusses the issue and creates a framework for dealing with ransomware[2]. Lucky for you, we read it, so you don’t have to. Here’s the easily digestible summary.

Definition of ransomware

The first quarter or so of the report focuses on defining ransomware and the tactics threat actors use. These are covered in our previous blog if you’re interested. To summarize quickly, ransomware is a type of malware malicious agents install on high-priority computer systems, typically governmental organizations or successful businesses.

Once the malware is inside a network, it spreads through it and encrypts or exfiltrates the files it finds. The attackers then demand a ransom that the organization must pay to decrypt its data or to prevent the hackers from leaking it on the internet.

Some rather nasty gangs require double ransoms, one for decryption, the other for not leaking the information. It’s known as double-extortion and is becoming a popular tactic. Now, onto the proposed framework.

The framework for fighting ransomware

We should note that this document’s crux lies in the need for international cooperation for its implementation. Although the United States suffers the majority of ransomware attacks, it is a global problem. The perpetrators come from many different countries such as Russia, Iran, and North Korea, which have zero incentive to stop. This means the rest of the global community needs to agree to the framework for it to work.

Goal 1: Deter

The first goal of the framework is to prevent as many ransomware infections as possible. The document outlines various steps the world must take to do so:

Establish an international ransomware coalition. Governments and corporations around the world have to come together. The document suggests that leaders must communicate regularly about the threats to keep the global community informed about new groups and malware variants. It outlines that nations should create “investigation hub” networks for data sharing and analysis.

The U.S. Government should prioritize ransomware policy. The task force wants the United States, in particular, to get tough on ransomware. It proposes the intelligence community designate it as a formal national security threat and for the DoJ to prosecute ransomware cases more aggressively. Furthermore, it wants the U.S. to levy sanctions against countries that harbor ransomware gangs to increase pressure for cooperation.

Goal 2: Disrupt

The second objective is to disrupt the current business of ransomware gangs and make it a less profitable endeavor. The task force recommends:

Crack down on cryptocurrency markets. Ransomware groups force victims to pay nearly all ransoms in cryptocurrency. They do this because cryptocurrencies are borderless and can be challenging to track. There are anonymous exchanges, privacy coins, and techniques for swapping assets from one cryptocurrency to another to obscure their origin. The report suggests governments provide more of a regulatory framework for this market. It wants exchanges to follow the current anti-money laundering laws to which other financial institutions must adhere.

Create an insurance company consortium. Insurance companies do offer protective plans against ransomware. The task force would like to see collaboration and data sharing between these organizations. It claims this could reduce payments to sanctioned or terrorist bodies since they could use the mass amount of information to get a clearer picture of the groups demanding the ransoms.

Target infrastructure used by criminals. Ransomware campaigns require significant computer infrastructure. The report proposes international cooperation that targets these systems and brings them down.

Goal 3: Help

Unfortunately, many organizations aren’t well prepared for ransomware attacks. The fact is that most organizations over a certain size will be targeted sooner rather than later. The task force recognizes this and wants to provide these organizations with more information and better toolsets to deal with attacks. It advises:

Create and highlight complementary materials for the framework’s adoption. There is a significant amount of readily available material about ransomware prevention and mitigation. The task force wants to promote these existing materials and create new ones to fill in any information gaps. The new materials should be geared toward organizational leaders and include specific implementation procedures.

Require government agencies to follow guidelines and incentivize private businesses. The task force wants to include ransomware-specific guidelines in existing cyber-hygiene standards and require government agencies to follow them. Furthermore, it supports creating more grants while alleviating fines and taxes for private companies that follow the framework. This would make a strong incentive for everyone to be on board.

Goal 4: Respond

Organizations need a more effective response after a ransomware infection. This goal aims to aid businesses and agencies after an incident. The task force recommends:

Increased support for victims. Ransomware is destructive and could be incredibly dangerous if it affected critical infrastructure or health-based organizations such as hospitals. The task force wants to set up a relief fund that would help funnel resources quickly if such a situation ever occurs.

Encouragement to report ransomware. Ransomware attacks are embarrassing for companies, and many don’t even report them. This stops the flow of information and hinders future efforts to predict and prevent attacks. The task force feels proper encouragement and education materials are crucial to getting an accurate, holistic picture of the insidious malware.

Educate organizations about payment alternatives. The truth is, if organizations stopped paying the ransoms, the income would dry up for ransomware gangs, and it would no longer be a worthwhile endeavor. This is easier said than done, as some data is very sensitive and perhaps not backed up offline. Still, the task force urges companies to look at the alternatives to paying whenever possible.

Potential roadblocks

These all sound like good suggestions and would actually go a long way in fighting ransomware if implemented adequately. However, there are some weaknesses to consider:

Privacy concerns. If the world at large enacts this framework, governments and businesses will share a lot of data. As with most scenarios regarding Big Data collection, this has a good chance of going awry from a privacy standpoint. Is it worth it? A detailed cost-benefit analysis would have to be done, but AXEL believes the possibility of abuse is too great as-is. The fact is, even if governments gave privacy guarantees, they don’t mean much.

Inefficient bureaucracy. The task force recommends creating multiple new governmental and public-private partnership organizations to combat ransomware. It’s admirable to put so much thought into methods to take on the problem, but additional levels of bureaucracy may prove (as they typically do) to be inefficient.

Data security

AXEL believes that basic education about cybersecurity best practices for all members of an organization is the best way to prevent ransomware infections currently. While all systems have technical weaknesses, the biggest weakness tends to be the human factor. Teaching employees to be vigilant about ransomware and understand the risks entirely is effective.

Another part of the equation is data security. Are you storing and sharing data securely? If not, or you aren’t sure, you should try AXEL Go. AXEL Go utilizes multiple layers of security to protect data from malicious agents. You can read more about our use of technology and download the app to try for yourself at AXELGo.app. Sign up today and receive a free 14-day trial of our Premium service.

[1] “Ransomware Skyrocketed in 2020, But There May Be Fewer Culprits Than You Think”, Chainalysis.com, Jan. 26, 2021, https://blog.chainalysis.com/reports/ransomware-ecosystem-crypto-crime-2021

[2] Ransomware Task Force, “Combatting Ransomware”, SecurityAndTechnology.org, April 2021, https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf

Filed Under: Cybersecurity Tagged With: cyber attack, cybercrime, cybersecurity, ransomware, task force

December 4, 2020

A Look into North Korea’s Legion of Cyber Criminals

When it comes to infamous hacker gangs, Russian ones seem to garner the most attention. However, North Korea’s state-sponsored group is just as formidable. Here, we attempt to break down the rogue nation’s cyber army and see how it operates.

Bureau 121

The Reconnaissance General Bureau (RGB) of North Korea is the country’s intelligence agency, consisting of six different “bureaus.” Formed in 1998, Bureau 121 is the cyber warfare sector of the RGB. According to an intelligence report from the United States Army, this branch consists of four subgroups[1]. These include:

The Andarial Group: Andarial members assess targeted computer systems and identify vulnerabilities to use in future attacks.

The Bluenoroff Group: This group focuses on financial crime. Cyber theft is one of North Korea’s biggest revenue streams.

Electronic Warfare Jamming Regiment: They are in charge of jamming enemy computer systems during actual, on-the-ground war scenarios.

The Lazarus Group: The most notorious part of Bureau 121, The Lazarus group is an agent of social chaos. They infiltrate networks and deliver malicious payloads.

The Lazarus Group is often synonymous with the other three units, especially the financial crime division. It is unknown how many individuals comprise Bureau 121, but it is estimated to be thousands. Members often reside in other countries like Russia, China, Belarus, India, and Malaysia. This helps obscure the true origin of attacks and provides more robust electronic infrastructure to the malicious agents. Due to worldwide economic sanctions and a generally low industrial capacity, North Korea itself does not have access to the resources necessary to carry out large attacks.

An elite organization

North Korea’s internal policies and actions are opaque to the international community. However, defector testimony claims that the nation’s top computer science students from the university in Pyongyang make up Bureau 121. These talented hackers then enjoy special privileges in North Korean society[2]. Instead of rundown tenements or rural farmhouses, they receive relatively posh (by North Korean standards) uptown apartments in the capital. With these kinds of unheard-of perks, it’s no wonder that people desire the positions.

Significant revenue generation

North Korea’s illicit digital activities replace a portion of what’s lost due to sanctions and flawed policies. In 2019, a United Nations report concluded that the rogue country gained $2 billion from cyberattacks[3]. Now, that sounds bad, but maybe it’s some sort of Robin Hood situation, where they steal from the rich to provide food and essentials for their ailing citizens? But no, the money actually went to their weapons division, specifically the nuclear weapons program. This makes North Korean hackers a threat to global security.

Notable attacks

2013 South Korea Cyberattack

In March 2013, North Korea unleashed a devastating cyberattack against their neighbors to the South. Utilizing the “DarkSeoul” malware, they infiltrated banking and media institutions throughout the country. Their top two television stations, the Korean Broadcasting System and MBC, suffered widespread computer issues but were able to stay on the air.

Popular banks such as the Shinhan Bank, Jeju, and NongHyup reported outages for their online banking and in-person services alike. Some even had their internal files erased. Luckily, they recovered most of the data from backups and restored operations within a few hours. Although resolved relatively quickly, it was still proof North Korea could cause chaos to their enemies.

The Sony hack

The November 2014 hack of Sony Pictures remains one of the most-publicized cyberattacks in history. It was a massive data breach that exposed a mountain of sensitive info. This ranged from personal information regarding employees and inter-office emails to plans for upcoming films, scripts, and complete cuts of then-unreleased movies.

If anyone doubted whether North Korea was responsible for the attack, it was all but verified when the hackers made their demands. The most adamant requirement was for Sony to nix the release of “The Interview.” For the readers out there unfamiliar with the intricacies of the Seth Rogen/James Franco buddy comedy genre, The Interview starred the famous duo attempting to assassinate the Supreme Leader of North Korea, Kim Jong Un. In the face of the hack, and under threats of terrorism by the attackers, Sony pulled the movie from theaters and released it online only.

The Sony hack was a huge deal. It led the United States to bring formal charges against North Korea and raised tensions to a point from which relations have never really recovered.

WannaCry ransomware

WannaCry is another extremely high-profile cybersecurity incident. In May of 2017, using a Microsoft Windows vulnerability, WannaCry infected hundreds of thousands of computers in less than a day! While only receiving a paltry (by successful ransomware standards) $130,000 in ransoms, the virus made a huge practical impact.

The biggest example of this was the attack on National Health Service hospitals in England and Scotland. Many of them had to turn away non-life-threatening emergencies, and the incident disrupted ambulance service throughout the region.

After the attack, the United States held a Congressional hearing with security professionals to solicit ideas about improving resiliency to such situations.

Recent activity

The hacks above had the most significant impact on global cybersecurity, but that doesn’t mean Bureau 121 slowed down in recent years. On the contrary, they’ve been extremely busy! The increased popularity of cryptocurrency gives entities like the Lazarus Group an easy way to transact with the organizations they attack and launder the ransoms afterward.

They outright target cryptocurrency-related companies too. Research indicates they use the professional social media platform LinkedIn to lure unsuspecting employees and spear-phish their way into vulnerable networks[4]. These underhanded tactics result in lucrative ill-gotten gains. According to the UN report mentioned above, $571 million of the $2 billion in revenue came from cryptocurrency theft.

Phishers target AstraZeneca

Using the LinkedIn phishing method, the Lazarus Group set their sights on pharmaceutical giant AstraZeneca in late November. State agents posing as high-level recruiters flooded their employees with fake job offers. Then, they emailed the targets with malware attachments. Luckily, no one fell for the scheme, but it shows that Bureau 121 isn’t burdened by any moral compass.

AstraZeneca is one of the companies working on a viable COVID-19 vaccine. Cybersecurity researchers believe that North Korea is focusing on COVID-related organizations at the moment[5]. As one of only 11 countries without a reported COVID-19 case[6], perhaps they don’t see the harm in attacking a vaccine maker. For the rest of us, we can only hope they fail.

Protect your data

When you think of state-sponsored hacking groups, you may assume they only attack political targets. However, rogue nations like North Korea gain a considerable portion of their revenue from such endeavors, as you’ve seen. Therefore, assume that any organization with network vulnerabilities and substantial cash flow is susceptible.

Protect your sensitive data from threat actors by using AXEL Go to store and share files. AXEL Go is built on secure blockchain technology and utilizes robust encryption to keep your documents safe and private. It is available on Windows, Mac, iOS, and Android. So, no matter where your platform allegiances lie, you can enjoy secure, private file sharing. Our free basic account offers all the great features of AXEL Go with 2GB of free online storage. Download it now.

 

[1] “North Korean Tactics”, Department of the Army, July 2020, http://www.documentcloud.org/documents/7038686-US-Army-report-on-North-Korean-military.html

[2] Ju-min Park, James Pearson, “In North Korea, hackers are a handpicked, pampered elite”, Reuters, Dec. 4, 2014, https://www.reuters.com/article/us-sony-cybersecurity-northkorea/in-north-korea-hackers-are-a-handpicked-pampered-elite-idUSKCN0JJ08B20141205

[3] Michelle Nichols, “North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report”, Reuters, Aug. 5, 2019, https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX

[4] Anthony Cuthbertson, “North Korean Hackers Use LinkedIn for Cryptocurrency Heist, Report Reveals”, The Independent, Aug. 25, 2020, https://www.independent.co.uk/life-style/gadgets-and-tech/news/north-korea-hackers-lazarus-linkedin-cryptocurrency-a9687086.html

[5] Jack Stubbs, “Exclusive: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca – sources”, Reuters, Nov. 27, 2020, https://www.reuters.com/article/us-healthcare-coronavirus-astrazeneca-no/exclusive-suspected-north-korean-hackers-targeted-covid-vaccine-maker-astrazeneca-sources-idUSKBN2871A2

[6] Kaia Hubbard, “Countries Without Reported COVID Cases”, U.S. News, Nov. 13, 2020, https://www.usnews.com/news/best-countries/slideshows/countries-without-reported-covid-19-cases?slide=13


Filed Under: Cybersecurity, Uncategorized Tagged With: bureau 121, cybersecurity, hackers, lazarus group, North korea, north korean hackers, ransomware

October 7, 2020

Ransomware: Give us back our files!

Ransomware attacks are on the rise. By 2021 they’re expected to cost companies over $20 billion per year[1]. With that kind of money at stake, it becomes evident that prevention is crucial. Let’s look into some background on ransomware and what companies can do to prevent catastrophic hacks.

What is ransomware?

Ransomware is a type of malware that has gained popularity over the past five years. The general progression of a ransomware attack goes like this:

  1. The targeted computer network is delivered a malicious payload. The majority of the time, this means an employee falls for a phishing scam, clicks a bad link, and accidentally opens access to the system.
  2. The computer virus maps out the connected drives (both local and networked) and encrypts data as it goes. Depending on the strain of malware, the infected computers may transmit the encrypted data back to the hackers.
  3. The hackers contact the company to inform them about their misdeeds and demand a ransom to unlock the files. Usually, this is on a strict time limit, and the demand increases if not met promptly. If the bad actors stole the data and not just encrypted it, they also threaten to leak or sell it on the Dark Web when no payment is received.

The encryption used in ransomware attacks is practically impossible to brute force crack. If there are no backups, or the organization doesn’t want the information leaked and sold, favorable response options are limited.

Common types of ransomware in 2020

There are many different flavors of ransomware, and all of them are disgusting. But, the most popular versions in 2020 include:

Sodinokibi. Also known as REvil, this malware accounted for up to 29% of ransomware attacks this year[2]. It is thought to be a ransomware-as-a-service (RaaS) package that different affiliated hacker groups purchase. These groups focus on U.S. businesses and have demanded ransoms of up to $42 million. Analysts estimate this virus has generated approximately $81 million in profit through September.

Maze. Here’s another RaaS. Maze made up 12% of ransomware attacks so far this year. It incorporates similar tactics to Sodinokibi but, starting recently, is known to utilize a program called the Buer Loader. The Buer Loader is especially insidious. Once installed on the target network, it can execute additional malicious payloads while establishing persistence in the system. This means that while the infected computers remain attached to the network, the entire system is compromised.

EKANS. Let EKANS slither into your network, and you’re in for an awful time. Discovered in late 2019, it’s involved in 6% of ransomware attacks in 2020. It’s unique in that it can terminate critical processes, including some Industrial Control System (ICS) functions. This makes it very dangerous to industrial organizations that rely on automation.

Ways to prevent attacks

The best way to protect yourself from ransomware is to build a strong defense plan against it. Doing so puts you well ahead of most companies, as a recent survey concludes 77% of IT professionals feel their organizations don’t have consistent response plans[3]. Here are our top six tips:

Maintain current offline backups. It may be a pain to set up redundant backup file storage, but it’s well worth the effort to prevent a successful ransomware attack. You should back up your important files regularly to offline hard disks. This allows you to wipe infected systems and reload your sensitive information back onto the clean drives. This alone offers full protection against many attacks, although if the hackers obtained the data for themselves and threaten to sell it online, you still have problems.

Implement quarterly phishing training. As previously stated, phishing is responsible for the majority of data breaches. It’s doubtful you will prevent all phishing, but providing the proper training will help. Employees should take mandatory quarterly classes that inform them about new phishing techniques and how to spot fraudulent communications.

Test the system to find weaknesses. We recommend frequent penetration tests from internal or third-party experts. Consider penetration testers ethical hackers. They will poke and prod your network to expose vulnerabilities. Once they are known, your company can fix the issues and solidify your defenses against the unethical hackers out there.

Monitor file systems and mail servers to pinpoint suspicious activity. With recent advances in AI solutions, monitoring network traffic is easier than ever. Block unknown or suspicious connections immediately. You can always unblock connections after they are confirmed safe. Email is the primary attack vector for phishing, so ensure that you monitor it sufficiently as well.

Use up-to-date, patched antivirus software. Antivirus programs are critical defenses against ransomware, but you should update them frequently to their current versions. Hackers continuously attempt to find new exploits that can go undetected by older software. They also develop new ransomware to evade antivirus programs. Be as safe as possible by keeping things patched.

Do not pay ransoms. This advice may not seem preventative, but it is in the longer term. If you ever do get attacked, we recommend not paying the ransom unless absolutely necessary. Paying criminals will put a bigger target on you for other cyber thieves in the future. Furthermore, if businesses worldwide stopped paying altogether, the market would dry up, and the malicious actors would have no incentive to keep trying. We understand that not all circumstances are created equal, but as a general rule, you should not negotiate with crooks. Can you even trust them to do what they say they’ll do after you pay the ransom? Think about it.

What to do if successfully attacked

Nobody wants to boot up their computer to find a ransom demand. However, there are steps you should take if you ever find yourself in this unenviable position, such as:

Isolate infected computers. Figure out which machines have encrypted data and determine their network connections. Then, disconnect the affected computers as soon as possible. Many ransomware strains attempt to connect to peripheral networks, so you want to quarantine them quickly.

Identify the type of ransomware. Hopefully, the malware is known and documented. If it’s older, someone may have leaked the decryption keys online. In these lucky cases, you can decrypt your data without paying a dime. Even if that isn’t the situation, you still want to know exactly which ransomware is infecting your system.

Talk to law enforcement. Contact your local authorities, or if it’s a more considerable ransom, federal law enforcement. Federal agencies especially may have access to common decryption keys and can give more information about the perpetrators’ tactics.

Wipe infected drives and install recent backup data or recover data from damaged drives. Organizations with reliable backups should wipe the compromised drives and reinstall their most current data. Those without backups may have to use specialized IT firms to recover information from damaged and cleaned drives.

Conclusion

To protect your company from ransomware, you need to have robust security and threat response strategies. New file storage solutions like AXEL Go should play a part as well. AXEL Go uses the decentralized AXEL Network to store and transfer files. Instead of holding data on a central server farm, the information gets spread around a vast collection of network participants (Masternodes). This results in data storage without a single point of failure. Even if a particular server gets compromised, your data has redundant backups throughout the world. It makes for a much more secure way to store sensitive information. Visit axelgo.app to learn more about this exciting technology.

[1] Steve Morgan, “Global Cybersecurity Spending Predicted To Exceed $1 Trillion From 2017-2021”, Cybercrime Magazine, June 10, 2019, https://cybersecurityventures.com/cybersecurity-market-report/

[2] Camille Singleton, Christopher Kieer, Ole Villadsen, “Ransomware 2020: Attack Trends Affecting Organizations Worldwide”, Security Intelligence, Sept. 28, 2020, https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/

[3] “IBM Study: More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them”, IBM News Room, April 11, 2019, https://newsroom.ibm.com/2019-04-11-IBM-Study-More-Than-Half-of-Organizations-with-Cybersecurity-Incident-Response-Plans-Fail-to-Test-Them


Filed Under: Cybersecurity Tagged With: cybersecurity, hackers, hacks, malware, ransomware

August 12, 2020

Recent Hacks Against Twitter, CWT, and Garmin

Anyone paying attention to the news lately likely knows about the large-scale hack of Twitter. It was the largest attack in the platform’s history and compromised over 130 prominent accounts[1].

It wasn’t the only recent high-profile hack, however. Two other large companies suffered major incidents as well. While they may not have been as headline-grabbing, the bandits in these cases made off with millions of dollars.

The day Bill Gates tried to scam you

No, that’s not a reference to Windows Phone. On July 15th, many public figures had their Twitter accounts hacked, including Gates, Joe Biden, Barack Obama, Warren Buffett, Kanye West, and others. These accounts were all made to tweet out a Bitcoin donation scam. By the time the attack was dealt with, the scammers had gotten away with nearly $120,000 in BTC.

Since then, the alleged perpetrators have been identified. According to authorities, the “mastermind” behind the scheme was a 17-year-old from Florida, Graham Ivan Clark. Whereas most 17-year-old boys are concerned about who they’ll take to prom, Graham allegedly spent his time concocting an increasingly complex list of digital scams. What started as trolling Minecraft players for small-time sums ended with Clark amassing over $3 million in Bitcoin[2], including the $118,000 Twitter heist.

While it has not been verified, the leading theory as to how the hackers carried out their plan is as follows:

  • They targeted employees with administrative privileges at Twitter with phone-based spear phishing attacks. Spear phishing is a social engineering method where the malicious agent attempts to convince an employee of the company to reveal sensitive information. In this case, Clark allegedly posed as a co-worker in the Twitter IT department.
  • This gave them access to powerful internal tools capable of managing high-profile accounts.
  • The agents then used these tools to change associated emails and reset passwords of the targeted accounts.
  • With full access, they were able to tweet out the Bitcoin scam.

You can imagine why this story has received much traction. It has potentially far-reaching implications beyond a moderate heist. If bad actors were able to gain access to such prominent accounts and use them for even more devious purposes, chaos could ensue. This is one reason why the FBI took a leading role in the investigation of the crime[3].

The CWT hack

The travel management firm CWT has also been in the news lately due to a cybercrime incident. Although the potential consequences of this attack are less sweeping than the Twitter incident, it is still an amazing case.

On July 27th, it came to light that the company had paid $4.5 million in Bitcoin to hackers who had infected up to 30,000 of their computers with the ransomware known as Ragnar Locker.

Ransomware is a common type of malware. The variety used in this attack encrypted data on the compromised computers. This encrypted data could not be accessed until the ransom demands were met. Once they were, the hackers provided decryption keys.

Ragnar Locker is a specific ransomware strain discovered in December 2019. Attackers employing this program have been known to use especially tricky methods to escape detection. They hide it within a virtual machine image. This image is installed in secret and then maps out all connected drives on the target’s network. Since the malware is running in a VM, it is concealed from security software. This makes it very difficult to prevent or quarantine.

The CWT case is interesting because the chat room logs of conversations between the hackers and CWT management leaked. Typically, companies faced with a hack discuss terms in private and the public is unaware of the specifics of the deal. Here, it is known that the attackers initially asked for over double the amount they ended up receiving in ransom. Still, it is amazing to think that a 49kB malware file hidden in a 282MB virtual image could net these attackers $4.5 million.

Garmin pays out

Garmin, most known for its GPS-related products and smartwatches, fell victim to ransomware on July 23rd. The attack has been tied to a notorious, Russian/Ukrainian-based hacker group known as Evil Corp.

What is there to know about this group? For one, they’re likely fans of the television show Mr. Robot. More than that, though, they are an extremely proficient group of cyber thieves. It is estimated their attacks have netted them well over $100 million in ill-gotten gains[4]. This gang is so prolific that it has been officially sanctioned by the United States government.

The ransomware used in the Garmin attack is called WastedLocker. Like Ragnar Locker, it also has a novel method of concealment.

Anti-ransomware programs monitor a computer’s file system for a process that opens and modifies a large number of files in quick succession. When security software detects this pattern, it kills the process, limiting the damage to a small number of files. WastedLocker bypasses this by opening a file into the Windows Cache Manager, which lives in the system’s RAM. It then closes the original file and encrypts it in the cache manager. Because of how the Windows Cache Manager operates, the newly encrypted file is then written back over the original in the file system.
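To make the behavioural heuristic described above concrete, here is an added example (not code from AXEL or from any security product) of a minimal rate-based detector: it flags a process that modifies an unusual number of distinct files within a short window. The event format, window, threshold and sample events are all constructed for illustration.

```python
from collections import defaultdict, deque


def make_sample_events():
    """Constructed sample file-system events, not real telemetry:
    (timestamp_seconds, pid, action, path).
    pid 100 behaves like an office application saving its work;
    pid 200 touches many distinct files in a few seconds."""
    events = [
        (0.0, 100, "WRITE", r"C:\Users\a\Documents\budget.xlsx"),
        (4.0, 100, "WRITE", r"C:\Users\a\Documents\budget.xlsx"),  # same file again
        (9.0, 100, "WRITE", r"C:\Users\a\Documents\notes.docx"),
    ]
    for i in range(30):  # 30 distinct files modified within about three seconds
        events.append((1.0 + i * 0.1, 200, "WRITE", rf"C:\Users\a\Documents\file{i}.pdf"))
    return sorted(events)


def detect_mass_modification(events, window_s=5.0, threshold=20):
    """Return {pid: timestamp_flagged} for every process that modified at least
    `threshold` distinct files within any `window_s`-second span.
    Only WRITE events count, and rewriting the same file repeatedly does not
    add up, so an editor saving one document stays below the threshold.
    Writes that never surface as ordinary file-write events (the cache-manager
    path the post describes) never enter this loop: that is the blind spot."""
    recent = defaultdict(deque)  # pid -> deque of (timestamp, path) inside the window
    flagged = {}
    for ts, pid, action, path in events:
        if action != "WRITE" or pid in flagged:
            continue
        window = recent[pid]
        window.append((ts, path))
        while ts - window[0][0] > window_s:  # expire events that fell out of the window
            window.popleft()
        if len({p for _, p in window}) >= threshold:
            flagged[pid] = ts  # a real product would suspend the process here
    return flagged


if __name__ == "__main__":
    print(detect_mass_modification(make_sample_events()))
```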

Although it isn’t known exactly how much Garmin paid to decrypt its files, we do know the company has recovered its data. With an alleged demand of $10 million, it’s nearly guaranteed that Evil Corp received millions of dollars.

Leveraging the security of blockchain

At first glance, it may seem counterintuitive to use blockchain technology to stop cybercriminals. After all, the thieves typically receive their ransom payments in blockchain-powered cryptocurrency to remain as anonymous as possible. There are useful applications of the technology for cybersecurity, however.

Consider the underlying strengths of blockchain technology:

  • Data stored within the blockchain can’t be altered without being noticed immediately.
  • Data is not stored on a small number of centralized servers. The blockchain is distributed among all nodes within it, which often number in the thousands or more.

These strengths show why the technology is so well suited to data security. If a hacker were to infiltrate a node on the blockchain and alter information, it would conflict with the data held by the other nodes, and the subsequent blocks would be rendered invalid. The affected nodes could be removed from the system and their data restored to a valid state before reintegration.
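The two properties above, as an added toy example that is not AXEL’s code and says nothing about how AXEL Go is built: a hash-linked chain replicated on three constructed nodes, where altering one node’s data breaks that block’s hash, re-hashing it only breaks the next block’s back-link, and the node is then restored from a healthy peer. Majority-of-tips stands in for real consensus here and is an assumption of the example.

```python
import copy
import hashlib
import json
from collections import Counter
GENESIS_PREV = "0" * 64

def block_hash(block):
    """Hash over the block's index, back-link and payload (constructed toy chain)."""
    payload = {k: block[k] for k in ("index", "prev_hash", "data")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

def build_chain(records):
    """Build a hash-linked chain; each block holds its own copy of the record."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        block = {"index": i, "prev_hash": prev, "data": copy.deepcopy(data)}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain

def first_invalid_block(chain):
    """Index of the first block whose hash or back-link is wrong; None if intact."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None

def reconcile(nodes):
    """Replace any chain that fails validation or whose tip disagrees with the majority."""
    tips = Counter(c[-1]["hash"] for c in nodes.values() if first_invalid_block(c) is None)
    majority_tip = tips.most_common(1)[0][0]  # majority-of-tips stands in for real consensus
    def healthy(c):
        return first_invalid_block(c) is None and c[-1]["hash"] == majority_tip
    good = next(c for c in nodes.values() if healthy(c))
    bad = sorted(n for n, c in nodes.items() if not healthy(c))
    return bad, {n: (copy.deepcopy(good) if n in bad else c) for n, c in nodes.items()}

def demo():
    records = [{"file": f"q{i}.xlsx", "sha256": "x" * 8} for i in range(3)]  # constructed
    nodes = {n: build_chain(records) for n in ("A", "B", "C")}  # three identical replicas
    nodes["B"][1]["data"]["sha256"] = "tampered"       # alter stored data on one node only
    broken_at = first_invalid_block(nodes["B"])        # 1: block 1 no longer matches its hash
    nodes["B"][1]["hash"] = block_hash(nodes["B"][1])  # re-hashing it only moves the break...
    broken_next = first_invalid_block(nodes["B"])      # 2: ...to block 2, whose back-link fails
    bad, repaired = reconcile(nodes)                   # B is restored from a healthy peer
    return broken_at, broken_next, bad, first_invalid_block(repaired["B"])
```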

Databases built from blockchain technology are the future for cybersecurity. Malicious attacks of ransomware can be stopped in their tracks without significant downtime or data loss.

Securing data at rest and in motion

Axel is committed to this vision. That’s why blockchain encryption is the backbone of our Axel Go filesharing platform. Axel Go ensures your files are secure, private, and accessible from anywhere. In the age of multimillion-dollar hacker organizations, you can trust that your sensitive data is safe with us. Download it today and try it out for yourself. We’re securing data at rest and in motion.


[1] Michael Liedtke, “Biden, Gates, other Twitter accounts hacked in Bitcoin scam”, AP News, Jul. 15 2020, https://apnews.com/95f55c9846e880f23791845f5d0c3f38

[2] Josh Solomon, “Bail in Twitter hack: $725,000. Tampa teen’s assets: $3 million in Bitcoin”, Tampa Bay Times, Aug. 2 2020, https://www.tampabay.com/news/crime/2020/08/01/twitter-teen-makes-first-court-appearance-in-tampa/

[3] Robert McMillan, Dustin Volz, “FBI investigates Twitter Hack Amid Broader Concerns About Platform’s Security”, The Wall Street Journal, Jul. 17 2020, https://www.wsj.com/articles/fbi-investigates-twitter-hack-amid-broader-concerns-about-platforms-security-11594922537

[4] Andrew Roth, “US Charges Russian ‘Evil Corp’ hackers with $100m banking scheme”, The Guardian, Dec. 5 2019, https://www.theguardian.com/technology/2019/dec/05/evil-corp-hack-us-feds-charge-russian-hackers
