Ransomware: Double Extortion Attacks Continued - Intrusion via Exploiting VPN Gateway Vulnerability

Release Date: 13 Oct 2020 5669 Views

During the back-to-school season, HKCERT noticed that ransomware attacks have been targeting educational institutions all over the world while the trend of double extortion attacks continued. Related ransomware, such as Maze and Netwalker, were also very active. Users must stay vigilant.

According to research by international cyber threat intelligence company “Recorded Future”, there were 9 ransomware attacks against educational institutions in just over two months from July to early September this year, 4 of them against universities[1][2]. Also, Newcastle University in UK was forced to suspend most of its information technology services due to the attack[3] recently. In fact, targets of the ransomware are not limited to educational institutions. Other organisations including banks, hospitals, governments and power companies, etc., have also fallen victims to such attacks.

The Ransomware “Maze” and “Netwalker” are becoming More Active

In July this year, the HKCERT published an article titled "Ransomware Evolved: Double Extortion and Fake Decryptor", touting double extortion as a new trend in ransomware attacks. Maze is the most active ransomware using this approach. We found that Maze related attacks has risen continuously with many large enterprises, such as Canon, LG, and Xerox, became the victims. According to the analysis by information security experts, both LG and Xerox’s Citrix ADC servers had CVE-2019-19781 vulnerabilities. It was likely that Maze exploited this vulnerability to hack into those systems, and then stole and encrypted their data, finally paralysing the systems [4].

We noticed that another criminal gang which uses Netwalker ransomware for double extortion is becoming more active as well, even providing Ransomware-as-a-service to its members. Recently, many large enterprises such as Equinix and K-Electric, have been successfully hacked by Netwalker operators [5]. The University of California San Francisco also paid US$ 1.14 million of ransom for being extorted[6]. Studies have found that Netwalker usually compromises the networks of large organizations through unpatched VPN applications, weak passwords of remote desktop service or web applications[7].

Ransomware Attacks Can Cause Serious Impact

Besides direct financial losses, ransomware attacks may also cause casualties indirectly. Recently, the University Hospital Dusseldorf in Germany was mistaken by hackers to be the University of Dusseldorf and found itself subject to DoppelPaymer ransomware attack. This attack also exploited the CVE-2019-19781 vulnerability of the Citrix ADC server, causing part of the medical services to be suspended. Patients in critical condition were forced to be sent to other hospitals, consequently claiming the live of one of them due to delayed treatment [8].

As stated above, ransomware attacks can cause severe consequences which demand protective actions to be taken early. According to "The State of Ransomware 2020" published by Sophos, hackers most often spread ransomware by phishing emails with malicious links, followed by remote attacks on servers and emails with malicious attachments [9]. These three kinds of ransomware attack tactics have accounted for around 70% of the total cases. HKCERT advises users not to click any links or open any attachments when receiving suspicious emails. Enterprises should carefully protect their servers via disabling unnecessary ports and deploying firewalls to mitigate the risk of remote attacks.

To learn more about the security advice to deal with ransomware attacks, please refer to the security blog "Ransomware Evolved: Double Extortion and Fake Decryptor".