Despite promises from some ransomware groups to avoid targeting healthcare organizations (HCOs) during the COVID-19 crisis, multiple campaigns decided to activate in early April after months of planning, according to Microsoft.
The firm’s threat protection intelligence team said the highly targeted “human-operated” attacks it has been monitoring began at the start of the year, when the victims’ networks were first compromised.
The decision to activate the deployments in the first two weeks of April can therefore be seen as a deliberate ploy to maximize financial returns. Groups including Maze, NetWalker, DoppelPaymer and CLOP had promised to hold fire on HCOs during the pandemic.
Several weaknesses in victim organizations have been exploited: RDP or virtual desktop endpoints without multi-factor authentication, end-of-life platforms like Windows Server 2003, misconfigured web servers, Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781 and Pulse Secure VPN systems affected by CVE-2019-11510.
Attackers use tactics familiar to classic APT-style multi-stage breaches, including credential theft, lateral movement using tools such as Mimikatz and Cobalt Strike, network reconnaissance, persistence and data exfiltration.
In fact, according to Microsoft, organizations should now assume that data has been taken as part of a ransomware attack if the payload is RobbinHood, Maze, PonyFinal, Vatet loader, REvil or NetWalker. Other ransomware families used in similar attacks include Paradise, RagnarLocker, MedusaLocker and LockBit.
“While only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold data yet,” it said.
Microsoft advised HCOs and organizations in other affected sectors to urgently investigate affected endpoints and credentials and address internet-facing weaknesses. It also warned that the following vulnerabilities may soon be exploited by the same ransomware gangs: CVE-2019-0604, CVE-2020-0688, CVE-2020-10189.
“As ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools,” it concluded.
“You should continue to enforce proven preventive solutions — credential hygiene, minimal privileges and host firewalls — to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.”
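The weaknesses the article lists (remote access without MFA, end-of-life platforms, unpatched Citrix ADC and Pulse Secure VPN appliances) and the three CVEs Microsoft flags as likely next targets make a compact triage rule set. The script below is an added example, not Microsoft's code and not from the article: it walks a constructed inventory of internet-facing assets and orders findings so the actively exploited exposures surface first. The `Asset` fields, the host names and the severity labels are assumptions made for the example; which product each CVE affects is taken only as far as the article states it.

```python
"""Triage an internet-facing asset inventory against the exposure types
named in the article (example code; inventory and field names are constructed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# CVEs the article reports as already exploited, with the product it names for each.
EXPLOITED_CVES = {
    "CVE-2019-19781": "Citrix ADC",
    "CVE-2019-11510": "Pulse Secure VPN",
}
# CVEs Microsoft warned may be exploited next; the article names no product for them.
WATCHLIST_CVES = {"CVE-2019-0604", "CVE-2020-0688", "CVE-2020-10189"}
END_OF_LIFE_PLATFORMS = {"Windows Server 2003"}

SEVERITY_RANK = {"critical": 0, "high": 1}


@dataclass
class Asset:
    """One internet-facing host from a hypothetical asset inventory."""
    host: str
    platform: str
    remote_access: Optional[str] = None      # "RDP" or "VDI" when such a service is exposed
    mfa_enforced: bool = False
    unpatched_cves: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    host: str
    severity: str
    issue: str
    action: str


def assess_asset(asset: Asset) -> List[Finding]:
    """Map one asset onto the weaknesses the article lists."""
    findings: List[Finding] = []
    if asset.remote_access and not asset.mfa_enforced:
        findings.append(Finding(asset.host, "critical",
                                f"{asset.remote_access} exposed without MFA",
                                "enforce MFA or remove the service from the internet edge"))
    if asset.platform in END_OF_LIFE_PLATFORMS:
        findings.append(Finding(asset.host, "high",
                                f"end-of-life platform {asset.platform}",
                                "isolate and migrate; no vendor patches are available"))
    for cve in sorted(asset.unpatched_cves):
        if cve in EXPLOITED_CVES:
            findings.append(Finding(asset.host, "critical",
                                    f"{cve} unpatched on {EXPLOITED_CVES[cve]} (actively exploited)",
                                    "patch immediately and investigate for earlier compromise"))
        elif cve in WATCHLIST_CVES:
            findings.append(Finding(asset.host, "high",
                                    f"{cve} unpatched (on Microsoft's watchlist)",
                                    "patch before the next maintenance window"))
    return findings


def prioritise(inventory: List[Asset]) -> List[Finding]:
    """Assess every asset and order findings critical-first, then by host name."""
    findings = [f for asset in inventory for f in assess_asset(asset)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host))


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    Asset("hco-rdp-01", "Windows Server 2016", remote_access="RDP", mfa_enforced=False),
    Asset("hco-legacy-02", "Windows Server 2003"),
    Asset("hco-adc-03", "Citrix ADC", unpatched_cves={"CVE-2019-19781"}),
    Asset("hco-app-04", "Windows Server 2019", unpatched_cves={"CVE-2020-0688"}),
    Asset("hco-vdi-05", "Windows Server 2019", remote_access="VDI", mfa_enforced=True),
]


def report(inventory: List[Asset] = SAMPLE_INVENTORY) -> List[str]:
    """Render the prioritised findings as one line each."""
    return [f"[{f.severity.upper()}] {f.host}: {f.issue} -> {f.action}"
            for f in prioritise(inventory)]


if __name__ == "__main__":
    print("\n".join(report()))
```

On the sample inventory the two critical findings (the unpatched Citrix ADC and the RDP endpoint without MFA) come out ahead of the watchlist CVE and the end-of-life host, and the VDI gateway with MFA enforced produces nothing, which is the ordering a defender wants when the article's advice is to address internet-facing weaknesses first.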