Not every ransomware attack is an unmitigated disaster. But even the most prepared organizations, it seems, can have small-scale disasters in the era of mass scans, spear phishes, and targeted ransomware.
Just a few months after staging a ransomware exercise for its member credit unions, the Credit Union National Association (CUNA) experienced what a spokesperson described as a “business disruption issue”—caused by ransomware, according to a source that spoke with TechCrunch’s Zack Whittaker. By late on February 4, the site had been fully restored. Jim Nussle, CUNA’s president and CEO, sent a message to members on February 5:
We are pleased to share that as of last night, we have restored access to our site and other online resources. We want to thank you for your patience as we worked around the clock to restore these systems. We apologize for the inconvenience and frustration this may have caused as you had trouble accessing our services.
CUNA spokesperson Vicky Christner told Whittaker that “CUNA does not store Social Security numbers or credit card numbers of our members” and that “there no evidence to suggest that any data in our system—such as names, businesses addresses and email addresses—have been accessed.”
CUNA’s recovery demonstrated that the organization had taken the threat of ransomware seriously internally as well as in the exercise it staged with member credit unions. But it also shows that even organizations that believe they’re prepared for ransomware attacks can take painful business hits from ransomware, even when its effects are contained.
A quick Internet search for instances of the Ryuk ransomware’s HTML “readme” file by Ars produced a list of recent Ryuk victims who have had widely varying experiences. One was Dallas-based emergency medicine transcription system provider T-System, which was hit by Ryuk in December. The company’s Advanced Coding System service was taken offline for several days, affecting the work flows in emergency rooms and clinics served by the company.
“We had a full recovery and were completely back online within a week,” Eric Feid, T-System’s director of sales operations and marketing, told Ars. “Because of our early detection of the incident and our architecture, we did not experience an impact on unsecured [patient health information] or other personal information.”
Others have not been so lucky. Also in the search results was the defense contractor Electronic Warfare Associates, which as ZDNet’s Catalin Cimpanu reported on January 29, was hit with Ryuk sometime in late January. Several of the company’s websites were taken down by the attack and still remain offline. And Lincoln County School District in Mississippi, which was taken offline by Ryuk ransomware in November 2019, has still not brought its Internet-facing services back online over three months later.
Having good backups and responding quickly to the execution of ransomware malware can help limit the damage done by an attack, but ransomware operators are beginning to adapt as well—in ways that fundamentally change the model of ransomware attacks.
The end of “no breach” ransomware
CUNA’s belief that no personally identifying information was breached in the ransomware attack is common among victims of ransomware—and that’s partially because ransomware operators had previously avoided claiming they had access to victims’ data in order to maintain the “trust” required to extract a payment. Cyber insurance has made paying out an attractive option in cases where there’s no need for an organization to reveal a breach, so the economics had favored ransomware attackers who provided good “customer service” and gave (usually believable) assurances that no data had been taken off the victims’ networks.
Unfortunately, that sort of model is being blown up by the Maze and Sodinokibi (REvil) ransomware rings, which have adopted a model of using stolen data as leverage to ensure customers will make a payment. Even in cases where a victim can relatively quickly recover from a ransomware attack, they still will face demands for payment in order to avoid the publication or sale of information stolen by the attackers before the ransomware was triggered.
Maze and REvil are targeted ransomware attacks that break from the established norm of ransomware attacks in other ways. Telling users not to click on email attachments and to recognize phishing sites isn’t stopping these attackers from getting in. Both have relied on exploits of known weaknesses in Internet-facing infrastructure of their victims—be it an Oracle WebLogic vulnerability, a long-ago patched weakness in Pulse Secure VPN servers, or hacks of managed service providers’ systems.
Ars has been tracking activities on Maze’s “customer” portal, where the group posts proofs of breaches and “full dumps” of data from victims who did not pay the ransom in time. As we reported in January, the Maze operators gave the City of Pensacola a reprieve from their data dump, removing files that had been dumped from their site as a “gift” to the city—but had data on dozens of other victims. Some of those victims, including a radiology clinic in California, have apparently paid to have their “dumps” removed. It is not clear that any of these victims, including the clinic, have disclosed the breaches to customers or others who were potentially affected.
Other organizations have not paid before Maze’s deadline and have had larger tranches of data posted as a result—including a Michigan-based grocery chain and the Houston law firm Baker Wotring LLP (with client-protected information and medical information associated with a lawsuit included). Ars reached out to both companies; a Baker Wotring representative said the firm is not speaking to press about the matter and that the firm is aware of the breach. The grocery chain, Busch Inc., has not responded to calls or emails.
Meanwhile, the REvil ring has posted content from victims on Russian hacker forums. While this sort of behavior runs counter to the long-worn “customer service” ethic of other ransomware operators, it shows that having a good backup is no longer enough to prevent real damage from ransomware.