
Latest Cybersecurity News 2021-11-08 Edition


Weekly CyberTip: Four reasons not to pay ransomware demands

1. Funds likely go to support further criminal or terrorist enterprises.
2. Successful ransom demands encourage further attacks, with possibly even higher ransoms involved.
3. There’s no guarantee you’ll get a decryption key, or that the key will work even if you do get one.
4. Similarly, there’s no guarantee that your data hasn’t also been exfiltrated, and you’ll be facing a further ransom demand not to disclose this information on the dark web.

NL Health Minister still quiet on nature of cyber attack

As the cyber attack on the Newfoundland & Labrador (NL) health system enters its second week, there is still no word on the nature of the ransomware involved, whether data has been exfiltrated, or details on any demands made by the attackers.

On November 3, NL Health Minister John Haggie confirmed that the provincial health network’s data centre had fallen victim to a cyber attack, adding: “Those involved in the attack may actually be monitoring what we are saying in media and on the floor of the (legislature).” He defended the stance of taking every measure to avoid any action that would compromise the investigation and recovery efforts. Statements on November 5 still declined to provide specifics on the incident.

The province’s healthcare system is reeling after the attack, with thousands of appointments cancelled and staff resorting to manual processes and paper records to manage case loads in the absence of online resources and systems. In a statement on November 1, Haggie told reporters that the “brain” of the healthcare network’s data centre had been damaged, including both its main and backup computer systems. The incident is being described in some corners as the worst cyber attack in Canadian history.

Email service for the Eastern region health unit was restored on November 4, but the other regions are still without email and related communications. According to a CBC report, emergency services are still being handled, but most non-emergency services are being postponed across the province.

Each of the province’s four health units is providing its own periodic – usually daily – updates on its local service status:

– Eastern Health at https://www.easternhealth.ca/it-systems-outage/

– Central Health at https://www.centralhealth.nl.ca/post/update-central-health-services-up-to-monday-november-8-2021

– Western Health at https://westernhealth.nl.ca/news/944/603/Services-Impacted-by-IT-Systems-Outage-at-Western-Health/

– Labrador-Grenfell Health at https://www.lghealth.ca/latest-news/

Meanwhile, the provincial government of Newfoundland & Labrador has aggregated its press briefings on the matter on its YouTube channel.


BlackMatter ransomware gang shutting down operations

According to a Twitter post from security researchers at vx-underground, the ransomware-as-a-service provider BlackMatter has announced through their Russian-language dark web portal that they will be ceasing operations, citing pressure from local authorities. The researchers posted a screen shot from the BlackMatter website – translated from Russian, the home page advises: “Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – project is closed.” By November 5, “the entire infrastructure will be turned off, allowing: issue mail to companies for further communication and get decryptor. For this write ‘give a decryptor’ inside the company chat, where necessary. We wish you all success, we were glad to work.”

BlackMatter is believed to be responsible for the attack on Japanese technology company Olympus in September and several critical infrastructure organizations earlier this year, including two companies in the American agriculture sector.

Most observers assume the gang members will re-appear in another form, but the shutdown signals that heightened law-enforcement pressure is disrupting the ransomware-as-a-service industry. BlackMatter itself is believed to be a rebranding of the DarkSide ransomware gang, which launched the infamous attack on Colonial Pipeline in May 2021.


$10-million reward offered to track down DarkSide ransomware gang leadership

The U.S. Department of State is offering a reward of up to $10 million (all figures USD) for information that helps to identify or track down leaders of the infamous DarkSide ransomware group.

The State Department is also offering up to $5 million for information that leads to the arrest or conviction of anyone – in any country – “conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident”.

“In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cybercriminals,” the State Department said. “The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware.”


Zero-Day vulnerability in Android under active, targeted attack

Google has rolled out security patches for Android with fixes for 39 flaws, including a zero-day vulnerability for which it is seeing indications of “limited, targeted exploitation”.

Tracked as CVE-2021-1048, the flaw is a “use-after-free” vulnerability: a class of bug in which code keeps using a block of memory after it has been freed, so an attacker who can get that memory reallocated controls what the stale reference reads or writes. It can be exploited for local privilege escalation and potentially full control over a victim’s device.
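As an added illustration (not code from Google or the Android advisory, and not the details of CVE-2021-1048, which Google has not published), the following C program models the use-after-free pattern on a toy slab allocator. A freed slot is handed straight back to the next same-sized allocation, so an attacker who allocates an object of the same size after a privileged object is freed controls the bytes that any stale reference to that object still reads. The slab, the `cred` structure and the `CAP_ADMIN` bit are hypothetical stand-ins for kernel objects; the hardened variant is likewise my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab: every object is SLOT_SIZE bytes and a freed slot goes on a LIFO
 * free list, so the next allocation gets the slot just released. This is the
 * property (not the code) of real slab caches that makes use-after-free
 * exploitable: the attacker can "reclaim" the freed memory with their own data. */
#define SLOTS 4
#define SLOT_SIZE 16
static unsigned char pool[SLOTS][SLOT_SIZE];
static int freelist[SLOTS];
static int free_top;

void slab_init(void) {
    for (int i = 0; i < SLOTS; i++) freelist[i] = i;
    free_top = SLOTS;
}

void *slab_alloc(void) {
    if (free_top == 0) return NULL;
    void *p = pool[freelist[--free_top]];
    memset(p, 0, SLOT_SIZE);
    return p;
}

void slab_free(void *p) {
    int slot = (int)(((unsigned char *)p - &pool[0][0]) / SLOT_SIZE);
    freelist[free_top++] = slot;          /* slot is now first in line for reuse */
}

/* Hypothetical privileged object that shares the cache with attacker-sized
 * buffers. 16 bytes, exactly one slot. */
#define CAP_ADMIN 0x80000000u
struct cred { uint32_t uid, gid, caps, pad; };

/* The "later" privileged check: reads the credential through whatever
 * reference the caller kept. memcpy keeps the read well-defined in C. */
static bool is_admin(const void *cred_ref) {
    if (cred_ref == NULL) return false;   /* no live object: fail closed */
    struct cred c;
    memcpy(&c, cred_ref, sizeof c);
    return (c.caps & CAP_ADMIN) != 0;
}

/* Attacker step: allocate a same-sized object and fill it with chosen bytes
 * (constructed payload: uid = gid = 0, caps = CAP_ADMIN). */
static void *attacker_reclaim(void) {
    void *n = slab_alloc();
    unsigned char payload[SLOT_SIZE] = {0};
    uint32_t caps = CAP_ADMIN;
    memcpy(payload + offsetof(struct cred, caps), &caps, sizeof caps);
    memcpy(n, payload, SLOT_SIZE);
    return n;
}

/* Vulnerable flow: the cred is freed, but a second reference to it survives
 * and is dereferenced after the attacker has reused the slot. */
bool vulnerable_flow(void) {
    slab_init();
    void *cred = slab_alloc();
    struct cred unprivileged = { 1000, 1000, 0, 0 };
    memcpy(cred, &unprivileged, sizeof unprivileged);
    const void *cred_ref = cred;          /* alias kept elsewhere, e.g. cached in another struct */
    slab_free(cred);                      /* object dies; cred_ref now dangles */
    attacker_reclaim();                   /* same slot, attacker's bytes */
    return is_admin(cred_ref);            /* reads CAP_ADMIN from attacker data: true */
}

/* Hardened flow: the alias is invalidated at the point of free, so the stale
 * read cannot reach the reclaimed slot. */
bool hardened_flow(void) {
    slab_init();
    void *cred = slab_alloc();
    struct cred unprivileged = { 1000, 1000, 0, 0 };
    memcpy(cred, &unprivileged, sizeof unprivileged);
    const void *cred_ref = cred;
    slab_free(cred);
    cred_ref = NULL;                      /* every alias must die with the object */
    attacker_reclaim();
    return is_admin(cred_ref);            /* false */
}

/* Sanity check on the allocator property the attack depends on. */
bool slab_reuses_freed_slot(void) {
    slab_init();
    void *a = slab_alloc();
    slab_free(a);
    return slab_alloc() == a;
}

int main(void) {
    printf("slab reuses freed slot: %d\n", slab_reuses_freed_slot());
    printf("vulnerable flow grants admin: %d\n", vulnerable_flow());
    printf("hardened flow grants admin:  %d\n", hardened_flow());
    return 0;
}
```

Build with `cc -std=c11 -Wall uaf_demo.c`. Nulling the alias only covers the reference you can see; in a kernel the equivalent discipline is reference counting, so the object is not freed while any holder still uses it, backed by hardening such as poisoning freed memory so a stale read fails loudly rather than returning attacker data.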

Google has not revealed any technical details of the vulnerability or the specific nature of the attacks seen in the wild, in order to afford users time to patch the vulnerabilities. Full details for all 39 fixes in the November release are provided on the Android advisory portal.
