Ransomware cyber-attacks in Costa Rica and Peru drive national response

Highlights

  • Effectively, one out of every 60 organizations globally has been impacted by attempted ransomware attacks every week so far in the first four months of 2022
  • A 14% increase in attempted ransomware attacks on organizations globally every week, compared to the same period last year

To mark the 5th anniversary of the WannaCry attack, Check Point has created a Ransomware hub with reports, blogs, webinars, podcasts, videos and live statistics around ransomware attacks and their impact. To find out more, visit this link.

Ransomware cyber-attacks drive national response

Amid large-scale ransomware attacks in Costa Rica and Peru, both reportedly executed by the infamous Conti ransomware gang, the US State Department issued a statement on May 6th offering a reward of up to US$10 million for information leading to the identification or location of individuals involved in the Conti ransomware group.
Earlier, Costa Rica had declared a national emergency after the Conti ransomware attacks, which led to a 672GB leak of data belonging to Costa Rican government agencies being published by the Conti group.

The Conti group demanded a $10 million ransom from the Costa Rica government, which declined to pay.

In Peru, the group attacked the “National Directorate of Intelligence”, the country’s intelligence agency, and according to a screenshot posted on Twitter has stolen 9.1GB of data. The Conti ransomware gang also posted that they are “giving Peru a head start to look for them in their networks, despite the fact they refused to cooperate”.

One out of 60 organizations globally impacted by ransomware

In the first four months of 2022, Check Point Research (CPR) reports that on average, one out of every 60 organizations globally has been impacted by an attempted ransomware attack every week – a 14% increase YoY.

About Conti Ransomware group

For a while, the Conti gang was the face of ransomware, along with fellow gang REvil – until this February, when 14 REvil operatives were arrested by the Russian authorities, leaving Conti effectively alone in its position as a major-league ransomware operation. The Conti ransomware group was first seen in the wild in 2020 and is believed to be led by a Russia-based group. Since its emergence, it has been the perpetrator of multiple attacks against organizations worldwide. Its modus operandi is to reveal its identity only at the final stage of a successful intrusion into the victim’s network. Initial intrusions might be performed using spear-phishing campaigns, stolen or weak credentials for RDP, or phone-based social engineering campaigns.

On February 25th, 2022, Conti released a statement pledging full support for the Russian government — coupled with a stern warning addressed to anyone who might consider retaliating against Russia, via digital warfare.

On February 27th, 2022, a new Twitter account appeared by the name of “ContiLeaks” and started doing unto Conti as they often did unto corporations who would not pay up. Allegedly a Ukrainian security researcher, ContiLeaks published a huge log containing hundreds of thousands of Jabber and Rocket.Chat messages that the Conti group had used for internal communication.

CPR researchers have analyzed these leaks in a detailed blog and provided insights into how the Conti group is run and operates.

How to Protect Against Ransomware

Proper preparation can dramatically decrease the cost and impact of a ransomware attack. Following these best practices can reduce an organization’s exposure to ransomware and minimize its impact:

  1. Cyber Awareness Training and Education: Ransomware is often spread using phishing emails. Training users to identify and avoid potential ransomware attacks is crucial. Many current cyber-attacks start with a targeted email that contains no malware at all, only a socially engineered message that encourages the user to click a malicious link, so user education is often considered one of the most important defenses an organization can deploy.
  2. Continuous Data Backups: Ransomware is, by definition, malware designed to force a ransom payment as the only way to restore access to the encrypted data. Automated, protected data backups enable an organization to recover from an attack with minimal data loss and without paying a ransom. Maintaining regular backups as a routine process is an important practice for avoiding data loss and for recovering from corruption or disk hardware failure; functional backups also help organizations recover from ransomware attacks.
  3. Patching: Patching is a critical component in defending against ransomware attacks, as cyber-criminals will often look for the latest vulnerabilities disclosed by newly released patches and then target systems that are not yet patched. As such, it is critical that organizations ensure that all systems have the latest patches applied, as this reduces the number of potential vulnerabilities within the business for an attacker to exploit.
  4. User Authentication: Accessing services like RDP with stolen user credentials is a favorite technique of ransomware attackers. The use of strong user authentication can make it harder for an attacker to make use of a guessed or stolen password.
  5. Reduce the Attack Surface: With the high potential cost of a ransomware infection, prevention is the best ransomware mitigation strategy. This can be achieved by reducing the attack surface by addressing:
     • Phishing messages
     • Unpatched vulnerabilities
     • Remote access solutions
     • Mobile malware
  6. Deploy an Anti-Ransomware Solution: The need to encrypt all of a user’s files means that ransomware has a unique fingerprint when running on a system. Anti-ransomware solutions are built to identify those fingerprints. Common characteristics of a good anti-ransomware solution include:
     • Wide variant detection
     • Fast detection
     • Automatic restoration
     • A restoration mechanism not based on common built-in tools (like ‘Shadow Copy’, which is targeted by some ransomware variants)
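The "unique fingerprint" mentioned in the anti-ransomware item is behavioural: one process rewriting many files in a short window with high-entropy (encrypted-looking) content and renaming them to a new extension. The following is an added example, written for this page rather than taken from Check Point or any product: a small sliding-window detector run over a constructed file-event log. The process names, paths, thresholds (10-second window, 20 distinct files, 7.0 bits/byte entropy) and the event format are all assumptions chosen for illustration; a real endpoint sensor would feed it actual write and rename events.

```python
"""Behavioural ransomware-fingerprint detector over a constructed file-event log.

Added example (not Check Point code): flags a process that, within a short
window, rewrites many distinct files with high-entropy content or renames them
to a new extension. Thresholds and sample events are assumptions for the demo.
"""
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds since monitor start (constructed clock)
    pid: int
    process: str
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # target path for a rename
    data: bytes = b""    # content sample captured for a write


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed output sits near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension_changed(path: str, new_path: str) -> bool:
    """True when a rename swaps the file extension (e.g. report.xlsx -> report.xlsx.locked)."""
    old_ext = path.rsplit(".", 1)[-1].lower()
    new_ext = new_path.rsplit(".", 1)[-1].lower()
    return old_ext != new_ext


class RansomwareDetector:
    def __init__(self, window_s=10.0, min_files=20, entropy_threshold=7.0):
        self.window_s = window_s                  # how far back to look, in seconds
        self.min_files = min_files                # distinct files touched before alerting
        self.entropy_threshold = entropy_threshold
        self._recent = defaultdict(deque)         # pid -> deque of (ts, path) suspicious events
        self.alerts = []

    def _suspicious(self, ev: FileEvent) -> bool:
        if ev.op == "write":
            return shannon_entropy(ev.data) >= self.entropy_threshold
        if ev.op == "rename":
            return extension_changed(ev.path, ev.new_path)
        return False

    def feed(self, ev: FileEvent):
        """Consume one event; return an alert dict the first time a pid crosses the threshold."""
        if not self._suspicious(ev):
            return None
        q = self._recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.window_s:   # drop events outside the window
            q.popleft()
        touched = {p for _, p in q}
        already = {a["pid"] for a in self.alerts}
        if len(touched) >= self.min_files and ev.pid not in already:
            alert = {"pid": ev.pid, "process": ev.process, "files": len(touched), "ts": ev.ts}
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample content: bytes(range(256)) * 4 has exactly 8.0 bits/byte entropy.
HIGH_ENTROPY = bytes(range(256)) * 4
TEXT = b"Quarterly figures, see attached spreadsheet.\n" * 20


def build_sample_log():
    """Constructed event log: two benign processes and one simulated encryptor."""
    events = []
    # Benign: a word processor repeatedly saving one low-entropy document.
    for i in range(40):
        events.append(FileEvent(i * 0.2, 1001, "winword.exe", "write",
                                r"C:\Users\ana\report.docx", data=TEXT))
    # Benign: a backup agent writing compressed (high-entropy) archives, but only one per window.
    for i, t in enumerate((0.0, 30.0, 60.0)):
        events.append(FileEvent(t, 2002, "backup_agent.exe", "write",
                                rf"D:\backups\set{i}.zip", data=HIGH_ENTROPY))
    # Simulated encryptor (hypothetical name): rewrites and renames 30 files in 1.5 seconds.
    for i in range(30):
        p = rf"C:\Users\ana\Documents\file{i:03}.xlsx"
        t = 5.0 + i * 0.05
        events.append(FileEvent(t, 4242, "svchost_update.exe", "write", p, data=HIGH_ENTROPY))
        events.append(FileEvent(t + 0.01, 4242, "svchost_update.exe", "rename", p, new_path=p + ".locked"))
    events.sort(key=lambda e: e.ts)
    return events


def run_detector(events=None):
    """Replay a log through the detector and return the alerts it raised."""
    det = RansomwareDetector()
    for ev in (events if events is not None else build_sample_log()):
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for a in run_detector():
        print(f"ALERT t={a['ts']:.2f}s pid={a['pid']} {a['process']} touched {a['files']} files")
```

Replayed against the constructed log, only the simulated encryptor (pid 4242) trips the detector, at the twentieth distinct file; the editor never writes high-entropy data and the backup agent never touches enough files inside one window. The same two-signal design (entropy plus extension change) is what lets a solution cover many variants at once, since it keys on what encryption does to files rather than on any one family's code.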

Reach out for help

The Check Point Incident Response Team (IRT) is available 24x7x365 to deliver security incident handling. If your organization has fallen prey to a ransomware attack, Check Point’s security experts will help you contain the threat, minimize its impact, and keep your business running. After full containment, our experts will work with you to strengthen your cybersecurity controls in order to thwart further attacks.

The statistics and data used in this report present data detected by Check Point’s Threat Prevention technologies, stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research (CPR), the Intelligence & Research arm of Check Point.