Introduction
In Spring 2022, Lincoln College announced that it would permanently close on May 13 and noted that a December 2021 ransomware attack had contributed to its closure. Unfortunately, at the same time that Lincoln College was struggling in vain to remain open, other SLED (state, local and educational) institutions were suffering new ransomware attacks, despite years of consistent warnings of ransomware groups’ particularly heavy targeting of those sectors and previous research finding that educational institutions and local governments may be less capable of detecting attacks than other targets and more likely to pay ransoms to attackers in the wake of an incident.
Particularly Active Groups: ALPHV/BlackCat and LockBit 2.0
Of the year’s publicly disclosed ransomware attacks against higher education and local government, the LockBit 2.0 and ALPHV/BlackCat groups have figured particularly prominently. Both groups have claimed responsibility for a number of 2022 attacks against colleges and universities. ALPHV has also attacked local governments: On June 3, 2022, the town of Alexandria, Louisiana, reported that it had suffered a breach resulting from an attack by ALPHV. Commentators have noted that, in addition to the more predictable threats to leak data that it directed at state officials, the group took a particularly aggressive stance against media coverage.
ALPHV and LockBit 2.0 are both ransomware-as-a-service (RaaS) operations that reportedly conduct double and, in some cases, triple extortion against their victims – they not only threaten to publish stolen data on their leak sites but also occasionally launch distributed denial of service (DDoS) attacks against their victims to apply additional pressure by way of further disruptions to their operations and recovery efforts.
LockBit 2.0 appeared in Summer 2021 as a successor to the earlier LockBit ransomware operation, which first surfaced in 2019. According to an FBI advisory released in February 2022, LockBit 2.0’s affiliates have accessed target systems by a variety of means, including remote access purchased through initial access brokers, exploitation of vulnerabilities both novel and published, and malicious insiders. More recent analysis of the group found that LockBit 2.0’s operators have sought affiliates to compromise target systems through phishing, remote services including RDP and VPN, previously exposed credentials, and insider access.
ALPHV first appeared in early December 2021. Like other ransomware operations, the group steals documents from victim systems in order to conduct secondary extortion and uses Cobalt Strike after initially compromising victim systems. More recent research found that some BlackCat affiliates have exploited a Microsoft Exchange vulnerability to initially access unpatched servers. Although the research does not explicitly name the Exchange vulnerability in question, it may be the widespread ProxyLogon vulnerability that was first disclosed in early 2021, given that researchers link to guidance about it.
Case Studies: Alexandria, Louisiana and Somerset County, New Jersey
SecurityScorecard investigated recent attacks against the local governments of Alexandria, Louisiana, and Somerset County, New Jersey, identifying suspicious activity on both governments’ networks in the weeks before the attacks. The suspicious IP addresses observed communicating with the Alexandria, Louisiana, city government are the following:
149.255.169[.]10
41.93.45[.]129
41.93.45[.]130
178.128.55[.]198
The following are the suspicious IP addresses observed communicating with the Somerset County government:
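As an added example (not code from the SecurityScorecard report), the following Python script refangs the Alexandria indicators listed above, scans firewall log lines for connections from them, and measures how many days before the June 3 disclosure the earliest match appears; the log format and the sample log lines are constructed assumptions.

```python
from __future__ import annotations
import re
from datetime import datetime
# Indicators as the report lists them for Alexandria, in defanged "[.]" form.
ALEXANDRIA_IOCS = [
    "149.255.169[.]10",
    "41.93.45[.]129",
    "41.93.45[.]130",
    "178.128.55[.]198",
]

# Constructed sample firewall log lines (not from the report); the assumed format is "<ISO timestamp> <action> src=<ip> dst=<ip> dport=<port>".
SAMPLE_LOG = """\
2022-05-10T02:14:07Z ALLOW src=41.93.45.129 dst=10.20.0.15 dport=3389
2022-05-10T02:14:09Z ALLOW src=203.0.113.7 dst=10.20.0.15 dport=443
2022-05-18T23:41:52Z ALLOW src=178.128.55.198 dst=10.20.0.22 dport=443
2022-05-19T00:03:11Z DENY src=41.93.45.130 dst=10.20.0.22 dport=22
2022-05-31T11:20:45Z ALLOW src=198.51.100.3 dst=10.20.0.40 dport=80
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def refang(ioc: str) -> str:
    """Turn the report's defanged notation ("[.]") back into a matchable IP."""
    return ioc.replace("[.]", ".")

def find_ioc_hits(log_text: str, defanged_iocs: list[str]) -> list[dict]:
    """Return each parsed log line whose source IP is a listed indicator."""
    watch = {refang(i) for i in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["src"] in watch:  # unparseable lines are skipped, not errors
            hits.append({"ts": m["ts"], "action": m["action"], "src": m["src"],
                         "dst": m["dst"], "dport": int(m["dport"])})
    return hits

def lead_time_days(hits: list[dict], incident_date: str) -> int | None:
    """Days from the earliest hit to the incident date (how much warning the
    logs held); None when nothing matched."""
    if not hits:
        return None
    first = min(datetime.fromisoformat(h["ts"].replace("Z", "+00:00")) for h in hits)
    incident = datetime.fromisoformat(incident_date + "T00:00:00+00:00")
    return (incident - first).days
```

Calling `find_ioc_hits(SAMPLE_LOG, ALEXANDRIA_IOCS)` and then `lead_time_days(hits, "2022-06-03")` on the sample shows three indicator contacts, the first of them more than three weeks before the disclosure date.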
Findings:
Recent incident response efforts in which SecurityScorecard was involved indicate that ransomware groups’ TTPs have remained largely continuous with those employed in 2021, with exploitation of known vulnerabilities remaining a consistent feature of recent attacks. The particular vulnerabilities exploited, though, have changed as researchers publish new CVEs. Thus far in 2022, Confluence, GitHub, and Apache vulnerabilities have figured particularly prominently in SecurityScorecard cases.
Recent cases have also revealed two novel features of ransomware operations in 2022: increased dwell time and aggression. In the municipal emergency service incident, SecurityScorecard determined that the attacker spent 90 days in the victim’s system prior to detection. SecurityScorecard also observed ransomware groups taking increasingly aggressive steps to pressure their victims to pay ransoms. In addition to the secondary and tertiary extortion methods mentioned above, attackers have taken more personal steps in recent incidents, contacting friends and family members of executives of some affected organizations to exert additional pressure.
Conclusion
Although some statistics suggest that the targeting of educational institutions by ransomware operators has decreased in 2022, their targeting of local governments may have increased. SecurityScorecard’s findings indicate that a number of issues affecting organizations in these sectors could render them particularly vulnerable to ransomware. To reduce their vulnerability, organizations should make every effort to keep software up to date; unpatched software is easier to exploit, and the vulnerabilities observed in recent SecurityScorecard engagements may merit particular attention. They should also remain on guard against phishing: while the use of SPF, DKIM, and DMARC can reduce the risk of email spoofing, individual employees may also require training to remain vigilant against possible phishing attacks. While some credential exposures may be unavoidable, organizations can also reduce the risks associated with these exposures by advising employees against password reuse, requiring 2FA, and enforcing fairly stringent password length and complexity requirements.
SecurityScorecard’s products and services can support efforts to prevent attacks by identifying vulnerabilities, investigating possible threats, and responding to incidents. SecurityScorecard can support SLED organizations both before and after ransomware attacks:
Our ratings platform and Attack Surface Intelligence (ASI) and Automated Vendor Detection (AVD) products can enable continuous monitoring of their and their vendors’ digital assets,
Our Cyber Risk Intelligence as a Service (CRIaaS) offering can provide tailored insights about the threats facing them,
In the event of a successful or attempted attack, SecurityScorecard can support incident response efforts.