With Garmin, Canon, and Xerox all falling victim to human-operated ransomware gangs, the InfoSec community did not have to wait long to see which major corporation would be next. Customers of Konica Minolta, the massive business technology firm, took to Reddit to try to find out why its services could not be accessed for several days. Bleeping Computer later learned that the company, which employs approximately 44,000 people and reported roughly 9 billion USD in revenue in 2019, had become the latest high-profile ransomware victim.
At the time of writing, the business technology giant had yet to make a statement regarding the incident. That said, a number of cybersecurity researchers appear to corroborate what Bleeping Computer believes. Customers began reporting on July 30, 2020, that the product services and support site was down. The site remained down for almost a week with little information provided as to why. Many customers were presented with the following message when attempting to access the support services:
“The Konica Minolta MyKMBS customer portal is temporarily unavailable. We are working hard to resolve the issue and apologize for any inconvenience this may have caused you. If you need immediate assistance for service, please call our Global Customer Services at 1-800-456-5664 (US) or 1-800-263-4410 (Canada).”
Further, some printers presented an error message to users. Bleeping Computer asked the company for information regarding the outage but received no response to its inquiries. While the company was unwilling to share any information, one of the publication's sources shared a ransom note addressed to Konica Minolta. The ransom note's file name contained the company name, a way of catching the attention of whoever was unlucky enough to find it and of signalling that the attack was targeted.
Based on the ransom note, it would seem that Konica Minolta has fallen victim to a relatively new ransomware gang, RansomEXX. The ransomware, also known as Ransom X, is best known for attacks on government agencies in Texas: both the court system and the Department of Transportation were hit in May 2020. Luckily, despite the gang being so new to the ransomware threat landscape, MalwareHunterTeam managed to obtain a malware sample for analysis.
The sample was then shared with several security researchers, including Advanced Intel's Vitali Kremez, who named the ransomware. Naming malware can be difficult, especially if the developers did not name it themselves; in this case the name came from a string within the code that read "ransom.exx". It was quickly determined that RansomEXX can be considered human-operated, much like Sodinokibi and Ryuk. This was determined from its behaviour on launch: when the executable is run it opens a console that displays information about the infected system, output that is intended for an operator present on the system rather than for an automated, spray-and-pray campaign.
The first operation of the ransomware is to terminate 289 processes. The targeted processes relate to security software, database servers, MSP software, remote access tools, and mail servers; killing them removes defences and, in all likelihood, releases file locks held by databases and mail stores that would otherwise block encryption of their data files. Once that is done the ransomware skips a host of Windows system folders and any files with the following extensions: .ani, .cab, .cpl, .cur, .diagcab, .diagpkg, .dll, .drv, .hlp, .icl, .icns, .ico, .iso, .ics, .lnk, .idx, .mod, .mpa, .msc, .msp, .msstyles, .msu, .nomedia, .ocx, .prf, .rtp, .scr, .shs, .spl, .sys, .theme, .themepack, .exe, .bat, .cmd, .url, .mui. This is done in all likelihood so as not to destabilise the host: encrypting drivers, DLLs and executables could crash the machine before encryption completes and leave the victim unable to boot and read the ransom note. Throughout the encryption process the ransomware also performs a number of tasks in order to do the following:
- Clear Windows event logs
- Delete NTFS journals
- Disable System Restore
- Disable the Windows Recovery Environment
- Delete Windows backup catalogs
- Wipe free space from local drives.
The tasks above are intended to destroy backups and shadow copies, and wiping free space prevents the deleted plaintext originals from being carved back off the disk. This makes recovery from an attack far harder. If the victim has no external or off-site backups, recovering lost data and restoring company operations can become near impossible. This places increased pressure on business leaders to pay the ransom or to engage a third party to assist in negotiating the payment. Despite this, victims are still advised not to pay, for several reasons; one in particular may land the victim in more trouble than the payment is worth: paying may violate US sanctions if the ransomware gang has been sanctioned by the US Treasury's Office of Foreign Assets Control, which can result in heavy fines and massive court costs for the organisation that pays. For those who have already fallen victim to RansomEXX, the silver lining is that, at the time of writing, the gang does not also steal data and threaten to release it to the public if the ransom is not paid, as Maze and other human-operated ransomware operations do.
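The six behaviours listed above are far more useful to defenders than any file hash, because a human operator has to run them on the box before encryption and they leave process-creation telemetry behind. The Python below is an added example, not code from the article or from any RansomEXX analysis: it maps each behaviour to the stock Windows utilities that are commonly used to achieve it and flags a host on which several of them are chained together. The mapping from behaviour to command line is an assumption about how such activity typically appears in telemetry; the article does not name the exact commands RansomEXX runs, and the sample events are constructed.

```python
"""Flag anti-recovery command chains typical of human-operated ransomware.

Added example. The patterns below map the six behaviours described in the
article (clear event logs, delete NTFS journals, disable System Restore,
disable WinRE, delete backup catalogs, wipe free space) to the built-in
Windows tools usually used for them. That mapping is an assumption about
common tradecraft, not a statement about what RansomEXX itself executes.
"""
import re
from collections import defaultdict

# (category, regex) matched case-insensitively against the full command
# line of a process-creation event (Sysmon Event ID 1, Windows 4688, EDR).
ANTI_RECOVERY_PATTERNS = [
    ("clear_event_logs",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I)),
    ("delete_ntfs_journal",
     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
    # Deleting shadow copies removes restore points as well as VSS backups.
    ("disable_system_restore",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|"
                r"\bwmic(\.exe)?\s+shadowcopy\s+delete|Disable-ComputerRestore", re.I)),
    ("disable_winre",
     re.compile(r"\bbcdedit(\.exe)?\s.*\b(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)\b|\breagentc(\.exe)?\s+/disable", re.I)),
    ("delete_backup_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("wipe_free_space",
     re.compile(r"\bcipher(\.exe)?\s+/w:", re.I)),
]

# Constructed sample telemetry, one "host|user|command line" record per line.
# Not real data; hostnames and accounts are invented for the example.
SAMPLE_EVENTS = """\
WS-014|CORP\\jdoe|"C:\\Windows\\System32\\notepad.exe" C:\\Users\\jdoe\\notes.txt
SRV-FS01|CORP\\svc-admin|vssadmin.exe delete shadows /all /quiet
SRV-FS01|CORP\\svc-admin|bcdedit.exe /set {default} recoveryenabled no
SRV-FS01|CORP\\svc-admin|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
SRV-FS01|CORP\\svc-admin|wbadmin.exe delete catalog -quiet
SRV-FS01|CORP\\svc-admin|fsutil.exe usn deletejournal /D C:
SRV-FS01|CORP\\svc-admin|wevtutil.exe cl Security
SRV-FS01|CORP\\svc-admin|cipher.exe /w:C:
SRV-DB02|CORP\\backupop|wbadmin.exe delete catalog -quiet
WS-021|CORP\\asmith|powershell.exe Get-EventLog -LogName System -Newest 5
"""

# Distinct anti-recovery categories on one host before we page someone.
ALERT_THRESHOLD = 3


def classify(command_line):
    """Return the anti-recovery category a command line matches, or None."""
    for category, pattern in ANTI_RECOVERY_PATTERNS:
        if pattern.search(command_line):
            return category
    return None


def analyse(events_text):
    """Group matched categories per host and flag hosts that chain several.

    A lone wbadmin or vssadmin invocation can be legitimate administration;
    several different recovery mechanisms being destroyed on the same host
    in one session is the pattern worth alerting on.
    """
    per_host = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        host, _user, cmd = line.split("|", 2)
        category = classify(cmd)
        if category:
            per_host[host].add(category)
    return {
        host: {"categories": sorted(cats), "alert": len(cats) >= ALERT_THRESHOLD}
        for host, cats in per_host.items()
    }


if __name__ == "__main__":
    for host, result in analyse(SAMPLE_EVENTS).items():
        flag = "ALERT" if result["alert"] else "info "
        print(f"{flag} {host}: {', '.join(result['categories'])}")
```

The threshold matters more than the individual patterns. Backup operators legitimately run wbadmin, and help-desk scripts clear logs, so alerting on any single match produces noise; a host that deletes shadow copies, disables WinRE and wipes free space within the same session is a different story. In a production pipeline the grouping key should also include a time window and the parent process, since these commands are typically spawned in quick succession from the same interactive shell or from the ransomware binary itself.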
Ransomware getting worse
Ransomware rests on a brutally simple idea: encrypt data so the owner cannot access it, then demand a ransom to restore access. While the idea is simple, the code behind it has gone through several refinements. Those refinements are not the important change, however; it is the rapid adoption of new tactics that has taken a malware strain once used to lock home users out of cherished memories and turned it into something that cripples Fortune 500 companies with impressive budgets dedicated to securing their networks. When researchers first noticed the shift in tactics they called it big-game hunting; now the term human-operated ransomware is more in vogue. Whatever the jargon, ransoms have skyrocketed from a few hundred dollars to millions of dollars, depending on the size of the victim.
Towards the end of June 2020, warnings emerged that 31 US companies were being targeted by WastedLocker. Shortly afterwards it was revealed that Lazarus, the infamous state-sponsored North Korean hacking group, may be behind VHD ransomware. This comes as no surprise given the money on offer: the gang that operates NetWalker has netted 25 million USD since March of this year, and that figure is likely conservative, as it counts only payments that could be traced with a fair degree of certainty. It is little wonder that heavily sanctioned North Korea would be interested in ransomware as a means of funding the hermit kingdom's weapons programs.
We are also seeing partnerships between ransomware operators and other malware gangs to share resources. Often a botnet operator will compromise a network, steal data, and then hand over access to the network to a ransomware gang. Where once individual PCs were targeted, attackers now specifically target networks and network drives. This allows them to encrypt vast swathes of important files and data, often causing the organization to cease operations entirely. It also adds to the cost of the entire episode: it is not only the ransom but downtime, forensic investigations, lost earnings, and potential litigation that must be accounted for.
With the number of high-profile victims increasing weekly at a rate never seen before, it is hard to say the storm is over. In 2019, ZDNet predicted that the problem would get worse. Nearly a year on, it can safely be said that it is indeed worse: that prediction was made before ransomware gangs began stealing data and either releasing it to the public or selling it to the highest bidder if the ransom was not paid in time. When the article was written, managed service providers were being targeted as a means of compromising their high-profile clients. Now some gangs actively recruit insiders with privileged access to a network, or other hackers with the skills to compromise vast enterprise networks in hyper-targeted ways. The article concluded by stating:
“Already there are fears that ransomware could be used against voter databases in the run up to the 2020 US presidential election. A ransomware attack which makes it impossible for some people to cast their vote would have huge consequences. And it's hardly implausible to see criminals and state-backed hacking groups trying to expand the use of ransomware across more devices and scenarios in the near future. As we get more reliant on everything from smart cities to driverless cars the risks get greater.”
That election is only a few months away, and the questions posed by ransomware demand answers that many organizations cannot begin to give. This for a problem that is generally regarded as preventable.