In 2021, the threat of ransomware has loomed large. In many ways, it’s exactly what cybersecurity experts expected (and predicted) after the major cyber attacks of 2020—including hospital ransomware attacks on a healthcare industry hard-hit by both ransomware and Covid-19.
But in other ways, this surge is unprecedented.
Because of our DNS filtering technology at DNSFilter, we are able to identify trends in malware and phishing domains on our network. Over the last year, we’ve seen traffic to domains categorized as malware rise and fall. Stepping back and looking at traffic to malware domains so far in 2021, we noticed a few spikes, including a brief one between January and February that coincided with the Silver Sparrow ransomware attack.
Here, we’ll examine a few periods of time that had high traffic to malware domains on the DNSFilter network.
Starting the year with a surge in malware traffic: Silver Sparrow and more
In mid-February, the Silver Sparrow malware was detected on 30,000 Mac computers.
This malware used installer packages leveraging the macOS Installer JavaScript API, unlike other malicious macOS installers that rely on pre-install or post-install scripts. The network component of the malware executed a shell script that downloaded a JSON file from the C2 server to disk, checking in every hour. Silver Sparrow made liberal use of AWS S3 bucket infrastructure for distribution.
On our network, malicious queries to related Silver Sparrow domains were found between January 21 and February 21. DNSFilter customers were notified, though any customers blocking the “malware” category were already blocking these domains.
Around this time, there was a large spike in malicious domains on the DNSFilter network. In this image, the orange line represents blocked DNS queries.
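The hourly C2 check-in described above is exactly the kind of pattern resolver logs expose. As an added example (not DNSFilter’s code or data), this Python script flags near-periodic query series in a few constructed log lines and checks whether each hit is already covered by a constructed “malware” category blocklist; the domain names, client addresses and list contents are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed sample resolver log (not real DNSFilter data): time, client, queried name.
SAMPLE_LOG = """\
2021-02-10T08:00:03 10.0.0.5 update.example-c2.test
2021-02-10T08:14:50 10.0.0.5 www.example.org
2021-02-10T09:00:05 10.0.0.5 update.example-c2.test
2021-02-10T10:00:02 10.0.0.5 update.example-c2.test
2021-02-10T10:31:17 10.0.0.5 mail.example.org
2021-02-10T11:00:04 10.0.0.5 update.example-c2.test
2021-02-10T12:00:03 10.0.0.5 update.example-c2.test
2021-02-10T08:02:00 10.0.0.7 www.example.org
2021-02-10T09:45:00 10.0.0.7 www.example.org
2021-02-10T13:10:00 10.0.0.7 www.example.org
"""
# Constructed "malware" category blocklist; a real category feed is far larger.
MALWARE_BLOCKLIST = {"example-c2.test"}

def parse_log(text):
    """Parse log lines into (timestamp, client, domain) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, name = line.split()
        records.append((datetime.fromisoformat(ts), client, name.lower().rstrip(".")))
    return records

def find_beacons(records, min_queries=4, max_jitter=0.05):
    """Return {(client, domain): period_seconds} for series with near-constant gaps."""
    series = defaultdict(list)
    for ts, client, domain in records:
        series[(client, domain)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Low coefficient of variation = timer-driven schedule, not human browsing.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons

def is_blocked(domain, blocklist=MALWARE_BLOCKLIST):
    """True if the name or any parent zone is on the category blocklist."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

if __name__ == "__main__":
    for (client, domain), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        status = "blocked" if is_blocked(domain) else "needs review"
        print(f"{client} -> {domain}: every {period}s ({status})")
```

The 10.0.0.7 series is skipped because three irregular queries are not enough to call a schedule; lowering min_queries or raising max_jitter trades false negatives for false positives.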
At the beginning of the year, security researchers discovered a new ransomware threat in Babuk ransomware. The timeline of when this ransomware was particularly active coincides with when traffic to malicious domains can be found on the DNSFilter network.
Also active during this time was Conti ransomware. The ransomware gang targeted a non-profit hospital in New Mexico between January 21 and February 5 of this year, matching the malicious uptick seen on our network. Data such as patient information, passports, and background check authorizations were compromised in this attack impacting 200,000 patients of the hospital.
It is highly likely that these strains of ransomware targeted other organizations beyond the ones we know of. Malware will often linger for 800 days before discovery; ransomware attacks usually have a shorter average timeframe of 43 days from first occurrence to discovery because of their attack method. Either way, 2021 began with a rise in malicious domains.
Springtime for malware
In March of 2021, Acer was the victim of a massive ransomware attack. And only two months later, the Colonial Pipeline was breached, triggering gas shortages and increased oil prices. Interestingly, attempted traffic to malicious domains on our network mirrored the timelines of these two breaches.
It’s worth noting that by spring of this year, ransomware had essentially become the second pandemic. While the big-name organizations targeted by ransomware gangs garnered headlines, the real issue was (and still is) that schools, hospitals, and other industries that make up our critical infrastructure were being heavily bombarded with ransomware. Often, these are industries with slim IT budgets and limited cybersecurity resources, creating a perfect storm of vulnerable targets holding information that has significant value on the dark web.
At the end of April, Biden issued an executive order around new cybersecurity standards. This announcement happened right around the time a secondary spike of attempted visits to malware domains occurred on our network. This could be coincidental, though it could be evidence of an increase in ransomware activity as a direct response to this order.
The Kaseya breach: Still in progress
On July 2, 2021, the Kaseya ransomware attack became the most recent breach to absorb our attention. Just prior to the fallout from that breach, DNSFilter noticed another large spike in traffic to malware domains at the end of June with the peak occurring June 29.
A configuration file of CNC domains was shared shortly after the announcement of the breach. While DNSFilter has been blocking these released CNC domains since they were made available, there is a theory circulating that these domains are actually decoys. REvil, the ransomware group responsible for the Kaseya breach, has gone silent recently. What this means is still unclear, but even if REvil disappears, another ransomware group will soon take its place.
With each successful ransomware attack, our critical infrastructure is progressively put at a higher and higher risk. We have not seen full-scale destruction at the hands of ransomware yet. But it’s the logical next step in a trend that is slowly turning from ransom to extortion.
If you’re interested in learning more about extortion ransomware’s impact on our critical infrastructure, join us for a cybersecurity panel on double extortion ransomware on August 25 with Jen Ayers of DNSFilter and Wias Issa of Ubiq.