October 17, 2020 — Eric Swotinsky

Cyberthreat update from Acronis CPOCs: Week of October 12, 2020


Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as ransomware attacks against major infrastructure and new malware campaigns to look out for. Here’s a look at some of the most recent breaking news and analyses:

Ryuk ransomware knocks out US hospitals

Universal Health Services, a hospital and healthcare provider, was forced to shut down systems at healthcare facilities around the US after being struck by a cyberattack late last month.

With over 400 locations across the US, UHS provides healthcare for over 3.5 million patients every year. System shutdowns forced ambulances and emergency patients to be rerouted to other hospitals. This may have led to the death of four individuals waiting on lab results.

The ransomware variant responsible for this attack appears to have been Ryuk, delivered through a TrickBot malware infection. With the advanced behavioral analytics and antimalware capabilities in Acronis Cyber Protect, both TrickBot and Ryuk are stopped completely before they can cause any damage to your data or infrastructure.

Microsoft unveils new cybersecurity report

Two years after retiring its Security Intelligence Report, Microsoft has released a rebranded Digital Defense Report, providing annual insights similar to those of its prior security reports.

This year's Digital Defense Report covers topics ranging from the COVID-19 impact on cybercrime trends to new ransomware threats, increased targeting of supply chains, and the recent activity of nation-state attackers. One statistic of particular interest is the speed at which ransomware can take over and encrypt an entire network — in some cases, as quickly as 45 minutes after the initial point of entry.

Acronis takes these threats very seriously, providing a range of solutions in Acronis Cyber Protect to keep you safe — from automatic alerts of current threats, to file backups, to antimalware protection that guards against ransomware and other cyberthreats.

Mozilla shuts down Firefox Send after misuse

Mozilla has shut down its Firefox Send file transfer service following abuse by cybercriminals.

Firefox Send allowed users to host and share files as large as 2.5 GB. Threat actors recently began using this generous data allocation — and the trusted Mozilla hostname — to effectively distribute ransomware via spear phishing campaigns. Over the summer, the service had already been pulled temporarily offline after a surge in attackers using it to distribute Sodinokibi and other malware variants.

Acronis Cyber Protect’s URL filtering capabilities prevent users from accessing malicious links and block threatening files from being downloaded. It also integrates with Acronis Cyber Files — an enterprise-grade sync-and-share service — providing you with a secure way of sharing large files online.

New phishing campaign distributes malware bundle

A new phishing campaign spotted in the wild is targeting employees from various global organizations and trying to convince them that their employment has been terminated.

Instead of relying on attachments, these emails contain legitimate-looking links to Google Docs files that purport to have information regarding employees in the organization who are being laid off. These files themselves contain links to malicious PDFs hosted on Google Drive or similar services. Downloading and opening the PDF leads to malware being installed on the victim’s system.

This campaign utilizes the Bazar backdoor as well as the Buer loader — unusual in that a single campaign is utilizing two separate malware strains. Acronis Cyber Protect’s integrated Active Protection technology can detect and block both of these variants, keeping your system safe from infection.

French shipping giant shuts down systems after ransomware attack

French container shipping giant CMA CGM is the fourth major shipping carrier to be hit by ransomware since 2017. The company was given just two days to make contact via live chat and pay for a special decryption key. The amount of the ransom demanded is unknown at this time.

The CMA CGM group includes over 10 brands, covering maritime activities, logistics, and ports and support. Its brands can be found in 755 offices across 160 countries, and it employs over 110,000 people worldwide. Following the Ragnar Locker ransomware attack, the company was forced to shut down networks and systems across all of its brands except CEVA Logistics in order to stop the malware from spreading further.

Ninety percent of global trade is transported by the maritime industry, which is becoming increasingly digitally connected and automated — putting shippers at heightened risk from cyberattacks. Acronis Cyber Protect uses advanced behavioral heuristics to stop ransomware variants like Ragnar Locker before they can spread across your network, and easily restores encrypted files in seconds.

# # #

October is National Cybersecurity Awareness Month — celebrate with us at the Acronis Cyber Summit 2020, which is being offered this year as a free virtual conference from October 19–21. And for the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.