In cybersecurity, there’s no such thing as an isolated incident. A glaring, obvious security flaw is often the product of several other discreet, under-the-radar ones. When it comes to the ransomware cases we investigate daily, we see connections in tactics, tools, and even the industries attackers may compromise. In this case study, we unpack how an attack on a healthcare organization had connections to two foreign universities, a common Cloud environment, and a potential ransomware cartel.
SunCrypt Ransomware Connections
Ransomware operates in an organized business, and some developers of the extortion malware have expanded into franchises. One such franchise family member refers to themselves as SunCrypt. While it is still unclear as to who’s umbrella they operate under, their ransomware characteristics follow that of Maze, Sodinokibi, and others.
Tetra’s incident response team identified this threat actor group as one distributing the SunCrypt ransomware by analyzing sample encrypted files from the network in conjunction with the ransom letter produced by the ransomware binary. This threat actor group is known to double extort their victims — that is they commonly exfiltrate data and encrypt the victim’s files, demanding a ransom to both decrypt the data and prevent the stolen information from being sold or made publicly available.
While each case we investigate involves different variables, these attackers play from a surprisingly small book of attack game plans. Hijacking work-from-home access via external exposure, phishing emails, or other known vulnerabilities from third parties make up the majority of how attackers get in.
This ransomware attack was against a healthcare system, and it was brought to our attention in late 2020. Our investigation began with the healthcare system in question, but we quickly discovered two separate organizations that were connected, compromised, and leveraged as well. These separate organizations happened to be universities in Hungary and Mexico that were meant to stage data.
How were these three organizations all victims of a single threat actor? They all had their credentials compromised.
How SunCrypt Ransomware Got In
The root point of compromise in this case was a vulnerability in this healthcare system’s Fortinet FortiGate Virtual Private Network (“VPN”) appliance. VPNs are a highly recommended tool for secure work-from-home access, making this vulnerability an attractive target for attackers. The vulnerability, CVE-2018-13379, is described as an improper limitation of a pathname to a restricted directory under the VPN web portal. This vulnerability was discovered in 2018, but unpatched versions are still vulnerable, and that’s how this incident occurred as recently as December 2020.
When exploited, an attacker is able to view a file containing plaintext usernames and passwords of users authenticated to the VPN. In a case like this, even with strong password credentials, they are no match for an attacker who can clearly read them and use them elsewhere.
SunCrypt Ransomware Timeline
Our investigation led us to this timeline: Starting in late November of 2020, the attacker gained access to the healthcare system’s network by leveraging a user’s VPN account to establish network connections to multiple systems. The attacker then escalated their privileges by taking over an administrator account and laterally moved to access other systems within this network via Remote Desktop Protocol (“RDP”).
During this time, the attacker was unfortunately able to steal this healthcare system’s data using Microsoft OneDrive — another lucrative target for attackers considering its wide usage and ample storage. Armed with credentials of several organizations, the attacker transferred data from the healthcare system’s server to a separate OneDrive folder — that of a Microsoft account from a foreign University.
In November of 2020, the attacker exfiltrated data using a compromised Microsoft account from a University in Hungary. Then again in December of 2020, just before deploying the ransomware on the original healthcare system, the attacker exfiltrated data using another compromised Microsoft account from a University in Mexico. There was also evidence of data archiving, a step taken to compress data for faster exfiltration — the attacker compressed data and transferred it from the healthcare server to another compromised Microsoft OneDrive account from a foreign University.
University login credentials are valuable to attackers for several reasons. In this case, the attacker was able to leverage two universities’ vast storage to archive data from a separate victim. Universities also can provide attackers with unauthorized access to databases, new research, intellectual property, student information, and a plethora of other information that can be leveraged in a potential ransom.
Responding to SunCrypt Ransomware
Tetra deployed SentinelOne, an Endpoint Detection and Response tool to the healthcare system’s network in order to gain deep visibility and eliminate any malware that may have been present on the systems. With SentinelOne, we were able to detect and remove all malware associated with the intrusion. Due to the unfortunate data theft, the healthcare system requested we negotiate a settlement payment with the attacker on their behalf. As is typical with ransomware operators, they provided a utility to decrypt systems affected by the ransomware and prevent the release of data.
Despite the payment, there is one silver lining to consider — attackers need to provide an effective decryptor so as to maintain their “reputation.” If the industry is reporting that certain ransomware groups cannot restore the data they stole / manipulated, they are sure to never receive payments in the future. Although this case is an unfortunate example of payment, Tetra was able to get a healthcare system back up and running by rebuilding critical systems and restoring impacted devices back to normal operations.
How to Prevent SunCrypt Ransomware
While no security system can be 100% impenetrable, it is important to keep in mind that this attack is not a forgone conclusion. Attacks like this are preventable, and two important security features could have kept it from happening at all:
Since this vulnerability is still being exploited on unpatched FortiGate systems, Tetra highly recommends implementing patching procedures to make sure your tools are as up to date as possible to protect against attacks like this. This vulnerability in particular is still very viable to attackers, so Fortinet FortiGate VPN users are urged to patch as soon as possible.
- Multi-Factor Authentication (MFA)
Across the industry, we’ve seen too many accounts rely only on credentials to keep them protected. While strong passwords are important (anything is better than 123456, password, or admin), they are worthless when attackers can guess them, see them in plaintext, and use them against other accounts. To prevent this, we cannot recommend MFA highly enough. MFA is a simple security feature that is widely available on many apps and devices, and it prompts a user to verify their account via a separate device, token, or question. Using MFA, even if an attacker has credentials to an account, they will not be able to access it without this second layer of authentication.
Across the industry, our Cyber Risk Management team has seen the rapid struggle against security threats. The management of privileged accounts by IT teams often involves risk acceptance or compromise to keep the lights on. Teams with lacking resources often utilize privileged accounts as their daily accounts for email, helpdesk support, and project management. Attackers seize upon this, especially with tasks like signing into workstations or remote assistance. In this industry, treating any routine or workflow as trusted systems cannot mitigate bad actors. Securing IT administration with industry best practices such as dedicated administrative accounts, hardware tokens, privileged key management, and a change management process are now required.
Ransomware groups are constantly changing their behavior to best ensure their criminal business’ success. They leverage the connections they have whether they be credentials from universities, vulnerabilities from years ago, or even their malware franchise family. As SunCrypt and their connected criminals manipulate whatever data they can get their hands on, be sure to follow Tetra’s resources on how to stay ahead of them.