
Daily Standup - 07.26.2021
July 26, 2021

Average Ransomware Payment Declined by 38% in Second Quarter of 2021, New Coveware Report Says (CyberScoop)

Target audience: Incident Response, Security Ops, Threat Intel

Summary: The average ransomware payment declined to $136,576 in the second quarter of 2021, according to numbers published Friday by ransomware response firm Coveware. The company did not share how many companies that data was based on. The 38% decrease is a dramatic drop from the average payment of $220,298 that the firm reported in April for the first quarter; that number was itself a 43% increase over the last quarter of 2020. The decline comes in the shadow of three major ransomware attacks on the U.S. supply chain. Since May, U.S. officials have faced three high-profile ransomware attacks, against fuel provider Colonial Pipeline, meat supplier JBS, and most recently Florida IT company Kaseya. The latter two attacks have been attributed to REvil, a ransomware gang thought to be based in Russia. Since the attacks, the Biden administration has increased pressure on Russia to act against cybercriminals within its borders. That attention may be one reason REvil went dark earlier in July.

Analyst comment: Coveware's report includes its observations of ransomware payments over the past quarter. As highlighted in the report, a number of external factors are likely contributing to the observed decrease in average ransomware payments: increased law enforcement operations against ransomware groups, a White House interagency task force, stricter cyber insurance underwriting, and greater general awareness of the ransomware threat. Additionally, the No More Ransom project helps victims decrypt their data without paying: it offers free decryption tools covering 151 ransomware families.
See also:

Q2 Ransom Payment Amounts Decline as Ransomware Becomes a National Security Priority (Coveware)
Unhacked: 121 Tools Against Ransomware on a Single Website (Europol)
No More Ransom
*Ransomware 2021: Trends and Targeting (Flashpoint)
*Ransomware 2021: Statistics and Kill Chain (Flashpoint)
Industry Ransomware Dashboard (Flashpoint Analytics)

* You have to be a Flashpoint customer to view Flashpoint's curated intelligence reports. Please feel free to reach out to programs@flashpoint-intel.com if you have any questions.

FIN7’s Liquor Lure Compromises Law Firm with Backdoor (Threatpost)


Target audience: Incident Response, Threat Intel

Summary: Financial cybercrime gang FIN7 has rebounded after the jailing of some key members, launching a campaign that uses as a lure a fake legal complaint involving the liquor company that owns Jack Daniel's whiskey. The gambit successfully compromised at least one law firm, giving the attackers a shot of the JSSLoader remote-access trojan (RAT), researchers said. "One of the victims of the malicious legal complaint campaign was a law firm," researchers said in a posting this week. "The lure successfully bypassed the law firm's email filters, and it was not detected as suspicious by any of the firm's employees." The ultimate purpose of installing the backdoor is unclear. FIN7 usually carries out targeted attacks on point-of-sale systems at casual-dining restaurants, casinos and hotels, or infiltrates systems to steal bank-card data and sell it. "It is plausible that proficient financial cybercrime groups, such as FIN7, are providing initial access to seasoned ransomware groups, such as REvil (aka Sodinokibi), Ryuk, etc. as a way to monetize their access," according to eSentire's Threat Response Unit.

Analyst comment: Organized cybercriminal groups are increasingly resilient, showing an advanced capability to maintain operations despite the arrests of key members. This report on FIN7 also shows that threat actor groups may be pivoting from operations built on stolen financial data to selling initial access or deploying ransomware, because those activities offer higher payouts.
See also:

Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels' Owner, Brown-Forman Inc. (eSentire)
*Actor Profile: "FIN7" (Flashpoint)
*Arrests and Takedowns: January-June 2021 (Flashpoint)

* You have to be a Flashpoint customer to view Flashpoint's curated intelligence reports. Please feel free to reach out to programs@flashpoint-intel.com if you have any questions.

Dutch Police Bust Alleged 'Fraud Family' Phishing Service Members (CyberScoop)

Target audience: Incident Response, Threat Intel

Summary: Dutch police have arrested two people for their alleged involvement in a phishing fraud-as-a-service scheme: a 15-year-old suspect and a 24-year-old who was due to appear in court on Friday. The unnamed 24-year-old is accused of developing the phishing kits, while the 15-year-old allegedly sold them. The younger suspect was released pending further investigation. Dutch police also said they searched a third suspect, aged 18. Group-IB said the Fraud Family operation, which has mainly hit victims in the Netherlands and Belgium since at least 2020 and perhaps as far back as 2018, is focused on stealing banking credentials. The criminals advertised their service to less-skilled cybercriminals on the encrypted messaging app Telegram, where Fraud Family's eight channels have nearly 2,000 subscribers.

Analyst comment: Information theft continues to be a profitable line of business for many threat actors. As this arrest indicates, threat actors are increasingly shifting from cybercrime forums to Telegram to advertise their illicit services. Phishing kits and phishing panels continue to create risk for organizations and contribute to a large volume of global cybercrime.
See also:

Phishing Software Developer Arrested [Dutch] (Politie)
*Fraud Family (FF) (Telegram, Flashpoint Collections)

* You have to be a Flashpoint customer to view Flashpoint's curated intelligence reports. Please feel free to reach out to programs@flashpoint-intel.com if you have any questions.

Additional stories are included below, as they are of interest to threat intelligence teams:

Kaseya Obtains Universal Decryptor for REvil Ransomware (Threatpost)
Kaseya Attack 2021: Are Ransomware Attacks Inevitable? (Security Boulevard)
The 25 Most Dangerous Software Vulnerabilities to Watch Out For (ZDNet)
Combating Shadow IT: A Customer Uses DTEX for Cybersecurity & More (Security Boulevard)
Researchers Find New Attack Vector Against Kubernetes Clusters via Misconfigured Argo Workflows Instances (ZDNet)
Pegasus Spyware Is Back, Twitter Hacker Arrested, 16 Year Old Printer Bug (Security Boulevard)
What Will Cybersecurity Look Like Over the Next Five Years? (Security Boulevard)

Please find past standups at https://fp.tools/home/intelligence/standup!
