The United States has seen a rise in public sector ransomware attacks in recent years. These attacks can severely disrupt an organization's processes and leave it without the data it needs to operate and deliver mission-critical services to the community. A recent analytic note from the Wisconsin Department of Justice's Wisconsin Statewide Intelligence Center (WSIC) [3] reports two Ryuk ransomware incidents affecting Wisconsin's education sector. Both incidents are still under investigation; here is what we know so far:

Who?
Wisconsin's education sector - including school districts.

What?
This attack chain uses a downloader (TrickBot or BazarLoader) to deliver a ransomware payload (Ryuk). The downloader is generally distributed by email, relying on social engineering, most often phishing, to get the recipient to open and run it.

  • TrickBot / TrickBot is a malware downloader that began as a banking Trojan. Since then it has evolved in several ways, adding modules that provide different types of functionality. In recently observed attacks, TrickBot has mainly been used as a conduit to drop additional malware, in this case the Ryuk ransomware.
  • BazarLoader / BazarLoader is another malware downloader, similar to TrickBot, that is frequently used to deliver Ryuk.
  • Ryuk / Ryuk is a ransomware variant. Its operators use common, legitimate administrative tools and techniques to minimize the risk of detection while spreading through a network, then encrypt files and demand a large ransom payment. Ryuk is unusual in that the ransom note does not state an amount; the demand is made only after the victim contacts the attackers.

How?
Recently observed activity indicates that the attack begins with social engineering to trick users into downloading and executing a downloader (TrickBot or BazarLoader), which in turn retrieves the payload, the Ryuk ransomware.

TrickBot is generally distributed as an attached Microsoft Word or Excel file. Once opened, the file prompts the user to enable macros in order to see the document's content. Enabling macros does not reveal any content; instead, the macro downloads the malware and displays a decoy message stating that the file failed to download.

BazarLoader, unlike TrickBot, has been seen using legitimate email services to send messages containing a Google Docs link that is dressed up to look like an email attachment. Clicking the link leads to a landing page stating that the user needs to download the file to view the document. The download is not a document but an executable containing BazarLoader, and running it begins the infection.

Once a downloader (TrickBot or BazarLoader) is running, it contacts its command and control (C2) server, retrieves and executes a backdoor, and the operators then use that access to install Ryuk on the victim's machine.
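
The two lures above leave fingerprints that can be checked before a file is opened: an Office document that carries a VBA macro project, and a "document" download whose bytes are actually a Windows executable. The following Python script is an added example written for this advisory; it is not code from WSIC, CISA, or the malware operators. It classifies an attachment by its content rather than its filename, flags macro projects in OOXML files (and, heuristically, in legacy binary Office files), flags executables masquerading as documents, and separately flags hyperlinks whose visible text looks like an attachment name but whose target is a web page such as a Google Docs landing page. The sample files and links are constructed in memory and are not real TrickBot or BazarLoader samples.

```python
"""Attachment and link triage for the two delivery tricks described above.

Added example for this advisory; not code from WSIC, CISA, or the malware
authors. Standard library only. Sample files are constructed in memory.
"""
import io
import re
import zipfile
from urllib.parse import urlparse

PE_MAGIC = b"MZ"                                  # Windows executable (DOS stub header)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/.docm/.xlsm) is a zip
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc/.xls)
# Name of the VBA project stream as stored (UTF-16LE) in an OLE directory entry.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
DOC_EXTENSIONS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "pdf"}


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify a file by its bytes (not its name) and list why it is suspicious.

    Returns {"kind": "pe"|"ooxml"|"ole"|"other", "macros": bool, "flags": [str]}.
    """
    ext = _extension(filename)
    kind, macros, flags = "other", False, []

    if data.startswith(PE_MAGIC):
        kind = "pe"
        # BazarLoader lure: a "document" download that is really an executable.
        if ext in DOC_EXTENSIONS or ext == "":
            flags.append("executable masquerading as document")
        else:
            flags.append("executable attachment")
    elif data.startswith(ZIP_MAGIC):
        kind = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            names = []
            flags.append("unreadable zip container")
        # Word keeps VBA at word/vbaProject.bin, Excel at xl/vbaProject.bin.
        if any(n.endswith("vbaproject.bin") for n in names):
            macros = True
            flags.append("contains VBA macro project")
            if ext in ("docx", "xlsx"):
                flags.append("macro project inside a macro-free extension")
    elif data.startswith(OLE_MAGIC):
        kind = "ole"
        # Heuristic only: a real OLE parser (e.g. oletools) is needed for certainty.
        if OLE_VBA_MARKER in data:
            macros = True
            flags.append("legacy Office file with VBA project stream")
        else:
            flags.append("legacy Office file; inspect in a sandbox")

    return {"kind": kind, "macros": macros, "flags": flags}


FILENAME_LIKE = re.compile(r"^[\w\- ]+\.(" + "|".join(sorted(DOC_EXTENSIONS)) + r")$", re.I)


def lure_link(display_text: str, href: str) -> bool:
    """True when a hyperlink is dressed up as an attachment: the visible text
    looks like a document filename but the target is a web page whose path
    does not end in that filename (the Google Docs landing-page pattern)."""
    text = display_text.strip()
    if not FILENAME_LIKE.match(text):
        return False
    url = urlparse(href)
    if url.scheme not in ("http", "https"):
        return False
    return not url.path.lower().endswith(text.lower())


def _ooxml(with_macros: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed samples: clean .docx, macro .docm, macro file renamed .docx,
# a fake "PDF" that is an executable, and a legacy .doc carrying a VBA marker.
SAMPLES = {
    "agenda.docx": _ooxml(False),
    "invoice.docm": _ooxml(True),
    "memo.docx": _ooxml(True),
    "Report.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "old.doc": OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage_attachment(name, blob))
    print(lure_link("Agenda.docx", "https://docs.google.com/document/d/abc123/edit"))
```

The verdicts are driven by magic bytes and container contents, so renaming a file does not change the result; the extension is consulted only to report a mismatch. The OLE check is a string heuristic and should be treated as a prompt for sandbox analysis, not a definitive answer.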

What Should You Do?

  • If you believe you have been compromised or have a confirmed ransomware event, please contact Sheila Mishich, Litigation Case Manager, at smishich@aegis-wi.com or 800.236.6885 immediately.
  • To the extent organizational resources allow, follow established best practices to manage the risk posed by ransomware and to support a coordinated, efficient response to a ransomware incident. The CISA and MS-ISAC "Ransomware Guide" [1] covers both preventing and responding to ransomware incidents and is available on the CISA Publications page: https://www.cisa.gov/publications/ransomware-guide
  • Additional information on Ryuk, including its connections with TrickBot and BazarLoader and general best practices, can be found in CISA Alert AA20-302A [2]: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
  • Conduct routine backups of your systems and data. Store them separately and securely, ideally offline, and test that they can be restored. Backups are an essential defense against ransomware: a readily available backup, combined with isolating the affected systems and removing the downloader and ransomware, lets you return to normal operations quickly.
  • Implement a cybersecurity user awareness and training program that includes identifying and reporting suspicious emails/activity.
  • If you have general best practice questions, need additional guidance, or want to inquire about training, please contact Seth Johnson, Risk Management Consultant, at sjohnson@aegis-wi.com or 715-614-4150.

REFERENCES
[1] CISA and MS-ISAC, Joint Ransomware Guide, September 2020.
[2] CISA Alert AA20-302A, Ransomware Activity Targeting the Healthcare and Public Health Sector, original release date October 28, 2020.
[3] Wisconsin Statewide Intelligence Center (WSIC) Analytic Note, Ryuk Ransomware Infections in Wisconsin's Education Sector, February 1, 2021.

Community Insurance Corporation will communicate possible cyber threats posed to our insurance program members as proactively as possible. Members are encouraged to sign up for official notification services - including the United States Cybersecurity & Infrastructure Security Agency (US-CISA) Alerts. If you would like to be added to the distribution of these Cyber Threat Alerts, please contact Josh Dirkse at josh@aegis-wi.com or 800.236.6885.