Report: Israel Is Country Most Affected by Ransomware Since 2020

Not too long ago, Israeli cybersecurity firm Check Point discovered that the country’s institutions were targeted in twice as many cyberattacks as other organizations in countries across the world.

Reportedly, an average of one out of every sixty Israeli organizations or companies is attacked every week by cybercriminal entities using ransomware tools. It turns out that this frequency has increased by 30 percent when compared to 2020 figures.

In particular, the firm’s report indicated that the Israeli health sector was the most affected by threat actors looking to breach sensitive government services – it is estimated that the country’s health sector sustains an average of 1,443 cyberattacks every week.

In addition, the Check Point researchers revealed that other destinations across the world had their health and educational sectors accounting for the highest number of attacks. This was followed by government entities and security companies.

Separate new data shared in the latest VirusTotal Ransomware Activity Report seems to reflect the research conducted by Check Point researchers. The report revealed a cyber-extortion boom in the first half of 2021; the findings have shadowed cases in the past year.

In the course of their research, VirusTotal investigators identified at least 130 different ransomware families – the findings were contingent on a number of standard practices in the cybersecurity industry, including naming conventions.

Israel Takes the Most Hits

Since last year, the cybersecurity experts collected study samples from more than 140 countries across the world, with Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, the Philippines, Iran and the UK being the most affected countries based on the number of sample submissions to VirusTotal.

A few days ago, the Hillel Yaffe Medical Center in Israel’s northern city of Hadera raised the alarm over a ransomware attack aimed at the facility. This case adds to several others involving Israeli medical institutions that have been targeted by hackers.

Through an official statement, the 506-bed medical center reported that it was facing “a totally unexpected ransomware cyberattack” that was meant to cripple the hospital’s computer systems.

The medical institution went on to say that it was engaging alternative systems to ensure that its large number of patients did not face life-threatening disruptions.

The announcement included a statement of assurance that medical treatments had not been affected, aside from non-urgent procedures. As such, the Hillel Yaffe Medical Center notified the authorities about the cyberattack in an effort to ensure that the issue is dealt with conclusively.

All the while, a number of Israeli media platforms were reporting that the medical institution had been forced to divert a number of emergency patients to other nearby hospitals in the heat of the ransomware attack.

Similarly, in September this year, a host of cyberattacks were thwarted by the Israel Health Ministry’s Cybersecurity Center on a weekend. According to official data, about 627 cyberattacks per organization were noted in Israel’s health sector on a particular weekend, a staggering 72 percent more than the average.

According to cybersecurity experts, the numbers were considered to be more than in any other major sector in the country – the other sectors registered an average of 267 attacks per entity, with no significant increase.

Then, Barzilai Medical Center in Ashkelon, which is operated by former health ministry director-general Chezy Levy, ranked among the health institutions that were affected by the ransomware attacks.

Israel’s national cyber directorate, which is charged with ensuring that Israel avoids and responds to cyberattacks, responded to the recent threat actor actions by issuing an advisory about the ransomware incidents that were linked to unnamed attack groups.

As part of its investigations, the government agency shared identifiers that were discovered in the course of its probe into the recent threats. The identifiers were meant to assist vulnerable organizations across various sectors to have a clear picture of the threat environment in identifying and preventing similar attacks that may be targeted against them.

In addition, the cyber directorate prescribed a number of recommendations that would help them ascertain whether the identifiers have been noted on relevant systems over the past month.

One of the important steps proposed was for organizations and institutions to conduct active scans that would locate the identifiers directly – such an action would also enable potential victims to feed these identifiers into antivirus and endpoint detection & response systems.

The directorate also advised organizations to ensure that their email servers and corporate Virtual Private Networks (VPNs) were updated to the latest versions as an additional layer of security against potential threats.

Separately, Israel’s Ministry of Health sent out letters to health institutions across the country – the correspondence advised these centres on the importance of printing out patients’ medical files in anticipation of possible cyberattacks aimed at hijacking patient data.

Iranian State-backed Threat Actors

Further, as reported by the Jerusalem Post, cybersecurity tech firm Cybereason revealed that MalKamak, an Iranian state-backed threat group, was operating a highly targeted cyber-espionage operation aimed at global aerospace and telecommunications firms.

The hacker group managed to harvest sensitive information from target institutions across the State of Israel and the larger Middle East. This also extended to destinations in the United States, Russia and Europe.

Essentially, the hacking campaign exploits a very sophisticated and previously mysterious Remote Access Trojan (RAT) called ShellClient that can dodge antivirus programs and other installed cybersecurity software. The RAT also abuses the public cloud service Dropbox for command and control.

It turns out that creators of ShellClient made significant investments in authoring a RAT that’s very stealthy by leveraging several obfuscation mechanisms and recently deploying a Dropbox client with the aim of making it virtually undetectable.

While commenting on ShellClient, a host of cybersecurity experts highlighted that the malware has evolved significantly over the years. About three years ago, its code was very simplistic, but it has grown to become highly complex and potentially dangerous to victim computer systems and networks.

As part of its strategy to stay ahead of competing threat groups, it is reported that ShellClient’s creators abandoned their old server machinery and replaced it with Dropbox file hosting – this approach allowed them to hide it easily and efficiently.

The practice of abusing cloud services like Dropbox is not a new idea. Recent years have been marked by threat groups leveraging cloud services like GitHub to achieve the much-needed camouflage from cybersecurity detectors.

Moreover, cybersecurity experts discovered that the threat actor used ShellClient to deploy more attack tools for a number of espionage activities against target networks – this included more reconnaissance activities, lateral movement and the harvesting of sensitive user data.

It turns out that the threat posed by the hacker group is still active to this day, with activities being mainly focused in the Middle East region, including other firms in the U.S., Russia and Europe. Generally, the cybercriminals seem to have a preference for aerospace and telecommunications entities.

Still, another hacker group called Deus claimed that it had leaked data obtained in a cyberattack aimed at the Israeli call centre service firm Voicenter. The breach affected the organization’s main clients including 10bis, CMTrading, Mobileye, eToro, Gett and MyHeritage.

It turns out that the data that was leaked included security camera and webcam footage, identification documents, photographs, WhatsApp messages, emails and phone call recordings.

All the examples that we have provided above seem to add up to the stark reality that cybercriminal elements may regard Israel as easy prey for their attacks. This has been a reality over the past two years, as Israel Aerospace Industries, the Shirbit insurance company and the Amital software firm add to the long list of Israel-based companies and organizations that have been targeted by cybercriminals.

As such, the country’s cyber directorate reported that it had dealt with more than 11,000 inquiries on its 119 hotline in the year 2020 alone – the figure happens to account for a 30 percent increase compared to the number obtained from last year.

The directorate added that it made nearly 5,000 requests to firms to handle their individual vulnerabilities that may expose them to threat actors, and that it had kept close contact with about 1,400 establishments concerning attempted and successful attacks.

Additional Findings – GandCrab Was the Most Active Group

More findings published in the VirusTotal Ransomware Activity Report showed that the GandCrab ransomware family was the most active group in early 2020, before its prevalence ebbed significantly in the second half of the year.

Like the majority of ransomware types, the GandCrab ransomware-as-a-service product works by holding files on infected computers hostage until a ransom payment is made by victims.

The service runs an online portal where cybercriminals sign up and pay to receive access to custom versions of the GandCrab ransomware, which they then distribute through email spam, exploit kits and other cybercriminal tools of the trade.

The original GandCrab author earns a commission whenever an infected user meets the ransom demand of the malware distributor – the rest of the cut is earned by the cybercriminal who planted the malicious software in the victim’s computer.

An interesting observation that has since been made about the ransomware is that it does not target computers and networks in Russia or the former Soviet Union – this reality gives a strong indication that creators of the malicious software are probably based in the region.

As reported by Krebs on Security, GandCrab far outshone its competition by virtue of its operators ensuring that the malware was continuously kept updated to circumvent antivirus programs and other cybersecurity defences.

VirusTotal investigators noted GandCrab’s massive peak in Q1 2020 that has since changed in dynamic to take a more subtle magnitude in 2021. The ransomware gang ranked among ten other prolific threat groups that wreaked havoc across the world (See below).

Figure 1: Chart showing the Top 10 most active ransomware families since Q1 2020 (Source: VirusTotal)

GandCrab Was Actually Going Down

Sometime in 2019, GandCrab authors announced that they were closing down their ransomware-as-a-service operation. It was reported that the news was made public following a post made by GandCrab authors in a notable hacking forum that had served as their advertisement platform since its day of inception.

According to details shared in the forum post, the ransomware’s creators were boasting about making as much as $2 billion in ransom payments over the course of its lifetime – they claimed that the figure accounted for $2.5 million in weekly earnings, and $150 million being made every year.

The GandCrab crew went on to say that they had “successfully cashed the money and legalized it in various spheres of white business both in real life and on the internet”. Quite obviously, the above estimates that were shared by the ransomware group should be treated as just that: claims.

In fact, an analysis conducted by ZDNet indicated that the RaaS group was showing all the signs of a hacker group that was on a steady decline. Cybersecurity investigators noted that GandCrab was losing its customers well before its authors announced that they were hanging up their boots.

Still, the ZDNet publication reported that GandCrab had been a formidable force in the ransomware industry as evidenced by the expert data until the year 2019.

According to the cybersecurity news site, the ransomware family was considered to be one of the most active ransomware threats in existence. It was identified as one of the few ransomware types that were being distributed en masse through email spam and exploit kits – this also included attacks against high-profile establishments in a technique dubbed “big-game hunting.”

Attempts to Beat GandCrab

Apart from government-sponsored programs to deal with threats involving the notorious ransomware family, cybersecurity company Bitdefender produced a number of GandCrab decryptors that would enable victims to recover encrypted files without parting with huge sums of money in ransom settlements.

Further back in 2018, reports emerged that the GandCrab author was bitter about South Korean cybersecurity vendor AhnLab releasing a vaccine for the GandCrab ransomware.

The spat boiled over to a point where the ransomware’s author contacted Bleeping Computer to reveal the planned release of a version of the GandCrab ransomware that would have an alleged zero-day for the AhnLab V3 Lite antivirus.
