Christopher Eaton | February 25th, 2022

Freight Forwarding and Logistics Company, Expeditors International, Suffers Global Outage Following Targeted Ransomware Attack

Seattle-based Expeditors International, one of the world’s largest logistics and freight forwarding companies, is continuing to feel the effects of a recent ransomware attack. As a result of the attack, Expeditors International was forced to shut down most of its global operations and IT networks, which include coordination of supply chain deliveries via land, air, and sea. The investigation into the ransomware attack is still ongoing, and the outage is further aggravating the supply chain problems already facing many nations and industries. Expeditors International continues to operate but has yet to recover all of its systems.

Flaw Discovered in Hive Ransomware Encryption Algorithm Successfully Used to Recover the Master Decryption Key

Researchers have described the ‘first successful attempt’ at decrypting Hive ransomware-infected data without the private key used to lock access to the content. A group of academics from a South Korean university dissected Hive’s encryption process, identified a cryptographic vulnerability through that analysis, and were able to recover the master key from which the file encryption keys are generated, without the threat operator’s private key. To produce an encrypted file, Hive XORs two keystreams together to form the encryption keystream, then XORs that keystream with the file data in alternate blocks. Because XOR is reversible, this construction lets an analyst guess keystreams and restore the master key, so encrypted files can be decrypted without the private key. According to the researchers, the flaw let them devise a method for reliably recovering more than 95% of the keys used during encryption.
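The property the researchers exploited, in a simplified model written for this article as an added illustration (it is not code from the paper or from Hive itself): a per-file keystream is the XOR of two slices of a master key, the keystream is XORed into alternate blocks, and a guessable plaintext block (such as a fixed file-format header) leaks keystream bytes which can then be combined across files. The block size, the master-key size, the offset pairs, the header bytes and how an analyst learns the offsets are all assumptions of this toy model.

```python
import os

BLOCK = 16  # toy block size, constructed for this example (not Hive's real parameters)

def keystream(master: bytes, off1: int, off2: int, length: int) -> bytes:
    """Per-file keystream modelled as the XOR of two sub-streams sliced from the master key."""
    return bytes(x ^ y for x, y in zip(master[off1:off1 + length], master[off2:off2 + length]))

def xor_alternate_blocks(data: bytes, ks: bytes) -> bytes:
    """XOR the keystream into every other block; the rest stays in the clear.
    Applying the same keystream twice restores the data."""
    out = bytearray(data)
    for start in range(0, len(data), 2 * BLOCK):
        for i in range(start, min(start + BLOCK, len(data))):
            out[i] ^= ks[i]
    return bytes(out)

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> dict:
    """Known-plaintext recovery: on an encrypted block, ct ^ pt is the keystream byte.
    Returns {position: keystream_byte} for the encrypted positions the guess covers."""
    return {i: ciphertext[i] ^ known_plaintext[i]
            for i in range(min(len(ciphertext), len(known_plaintext)))
            if (i // BLOCK) % 2 == 0}

def chain_keystreams(ks_ab: dict, ks_bc: dict) -> dict:
    """ks(a,b) ^ ks(b,c) == ks(a,c), because the shared master[b+i] term cancels.
    Two partially recovered keystreams therefore yield a third one, for a file whose
    plaintext was never guessable, without learning any master-key byte directly."""
    return {i: ks_ab[i] ^ ks_bc[i] for i in ks_ab if i in ks_bc}

def demo() -> tuple:
    """Three files, each encrypted with a keystream built from a different offset pair."""
    master = os.urandom(4096)                    # constructed stand-in for the master key
    a, b, c, n = 100, 700, 1500, 64              # assumed offsets and file length
    header = b"TOYFILEHEADER_v1"                 # 16-byte guessable header (constructed)
    f1 = header + os.urandom(n - BLOCK)          # plaintext partly guessable
    f2 = header + os.urandom(n - BLOCK)
    f3 = b"SECRET_RECORD_01" + os.urandom(n - BLOCK)  # first block not guessable
    c1 = xor_alternate_blocks(f1, keystream(master, a, b, n))
    c2 = xor_alternate_blocks(f2, keystream(master, b, c, n))
    c3 = xor_alternate_blocks(f3, keystream(master, a, c, n))
    ks_ac = chain_keystreams(recover_keystream(c1, header), recover_keystream(c2, header))
    recovered = bytes(c3[i] ^ ks_ac[i] for i in range(BLOCK))  # decrypt f3's first block
    return recovered, f3[:BLOCK]

if __name__ == "__main__":
    rec, actual = demo()
    print("recovered first block of file 3:", rec, "matches" if rec == actual else "MISMATCH")
```

The same cancellation, applied across many files sharing one master key, is what turns individual keystream guesses into recovery of the master key itself.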

ASUSTOR Network Attached Storage Devices Are Being Actively Targeted By DeadBolt Ransomware Via A Zero-Day Vulnerability 

DeadBolt ransomware operators claim to have discovered a zero-day vulnerability in Asustor Network Attached Storage (NAS) devices and are now exploiting that flaw to encrypt user data. When encrypting data, the ransomware renames files to add the ‘.deadbolt’ file extension and drops a note demanding 0.03 bitcoin (approximately $1,150) for a decryption key. Asustor encourages its users to change the default and remote access ports, disable EZ Connect, create file backups, and disable the Terminal/SSH and SFTP services. DeadBolt ransomware operators have offered to provide information about the exploited zero-day vulnerability for 7.5 bitcoin and a master decryption key for 50 bitcoin. The company has not publicly responded to this extortion attempt.

Newly Discovered Entropy Ransomware Used in Multiple Attacks, Connected to Evil Corp’s Dridex Malware 

A new ransomware variant known as Entropy was identified by security researchers in their analysis of two separate attacks, one against a media organization and the other against a government entity. In both cases, the targeted organization maintained unprotected devices but fortunately used endpoint detection software that stopped the ransomware from gaining a foothold in its environment. In analyzing the ransomware signature, the packer code for Entropy was originally identified as Dridex malware connected to the Evil Corp threat group. Entropy operators attempted entry by exploiting ProxyShell vulnerabilities in unpatched Exchange servers, highlighting the need to patch such vulnerabilities quickly.

Ransomware Among Numerous Cyberattacks Used Against Ukraine As Part of Russia’s Military Aggression 

As Russia increases its military aggression against Ukraine, it is accompanied by a growing number of cyberattacks. Over the past several days, multiple Ukrainian government, financial, and business networks have suffered DDoS attacks and extensive malware deployments. Shortly before troops began their invasion of Ukraine on Wednesday (2/23/22), Russian agents launched ransomware attacks utilizing HermeticWiper, which is programmed to expunge data from infected systems. Many analysts believe that the ransomware attacks were used as decoys or misdirection for the data wiping, which would essentially paralyze affected organizations and weaken Ukraine’s overall security defenses. These cyberattacks have been confirmed by Ukraine’s Ministry of Foreign Affairs, which was itself identified as one of the victims.

With ransomware attacks on the rise, and now compounded by their implementation in support of acts of war, it is imperative for users, businesses, and governments to safeguard their critical data and operations against devastating ransomware like Hive, DeadBolt, and Entropy. At SpearTip, we provide an all-in-one security solution that combines our state-of-the-art ShadowSpear software with a 24/7 SOC staffed with certified engineers continuously engaged in cyber threat hunting. With an industry-leading incident response time, we assist organizations in eliminating downtime and protecting their business-critical data from malicious threat actors and ransomware.  

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.