A study by risk solutions provider Kroll indicated that a group of Russian hackers managed to file false unemployment claims with the Washington State Employment Security Department, or ESD, through a ransomware attack on a U.S. health care provider.
According to an investigation published on June 17, the company examined the browser history of the cybercriminals and found that they had accessed several Gmail accounts. They then activated two profiles on the ESD site using these email addresses.
Organized groups of cybercriminals
The ransomware attack, carried out on May 12, deployed the Mamba ransomware, which uses full-disk encryption against its victims. Kroll found that the data involved was associated with residents of Washington state.
The report says that the information gathered shows that transnational organized crime groups are filing false unemployment insurance claims in the names of residents of several U.S. states, specifically Washington and Massachusetts.
The working hypothesis is that the cybercriminals are taking advantage of large batches of stolen personal information sold on various dark web marketplaces.
Kroll discovered that these criminals began accessing the healthcare provider's network in late April, and reports that the attackers first attempted a GoGoogle ransomware attack that failed and was quickly neutralized by IT staff.
Attacks continue to increase in the U.S.
Speaking to Cointelegraph, Nicole Sette, senior vice president of Kroll and former FBI cyber intelligence analyst, said ransomware attacks and false unemployment claims related to COVID continue to affect organizations across the United States:
"In this case, Kroll found ransomware attacks and false unemployment claims that revealed the various tactics, techniques and procedures that actors use to steal from victims. We continue to see cybercriminals conduct multi-faceted intrusions, taking advantage of various schemes to extract personal information, funds and property data from victims. The key finding of this report is that these cybercriminals use a variety of techniques to exploit their access to the Web."
Sette also provided further details on the Mamba ransomware attack:
"Because Mamba uses full-disk encryption, it is a different method of attack that is more difficult for IT teams to remedy. Mamba is known to violate the Remote Desktop Protocol (RDP) to gain access to victim networks and can move laterally across a network."
Sette warns: "Kroll believes that ransomware attacks will continue to gain momentum during the COVID-19 pandemic due to increased network vulnerabilities related to working remotely, and many companies have not properly secured their RDP/VPN."
Recent ransomware incidents
Recently, Cointelegraph reported on another Kroll study that identified an increasing trend in the use of the Bitcoin Trader Qakbot, or Qbot, Trojan. This Trojan is known for email thread hijacking campaigns used to deploy ransomware.
On May 28, Microsoft's security team revealed a new type of ransomware that uses "brute force" against its target company's system administration server. It has mainly targeted the healthcare sector in the midst of the COVID-19 crisis.