
Ransomware's New Front: Uncovering the Latest Threats Facing Hong Kong

Ransomware remains a significant threat in the cybersecurity landscape, continuously evolving with new tactics and techniques. HKCERT explored the current attack vectors of ransomware incidents and the latest developments in ransomware and offered practical recommendations based on findings, focusing on the Asia-Pacific region, especially in Hong Kong.

Last Update Date: 12 Aug 2024 | Release Date: 9 Aug 2024

Recent Ransomware Incidents

In August 2023, Hong Kong tech hub Cyberport alerted the police and the privacy watchdog after reports of a ransomware attack exposing 400GB of data[1]. The attackers gained initial access by using brute-force attacks to obtain an administrator's credentials and then accessing the network through RDP. They then used credential dumping and other methods to compromise three additional administrator accounts, which allowed them to move laterally within the network, disable firewall protections, and stop anti-malware programs. Finally, multiple servers and network storage devices were compromised.

 

In September 2023, because the Consumer Council allowed employees to connect remotely to its network without multi-factor authentication, the hacker group ALPHV was able to obtain an account with administrative privileges from the Consumer Council[2]. They entered the Council's network through VPN and deployed ransomware on 19 September, encrypting 93 systems and infiltrating 11 servers and endpoint devices, resulting in unauthorized access to the personal data of more than 450 individuals.

 

In September 2023, the Council of the Hong Kong Laureate Forum Limited was also subject to a ransomware attack[3]. Due to poor information system management and a lack of monitoring of security measures, the hackers were able to obtain an account credential with system administrator privileges through brute-force attacks. They used the account to access the Laureate Forum's servers through the virtual private network area of the firewall. The hackers then moved laterally and placed the ransomware "Elbie" within the Laureate Forum's network, encrypting the files of a group of servers and seven endpoint devices. Due to an inadequate data backup solution, the hackers also corrupted the backup data. The attack resulted in the compromise of sensitive information of 8,122 individuals.

 

In October 2023, The Hong Kong Ballet (HKB) notified the PCPD of a ransomware attack. Hackers gained access to HKB's network by exploiting a vulnerability in the outdated operating software on its servers[3]. They then used various malicious tools and software, including a credential dumping tool and a remote access tool, to obtain the account passwords of administrators and users, moved laterally across the network and placed the ransomware "LockBit", which resulted in the encryption of files stored in HKB's information system. The hackers stole sensitive information and files of approximately 37,840 individuals, including HKB employees, job seekers, ticket bookers, guest artists, event attendees, donors, sponsors and suppliers.

 

In April 2024, the Hong Kong Vocational and Continuing School was attacked by hackers using ransomware, and approximately 450GB of files, including campus management, financial management, student activities and other information, were leaked[4]. Attack analysis identified vulnerabilities, including one employee URL and 18 user URLs susceptible to hacker infiltration. These vulnerabilities made the school a prime target for the data theft and extortion tactics employed by RansomHouse.

 

There was a similar incident in the computer system of Hong Kong Union Hospital in Tai Wai. The hospital was maliciously attacked by hackers in April 2024. The hackers used ransomware called "LockBit", and many files were encrypted for ransom[5]. This ransomware incident happened through a phishing email campaign. Hackers crafted emails that appeared to be legitimate communications from trusted sources, containing malicious links and attachments. These emails were delivered to hospital employees, bypassing inadequate email filtering measures. When an employee clicked on a malicious link or opened an infected attachment, this triggered the download and execution of the LockBit ransomware.

 

Ransomware Attack Vectors

Hong Kong has witnessed a surge in ransomware attacks, with a number of incidents disrupting businesses and organizations across various sectors in recent months. Attackers have deployed a range of sophisticated attack payloads to infiltrate target systems. HKCERT has analyzed these incidents and identified current ransomware vectors of entry, which are summarized as follows:

 

  1. Phishing Emails: Malicious attachments or links that deliver ransomware payloads.
  2. Remote Desktop Protocol (RDP) Exploits: Exploiting weak or compromised RDP credentials.
  3. Vulnerabilities: Exploiting unpatched vulnerabilities (e.g. database, software).
  4. Drive-by Downloads: Malicious downloads initiated through compromised or malicious websites.
  5. Mal-advertising: Malicious advertisements that lead to ransomware downloads.
  6. Supply Chain Attacks: Compromising a third-party vendor to access the target.
  7. Brute Force Attacks: Guessing passwords to gain access.
  8. Exploiting Misconfigured Services: Gaining access through misconfigured network services.
  9. Social Engineering: Manipulating individuals to gain access or credentials.

 

Latest Developments In Ransomware Attacks

In its analysis and recent studies of ransomware incidents, HKCERT has identified a significant shift in the evolution of ransomware attacks. Cybercriminals not only employ innovative attack vectors, but have also changed how they approach the deployment of ransomware.

 

  1. Ransomware-as-a-Service (RaaS): An increase in the use of RaaS platforms, making ransomware accessible to less sophisticated attackers (e.g. REvil, DarkSide, LockBit).
  2. Multiple Extortion: An advanced ransomware tactic where attackers leverage three methods of coercion:
     • Encrypting Data: Locking files and demanding payment for the decryption key.
     • Data Theft and Public Release: Stealing data and threatening to release it publicly if the ransom isn't paid.
     • DDoS Attacks: Launching Distributed Denial of Service (DDoS) attacks against the victim's infrastructure to further pressure them into paying the ransom.
  3. AI and Machine Learning: Utilizing AI to automate and enhance attack strategies, making them more efficient.
  4. Vulnerability Exploits: Increased use of vulnerabilities to bypass traditional security measures (e.g. CVE-2020-0796, CVE-2021-34527, EternalBlue).
  5. Cryptographic Innovations: Attackers use advanced cryptographic techniques to make decryption harder without paying the ransom.

 

Recommendation for Prevention

In summary, the ransomware threats facing Hong Kong in 2024 highlight the widespread and diverse nature of these attacks. From public departments to private enterprises, few sectors are immune to these organized ransomware incidents. To combat these threats effectively, general and business users need to strengthen their awareness and adopt suitable cybersecurity strategies. HKCERT advises users to stay alert and take appropriate protection measures.

 

  • General User:
    1. Be Cautious with Emails: Avoid opening emails or attachments from unknown or suspicious sources. Verify the sender's email address before clicking on any links or downloading attachments.
    2. Use Strong Passwords: Create strong, unique passwords for all accounts. Avoid using easily guessable information like birthdays or common words.
  • Business User:
    1. Multi-Factor Authentication (MFA): Implement MFA for all accounts, especially those with administrative privileges, to add an extra layer of security.
    2. Risk Management: Ensure all systems and software are regularly updated and patched to protect against known vulnerabilities. Conduct regular security risk assessments, vulnerability scanning and penetration testing.
    3. Strengthen Protocol Security: Disable protocols such as RDP, Telnet and FTP if they are not needed. Restrict access using VPNs and strong authentication methods. Perform regular software updates to patch vulnerabilities in protocol services.
    4. Implement Advanced Email Security: Use advanced email filtering and anti-phishing solutions to detect and block malicious emails, then conduct regular phishing simulation exercises to train staff.
    5. Implement Endpoint Detection and Response (EDR): Enable real-time monitoring and automated response measures to detect abnormal behaviours, including ransomware. Install EDR on all endpoints and configure appropriate detection policies based on threat intelligence, which can enhance the detection rate of attacks, shorten response times, and reduce the losses caused by ransomware.
    6. Network Segmentation: Segment critical systems and data to limit the spread of ransomware. Use firewalls and access controls to enforce segmentation.
    7. Encrypted storage and data backup and recovery: Encrypt sensitive data to ensure its security and implement appropriate access control, authentication and authorisation. Define clear data retention periods, and conduct data cleanup regularly. For important data, offline backups should be saved regularly, and backup and recovery procedures should be established and tested to ensure that the data can be quickly restored.
    8. Incident Response Plan and User Training and Awareness: Develop and regularly update an incident response plan, and conduct regular cybersecurity training focused on ransomware prevention.
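
The Cyberport and Laureate Forum incidents above both began with brute-forced administrator credentials used over remote access. As an added example (not HKCERT's own code), the following sketch shows the kind of detection rule the monitoring recommendations point to: flag a successful RDP logon that follows a burst of failed logons from the same source. Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive) are real; the tuple layout, threshold, window and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS, RDP = 4625, 4624, 10   # Windows event IDs / RDP logon type

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = (
    # Six failures in six minutes, then a success: brute force that worked.
    [(f"2024-01-01T02:0{i}:00", FAILED, RDP, "203.0.113.7", "administrator")
     for i in range(6)]
    + [("2024-01-01T02:06:30", SUCCESS, RDP, "203.0.113.7", "administrator")]
    # One mistyped password followed by a success: normal user behaviour.
    + [("2024-01-01T09:00:00", FAILED, RDP, "198.51.100.20", "alice"),
       ("2024-01-01T09:00:40", SUCCESS, RDP, "198.51.100.20", "alice")]
    # Five failures spread over five hours: outside the sliding window.
    + [(f"2024-01-01T1{i}:00:00", FAILED, RDP, "192.0.2.50", "backup")
       for i in range(5)]
    + [("2024-01-01T15:00:00", SUCCESS, RDP, "192.0.2.50", "backup")]
)

def find_bruteforce_then_success(events, threshold=5,
                                 window=timedelta(minutes=10)):
    """Alert when an RDP logon succeeds after >= threshold failed logons
    from the same source address within the sliding window."""
    failures = defaultdict(deque)          # source_ip -> recent failure times
    alerts = []
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type != RDP:
            continue                       # only remote interactive logons
        when = datetime.fromisoformat(ts)
        recent = failures[src]
        while recent and when - recent[0] > window:
            recent.popleft()               # drop failures older than window
        if event_id == FAILED:
            recent.append(when)
        elif event_id == SUCCESS and len(recent) >= threshold:
            alerts.append({"source": src, "account": account,
                           "failed_attempts": len(recent), "logon_time": ts})
            recent.clear()                 # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in find_bruteforce_then_success(SAMPLE_EVENTS):
        print(alert)
```

An alert of this kind on an administrator account is a cue to check whether MFA is enforced on that access path and to review the account's subsequent activity for lateral movement.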

For more details or security advice, please refer to the "Fight Ransomware" Theme Page, the security blog "Unmasking Cybercrime-as-a-Service: The Dark Side of Digital Convenience" and the "Incident Response Guideline for SMEs".

Professional Help: In case of a cyber security issue, contact HKCERT for enquiry or assistance.

 

Reference

[1] https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_12170_e.pdf

[2] https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r24_14749_e.pdf

[3] https://www.pcpd.org.hk/english/news_events/media_statements/press_20240808.html

[4] https://ransomwareattacks.halcyon.ai/attacks/data-breach-alert-ransomhouse-targets-hong-kong-college-of-technology

[5] https://www.union.org/new/english/news/news_20240418.htm
