A study by risk solutions provider Kroll indicated that a group of hackers from Russia managed to file fraudulent unemployment claims with the Washington State Employment Security Department, or ESD, through a ransomware attack against a healthcare provider in the US.
According to research published on June 17, the firm investigated browser history logs showing that the cybercriminals reportedly navigated to various Gmail accounts. They then activated two profiles on the ESD site using these email addresses.
International organized cybercrime groups appearing on the scene
The ransomware attack, launched on May 12, was a Mamba category exploit, which uses full disk encryption to attack its victims. Kroll found that data was associated with Washington state residents.
The report says that the collected information shows that there are transnational organized crime groups, or TOCs, launching widespread unemployment insurance fraud against residents of various US states — specifically Washington and Massachusetts.
The hypothesis appears to be that cybercriminals are likely leveraging stolen batches of personally identifiable information from various dark web marketplaces.
Kroll clarifies that hackers began accessing the unknown healthcare provider's network in late April. They say the attackers initially launched an unsuccessful GoGoogle ransomware attack that was quickly neutralized by the IT staff.
Unemployment fraud keeps rising in the U.S.
Speaking with Cointelegraph, Nicole Sette, a senior vice president in Kroll’s Cyber Risk practice and a former FBI cyber intelligence analyst, said that ransomware and COVID-related unemployment fraud continue to plague organizations across the United States:
"In this case, Kroll investigated a dual ransomware/unemployment fraud scam that revealed the various tactics, techniques and procedures actors use to monetize victim networks. We continue to see cyber criminals conducting multifaceted intrusions, capitalizing on various schemes to siphon PII, funds and proprietary data from victim networks. The key takeaway from this report is that cyber threat actors will employ a variety of techniques to take advantage of their network access during a cyber intrusion event."
Sette also provided more details about the Mamba ransomware attack:
"Since Mamba utilized full disk encryption, a different attack method that would be more difficult for the IT to remediate. Mamba is known to exploit Remote Desktop Protocol (RDP) to gain access to victim networks and can move laterally throughout a network."
Sette cautions that Kroll believes ransomware attacks will continue to gain steam during the COVID-19 pandemic due to increased network vulnerabilities related to expanding work-from-home requirements, adding that "many organizations have not successfully secured their RDP/VPN."
Recent ransomware incidents
Recently, Cointelegraph reported on another Kroll study that identified a growing trend in the use of the Qakbot trojan, or Qbot. This trojan is known to launch email thread hijacking campaigns and deploy ransomware attacks.
On May 28, Microsoft's security team revealed a new type of ransomware that uses "brute force" against a target company's systems management server. It has mainly targeted the healthcare sector amid the COVID-19 crisis.