Symantec Alerts 31 Customers to Cyberattacks

Symantec sent an alert to its customers Thursday night, notifying them to a series of attacks against U.S. companies by threat actors attempting to deploy WastedLocker ransomware on their networks.

“The end goal of these attacks is to cripple the victim’s IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion dollar ransom,” according to a blog post by Symantec’s Critical Attack Discovery and Intelligence Team. “At least 31 customer organizations have been attacked, meaning the total number of attacks may be much higher. The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks.”

The attackers linked to WastedLocker are known as Evil Corp; the U.S. Department of Justice (DOJ) has indicted two Russian men connected with the group on charges of hacking and bank fraud offenses committed over a decade.

All 31 organizations that Symantec identified as impacted by the attacks are located in the United States—many of them are major corporations.

“Manufacturing was the sector most affected, accounting for five targeted organizations,” Symantec said. “This was followed by Information Technology (four) and Media and Telecommunications (three). Had the attackers not been disrupted, successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains.”

The threat actors behind the cyberattack were able to compromise and inject code into these organizations’ networks at a rate not previously seen and capable of causing major damage.

“The attackers behind this threat appear to be skilled and experienced, capable of penetrating some of the most well protected corporations, stealing credentials, and moving with ease across their networks,” Symantec explained. “As such, WastedLocker is a highly dangerous piece of ransomware. A successful attack could cripple the victim’s network, leading to significant disruption to their operations and a costly clean-up operation.”

In an interview with The New York Times, Symantec Technical Director Eric Chien said that the attack was designed to target remote workers—looking for signals that the victim’s computer was part of a government or major corporate network before infecting it.

Ransomware’s new look: the work-at-home vulnerability. With ⁦@nicoleperlroth⁩ https://t.co/iKDM6TEZOi

— David Sanger (@SangerNYT) June 26, 2020

“Security firms have been accused of crying wolf, but what we have seen in the past few weeks is remarkable,” Chien added. “Right now, this is all about making money, but the infrastructure they are deploying could be used to wipe out a lot of data—and not just at corporations.”

The discovery of these recent Evil Corp attacks is just one of many cyberattacks and infiltrations designed to take advantage of the mass transition to remote working and potentially weaker security controls due to the coronavirus pandemic. Earlier this spring, the World Health Organization (WHO) and the FBI issued warnings about increases in schemes leveraging the COVID-19 pandemic.

Along with the mitigation measures released by Symantec in its blog post, there are additional steps organizations can have employees connecting remotely take to help prevent cyberattacks and breaches. These include providing social engineering awareness, creating strong password policies, and regularly updating systems, according to Lance Sptizner, director of the SANS Institute Security Awareness Program.

“Our goal is to make security as simple as possible for people,” Spitzner said in a webinar hosted by SANS on preparing workforces to go remote. “They’re overwhelmed, and you might think [multi-factor authentication and virtual private networks] are simple—for a lot of people they are scary and confusing.”