The so-called UNC 1878 hacking group, which is reportedly behind a string of ransomware attacks on hospitals, seems to have risen from the dead, again using its malware family of choice, Ryuk.
Reuters reported Wednesday that the FBI is investigating a wave of ransomware attacks currently underway against hospitals across the U.S. and other countries that are tied to UNC 1878. This news came the same day as research from Mandiant, stating one out of every five ransomware attacks the company responds to are from Ryuk malware family, while one out of every five of those attacks was carried out by UNC 1878.
It also comes after researchers at Check Point said earlier this month that an average of 20 organizations have been attacked with Ryuk ransomware every week since July, and other threat firms like Kaspersky have estimated that a business is attacked by ransomware every 40 seconds. UNC 1878’s modus operandi plays into both of those trends, leveraging Ryuk and other tools for speedy attacks against a high volume of targets.
“The best way to summarize UNC 1878 as we know it today would be based on two key themes: speed and scale,” said Van Ta, a senior threat analyst on Mandiant’s FLARE team on an Oct. 28 webcast hosted by the SANS Institute.
Interestingly, however, recent activity comes after an extended lull. Mandiant tracked “prolific” Ryuk-enabled intrusions coming from UNC 1878 in late 2019 and early 2020. Then in March, everything went quiet. For the next five months, researchers didn’t see a single incident tied to UNC 1878, and by August they “almost thought this might be the end of Ryuk,” said Aaron Stephens, another senior threat researcher at Mandiant.
“Obviously, we were really, really wrong.”
“UNC” stands for “Uncategorized” and represents one of the earliest stages at which potential threat groups and activities are classified. Unlike the more mature data and surveillance around APT and FIN hacking groups, where researchers have a much better sense of who might be behind the keyboard, their motivations, possible state sponsorship and other details, UNCs are really just a collection of common tactics, techniques and procedures that are used as part of the same intrusion toolset. It could be a singular threat group, but companies like Mandiant don’t yet know enough about them – or even if the activity they’re tracking comes from the same group – to make that determination.
But what seems clear, is the group was just taking a break. Like an undead zombie rising from the grave, UNC1878 made a “harrowing” return to the ransomware game in September and October, still using Ryuk but with some notable upgrades.
They also ditched Trickbot – a popular form of malware used in the early stages of many ransomware attacks – for a newer loading tool called KegTap (also known as “Bazar”) and upgraded versions of Cobalt Strike, a commercially available penetration testing tool.
These differences initially caused Mandiant to create another UNC group for the new activity, but they eventually felt confident enough in the amount of overlap to attribute it back to UNC 1878.
But the chief among the differences was speed. While the average incident time to response for ransomware attacks could be measure in months as recently as 2019, Mandiant now says that dwell time for UNC 1878 intrusions has been cut down to two to five days. Researchers behind the DFIR Report have said that Ryuk actors are utilizing newly discovered vulnerabilities like Zerologon to escalate privileges, move laterally and deploy the malware in as little as five hours.
Unlike many other ransomware actors, they don’t exfiltrate data beyond credentials or threaten to leak the data. Continuing the zombie analogy, Stephens said the group’s modus operandi about volume and speed. He compared them to the undead hordes seen in modern horror films like “28 Days Later” who don’t shuffle or walk towards their dinner, but sprint.
The researchers point out that these are not academic differences for companies. Knowing which group or threat actors you’re dealing with can help IT security teams or incident responders flag commonly used TTPs and consult existing research or intelligence to identify what their next steps might be once they’re inside your network.
“They’re very, very fast," he said. "It almost feels to me like they really just stick to their playbook, they have a very singular mission and just want to get there as soon as possible and move on."
