Ransomware group attacks a New Jersey bank — then shuts down

A ransomware group called Avaddon recently attacked a New Jersey bank, and shortly after that, shut down its operations and released the keys victims could use to unlock their files.

It's unclear why Avaddon suddenly shut down, but observers speculate that in this and other instances, attackers see law enforcement closing in on them and try to back out before they get caught.

The recent attacks on Colonial Pipeline and the meat company JBS drew public attention to this form of cyber threat. But ransomware has been on the rise for the past year and John Chambers, the former CEO of Cisco Systems, said on Monday he expects U.S. companies to be hit with more than 65,000 ransomware attacks in 2021.

Banks are on many attackers’ lists, as is any organization that might be able to pay ransom. DarkSide, the ransomware group that attacked Colonial Pipeline, went after banks in Florida and California before it shut down.

The attack on Valley National Bank

Earlier this month, on its website in the dark web, Avaddon Ransomware posted a warning to a division of the $41 billion-asset Valley National Bancorp in Wayne, New Jersey.

“Your network has been compromised, we exfiltrated sensitive and confidential documents,” the attackers wrote. “If you do not contact us before timer expiration all data will be leaked!” A ticking timer on the page gave the bank six days to respond.

A bank spokesman reached on Tuesday said Valley National is still investigating the ransomware threat.

“Valley is aware of and investigating a cybersecurity issue relating to a legacy network obtained through the acquisition of Oritani Bank,” he said. Valley National acquired Oritani Financial in New Jersey in December 2019. “This legacy network is isolated from the Valley network and is not critical to our operations. We have been and remain operational.”

As soon as the bank identified the issue, it took immediate steps to investigate and contain it, he said, and it is working with law enforcement authorities and cybersecurity experts.

FBI warnings

The FBI has been warning about Avaddon for some time. In a lengthy alert it issued in May, the agency said Avaddon ransomware actors target a wide variety of organizations and that they have broken into victims’ networks by compromising users’ login credentials for remote desktop protocol and virtual private networks.

This is classic behavior for ransomware groups. According to an analysis conducted by Group-IB, more than half of ransomware operators break in by compromising usernames and passwords for remote access programs such as virtual private networks and software that uses remote desktop protocol; 29% get in through phishing attacks (sending employees emails with malicious links or attachments containing malware).

After Avaddon hackers break in, they typically map the victim’s network and identify which databases and files they want to delete or encrypt, the FBI said. Before they proceed, they make sure the victim is not located in Russia. They not only encrypt victims’ data for a ransom, but also exfiltrate data from their victims. The actors threaten to leak the victims’ data unless their ransom demand is paid in virtual currency within days of infection.
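The initial-access pattern the FBI and Group-IB describe above (guessing or reusing credentials against RDP and VPN logins) leaves a recognisable trace in authentication logs: a burst of failed logons from one source, sometimes followed by a success. The following is an added example, not code from the article, the FBI alert or any vendor mentioned here, showing how a defender might flag that pattern. It assumes a simplified, constructed log format that borrows the Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP); the sample lines, IP addresses and usernames are all made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"    # Windows Security: an account failed to log on
SUCCESS_LOGON = "4624"   # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"    # LogonType 10 = RemoteInteractive (RDP / Terminal Services)

# Constructed sample log (not real data). Simplified one-line-per-event format:
# "<ISO timestamp> <EventID> user=<account> src=<source IP> type=<logon type>"
SAMPLE_LOG = """\
2021-06-14T02:00:01 4625 user=jsmith src=203.0.113.7 type=10
2021-06-14T02:00:03 4625 user=jsmith src=203.0.113.7 type=10
2021-06-14T02:00:04 4625 user=admin src=203.0.113.7 type=10
2021-06-14T02:00:06 4625 user=admin src=203.0.113.7 type=10
2021-06-14T02:00:09 4625 user=backup src=203.0.113.7 type=10
2021-06-14T02:00:11 4624 user=backup src=203.0.113.7 type=10
2021-06-14T08:15:00 4625 user=mlee src=198.51.100.22 type=10
2021-06-14T09:30:00 4624 user=mlee src=198.51.100.22 type=10
2021-06-14T09:31:00 4624 user=mlee src=10.0.0.5 type=2
"""


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, event_id, user, src, ltype = parts
        fields = dict(p.split("=", 1) for p in (user, src, ltype))
        events.append({"time": datetime.fromisoformat(ts), "event": event_id, **fields})
    return events


def detect_rdp_credential_attacks(events, threshold=5, window=timedelta(minutes=5)):
    """Flag RDP password guessing and any RDP success that follows a burst of failures.

    Keeps, per source IP, a sliding window of recent failed RDP logon times.
    Emits one 'rdp_password_guessing' alert per source once the window holds
    `threshold` failures, and a 'success_after_failures' alert whenever a
    successful RDP logon arrives while that window is still full.
    """
    alerts = []
    recent_failures = defaultdict(deque)
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != RDP_LOGON_TYPE:
            continue  # only remote-interactive (RDP) logons are of interest here
        q = recent_failures[ev["src"]]
        while q and ev["time"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if ev["event"] == FAILED_LOGON:
            q.append(ev["time"])
            if len(q) >= threshold and ev["src"] not in burst_reported:
                burst_reported.add(ev["src"])
                alerts.append({"kind": "rdp_password_guessing", "src": ev["src"],
                               "failures": len(q), "time": ev["time"]})
        elif ev["event"] == SUCCESS_LOGON and len(q) >= threshold:
            alerts.append({"kind": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "failures": len(q), "time": ev["time"]})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_rdp_credential_attacks(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the source 203.0.113.7 trips the guessing alert on its fifth failure and then a second alert when the "backup" account logs in eleven seconds later; the single failure from 198.51.100.22 an hour before its success is outside the window and is not flagged, and the non-RDP logon from 10.0.0.5 is ignored. In a real deployment the same logic would read from a SIEM or the Security event log, and the success-after-failures alert is the one that warrants immediate triage, since it is the point at which a credential-based intrusion of the kind described above has actually succeeded.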

The FBI declined to answer questions for this story.

Is Avaddon coming back?

DarkSide, a cybercriminal group that, like Avaddon, is a loose network of people, some of whom develop and sell ransomware-as-a-service while others use the malware to conduct attacks, also shut down recently, shortly after Colonial Pipeline paid its ransom in bitcoin and the FBI retrieved the digital currency. Observers speculated that the group would just pop right back up again, perhaps with a different name and a modified organizational structure.

In Avaddon’s case, security experts suspect the group is gone for good.

“The Colonial Pipeline and JBS incidents have got governments and law enforcement agencies increasingly looking at this problem,” said Brett Callow, threat analyst at Emsisoft. “They have seized funds in one case, they have made arrests in connection with ransomware-related operations,” he noted. “These groups are not guaranteed to have such plain sailing as they used to. That's given some cold feet and they’ve decided to head for the hills while they still have their liberty and cash.”

Callow cautioned, however, that though the creators of Avaddon ransomware have called it quits, the people who were using the software to carry out the attacks will probably align themselves with another group and keep going.

“So this is really going to have quite a minimal impact on the overall threat landscape, unfortunately,” he said.

Before the Avaddon group shut down, it provided the decryption keys to its ransomware to Emsisoft and a few other companies, so that victims could unlock their files. Emsisoft researchers tested the keys and found they worked. But any data the cybercriminals stole from their victims might have already been bought by other criminals, Callow said.

For any victim, “If data was stolen, that data is still out there,” he said. “The only thing that has really changed now is that any organization which still has data encrypted as a result of an Avaddon attack can now recover that data.”

In some cases, data that is encrypted is corrupted in the process, “so that even if you were to pay the ransom to get a decryption key, that bit of the data has gone forever,” Callow said.

And even with Avaddon and DarkSide out of operation, ransomware groups are expected to continue conducting their attacks against hospitals, local governments, banks and whoever they can get.

“Ransomware is so profitable that it's not going to come to an end by itself,” Callow said. “If one group decides to call it quits, others will invariably replace them. And that will continue to be the case, I think, until we find some way of either taking the money out of ransomware, cutting off the flow of cash so it's no longer worth their while, or really ramping up law enforcement efforts and starting to bring a number of people to justice.”
