GlobeImposter 2.0 Encrypted Almost All Systems in Auburn Food Bank

Delaware, USA – June 11, 2019 – The attack occurred on June 5 in the middle of the night, when there were no employees in the office of the non-profit organization. Only one computer remained unencrypted, and it is now used as a server to partially maintain the organization's operations. Auburn Food Bank provides relief to people living within the boundaries of the Auburn School District and is located in King County, Washington. The organization didn’t pay the ransom and is now looking for help from concerned citizens with the recovery of lost information. Recovery will take about $8,000 and many hours of manual work to digitize “tons of forms that need to be recreated.”

GlobeImposter 2.0 is installed manually after compromising RDP connections, which seems to be the case with Auburn Food Bank. The rise in the number of attacks using this ransomware strain started in April, and one of the most significant victims was A2 Hosting: as a result of the attack, not only did the web hosting provider suffer financial losses, but so did many of its customers.

With the shutdown of the Ransomware-as-a-Service platform GandCrab, cybercriminals are moving to other platforms and ransomware families. Last week, RIG Exploit Kit operators began distributing Buran ransomware. Other RaaS platforms are expected to increase their number of affiliates soon. To detect attacks on your RDP connections, you can use the Brute Force Detection rule pack, which helps a SIEM identify unauthorized access attempts that use various brute force techniques combined with modern methods of hiding the attacker's actions: https://my.socprime.com/en/integrations/brute-force-detection-arcsight
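The kind of correlation such a rule performs can be sketched as follows. This is an added example, not part of the SOC Prime rule pack or the original article: it flags a burst of failed RDP logons (Windows event 4625) from one source address and, with higher priority, a successful logon (4624) that follows the burst. The window, threshold, function name and sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624      # Windows Security log event IDs
RDP_LOGON_TYPES = {3, 10}         # 10 = RemoteInteractive; NLA attempts often appear as 3
WINDOW = timedelta(minutes=10)    # assumed tuning value
THRESHOLD = 5                     # assumed tuning value

def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of (time, event_id, logon_type, source_ip, account)."""
    recent_failures = defaultdict(deque)   # source_ip -> failure timestamps in window
    alerts = []
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue                       # ignore console, service and batch logons
        recent = recent_failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()               # expire failures outside the window
        if event_id == FAILED:
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("bruteforce", src, ts, account))
        elif event_id == SUCCESS and len(recent) >= threshold:
            # A logon that succeeds right after a failure burst is the urgent case.
            alerts.append(("success_after_bruteforce", src, ts, account))
            recent.clear()
    return alerts

# Constructed sample data: documentation IP ranges and invented account names.
T0 = datetime(2024, 1, 1, 2, 0, 0)

def at(seconds):
    return T0 + timedelta(seconds=seconds)

GUESSED = ["admin", "administrator", "backup", "scanner", "user1", "administrator"]
SAMPLE_EVENTS = (
    [(at(20 * i), FAILED, 10, "203.0.113.7", name) for i, name in enumerate(GUESSED)]
    + [(at(180), SUCCESS, 10, "203.0.113.7", "administrator")]
    + [(at(30), FAILED, 10, "198.51.100.20", "jsmith"),    # one typo, then success
       (at(45), SUCCESS, 10, "198.51.100.20", "jsmith")]
    + [(at(5 * i), FAILED, 2, "127.0.0.1", "kiosk") for i in range(8)]  # console, not RDP
)

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The single mistyped password from 198.51.100.20 and the console failures produce no alert; only the burst from 203.0.113.7 and the logon that follows it are reported.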