Ransom Group Qilin Attacks Morgan County 911 Service
Yesterday, the RaaS group Qilin claimed another victim: the Morgan County 911 Service in the State of Alabama. The public safety service is publicly funded and not a privately owned commercial entity; it operates a county-wide radio system and provides ambulance services.
Known as a Public Safety Answering Point (PSAP), it operates a hub that answers 911 calls and coordinates emergency responses. Furthermore, Qilin targeted the organization and exfiltrated an undetermined number of files as proof of the intrusion and subsequent data theft.
The collection of screenshots shows 10 photos consisting of a variety of information.
- Financial spreadsheets showing revenue and expenditures
- Personal identifying information (PII)
- Spreadsheet showing call time, containing PII.
- Other financial information
Aside from the information the group published on their Tor site, there is not much known about which servers were targeted or which attack vectors were used. However, a brief look at their known attack patterns can shed insight into how this group finds and exploits its targets.
Dark Web Databrokers
The most common way ransomware and data extortion gangs find their targets is by purchasing infostealer logs on dark web markets. Infostealers such as RedLine, Racoon Stealer, Vidar, Lumma, and Steac, to name a few, harvest vast amounts of information from the machines they infect, including systems infected with a botnet.
The information they contain includes the following:
- Browser-stored credentials
- Cookies and session tokens
- Auto-fill form data
- Windows system information (usernames, hostname, software list)
- Screenshots or desktop metadata
- FTP credentials
- Crypto wallet information
Logs are usually sold at a very cheap price, and can be purchased at $2 to $50, depending on the quality and access. This is turned into access, where the attackers log in through remote desktop protocol or VPN and begin performing network reconnaissance to map out what’s running on the network. From here, they can escalate privileges, deploy ransomware, or download data.
It’s certainly easier than learning how to hack into specific targets. In fact, most modern ransomware operations no longer need to hack their way in, because infostealer malware does the work for them.
The logs it produces are harvested and sold, giving threat actors direct access to credentials and systems. As a result, infostealer logs have become the fundamental backbone of virtually all ransomware operations.
Conscience and Cybercrime
Those who possess a working knowledge of web server hacking may be fewer in number than those who simply know where to find and purchase logs. While ransomware groups typically do not discriminate and will attack anything that offers the potential for financial gain, even fewer seem to possess a conscience or operate by any standards that prohibit targeting schools, hospitals, nursing homes, or emergency services that can affect public safety.
It’s a curious thing to contrast the motives of your everyday robber or street criminal with ransomware groups. Traditionally, even organized crime rings that aren’t above robberies and extortion wouldn’t conceive of considering these industries as profitable targets.
The emotional detachment that comes with operating in digital spaces fosters no emotional connection to the victims that ransomware gangs target. There are no voices, no crying children, and certainly no dying patients to be confronted with.
Furthermore, many ransomware groups and their affiliates operate in loosely organized, decentralized ecosystems where there is little to no oversight or accountability at all. This means they do not operate with a moral code, and nothing is considered off-limits.
Furthermore, due to the ransom group’s distance from the consequences of their actions, they often exhibit psychopathic tendencies, driven by apathy and a disturbing pleasure in others’ misfortune. For some, the motivation is simply to cause destruction 'for the lulz,' meaning for fun or laughs.
It is not uncommon for these groups to view their actions as a game, a competition, or an act of digital domination, punishing institutions based on untested ideologies that they are 'just part of the machine.’
Ultimately, to them, it's all just data and dollars.