Full Report
The head of a ransomware group that broke into the servers of domestic companies holding large amounts of personal information, including hospitals and apartment management offices, has been arrested in Kazakhstan. This is the first time Korean police have directly arrested a suspect in cooperation with Kazakhstan's investigative agencies. The Cyber Investigation Division of the Gyeonggi Southern Police Agency said on the 15th that in July of last year it arrested a 35-year-old Kazakh man on suspicion of violating the Information and Communications Network Act (distribution of malicious programs) and attempted extortion. From 2022 until July of last year the suspect, referred to as A, led the ransomware group, broke into the servers of six domestic companies, including hospitals and apartment management offices, and encrypted their internal data. Original article: "(Press release) Gyeonggi Southern Police Agency Cyber Investigation Division arrests ransomware suspect who targeted domestic companies" ((보도자료) 경기남부청 사이버수사과 국내 업체 대상 랜섬웨어 피의자 검거) @ https://www.ggpolice.go.kr/main/bbslist.do?bbsId=FD31
Analysis Summary
# Incident Report: Arrest of Kazakhstan-Based Ransomware Lead
## Executive Summary
A 35-year-old Kazakh national, the leader of a ransomware group, was arrested in Almaty, Kazakhstan, for orchestrating attacks against South Korean organizations. The group targeted hospitals and apartment management offices, encrypted internal data on their servers and demanded ransoms in Bitcoin. The case is the first direct arrest achieved through joint cooperation between South Korean police (Gyeonggi Southern Police Agency) and Kazakhstan's National Security Committee (NSC).
## Incident Details
- **Discovery Date:** September 2022
- **Incident Date:** 2022 to July 2023
- **Affected Organization:** Six (6) domestic companies (unnamed), including hospitals and apartment management offices.
- **Sector:** Healthcare, Property Management, Critical Infrastructure
- **Geography:** South Korea (Victims); Kazakhstan (Attacker Origin)
## Timeline of Events
### Initial Access
- **Date/Time:** 2022 (Ongoing through July 2023)
- **Vector:** Password guessing (brute force) against default and weak administrative credentials
- **Details:** The attacker exploited weak configurations by trying commonly used passwords and vendor-default administrative IDs/passwords that the target companies had never changed. No exploit of a software vulnerability is reported; entry was through valid credentials.
### Lateral Movement
- **Details:** Once logged in with default or simple credentials, the threat actor obtained system administrator privileges and used them to move across the victims' internal networks.
### Data Exfiltration/Impact
- **Details:** Internal data on the servers was encrypted with ransomware. None of the Korean companies reportedly paid the Bitcoin ransom, but the affected servers were paralysed for a period and services were disrupted.
### Detection & Response
- **Detection:** September 2022, following victim reports to the Gyeonggi Southern Police Agency.
- **Response Actions:** Police analyzed affected servers, traced the origin to a Kazakh IP address, and initiated international criminal justice cooperation.
## Attack Methodology
- **Initial Access:** Password guessing against default and weak administrative credentials (valid-account login, not a software exploit).
- **Persistence:** Not explicitly detailed; access was maintained for the duration of the campaign, until July 2023.
- **Privilege Escalation:** Acquisition of system administrator privileges after initial login.
- **Defense Evasion:** Not detailed in the report.
- **Credential Access:** Trial of commonly used passwords and unchanged vendor-default credentials against administrator accounts.
- **Lateral Movement:** Access to further internal systems once administrative control of the first server was obtained.
- **Impact:** Encryption of server data and attempted extortion for Bitcoin.
## Impact Assessment
- **Financial:** Attempted extortion via Bitcoin; significant costs related to server downtime and recovery.
- **Data Breach:** Personal information stored on hospital and management servers was compromised/encrypted.
- **Operational:** "Paralysis of the server for a while," disrupting healthcare and residential management services.
- **Reputational:** High-profile compromise of organizations (hospitals, apartment management offices) that hold sensitive personal data on patients and residents.
## Indicators of Compromise
- **Network indicators:** Kazakh-origin IP addresses (Specific IPs not disclosed in the report).
- **Behavioral indicators:** Bursts of failed logins against administrator accounts followed by a successful login from the same source; administrator logins from previously unseen sources; unauthorized large-scale file encryption on servers.
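The behavioral indicators above can be checked directly against authentication logs. The following is an added example, not code from the original report or from any of the agencies involved: it parses sshd-style login lines, counts failures against administrator accounts per source IP inside a sliding window, and escalates when the same source then logs in successfully or when an administrator login arrives from a source not in a known-good list. The log lines, IP addresses, usernames, the `ADMIN_ACCOUNTS` set and the thresholds are all constructed for the example.

```python
"""Flag brute-force attempts and likely compromises of admin accounts
in authentication logs (added example; sample data is constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines; the IPs, users and times are invented.
SAMPLE_LOG = """\
2022-09-10T02:14:01 sshd[811]: Failed password for admin from 203.0.113.7 port 50122
2022-09-10T02:14:03 sshd[811]: Failed password for admin from 203.0.113.7 port 50123
2022-09-10T02:14:05 sshd[811]: Failed password for admin from 203.0.113.7 port 50124
2022-09-10T02:14:07 sshd[811]: Failed password for admin from 203.0.113.7 port 50125
2022-09-10T02:14:09 sshd[811]: Failed password for administrator from 203.0.113.7 port 50126
2022-09-10T02:14:12 sshd[811]: Accepted password for admin from 203.0.113.7 port 50127
2022-09-10T02:20:00 sshd[811]: Failed password for nurse01 from 198.51.100.4 port 40001
2022-09-10T02:20:30 sshd[811]: Accepted password for nurse01 from 198.51.100.4 port 40002
2022-09-10T03:00:00 sshd[811]: Accepted password for admin from 192.0.2.10 port 40100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

# Assumed set of privileged account names to watch (adjust per environment).
ADMIN_ACCOUNTS = {"admin", "administrator", "root"}


def parse(log_text):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def analyze(events, known_admin_sources=frozenset(), threshold=3,
            window=timedelta(minutes=5)):
    """Return {source_ip: alert} for admin-account activity worth review.

    An alert is raised when a source accumulates `threshold` failures
    against admin accounts inside `window`; it is marked `success_after`
    if that source then logs into an admin account. A successful admin
    login from a source not in `known_admin_sources` is also raised.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent admin failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] not in ADMIN_ACCOUNTS:
            continue
        ip = ev["ip"]
        # Keep only failures still inside the sliding window.
        failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
        if not ev["ok"]:
            failures[ip].append(ev["ts"])
            if len(failures[ip]) >= threshold:
                alert = alerts.setdefault(ip, {
                    "failures": 0, "success_after": False,
                    "new_source": ip not in known_admin_sources,
                })
                alert["failures"] = len(failures[ip])
        elif ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["user"] = ev["user"]
        elif ip not in known_admin_sources:
            alerts[ip] = {"failures": 0, "success_after": True,
                          "new_source": True, "user": ev["user"]}
    return alerts


def classify(alert, threshold=3):
    """Map an alert to a triage label."""
    if alert["failures"] >= threshold and alert["success_after"]:
        return "likely compromise"   # guessing that ended in a valid login
    if alert["failures"] >= threshold:
        return "brute force"
    return "review"                  # admin login from an unknown source


if __name__ == "__main__":
    for ip, alert in analyze(parse(SAMPLE_LOG),
                             known_admin_sources={"192.0.2.10"}).items():
        print(ip, classify(alert), alert)
```

In the constructed sample the source 203.0.113.7 fails five times against `admin`/`administrator` and then succeeds, which is exactly the pattern the report describes, so it is classified as a likely compromise; the 192.0.2.10 login is suppressed only because it is on the known-good list, and would otherwise be queued for review.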
## Response Actions
- **Containment Measures:** Real-time disruption of active attacks during the police raid in Almaty on July 1, 2023.
- **Eradication Steps:** Arrest of the group leader and seizure of hardware/digital evidence.
- **Recovery Actions:** Collaboration with KISA (Korea Internet & Security Agency) to share secured ransomware decryption technology with victims.
## Lessons Learned
- **Credential Hygiene:** The primary point of failure was the retention of vendor-default passwords, or the use of short, easily guessed strings, on administrative accounts; no software vulnerability was needed.
- **International Cooperation:** The case shows that cross-border investigative coordination is necessary to apprehend actors operating from jurisdictions where extradition is slow or unavailable.
## Recommendations
- **Authentication:** Enforce multi-factor authentication (MFA) for all administrative logins, including remote and vendor maintenance access.
- **Password Policy:** Change every vendor-default password before a server goes into service; require long, unique passwords for administrative accounts and audit periodically for defaults and common strings.
- **Access Control:** Restrict administrative interfaces to trusted networks with access control lists (ACLs), rate-limit or lock out repeated failed logins, and monitor account usage history for anomalies such as failure bursts or logins from unfamiliar sources.
- **Backup Strategy:** Maintain offline, encrypted backups and test restoration, so that operations can be recovered without paying a ransom.
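An offline audit for the password-policy recommendation above, as an added example that is not part of the original report: it takes an exported account store of salted PBKDF2-SHA256 hashes and reports every administrative account whose password is a vendor default, a common string, the username itself, or the username with "123" appended. The account store layout, the account list, the default-password list and the iteration count are all constructed for this example; a real audit would load hashes from the actual directory or appliance and use a far larger wordlist.

```python
"""Audit an account store for default or trivially guessable passwords
(added example; accounts and wordlist are constructed)."""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs quickly; real stores use more


def pbkdf2(password, salt, iterations=ITERATIONS):
    """Assumed hash scheme of the exported store: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Passwords a brute-forcer tries first: vendor defaults and common strings.
# Constructed list; extend from vendor documentation and real wordlists.
DEFAULT_PASSWORDS = [
    "admin", "admin123", "password", "1234", "12345678", "P@ssw0rd", "changeme",
]


def make_account(username, password):
    """Build one store entry with a fresh random salt (for the sample only)."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": pbkdf2(password, salt)}


# Constructed account store; no real organization's data.
ACCOUNTS = [
    make_account("admin", "admin"),                      # vendor default
    make_account("hms_admin", "P@ssw0rd"),               # common "complex" string
    make_account("backup", "correct horse battery staple 2022"),
]


def audit(accounts, wordlist=DEFAULT_PASSWORDS):
    """Return {username: matched_password} for every account whose hash
    matches a wordlist entry, the username, or username + '123'."""
    findings = {}
    for acct in accounts:
        candidates = list(wordlist) + [acct["username"], acct["username"] + "123"]
        for cand in candidates:
            # Recompute with the account's own salt; constant-time compare.
            if hmac.compare_digest(pbkdf2(cand, acct["salt"]), acct["hash"]):
                findings[acct["username"]] = cand
                break
    return findings


if __name__ == "__main__":
    for user, pw in audit(ACCOUNTS).items():
        print(f"{user}: weak/default password in use ({pw!r})")
```

Run against the constructed store, the audit flags `admin` and `hms_admin` and passes `backup`. Because the check recomputes each candidate with the account's own salt, it works on any store that exports salt, hash and iteration count; it never needs the plaintext passwords.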