Understanding Carnival's ransomware attack, hitting two different data types

Data stored in separate databases are susceptible to the same cyberattack. If a hacker can find their way into multiple repositories, they will take full advantage of both.

Last week Carnival Corporation disclosed a ransomware attack on one of its brands' IT systems. The company's initial investigation led it to believe personal customer and employee data were accessed.

The week prior, the Metropolitan Community College of Kansas City (MCCKC) announced it also suffered a ransomware attack. MCCKC couldn't definitively say the intruders extracted personal data, it's "possible" they accessed names, Social Security numbers, drivers' license information, medical information, and bank account information of employees and "former, prospective, and current students," according to the announcement.

Within two weeks, two organizations operating in different industries experienced ransomware actors double-dipping in two separate types of data. While it's unknown how the data was stored (i.e. separate databases), bad actors accessing multiple repositories at once is an escalation bad actors will take if they can.

"It's becoming increasingly common for this to happen," for bad actors to access different kinds of data in one attack, said Allan Liska, senior security architect at Recorded Future. But cybercriminals need to learn the network before they can get the escalations required to invade other databases.

"With the rise of extortion sites, you have to make sure you're stealing the right data. Even though customer data is in one database, employee data is in another database, both of those are really valuable," said Liska.

Carnival is an international company, but due to the pandemic, it's losing an estimated $650 million in "monthly average cash burn," according to a company filing in June.

"They're kind of disjointed as they're trying to figure out what to do next. And that's going to be a problem," said Liska.

Sit and wait

Some malware infections were planted long before COVID-19 hit stateside, they're only just now deploying.

In July, Blackbaud, a cloud-based software company used by charities and universities, disclosed a ransomware attack discovered in May. Upon detection, three months after the February intrusion, the company "successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system," according to the announcement. But not before a "subset of data" was removed from "our self-hosted environment."

Blackbaud paid its intruder, demanding the copied data be destroyed. At this point, the company has "no reason to believe" any data "went beyond the cybercriminal."

"A lot of these attackers typically have foothold into tons of places, because they're just rolling through cable networks and anybody who's connected online, and they're just harvesting these kinds of opportunities," said Jason Rader, national director of network and cloud security at Insight.

Bad actors lurk in systems anywhere between zero and 299 days between "first evidence of malicious activity and the deployment of ransomware," according to FireEye. Three-quarters of ransomware is typically deployed in off-hours, on the weekends, before 8 a.m., or after 6 p.m.

If a cybercriminal can access a machine, recover the password and it's the same password throughout an organization, they have a foothold on the targeted company where their "mothership" of cybercriminals can move laterally with, said Rader. "They just want to lock up as much stuff as they can."

The longer cybercriminals can sit idly, unnoticed in a system, they can figure out the most important assets. Waiting has zero costs, said Rader. "They can even work themselves into your backups … That's more money for them."

Ransomware = data breach

Last year ransomware had an identity change. While the operational strains of ransomware remain — encrypted and stalled systems — cybercriminals have upped the ante by stealing encrypted data. Some bad actors are going as far as publishing stolen data online.

"At this point, with very few exceptions, a ransomware attack is pretty much a data breach," said Liska.

Ransomware puts a spotlight on a company's security practices and its data management. Best practices are as simple as "not storing the encryption key in the same area of the system where [hackers] can easily find the key," and continue accessing databases, said Eva Pulliam, partner at Arent Fox.

If a cybercriminal obtained HR administrative credentials, the post-mortem investigation has to find out how the intruder was able to access disparate databases dedicated to customers, not employees.

The more data a cybercriminal can gather, the more likely its target will pay the extortion.

"You get in, you understand, you learn the network, and you're like, 'Oh, that's your HR database. Let's grab that,'" said Liska. If the HR personnel has administrator rights to the entire network, "you may be able to just get everything," though that shouldn't always be the case.

Some hackers are able to elevate themselves so aggressively they can create an admin account on the Active Directory server.

If a bad actor obtains administrative credentials, then security falls by the wayside. "They can get whatever they want," said Liska. To stop escalation, companies can adopt network segmentation and threat detection.

Unforgiving forensics

In Carnival's case, employee and consumer data might overlap in some areas, such as TSA documentation and passport information for international travel.

A cruise line has to keep track of everyone aboard the ship, regardless of employment, customers and employees might "move between" data segmentations, said Pulliam. "They have very sensitive data probably on both sides of their system. That's very different from what you might consider from maybe a retailer."

Even if network segmentation is done well, or the HR database is under the purview of a third party, a keylogger on the head of HR's computer could lead a hacker to the data. But hackers may not have to do anything "that dramatic," said Liska. They could just pull down credentials for locally-stored databases.

Carnival is still unsure what data was accessed by its attackers, only noting "certain" data was compromised. Companies unable to know what data was impacted usually means they haven't yet been able to crack the password on the encrypted file, said Rader.

Forensics should eventually uncover the impacted data, but a lot of organizations are incapable of identifying such data. "Ransomware is tricky, because once it locks down your system, you may not know exactly whether or not they can see the data or something in your system that just locked it," said Pulliam.

Forensic investigations post-ransomware attacks can be unforgiving, however. Sometimes remediation can inadvertently erase evidence. If a company isn't logging who accesses systems, investigators can't know what access the cybercriminals had.

"Unfortunately, that's a really common problem. Security teams get overwhelmed and they're like, 'Okay, we're just gonna have to turn off logging on these systems,'" said Liska. The hackers can more easily get away with their crime because there's nothing tracking what they're doing.