Ransomware viruses (ransomware) in Russia

Main article: Ransomware ransomware ransomware viruses (ransomware)

2024

MorLock ransomware group increased the intensity of attacks on Russian business

On May 7, 2024, the company, a F.A.C.C.T. developer of technologies to combat cybercrime, announced the activation of the criminal ransomware group MorLock. The attackers attack the Russian of the company have significantly increased the intensity of their attacks since at least the beginning of 2024 and in April-May. Like the Muliaka group, MorLock is used to distribute ransomware on the victim's network. antivirus

The first attacks of MorLock ransomware to data , according to specialists from computer the Forensic Laboratory of F.A.C.C.T., were recorded at the very beginning of 2024, and from that moment on, at least 9 Russian companies from the medium and large business segment became their victims.

MorLock specializes exclusively in encrypting data in the victim's IT infrastructure using LockBit 3 (Black) and Babuk ransomware. For the restoration of access, the attackers demand a ransom, the size of which can be tens and hundreds of millions of rubles. True, in the process of negotiations, the amount can be almost halved.

Due to the fact that the group is not engaged in exfiltration - copying and theft - of data, MorLock attacks last only a few days from the moment they gain access to the start of the data encryption process.

As an initial vector of attacks, attackers used vulnerabilities in public applications (for example, Zimbra), as well as access purchased on such closed marketplaces as, for example, Russian Market. In the latest attacks, the attackers used the compromised credentials of the partners of the affected companies as initial access.

In all cases, if the victim had a popular Russian corporate antivirus installed, the attackers, having gained access to his administrative panel, turned off antivirus protection and used this product to distribute the ransomware on the victim's network.

Unlike the Shadow group, MorLock from the very beginning of its activity decided not to shine a "brand" and preferred to remain in the shadows: in a note demanding a ransom, attackers indicate only the ID for the Session messenger as contacts.

^{Fig. 1. Text of one and notes demanding redemption of MorLock}

However, one of the first MorLock attacks provoked a serious scandal at the end of January - a "showdown" at the Russian-language hacker forum XSS.is in connection with an attack on a Russian company using the LockBit 3 (Black) ransomware, violating the unspoken rule of Russian-speaking cybercriminals "Do not work on RP." Following the discussion, the administrators of the forum blocked the accounts of participants associated with the attacks on Russia (Figure 2).

^{Fig. 2. Administrator message about blocking accounts on the XSS.is}

Some of these members were directly associated with the MorLock group.

Russian companies - under attack by a group of Muliaka cyber drivers

, a F.A.C.C.T. developer of cybercrime technology, discovered the criminal ransomware group Muliaka. Attackers attack the Russian of the company since at least December 2023. In one of the attacks, attackers Windows took advantage of the popular corporate to distribute ransomware on the victim's network and run it on hosts. antivirus The F.A.C.C.T. reported on April 9, 2024.

In January 2024, one of the Russian companies was attacked by a previously unknown criminal ransomware group - as a result, the victim's Windows systems and VMware ESXi virtual infrastructure were encrypted.

The period from gaining access To IT infrastructure to the victim to the beginning enciphering data took the attackers about 2 weeks. During the investigation, F.A.C.C.T. specialists found out that the IT attackers used VPN the company's service to remotely access the victim's -infrastructure, and the WinRM remote management service (Windows Remote Management) to navigate the infrastructure nodes.

Specialists from the Forensic Laboratory computer of F.A.C.C.T. named the new Muliaka group, using as naming part of the name email of the kilamulia@proton.me account, which the extortionists leave to communicate with the victim, and the South Russian word "dummy," meaning dirty muddy water.

To distribute their ransomware on the victim's network and run it on Windows hosts, the attackers used the installed corporate antivirus software. To remotely launch the ransomware, the attackers created an installation package (see Figure) and an appropriate task. It should be noted that with the installed antivirus in the victim's IT infrastructure, advanced attackers are increasingly choosing to use this product for secretive and effective promotion over the network.

^{The contents of the ransomware installation package.}

Before encryption, attackers ran an auxiliary PowerShell Update.ps1 script on hosts, which is designed to stop and prohibit services databases and, backup delete recovery points and shadow copies of volumes, it also disables network adapters on the host, and thereby disconnects the host from the network. The F.A.C.C.T. recalled that a similar technique was previously used by the OldGremlin ransomware group.

The greatest interest among forensic scientists was caused by ransomware programs in service with the Muliaka group. For example, a ransomware for Windows was developed based on the source codes of the Conti 3 ransomware leaked to the public, but it is one of its most interesting modifications.

Encryption of files is carried out in two passes. This is done in order to block the victim's data as quickly as possible at the first pass, and to make it as difficult as possible to decrypt and restore them without paying the ransom.

A sample ransomware for ESXi could not be found on the victim's hosts, it was removed by the attackers. However, the information received was enough to find other sample ransomware for Windows and ESXi. Two months ago, a sample ransomware for ESXi was uploaded to the VirusTotal portal and is still not detected by any antivirus vendor. It is noteworthy that almost all the samples found were uploaded to the VirusTotal portal from Ukraine.

^{Screenshot of the VirusTotal portal with the results of checking the ransomware for ESXi.}

F.A.C.C.T. specialists joined the investigation of the Muliaka group attack already at the stage of restoration by the company's employees of its IT infrastructure. The attackers used the victim's VPN, but whether it was initial access was not exactly established as of April 2024. The use of vulnerabilities in public applications or phishing as the initial vector of an attack cannot be ruled out, "said Anton Velichko, head of the Computer Forensics Laboratory at F.A.C.C.T. - According to our data, the group has been active since at least December 2023 and its victims are exclusively Russian companies. The actions of the attackers can be characterized as sufficiently qualified, after which they leave a minimum number of traces.

Interactive ransomware attack simulator launched in Russia

An interactive simulator of ransomware virus attack has been launched in Russia. We are talking about the development of Kasperkogo Lab. The press service of the company spoke about it in early March 2024. Read more here.

SugarLocker group of cyber drivers liquidated in Russia

Employees of the Ministry of Internal Affairs of Russia, with the support of specialists from F.A.C.C.T., a Russian developer of technologies to combat cybercrime, identified and detained members of the criminal ransomware group SugarLocker. The attackers worked under the guise of a legal IT company offering services for the development of landings, mobile applications and online stores. This was reported to TAdviser on February 20, 2024 by representatives of the F.A.C.C.T.

According to the investigation, the SugarLocker ransomware (aka Encoded01) appeared at the beginning of 2021, but was not actively used at first. In November 2021, on the underground RAMP forum from a participant under the nickname gustavedore, an announcement was published about the launch of a partner program based on the RaaS model (from the English Ransomware-as-a-Service, "ransomware as a service") and the recruitment of partners in the ransomware group using the SugarLocker ransomware. The essence of the RaaS model is that developers sell or lease malware to their partners to further hack the network and deploy ransomware.

The announcement said that hacker the group attacks targets through networks and RDP - the protocol, remote desktop does not work by to the countries CIS and is ready to immediately start working with partners on terms: 70% of revenue is received by the partner, and 30% by SugarLocker. If the income exceeds $5 million, the profit will be distributed on more favorable terms: 90% by 10%, respectively.

In early January 2022, F.A.C.C.T. experts established that some elements of SugarLocker's infrastructure were located on. the Russian hostings Due to the fact that the attackers made a mistake in the configuration of the web, servers it was possible to find SugarPanel - the ransomware control panel.

During the investigation, several defendants were identified who were not only engaged in the promotion of their ransomware, but also developed malicious software to order, created phishing websites of online stores, and caught up with user traffic to fraudulent schemes popular in Russia and the CIS.

Attackers worked under the guise of the legal IT company Shtazi-IT, which offers services for the development of landings, mobile applications, scripts, parsers and online stores. The company openly posted ads for hiring new employees - developers, the contacts indicated the Telegram account of the same @ GustaveDore. All the information collected by F.A.C.C.T. experts were transferred to the police - BSTM of the Ministry of Internal Affairs of Russia.

In January 2024, three members of the SugarLocker group were detained by officers of the BSTM of the Ministry of Internal Affairs of Russia with the participation of specialists from F.A.C.C.T. During the search, the suspects were found to have laptops, mobile phones, traces of correspondence, other digital evidence confirming their illegal activities. Among the detainees was the owner of nick-names blade_runner, GistaveDore, GustaveDore, JimJones.

According to F.A.C.C.T., the defendants have already been charged under Article 273 of the Criminal Code of the Russian Federation "Creation, use and distribution of malicious computer programs." An investigation is underway.

M0r0k T34m attacks organizations under the guise of "namesakes" of existing employees

The Response and Digital Forensics team Angara SOC has discovered a group of M0r0k T34m (Morok Team) (Sunset Wolf) - a cluster active since at least November 2023. Hackers attack various organizations for the purpose of distribution programs extortioners and then demand a ransom for decryption. The company Angara Security announced this on February 9, 2024.

The group uses its own ransomware - a M0r0k written with Python and using algorithm Fernet for recursive. enciphering files No additional extension is added, but the MR line is added to the beginning of the encrypted file!

Of note, the ngrok utility for port 3389 (RDP) is used as a anchor in a compromised network and communication with the so-called management server. This allows access to the internal resources of the machine.

ngrok in principle became very popular, for example, its use is characteristic of Shadow Wolf (also known as Shadow or C0met). In addition, the attackers also create accounts that are subsequently added to privileged groups, and choose the names of the accounts data as similar as possible to legitimate ones, including the "namesakes" of existing employees, "said Nikita Leokumovich, head of the Angara SOC response and digital forensics department.

Despite the fact that a complete reconstruction of the incident is still underway, experts note that obtaining initial access to the network is implemented through exploiting vulnerabilities in publicly available applications.

The risk of infection can be reduced by monitoring the information infrastructure, namely detecting and responding to mass deletion, creating or modifying files, adding privileged accounts, using remote connection utilities, and all external connections.

2023

"Transtelecom" attacked by a ransomware virus

Transtelecom was attacked by a ransomware virus, which became known at the end of October 2023. Sources in the information security market told Kommersant that the company has its own cyber incident response center, but nevertheless, hackers managed to hit the IT infrastructure of a provider of telecommunications solutions for private users and large businesses. Read more here.

The number of cyberattacks of ransomware in Russia in 9 months increased by 75%, the average ransom amount for decryption - 37 million rubles

On October 20, 2023, the digital forensics laboratory of F.A.S.S.T. reported that it had investigated high-tech crimes of 2023 based on conducted responses to incidents in Russian companies. The number of ransomware attacks for 9 months of 2023 increased by 75% compared to the same period in 2022, and the average amount of the initial ransom for decrypting data exceeded 37 million rubles. The number of politically motivated cyber attacks, the purpose of which was the theft of confidential data or the complete destruction of IT infrastructure, grew even more rapidly - growth by 2022 amounted to 140%. Read more here.

Shadow ransomware has been linked to hacktivists from the Twelve group

Experts at the F.A.C.C.T. found that extortionists from the Shadow crime group and hacktivists from Twelve are part of the same hack group. The company announced this in September 2023. In their attacks on Russian companies and organizations, both groups use not only similar tactics, techniques and tools, but also a common network infrastructure. However, if Shadow is driven by financial motivation - ransomware demands a ransom of 140-190 million rubles from the victim for decrypting data, then Twelve's goal is sabotage: during the attack, they completely destroy the victim's IT infrastructure without requiring money.

For the first time, the activity of the Shadow group, which attacked several large Russian companies, computer was recorded by specialists from the Forensic Laboratory of F.A.C.C.T. in February-March 2023. Over the past six months, companies have become victims of ransomware industrial logistic power. For decrypting data, Shadow attackers demand from the victim an amount of 5-2 $1 million, approximately 140-190 million rubles at the current exchange rate.

Hackers is distinguished by careful preparation for attacks - they methodically seize IT the victim's -infrastructure, steal confidential information and at the last stage carry out full enciphering infrastructure. For - Windows systems, ransomware uses a version of the ransomware LockBit created using one of the billers published in September 2022. For - enciphering Linux systems, attackers use ransomware based on published source code Babuk.

To communicate with each victim, attackers place a chat panel on the Tor network, access to which a representative of the attacked company receives using a personal key from a ransom note. Subsequently, communication with the victim can take place in the attackers' Telegram channel. It is curious that hackers can steal Telegram sessions on the victim's computers, so gang members can receive information about her actions, a list of contacts of company employees, and also write directly to Telegram to company leaders.

In parallel with Shadow, in February 2023, attacks were recorded on the Russian organizations of the Twelve group, the purpose of which was the complete destruction of IT infrastructures the victim. It was this group - Twelve - in the spring of 2023 that claimed responsibility for a cyber attack on the structures of the federal customs service, and in RUSSIAN FEDERATION May - on the Russian manufacturer of hydraulic equipment.

Twelve also used a version of the LockBit ransomware in their campaigns, but the text file for the victim indicated the name of the Twelve group and did not leave their contacts to discuss the ransom. In their Telegram channel, hacktivists stated that their project is "the world's response to Russian cyber attacks.

Attackers attack Russian companies with leaked ransomware source codes

The criminal groups Battle Wolf, Twelve Wolf and Shadow Wolf use Babuk, Conti and LockBit ransomware leaked to the network to attack Russian organizations. According to cyber intelligence BI.ZONE, the number of attacks exceeds 40. The company announced this on September 6, 2023.

Since the beginning of 2022, there has been a rift within many criminal groups. At the same time, under the influence of geopolitical events, attention to attackers from law enforcement agencies and researchers has increased. Hacks of infrastructures used by criminals have become more frequent, groups publish data from their competitors on the network, information about the methods used and tools for conducting attacks, for example, billers that allow you to create malware.

Battle Wolf appeared at the end of February 2022 against the backdrop of geopolitical events. According to data published by the group in X (formerly Twitter), during this time it successfully attacked at least 15 large organizations in Russia: scientific, production, government, financial and others.

Twelve Wolf appeared in April 2023, implementing at least four successful attacks. In its Telegram channel, the group reported an attack on one of the federal executive bodies of the Russian Federation, which, according to them, led to the leakage of confidential information.

Shadow Wolf announced itself in March 2023 with several successful attacks on Russian engineering, insurance, transport and media companies. Unlike Battle Wolf and Twelve Wolf, the group is guided solely by financial motives. Communication between the Shadow Wolf representative and the victim usually takes place on a dark web page, the address of which is placed in a note demanding a ransom for decrypting and deleting the uploaded data. In some cases, attackers create a chat in Telegram, where all the IT staff of the affected organization are added.

The source code of malware published on the network is very popular among cybercriminals. Open access to such tools reduces the threshold for entering cybercrime, making attacks much cheaper and easier from the point of view of the organization. Even those countries and industries that previously did not fall under the attacks of the original criminal groups are now under the crosshairs, "said Oleg Skulkin, head of the cyber intelligence department of BI.ZONE.

Cyber ​ ​ intelligence solutions will help you learn about new groups of attackers, current techniques and tactics of cybercriminals. To effectively identify new threats, BI.ZONE experts advise using EDR (Endpoint Detection and Response) solutions.

Russian companies attack mailings with the PyCrypter ransomware under the guise of a crypto exchange with VPN

On July 11, 2023, the center cyber security F.A.C.C.T. recorded a mass mailing harmful of letters aimed at, and the Russian industrial- transport IT company. In letters intercepted on July 9, 2023 by F.A.C.C.T.'s automated email Business Email Protection system, recipients are encouraged to use application CryptoBOSS to work with and. cryptocurrency VPN

The message advertises "safe and completely anonymous access to all currencies." However, the link for downloading a free license actually leads to downloading the PyCrypter ransomware. It is curious that the domain from which the HPE is downloaded - crypto4boss [.] com is very fresh, registered on July 6 specifically for an attack on a user with vladymir.stojanov @ hotmail [.] com

This account with the user name Vladimir Stoyanov has already been used in the fall of 2022 and in the spring of 2023 in the mailings of another ransomware - Cryptonite. Then, letters on behalf of Prime Minister Mikhail Mishustin warned of an "attack" on a certain spyware prepared by "American IT specialists." Users were required to download a "program from the Ministry of Internal Affairs," which allegedly removes HPE and protects against re-infection. But in fact, the ransomware was downloaded through the Google Drive link.

Now this story repeats itself in the form of a cryptopharse.

New ransomware viruses attack Russian companies and demand a ransom of 8 million rubles

On May 18, 2023, experts from the company's Digital Forensics Laboratory F.A.C.C.T. warn of the activation of Russia LokiLocker and BlackBit ransomware. A third of all victims of these ransomware around the world are in the Russian Federation - 21 companies. Extortionists demand a ransom of up to $100,000 (up to 8 million) rubles for decrypting the data attacked company, but do not steal information or encrypt it on, files where computers Persian is chosen as the main interface language.

As reported, experts from the Digital Forensics Laboratory recorded the first ransomware attacks from the LokiLocker family in the Middle East in the spring of 2022, although the ransomware itself appeared a year earlier in the summer of 2021. In the future, attacks using LokiLocker, which is distributed through the RaaS partner program (Ransomware-as-a-Service, "extortion as a service"), were noticed around the world.

In Russia, along with LokiLocker, attackers used a "related" ransomware under the BlackBit brand to attack medium and small businesses. In its functionality, it is almost identical to LokiLocker, the main difference is only in naming: an extension is used for encrypted files. BlackBit.

Despite the fact that the partners who took on LokiLocker and BlackBit do not steal data from their victim and do not upload it to the Data Leak Site (DLS) for further blackmail, forensic scientists F.A.C.C.T. managed to reveal who exactly the ransomware attacks, using data obtained from responding to incidents and analyzing third-party sources, including from the VirusTotal portal.

Since April 2022, the "ransomware twins" LokiLocker and BlackBit have attacked at least 62 companies around the world, of which 21 victims were in Russia. These are mainly small and medium-sized businesses from the field of construction, tourism, retail. This is another confirmation that no one is immune from ransomware attacks, and the scale of the business is not an important criterion for some of them.

The initial ransom amount demanded by ransomware ranges from $10,000 to $100,000 (from 800 thousand rubles to 8 million rubles), the final size depends on the solvency of the company and the number of decryption keys purchased by the victim - each encrypted host requires its own original decryptor.

One of the features of ransomware that experts drew attention to is checking the input language - if the malware finds the installed Persian language (Persian) on the computer, it finishes its work. However, the question of attributing attackers to a particular country is still open.

Some researchers are convinced that the LokiLocker and BlackBit attacks are deliberately carried out "under someone else's flag" in order to make it difficult for researchers to work. In turn, forensic experts at F.A.C.C.T. do not exclude that the composition of the group may be international, despite the fact that the partner program and the first versions of the ransomware were originally created by native Persian speakers.

F.A.C.C.T. found that the average duration of LokiLocker and BlackBit ransomware attacks is from a day to several days. As the initial vector of the attack, attackers use compromised remote access services (T1133) and, above all, a publicly available terminal server - RDP (Remote Desktop Protocol). To gain access to the RDP server, attackers can use both the method of matching the login/password pair (T1110) and their purchase on darknet resources from initial access brokers.

Having gained initial access, the attackers seek to gain a foothold on the network and gain privileged credentials data - for this they use the popular legitimate Mimikatz utility (T1003). In the process of intelligence to assess the solvency of the victim, attackers can study files documents on hosts, but do not steal them.

The "bay" of ransomware IT infrastructure into victims on - Windows systems is carried out by attackers mainly manually, usually on a weekend or holiday. Previously, ransomware tries to disable anti-virus software using legitimate utilities (T1562.001). As a channel of communication with victims hackers , they use and. After email the expiration Telegram of the 30-day period - if the ransom is not received and the decryptor is not used, the ransomware destroys all data in the compromised system.

During a period of geopolitical tension, Russian business is increasingly subjected to cyber attacks, among which recently ransomware programs, which were previously encountered in the Russian Federation extremely rarely, for example, the same LokiLocker, have begun to play a prominent role. Despite the fact that the partners LokiLocker and BlackBit do not demonstrate particularly sophisticated or innovative methods in their attacks, and the ransomware itself is well known to many security tools, this does not save victims from data encryption. The success of the attacks is largely due to the frivolous attitude of the business to the security of its external remote access services, primarily publicly available terminal servers - this significantly expands the attack surface and optimizes the task for attackers. noted Valery Baulin, CEO of F.A.C.C.T.

F.A.C.C.T. experts recommend that small and medium-sized businesses use simple and easy-to-use Attack Surface Management products that analyze "gaps" in protecting the company's external perimeter, including inadvertently left open ports, "forgotten" and uncontrolled IT resources and other potential ways for attackers to penetrate the organization's infrastructure.

If the company was attacked - the fastest way to respond to an incident is the so-called retailer - this is a package of prepaid proactive and reactive services for professional response to an attack in 24/7/365 format. On the first signal, a forensic team travels to respond or conducts it remotely to minimize infrastructure downtime and damage from a cyber attack without wasting time coordinating legal documents.

Ransomware attacks recorded in Russia without the ability to recover data

In March 2023, BI.Zone, a cybersecurity company, reported attacks by the Key Wolf hacker group on Russian users. According to information security experts, attackers distribute a file with a ransomware virus that encrypts all data on the computer. Moreover, victims do not have the opportunity to decrypt data, even for a ransom. Read more here.

2022

Almost 68% of cyberattacks investigated in Russia ended with data encryption

On March 17, 2023, Group-IB announced that it had investigated high-tech crimes of 2022 on the basis of conducted responses to incidents in Russian companies.

According to the study, in 2022 the number of cyber attacks financially-motivated hackers increased almost threefold compared to 2021. The most popular type of cyber threats encountered during reactions by experts computer from the Group-IB Forensic Laboratory were ransomware attacks - they accounted for 68% of all incidents. The victims of ransomware most often became Russian, retailers production insurance and companies. By comparison, 70 hacker % of activity five years ago was linked to targeted attacks on the financial sector.

The most aggressive ransomware groups in Russia in 2022 were Phobos, CryLock and Sojusz, and the OldGremlin group set a record for the amount of ransom required, demanding 1 billion rubles from the victim. The average downtime of the attacked organization was reduced from 18 to 14 days - recovery was much faster.

Another trend in 2022 was the use of ransomware by hacktivists - politically active hackers. The purpose of such attacks, as a rule, is not related to financial motivation: they seek to destroy or stop the work of the IT infrastructures victim and create a public outcry. Cyberdiversions are a hallmark of 2022. This was largely facilitated by the geopolitical crisis and the appearance source code of ransomware in the public space Conti LockBit , and Group-IB criminologists have repeatedly seen their use in attacks on organizations in Russia.

For the first time, the most popular technique used to gain initial access to corporate networks was the exploitation of vulnerabilities in publicly available applications - it was used in 61% of investigated incidents, followed by phishing - 22% and compromise of remote access services - 17%.

A year earlier, the main vector of attacks for most ransomware gangs were public RDP servers (52%), phishing (29%), and only then exploitation of public applications (17%).

It is noteworthy that the technique of operating publicly available applications was used by both ransomware operators trying to get a ransom and hacktivists trying to destroy the IT infrastructure of the attacked organization.

However, it is too early to write off a long-playing threat - phishing. The OldGremlin group traditionally used targeted well-crafted mailings "sharpened" for a potential victim company to attack large Russian business.

Another way to gain initial access to the IT infrastructures of companies was to compromise remote access services and penetrate through publicly available terminal, servers or through - VPN services. In this case, the attackers could use passwords both the brute force method (brute force, brute force) and data those stolen using information dealers (a type malware designed to steal data from online wallets, logins, passwords) or purchased from brokers of initial access.

Almost 68% of the attacks investigated ended with data encryption. As a ransomware, attackers could also use legitimate software, for example, Microsoft's BitLocker program. At the same time, if the attackers wanted to unload valuable data from the servers of the attacked company, they were previously archived, downloaded and only then launched the ransomware on the hosts.

The Group-IB study confirms our long-standing forecast - ransomware came to Russia and became one of the main cyber threats to business. During the response, we saw that the vast majority of victim companies were not only technically not ready to repel ransomware attacks, but also did not have a plan to respond to a cyber incident. In this case, in a short time, it is virtually impossible to stabilize the work of specialized units. In order to effectively organizationally and technically resist the actions of attackers and minimize damage to the company, it is necessary either to quickly attract specialists on outsiders, or, which is easier to have a subscription to the incident response retailer in advance. told Valery Baulin, CEO of Group-IB in Russia and the CIS

The incident response retailer service is gaining popularity on the Russian market, the study says. Riteiner is a package of prepaid proactive and reactive services for prompt professional response to an attack, whenever it does not occur, in the format of 24/7/365. On the first signal, a forensic team travels to respond or conducts it remotely to minimize infrastructure downtime and damage from a cyber attack without wasting time agreeing on contracts and other legal documents. For the first time, the retailer service in Russia was launched by the Group-IB Computer Forensics Laboratory in 2015.

In 2022, international consultancy Aite-Novarica recognized Group-IB as one of the largest providers of Incident Response Retainer (IRR) in an Impact Report.

Ransomware from the OldGremlin group set a record of the year in the amount of the required ransom - 1 billion rubles

The company Group-IB released an analytical report, "OldGremlin. Analysis attacks of a group of ransomware aimed at Russian business, "dedicated to the Russian-speaking hacker ransomware group. This became known on October 20, 2022. In just two and a half years, Gremlins, according to to data Group-IB, conducted 16 malicious campaigns with the aim of obtaining a ransom for. interpretation data For the second year in a row, ransomware broke the record: if in 2021 the group demanded 250 million from the victim for rub restoring access to data, then in 2022 their price tag rose to 1 billion rubles. For October 2022, it is known that OldGremlin attacks exclusively Russian targets, but the group's appetites could potentially have a wider geography.

Despite the lightning growth of the threat of ransomware attacks on the international market, business Russia has long time considered itself an unattractive target for this threat. However, in 2021, he denied this well-established opinion: the number of ransomware cyberattacks on Russian companies increased by more than 200%.

The activity of OldGremlin (aka TinyScouts) was first noticed by analysts at Group-IB Threat Intelligence in March 2020 and detailed in September 2020 in the blog "Big Hunt OldGremlin: ransomware operators attack large companies and banks in Russia."

2020 turned out to be the most saturated for Gremlins - ransomware sent ten mailings allegedly on behalf of microfinance organizations, a metallurgical holding, the Belarusian MTZ plant, as well as the RBC media holding. In 2021, only one, but extremely successful campaign was carried out on behalf of the Internet Trade Association, in 2022 - already five - allegedly from the services Consultant Plus, 1C-Bitrix, payment system, etc.

Gremlin mailings are clearly aimed at certain industries. Among their victims banks are,, and logistic industrial insurance companies, as well as, developers, retailers companies specializing in. In software development 2020, the group attacked even one of Russia's arms factories.

According to Group-IB experts, the average amount of the required buyout of OldGremlin is about 100 million rubles, and the maximum amount of the required buyout - this is a record for Russia in 2022 - reached 1 billion rubles. Unlike other ransomware groups - participants in "Big Game Hunting" - hunting for a large target, "gremlins" after a successful attack can afford long vacations.

Like most "classic" ransomware specializing in attacks on corporate networks, OldGremlin used phishing emails to gain initial access. The current agenda and topic of mailings (pandemic, remote work, anti-Russian sanctions), combined with the well-prepared text of letters in the form of an interview request, commercial proposal or financial document, allowed attackers to easily force recipients to follow links and upload malicious files. The massive nature of the mailing allowed attackers to compromise the workstations of several employees at once, which simplified the development of the attack within the victim's network.

Despite the fact that mostly OldGremlin target corporate networks under control, the OC Windows latest attacks showed that they also have a ransomware program developed for the OS in their arsenal. Linux Attackers follow the latest trends in the world cyber security and "mix" vulnerabilities and methods of conducting attacks with time-tested tools, for example, Cobalt Strike and open source projects (for example, PowerSploit). As a way to elevate privileges during incident responses, the exploitation of vulnerabilities in was identified. Cisco AnyConnect For their attacks, Gremlins developed a whole Tiny-framework and actively developed it from campaign to campaign.

On average, "gremlins" spend 49 days on the victim's network before deploying a ransomware program on the network, which makes relevant not only reactive, but also proactive methods for detecting cyber threats that cut off the possibility of infection by the ransomware through the email channel and others.

The study, based on the results of incident responses by experts from the Group-IB Digital Forensics Laboratory and Threat Intelligence, analyzed in detail all 16 of the group's campaigns and, for the first time, presented a full cycle of gremlin attacks (Kill Chain), from phishing mailings and initial access to encryption, and a ransom demand from the victim.

According to our data, OldGremlin has almost two dozen attacks with multimillion-dollar buyouts, and the attackers choose increasingly large corporations as victims, "said Ivan Pisarev, head of dynamic analysis at Group-IB Threat Intelligence. Despite the fact that while the geography of the organizations attacked by OldGremlin is limited to Russia, we believe that we should not underestimate them: many Russian-speaking criminal groups, having begun their activities in the post-Soviet space, gradually switched to international goals. By publishing the first analytical report on this group, we set ourselves the goal of warning cybersecurity specialists about this threat and giving them the opportunity to take preventive measures to prevent it.

As always, the Group-IB report provides access to a set of data and detailed information about current attacker techniques, tactics and procedures (TTPs) described based on the MITRE ATT&CK. This information will be useful both to organizations that are fighting cybercrime, and in particular to cybersecurity team leaders, SOC analysts, incident responders, and potential victims in order to secure their infrastructure from new OldGremlin attacks.

Hackers spreading ransomware viruses in Russia reduced the average ransom size by 51% to $36 thousand

Hackers spreading ransomware viruses began to demand much less ransom in Russia. This is evidenced by the data of the company "RTK-Solar," which were published in November 2022.

According to information security experts, the amount of redemption for the year has decreased by more than 20 times. Positive Technologies analyst Fedor Chunizhekov confirms the trend, but cites other figures. In the second quarter of 2022, the median buyback amounted to about $36 thousand, which is 51% less than the end of 2021. Cyber ​ ​ insurance startup Coalition in its report claims that in the first half of 2022, attackers offered their clients to pay an average of $896 thousand, which is a third less than at the end of 2021.

Market participants attribute this trend to the tightening of regulatory requirements for business response to such incidents, as well as to the relatively low cost of the services of incident investigators.

On September 1, 2022, according to the Law "On Personal Data," organizations that process information about users are obliged to notify Roskomnadzor of  the incident within 24 hours in case of a leak, and provide the results of an internal investigation within 72 hours.

It is important to understand that by involving the company in the investigation, the customer receives information about how the attackers entered the network, what vulnerabilities they took advantage of, and can close this path, "said Vladimir Dryukov, director of the Solar JSOC Cyber ​ ​ Attack Center at RTK-Solar.

At the same time, it is reported that the cost of such attacks by scammers remains, so they can remain profitable. Experts note that a number of groups remain in Russia that are engaged in fraudulent actions, and their income is about 1 billion rubles.^[1]

2021

16 thousand Russian companies suffered from ransomware viruses

16 thousand Russian companies suffered from ransomware viruses in 2021. This is evidenced by the data of Kaspersky Lab, published on February 16, 2022.

Experts of the antivirus company in 2021 identified 49 new families of ransomware and more than 14 thousand new modifications of malware of this type around the world. It is noted that attackers using ransomware have begun to use Linux builds more often to increase the surface of attacks. According to Fyodor Sinitsyn, an expert on cybersecurity at Kaspersky Lab, the preparation and conduct of attacks using ransomware is carried out within entire ecosystems with a clear division of labor.

Mass attacks are gradually giving way to targeted ones as potentially more profitable for attackers. At the same time, the target of such attacks can be any organization, regardless of scope and size, because not only corporations work with large amounts of confidential information. In the coming years, we are likely to observe a complication of the tactics used by fraudsters, the expert added.

The study also says that in 2021, the trend towards organizing attacks using ransomware viruses for ransom continued. Before encryption, operators steal data from companies and threaten to put it on public access if they are not paid.

Kaspersky Lab gave companies several recommendations to help reduce the likelihood of successful ransomware attacks:

• prevent employees from connecting to remote desktop services (such as RDP) from public networks, if this is not seriously necessary;
• Install updates for commercial VPN solutions
• Regularly update software on all devices in use
• focus the security strategy on detecting network movements and transferring data to the Internet;
• apply comprehensive cybersecurity security solutions;
• Back up data regularly.^[2]

The most "aggressive" ransomware viruses in Russia have been named. Loss amounts

On November 24, 2021, Group-IB named the top three most "aggressive" ransomware viruses attacking Russian business. The list includes ransomware Dharma, Crylock and Thanos.

With the help of each of these malware, more than 100 attacks on Russian companies were carried out in 2021. It is noted that the maximum requested ransom amount was 250 million rubles (it was demanded by the OldGremlin group). In general, this indicator depends both on the size of the business and on the appetites of the attackers themselves. The average amount of the ransom paid is 3 million rubles, and the maximum paid is 40 million rubles.

The most popular method that is used to penetrate ransomware in the networks of Russian organizations is the compromise of publicly available terminal servers via the Remote Desktop Protocol (RDP). This method accounted for up to 60% of all cyber attacks investigated by the Group-IB incident response team.

Phishing emails, where email has become the primary vector of the ransomware attack, account for 22% of incidents. Group-IB experts discovered the Rat Forest group, which received initial access to corporate networks precisely through phishing emails. 14% of incidents were vulnerabilities in publicly available applications.

Vulnerabilities in publicly available applications also caused many successful ransomware attacks Russia in 2021 - 14% of incidents take place on them. For example, a rather old vulnerability in - VPNservers Fortigate (CVE-2018-13379) by November 2021 remains relevant and critically dangerous for many Russian companies. In one of the incidents investigated by Group-IB, attackers took advantage of a similar vulnerability and gained access to the organization's corporate network. After that, they used enciphering the drive tool built into the operating system - BitLocker, and requested a ransom for decryption in the amount of 20 million rubles.^[3]

For the first time, ransomware viruses attacked medical institutions in the Russian Federation

In early February 2021, it became known about the first ransomware attacks on Russian hospitals. Hackers use such malicious programs to encrypt user data and steal important information, said Nikolai Murashov, deputy director of the National Coordination Center for Computer Incidents (NCCCA, created by order of the FSB to combat the threat of hacker attacks on Russian infrastructure). Read more here.

2019: ESET records Shade ransomware attack on Russian companies

On February 13, 2019, ESET announced another type of Shade ransomware attack targeting Russian companies.

The program is distributed through spam mailing. The letters are disguised by attackers as notifications from well-known brands.

The attachment of such letters contains a ZIP archive, which contains a JavaScript file called "Information.js"; after extraction and startup, this file downloads a malicious bootloader detected by ESET products as Win32/Injector. In turn, the bootloader launches the final payload - the Shade ransomware (aka Troldesh), which encrypts a wide range of files on local disks.

The victim's computer saves instructions for paying the ransom in a TXT file, the message is written in Russian and English.

ESET antivirus solutions NOD32 detect the program as Win32/Filecoder.Shade.

As of February 2019, the Shade ransomware is most active in Russia (more than 52% of all detected malicious investments). Users of Germany, Japan and Ukraine were also attacked.

2017

Bad Rabbit ransomware attacked Russian media and Ukrainian government agencies

Russian media and Ukrainian government agencies were hit by Bad Rabbit ransomware cyberattacks on October 24, 2017, according to a report by Check Point Software Technologies. Other victims included Turkey and Bulgaria.

The BadRabbit ransomware demands a ransom of 0.05 bitcoins (about $280) from victims in the first 40 hours of infection, after which the price probably begins to rise to unknown limits.

The ransomware is distributed through a fake installer, software Flash said to appear as a pop-up from the official news site in. Russia When clicked, the pop-up redirects the victim to a malicious site, which in turn downloads an executable dropper (a program for covert installation on the malware computer victim).

The ransomware uses open source software called DiskCryptor (available on GitHub) to encrypt the victim's disks. The lock message screen that the user sees is almost identical to the Petya and NotPetya lock screens. However, this is the only similarity that Check Point experts have observed so far between the two malware, in all other aspects of BadRabbit - a completely different and unique kind of ransomware, the company emphasized.

After a successful infection, the ransomware creates a unique key for each victim, which is visible in the READ ME.txt file, there is also a payment site located in Tor.

When entering a user key on the payment site, each user receives a unique bitcoin wallet, to which they are asked to transfer 0.05 bitcoin.

According to Check Point, as in the case of WannaCry and Petya, the Bad Rabbit attack can be prevented. Check Point customers using Check Point Threat Emulation blade and Check Point Anti-Virus blade are protected against this threat.

Russia is no longer in the focus of ransomware

According to a Kaspersky Lab report published on June 26, 2017, Russia left the list of top 10 states with the most intensive increase in the number of incidents with ransomware. According to the results of the reporting period (the results of the periods 2015-2016 and 2016-2017 are compared), our country lost its place to Turkey, Vietnam and Japan. The share of ransomware in the total number of mobile malware infections in Russia decreased to 0.88% (in 2015-2016 this figure was 4.91%), the antivirus company said.

Kaspersky Lab analysts explain such a sharp drop by two factors: an increase in the number of malicious attacks ON in general, against which the share of ransomware has disappeared; as well as a decrease in trojan the activity of Small, which traditionally attacks, first of all, Russia the countries of the post-Soviet space.

In general, the number of victims of Trojans encrypting files in the world has almost doubled - from 718,536 in 2015-2016. to 1,152,299 in 2016-2017. The number of victims of all ransomware programs over the same period increased by 11.4%: from 2,315,931 to 2,581,026.

According to experts from the antivirus company, ransomware attacks are increasingly aimed at financial and industrial infrastructure. This is due to the fact that targeted malicious attacks on organizations are considered by criminals as more profitable than mass attacks on ordinary users.

"The recent outbreaks of the WannaCry and ExPetr Trojans in June this year, which hit thousands of computers from commercial companies and government organizations around the world, only confirm our concerns," said Anton Ivanov, an antivirus expert at Kaspersky Lab.

As you know, this year there were two large-scale cyber attacks using ransomware. In May, the WannaCry ransomware paralyzed computers in more than 150 countries around the world. At the end of June, Russian and Ukrainian energy sector companies, critical infrastructure and government agencies were attacked by ransomware NotPetya.^[4]

2016: LC: 75% of ransomware created by Russian-speaking hackers

Of the 62 families of ransomware discovered by Kaspersky Lab in 2016, at least 47 were created by Russian-speaking cybercriminals. In total, about 1.5 million users worldwide, including various organizations, were affected by such malware, according to the company.

Kaspersky Lab experts became aware of the origin of most ransomware after a close study of the underground community of Russian-speaking virus writers and their "partners." The Russian-speaking cybercriminal environment is actively developing, and small groups with disabilities are being replaced by large coalitions with all the necessary resources to attack any targets around the world, including large enterprises. The rapid growth in the number of "Russian" ransomware became possible precisely thanks to this factor - the developed and flexible ecosystem of the cybercriminal community.

Kaspersky Lab has identified three main layers in the structure of the "business" for the creation and distribution of ransomware. The most technically advanced people are engaged in writing new and updating already created malware families - these are the most privileged members of the underground community. Another group of people develops and supports partner programs that help distribute malware through exploits, spam and other support tools. At the lowest stage of this hierarchy are actually "partners" - cybercriminals who help in the spread of malware in exchange for their share of money received from victims of ransomware in the form of ransom.

According to Kaspersky Lab, the daily revenue received by cybercriminals under one partner program can be tens or even hundreds of thousands of dollars. At the same time, 60% of revenue is net profit.

"We see that small groups working with these malware are gradually giving way to large associations of attackers who are able to carry out large-scale attacks. We observed something similar earlier with Russian-language financial cybercrime - just remember the sensational Lurk group. That is why we decided to carefully study the Russian-speaking cybercriminal community. The groups that create ransomware turn into a strong enemy, and we should know as much as possible about it, "says Anton Ivanov, an antivirus expert at Kaspersky Lab.

See also

• Ransomware viruses (ransomware) in the United States

Notes