Main article: Malware (malware)
Once on the "victim" computer, ransomware encrypts the information most sensitive to the organization, after which the attackers begin to demand a ransom.
Ransomware attacks in the world
Ransomware viruses in Russia
Main article: Ransomware viruses (ransomware) in Russia
Ransomware Viruses in Taiwan
Main article: Ransomware viruses (ransomware) in Taiwan
Ransomware Viruses in Japan
Main article: Ransomware viruses (ransomware) in Japan
Ransomware viruses in the United States
Main article: Ransomware viruses (ransomware) in the United States
Ransomware viruses in Britain
Main article: Ransomware viruses (ransomware) in the UK
Creation and distribution of ransomware
How many attackers are needed to create and distribute an "effective" ransomware from scratch
The first thing to do is write a Trojan. Firstly, this requires a cryptographer who will implement a particular encryption algorithm in the code. Secondly, if the cryptographer is not strong in stealth techniques, another programmer is needed to make the encryptor's actions on the system covert. He must also make sure that the Trojan is not detected by well-known antiviruses. Sometimes a tester is even hired for this (already the third member of the team). If exploiting vulnerabilities or other complex network "tricks" is planned, a specialist in network technologies is indispensable[1].
So, the Trojan has been written and tested against antiviruses, in that order. Now it must be spread, since it is not a self-replicating virus and does not know how to propagate on its own. Even more people are needed here. First, a social engineering specialist who will come up with the content of spam emails and formulate the task for developing phishing sites. This is necessary so that the maximum number of users follow the link in the letter, save and launch the attachment, or fall for a phishing site. Secondly, a web designer who will build the mentioned site. Thirdly, spammers, ideally with extensive mailing lists, best of all clearly targeted (a list of companies, a list of individuals in a certain region, etc.). Fourth, a specialist in "covering tracks," whose main task is to maintain the anonymity and secrecy of the actions of all members of the criminal community. Here one can also conditionally count the "freelancers" of the cybercrime world: vulnerability researchers who look for "holes" in operating systems and applications and then sell this information to malware developers.
Of course, the services of each of these "specialists" can often simply be paid for separately: for example, a stolen address database is bought and a spam mailing is ordered through it, and one programmer can apply knowledge from several areas. In addition, an existing Trojan can be "dug up" and, after modification, distributed as a new one. For the completely lazy, there is the option of buying a ready-to-distribute version of the ransomware on the black market, which only needs to be configured with one's own details and released onto the network, or even buying access to a "malicious cloud" with a configured admin panel on the SaaS principle. There are many options, but, as practice shows, the most successful attacks were carried out precisely with the help of new unique Trojans and a well-thought-out distribution strategy. In other words, they were the result of the work of a whole group of qualified specialists who directed their knowledge to anything but a good cause.
How the Trojan can get onto your PC and why you might run it yourself
Mail. In the absence of an effective spam filter, an unthinkable amount of spam of every kind pours into your mailbox. Yes, most of it is simply irrelevant and intrusive advertising, but some messages may turn out to be very "interesting." Messages about fundraising for the treatment of sick children with "supporting medical documents" attached, notifications from the tax inspectorate or Rostelecom demanding that you pay a tax, read the attached subpoena or urgently pay the attached bill for communication services: these are the most frequent tricks of the attackers. Interestingly, the "From" field of these letters often contains real addresses of the tax inspectorate or existing Rostelecom employees, which means the mailing is carried out from hacked accounts without the knowledge of their owners. The initial "credit of trust" enjoyed by these organizations, coupled with the low awareness of cyber threats among the vast majority of office employees, makes such attacks very effective. Of course, the "documents" attached to such letters turn out to be these very Trojans, which the user launches when opening the archives. Importantly, although such "letters of happiness" look very serious to a person, a spam filter is unlikely to let them through, and an email antivirus can neutralize threats known to it, thereby saving the user from the risk of taking the attackers' bait.
Malicious sites. There are two scenarios here. In the first, the user, downloading applications or other files from phishing, hacked or simply uncontrolled resources (file sharing, torrents, etc.), launches them himself, not even suspecting that he received a malicious "add-on" along with the useful material. The second scenario is even worse: it is enough just to visit the infected site for a script running on it to download the Trojan to the PC and activate it. Fortunately, this is possible only with completely "unsafe" browser and operating system settings. Unfortunately, it is exactly these settings that most users have...
Removable storage media. This is the main infection path for computers that either have no network connection at all or are part of small local networks without Internet access. If the removable media, be it a flash drive or a removable hard drive, is infected, the autorun function is not disabled on the computer, and there is no antivirus program, then there is a great risk that simply inserting the device into the USB port will be enough to activate the Trojan.
These three paths are the main ones and account for the very 90% of "own-hand" infections. The remaining 10% come from the already mentioned epidemics, as well as various acts of sabotage, remote installation and remote launch of Trojans.
Protection against ransomware viruses (ransomware)
Main article: Protection against ransomware viruses (ransomware)
Ransomware of Things (RoT)
Main article: Ransomware of Things (RoT)
According to the Check Point cybersecurity report for 2020, presented on July 8, 2020, in a world of growing hyper-connectivity, where many devices connect to the same networks, cyberattacks using ransomware are evolving. Instead of intercepting information or data from a company or individual, attackers take full control of devices connected to the Internet. Users cannot use them until the ransom is paid. This tactic is called Ransomware of Things (RoT). Traditional ransomware attacks pose a risk to organizations, but RoT attacks have serious consequences for society as a whole.
Known viruses
Interlock (ransomware virus)
Main article: Interlock (ransomware virus)
Rasket
Main article: Rasket (ransomware virus)
Conti
Main article: Conti (ransomware virus)
DoppelPaymer
Main article: DoppelPaymer (ransomware virus)
Pay2Key
Main article: Pay2Key (ransomware virus)
RegretLocker
Main article: RegretLocker (ransomware virus)
Ragnar Locker
Main article: Ragnar Locker (ransomware virus)
CovidLock
Main article: CovidLock (ransomware virus)
Ryuk
Main article: Ryuk (ransomware virus)
Reveton
Main article: Reveton (ransomware virus)
Maoloa
Main article: Maoloa (ransomware virus)
DemonWare
Main article: DemonWare (ransomware virus)
CryWiper
Main article: CryWiper (ransomware virus)
LockBit
Main article: LockBit (ransomware virus)
Sphynx
Main article: Sphynx (ransomware virus)
HardBit
Main article: HardBit (ransomware virus)
INC Ransom
Main article: INC Ransom (ransomware virus)
ShrinkLocker
Main article: ShrinkLocker (ransomware virus)
TargetCompany
Main article: TargetCompany (ransomware virus)
2024
15 top trends in ransomware viruses
Ransomware remained one of the top cyber security threats to organizations around the world in 2024. Attackers continue to develop malicious tools, and new groups replace the criminal groups that have been taken down. The Help Net Security review, published on December 19, 2024, lists 15 main trends in the field of ransomware.
1. Increasing Attack Intensity
Approximately 83% of organizations surveyed in 2024 faced at least one ransomware attack. Nearly half - 46% - of respondents reported four or more attacks, while 14% indicated 10 or more attacks.
2. The emergence of new ransomware groups
RansomHub has become one of the most prolific hacker teams in terms of the spread of ransomware. Although this group appeared only in February 2024, within a few months it became one of the largest ransomware operators. RansomHub claimed more than 290 victims in various sectors during 2024.
3. Testing the effectiveness of malware
Cybercriminals are increasingly turning to pentesters to check the effectiveness and reliability of their ransomware. This increases the chances that intrusions will succeed.
4. Multi-factor authentication (MFA) bypass
Ransomware is considered the most significant cybersecurity threat in all industries, with 75% of organizations affected by it more than once during 2024. Bypassing MFA by hijacking the session creates additional risks.
5. Increasing the demands of intruders
Amid the deteriorating cybersecurity situation, ransomware operators are demanding more money to restore access to encrypted systems. The average demanded ransom reached $1,571,667.
6. Time frame
Most ransomware attacks occur between 1 and 5 a.m. The United States accounts for 48% of all ransomware attacks in the world.
7. Attack rate
74% of respondents attacked by ransomware in the past 12 months faced intrusions several times, many of them within a single week. 78% of the organizations targeted paid the ransom.
8. Development of groupings
During the first half of 2024, the appearance of 21 ransomware teams was recorded. Some are entirely new groups, while others are previously prominent groups that have rebranded.
9. New records
In 2024, the largest ransom in history was recorded, $75 million paid to the Dark Angels group.
10. Ransom payment
About 80% of organizations surveyed that have been affected by ransomware pay ransom to stop the attack and recover data. However, every third company that pays money still cannot return files.
11. Change of tactics
Many companies back up information for online recovery in the event of encryption. Against this background, hackers are changing attack patterns.
12. Choice of victims
Small and medium-sized enterprises face the most attacks. More than 50% of ransomware victims have fewer than 200 employees on staff and 66% have fewer than 500 employees, according to the study.
13. Rising costs of affected companies
In 2024, the average cost of recovering from ransomware attacks reached $2.73 million, which is almost $1 million more compared to 2023.
14. Increase in the number of active cyber groups
Their number for the year rose by 55% - from 29 separate teams in the first quarter of 2023 to 45 groups in the first quarter of 2024.
15. Paying a ransom becomes the cost of doing business
94% of respondents said that their company will pay a ransom to restore data and business processes in the event of a ransomware virus attack.[2]
Costa Rica's state energy company shut down all IT systems over ransomware virus attack and now pleads for help
In early December 2024, Costa Rica's state energy company turned to American experts for help, being attacked by a ransomware virus. Due to malfunctions, the company had to disconnect IT systems and switch to manual control. Read more here.
Schneider Electric admits ransomware attack
In early November 2024, the French company Schneider Electric admitted to a ransomware attack that led to the failure of an IT system. A relatively unknown hacker group, HellCat, claimed responsibility for the ransomware attack. The attackers threatened to disclose the information if they were not paid a ransom of $125,000. Read more here.
Germany's largest pharmaceutical distributor attacked by ransomware virus
At the end of October 2024, the largest pharmaceutical distributor in Germany, AEP, reported a cyber attack on its IT infrastructure. As a result of the hacker invasion, the supply of medicines to thousands of pharmacies throughout the country was paralyzed. Read more here.
The work of 13 airports in Mexico is paralyzed due to a ransomware virus attack. Hackers demand ransom
In late October 2024, hackers attacked a service operator at 13 airports across Mexico, paralyzing its electronic systems. Grupo Aeroportuario del Centro Norte had to turn to backup systems to continue operations at airports in central and northern Mexico, serving more than 19 million passengers a year. Read more here.
Experts analyzed Shadow and Twelve ransomware attacks on Russian companies
F.A.C.C.T. has released a detailed study of the Shadow/Twelve "dual-use" group, which actively attacks Russian organizations. Experts at the F.A.C.C.T. Digital Forensics Laboratory examined dozens of Shadow, Comet, DARKSTAR and Twelve ransomware attacks. In the report "Shadows Will Not Hide: An Investigation into Shadow Attacks," they set out the technical details on the basis of which the close connection between these groups can be traced. The company announced this on October 15, 2024.
Specialists from the F.A.C.C.T. Digital Forensics Laboratory have recorded attacks by the Shadow crime syndicate (also known as Comet, DARKSTAR) and Twelve on Russian companies since February 2023. By July 2024, these attackers had hit at least 50 organizations in Russia. The F.A.C.C.T. experts established a close relationship between Shadow and Twelve: they are parts of the same combined group, which the experts named after the first of them, Shadow. In its attacks the group used identical tactics, techniques and procedures, improving them over time; in addition, F.A.C.C.T. specialists identified the group's distinctive signature in its use of tools, and in a number of Shadow and Twelve attacks from the same period the use of shared network infrastructure was recorded.
The criminal syndicate that was discovered illustrates a trend: "dual-use" groups that have both financial and political goals. In the same period, two groups that at first glance were completely different and had opposite goals carried out attacks using ransomware. Both "subgroups" attacked Russian companies but pursued different goals: Shadow was interested in extorting money, while Twelve sought to completely destroy the IT infrastructure of its victims.
Shadow participants most often attacked organizations in the field of production and engineering - their share was 21.3%, logistics and delivery, IT (10.7% each), construction, telecommunications and financial services (7.1% each). In addition, the same group changed its name to Comet and became the most "greedy" ransomware in 2023, demanding 321 million rubles (about $3.5 million) from the encrypted company, when the average initial ransom for decrypting data was 90 million rubles.
In addition, the attackers did not disdain any profit and did not stop at attacks only on organizations, but also stole cryptocurrency from their employees. In some cases, attackers were able to access authentication data in browsers and password managers, which allowed them to access platforms for managing cryptocurrency assets and steal funds from individuals.
Unlike Shadow, messages on Twelve's Telegram channel indicated that the group pursues exclusively political motives in its attacks, and the goals of their attack are theft of confidential information, sabotage and PR effect.
As an initial attack vector, the "dual-use" group uses vulnerabilities in publicly available applications, trusted relationships, credentials purchased on closed forums, compromised credentials for external remote access services (RDP and VPN), and phishing. To create their ransomware, the attackers use the leaked builders and source code of LockBit 3 (Black) and Babuk for ESXi. One of the group's signature tricks is the theft of Telegram accounts from the victims' devices, which after the attack allowed them to spy on employees of the attacked company and exert additional pressure.
"The group, or rather the cyber gang, carried out attacks on Russian companies with outwardly different goals. Under the name Shadow it was motivated by a thirst for profit, and acting as Twelve it sought to completely destroy the IT infrastructure of its victims. For such cyber gangs, the previous attribution approaches do not work," said Anton Velichko, head of the Digital Forensics and Malicious Code Research Laboratory at F.A.C.C.T. "These discoveries not only demonstrate a high degree of coordination within and between cyber gangs, but also highlight the seriousness of the threats faced by Russian business in the context of geopolitical confrontation."
The study will be useful to cybersecurity team leaders, SOC analysts, CERTs, incident responders, Threat Intelligence and Threat Hunting, and companies from various sectors to prepare proactive defense.
Ransomware hackers block IT systems of Swiss industrial holding Schlatter and demand ransom
In mid-August 2024, the Swiss industrial holding Schlatter Industries AG was the victim of a cyber attack. According to the company, the holding's specialists, together with external experts, are taking measures to limit the damage as quickly as possible. The company's management has contacted the authorities and is investigating together with the police. Read more here.
300 Indian banks shut down due to ransomware virus attack
In late July 2024, a ransomware attack forced 300 small Indian banks to suspend payment services. Read more here.
The Louvre and 40 other museums in France attacked by ransomware. Databases blocked
In early August 2024, the Louvre, the Grand Palais and about 40 other museums in France were subjected to a large-scale cyber attack. The attackers used ransomware, after the deployment of which the databases of the affected organizations were completely blocked. Read more here.
Ransomware hackers paid record $75 million ransom
At the end of July 2024, researchers at cybersecurity company Zscaler ThreatLabz tracked an 18% year-on-year increase in ransomware attacks. Among other things, they found evidence of a record $75 million ransom paid to hackers by an unknown victim in early 2024.
Earlier, Varonis also collected statistics on ransomware and reported that the largest ransom amount was recorded in 2021, when insurance giant CNA Financial paid a staggering $40 million. However, the latest Zscaler ThreatLabz report shows that hacker appetites are only growing, as is the number of attacks.
According to the researchers, in January-June 2024, the United States recorded an amazing increase in the number of ransomware attacks - by 93%. Healthcare, manufacturing and technology industries have been hit hardest by cybercriminal gangs, with attacks on the manufacturing industry more than double those of the other two industry groups combined. Geographically, the US accounts for almost half of all ransomware attacks, with the UK next.
In total, Zscaler researchers were able to track 391 ransomware gangs, with 19 new gangs identified between April 2023 and April 2024. The record payment of $75 million was received by the Dark Angels gang, which had previously not attracted media attention. In fact, this ransomware group is not even among the ten most active groups in the report; the LockBit hacker group is firmly in the lead, having carried out more than twice as many attacks as the second-ranked BlackCat (ALPHV) group, followed by the 8Base, Play and Clop gangs.[3]
Hackers blocked the IT systems of the British medical company Viroomi and now demand a $50 million ransom
At the end of June 2024, it became known that a group of hackers blocked the IT systems of a British laboratory service provider with the help of a virus and are now demanding a $50 million ransom. Meanwhile, the ransomware virus attack paralyzed London hospitals for several weeks. Read more here.
100 medical institutions in Romania attacked by ransomware. Their computers are locked
On February 12, 2024, the Romanian Ministry of Health reported that more than 100 medical institutions in the country had been affected by a ransomware attack. Hospital computers were blocked, and files and databases were encrypted, which is why they cannot be used. Read more here.
2023
The number of ransomware virus attacks increased by 73% over the year. They covered a record 117 countries
At the end of September 2024, it became known that in 2023 more than 6,500 cyberattacks using ransomware were recorded. The total number of ransomware virus attacks for the year rose by 73%, reaching a record 117 countries around the world after a brief decline in cyber attacks in 2022. Particularly notable spikes were seen in June and July due to the use of the popular file transfer tool.
The Anti-Ransomware Task Force that prepared the report is a public-private consortium made up of cybersecurity experts, government employees and others. In its 2023 annual report, the organization used as its main source of information data from the eCrime.ch website, which collects messages posted on data leak sites.
The task force found that ransomware viruses were launched in 117 countries by 66 different groups. In 2022, the numbers were slightly lower, with 105 countries affected by the actions of 58 groupings. Data for 2023 showed a particular increase in activity in South Asia and South America - two regions that are rapidly moving towards digitalization. The biggest increases were seen in Iran, Pakistan, Brazil and India, with cyberattacks on the president's office recorded in Brazil and incidents affecting hospitals and financial systems in India.
The bulk of the cyberattacks involved the names LockBit and AlphV, two groups selling ransomware as a service that were disrupted by law enforcement in 2024. These groups primarily attacked the construction industry, as well as the health care and IT and communications sectors.
The report noted that governments and private companies are still not following half of the recommendations given by the task force in the ransomware virus report in 2021.[4]
The number of ransomware virus attacks in the world soared by 67% over the year
More than 5,000 ransomware victims are reported globally in 2023. This is 67% more than in the previous year, when approximately 3,000 such incidents were recorded. The corresponding data are given in a study by NTT Security Holdings, the results of which were released at the end of April 2024.
Critical infrastructure, supply chains and the financial services sector are most at risk, the report said. Disruption of the IT systems of such enterprises can lead to extremely negative consequences, and therefore there is a high probability of paying a ransom, which is what cybercriminals expect. In 2023, ransomware groups most often attacked the manufacturing sector, which accounted for 25.66% of victims.
It is noted that small and medium-sized enterprises are the most likely to be hit by ransomware. More than 50% of ransomware victims had fewer than 200 employees on their staff in 2023, and 66% fewer than 500, according to the study.
Attackers continue to exploit already known zero-day vulnerabilities and holes in the most common software. At the same time, the possibilities of malware are developing rapidly, which is facilitated by the emergence of tools based on generative artificial intelligence. The authors of the report emphasize that people remain the weakest link in cybersecurity, and the situation is getting worse. Hybrid cloud environments, employee use of their own devices, and integration of third-party services expand the ability of attackers to carry out attacks. The situation is aggravated by the fact that many organizations in the current macroeconomic situation are forced to cut budgets for information security.[5]
Ransoms to ransomware hackers in the world reached a record $1 billion in a year
Ransoms to ransomware hackers in the world for 2023 reached a record $1 billion. This is evidenced by the data of the information security company Positive Technologies, published at the end of April 2024.
Experts cited the example of Caesars Entertainment (one of the world's largest representatives of the hotel and entertainment business): it paid a ransom of $15 million to ransomware operators who threatened to publish customer data stolen from a loyalty program.
In 2023, hackers switched from simple encryption to the threat of publishing stolen data, Positive Technologies analysts said. The trend emerged as companies began to implement more comprehensive protection measures, which from the attackers' point of view makes ransomware attacks less effective. In addition, the abandonment of encryption and the transition to extortion through the threat of publishing stolen data may be due to the release of various decryptors by security experts, said Irina Zinovkina, head of the Positive Technologies research group.
According to the study, medical organizations were most affected by ransomware attacks in 2023 (18% of all incidents were in the medical industry), which led to the closure of some institutions, the redirection of ambulances to other hospitals and delays in the provision of medical services. In addition, in 2023 ransomware frequently hit organizations in science and education (14% of the total number of ransomware attacks), government agencies (12%) and industrial organizations (12%). Almost all ransomware in 2023 was distributed by e-mail and by compromising computers and servers.
Hackers raised their ransom demands in ransomware attacks by 20%, to $600 thousand
In 2023, the average amount of initial ransom that attackers demanded when introducing ransomware into the victim's IT infrastructure was $600 thousand. This is 20% more compared to the previous year, when this indicator was at around $500 thousand. Such data are provided in a report by Arctic Wolf Networks, published on February 20, 2024.
It is noted that the size of the ransom varies depending on the scope of activity of the attacked organization. So, in the legal, state, retail and energy industries, cybercriminals in 2023 demanded an average of $1 million or more. Arctic Wolf Networks experts say that the trend of an increase in the ransom amount among ransomware groups remains. This is due to new initiatives to combat cybercrime and the growing number of refusals of victims from transferring the requested money.
"Organizations of both large and small size are wary of ransomware attacks, and there are good reasons for this: the damage caused by such viruses leads to huge losses, not counting the actual ransom," say Arctic Wolf Networks experts.
The study also notes that in 2023, cybercriminals actively exploited vulnerabilities identified in 2022 and earlier. Such holes were involved in almost 60% of incidents. At the same time, only 12% of cyber attacks were associated with zero-day vulnerabilities. In 2023, hackers often carried out attacks related to the compromise of business email: the number of such incidents turned out to be approximately 10 times more than the number of ransomware attacks. In general, the volume of cyber incidents continues to grow every year. Attackers are adopting new tactics based on the use of generative artificial intelligence.[6]
Payments of victims of ransomware viruses in the world reached a record $1.1 billion
In 2023, the total volume of payments by victims of ransomware on a global scale amounted to $1.1 billion, which is a new record. For comparison, in 2022 this figure was estimated at $567 million. Thus, a twofold increase was recorded year on year, as stated in a study by the analytical company Chainalysis, the results of which were published on February 7, 2024.
The report notes that the income of ransomware operators in the form of ransoms grew steadily at the height of the COVID-19 pandemic. In particular, in 2019 it amounted to about $220 million, and in 2020 it reached $905 million. In 2021, attackers received $983 million from their victims. But in 2022 there was a sharp decline. Experts attribute this to the current geopolitical situation: the conflict not only disrupted the activities of some cybercriminal groups, but also shifted their focus from financial gain to politically motivated cyberattacks aimed at espionage and the destruction of IT infrastructure. But already in 2023, ransomware operators returned to their usual activities, and the volume of payments by victims began to grow again.
The study says that in 2023 the ransomware segment saw a significant increase in the frequency, scale and volume of attacks. Such cyber campaigns were carried out by a wide variety of hacker communities, from large syndicates to small groups and individuals. In addition, attackers are introducing new tactics, in particular the so-called "big game hunting" scheme. It allows them to carry out fewer attacks while receiving larger ransoms from large corporations and organizations.
In 2023, among the largest victims of ransomware were the oil and gas company Shell, US government organizations, British Airways and others. Ransoms of $1 million or more make up an increasing share of the total amount of payments.[7]
The number of ransomware attacks increased by 20% over the year
The number of ransomware attacks increased by 20% in 2023. Representatives of the IT company Cyberprotect shared this information with TAdviser on February 2, 2024. According to the company's data, the leaders were the USA, Canada, Great Britain, Australia and Russia. Cyberprotect experts calculated how often over the past year there were large and publicly known losses of information due to ransomware attacks, which industries suffered the most, and what the average ransom amount was.
According to data for 2023, 150 large such attacks were reported, which is 30 attacks more than a year earlier. At the same time, the share of Russia increased from 1 to 4 percent. In terms of growth rates, our country is ahead of only the United States - the number of known attacks there increased by 17% over the period from 2022 to 2023.
Most often in 2023, attacks on the public sector were reported (24 attacks), and this dynamics persisted for the second year in a row. In 2022, 22 major attacks on government agencies appeared in the media. IT companies are also in the top of the most attacked victims, but in 2023 the dynamics are positive. The number of attacks fell by 30 percent - 18 attacks in 2023 against 24 attacks in 2022. Also at risk of hacker attacks are social institutions - universities, hospitals and schools. In 2023, they were attacked 30% more often than in 2022.
The consistently leading groups in 2022 and 2023 were Lockbit and Conti. Western authorities and computer experts associate them with natives of Russia and the post-Soviet countries, but there is no firm confirmation of this.
The top 3 in activity after Lockbit and Conti in 2022 included the supposedly Russian group Hive, which during its existence received more than $100 million from its victims as ransoms. Despite the activity in 2022 (10 major attacks), in 2023, the group was eliminated by the joint efforts of the US and EU authorities. But "a holy place is not empty": last year BlackCat (AlphaV) took its place, having committed 9 major cyber attacks and became a news hero 6 times.
The largest ransom reported in the media in 2023 was paid by the American casino chain Caesars Entertainment: $15,000,000 (half of what the hackers demanded). The attackers stole the database of the company's loyalty program, which also contained driver's license data and customers' social security numbers.
The average ransom, in turn, ranged from $250,000 to $10,000,000. However, 2022 was financially more successful for hackers: the largest single payment by a victim was $60,000,000. Cybercriminals demanded it from Pendragon, a large British car dealer, for decrypting its files.
Meeting the hackers' demands usually guarantees nothing. After a ransom is paid, the data may not be decrypted; it may also be leaked to the Internet or passed to competing companies. In addition, according to our observations, repeat attacks on a company have become more frequent: attackers remain in the business's systems and, after a while, encrypt the data again.
"The only effective method of protecting data from the effects of a ransomware attack is backup, the core element of any organization's cyber resilience. Practice shows that not all companies use it systematically, and they often come to implementing full-fledged backup after they have first encountered an incident and lost valuable data, suffering material and reputational losses. This problem is especially acute in the small and medium-sized business segment, where budgets for protecting information systems are limited, but where data loss can lead not only to damage but to the loss of the entire business," said Elena Bocherova, executive director of Cyberprotect. "Incidents involving such companies rarely become public; the statistics indicate a problem that is even more acute."
40 countries led by the United States agreed never to pay ransom to hackers
At the end of October 2023, 40 countries led by the United States announced the signing of a document committing them never to pay a ransom to hackers and to work to destroy the economic basis of cybercriminals' existence.
This alliance was named the International Counter Ransomware Initiative. Its appearance is not accidental, as the number of ransomware attacks continues to grow every year. In 2023, 46% of such cyber attacks occurred in the United States. The volume of payments to ransomware operators in the first half of 2023 alone reached half a billion dollars.
Hackers breach the victim's defenses, encrypt files and then demand a ransom to restore access to them. Often, personal data is also stolen and, if no payment is made, leaked to the Internet.
Victims are not only ordinary Internet users but also large companies: for example, in the fall of 2023, casino operator MGM Resorts International and household chemicals maker Clorox suffered ransomware attacks.
"As long as people transfer money to ransomware operators, this problem will continue to grow," said Anne Neuberger, national security adviser to the US president specializing in cyber technology.
Alliance members plan to share information with each other about the channels used by ransomware operators to receive and withdraw money. Two information-sharing platforms are planned; Lithuania, Israel and the UAE will build them. In addition, the countries will create a "black list" of digital wallets used to withdraw money obtained by extortion. Artificial intelligence is planned to be used to analyze blockchains.[8]
How ransomware attacks on companies begin. 3 Most Popular Scenarios
In May 2023, Kaspersky Lab published a study in which it named the most common vectors of ransomware attacks. According to the antivirus company, 43% of ransomware attacks in the world in 2022 began with the exploitation of vulnerabilities in public applications. In almost every fourth case (24%), ransomware attacks began with the use of previously compromised user accounts, and in 12% with malicious emails.
Experts note that in some cases, the goal of the attackers was not to encrypt data, but to gain access to personal information of users, intellectual property and other confidential data of organizations.
During incident investigations involving ransomware, the company's experts found that in most cases the attackers remained in the client's network for some time after the initial intrusion. Attackers often use PowerShell to collect data, Mimikatz to escalate privileges, and PsExec to execute commands remotely, or a Cobalt Strike-type framework to carry out all stages of an attack.
"Compromised user credentials, software vulnerabilities and social engineering methods in most cases allow attackers to penetrate corporate infrastructure and carry out malicious actions, including ransomware attacks. To minimize these risks, it is important that companies introduce and control strong password policies, regularly update corporate software, and also teach employees the basics of information security," said Konstantin Sapronov, head of Kaspersky Lab's global computer incident response team.
The nature of information security - Kaspersky Lab research for 2022
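As an added illustration (not from the Kaspersky study): a small triage script that flags the post-intrusion tooling named above, PowerShell used for collection, Mimikatz and PsExec, in Windows process-creation events. The events, field names and paths are constructed for this example; real telemetry would be Sysmon event 1 or Security event 4688 exports.

```python
import base64
import json
import re
from dataclasses import dataclass

# Mimikatz module syntax as it appears on a command line.
MIMIKATZ_RE = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.IGNORECASE)
# PowerShell's -EncodedCommand switch (and its abbreviations) followed by a Base64 blob.
ENCODED_PS_RE = re.compile(
    r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
PSEXEC_SERVICE = "psexesvc.exe"  # service binary PsExec drops on the remote host

# Constructed sample events (not real telemetry): ws07 shows a PsExec -> cmd -> Mimikatz
# chain; srv02 has an encoded PowerShell collection command next to a benign one.
ENCODED_LS = base64.b64encode("Get-ChildItem C:\\Users".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = r"""
{"host": "ws07", "parent": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"}
{"host": "ws07", "parent": "C:\\Windows\\PSEXESVC.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"host": "ws07", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\m.exe", "cmdline": "m.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"}
{"host": "srv02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc __ENC__"}
{"host": "srv02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -Command Get-Date"}
""".replace("__ENC__", ENCODED_LS)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore case and directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(blob: str):
    """-EncodedCommand carries Base64 of a UTF-16LE string; None if the blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev: dict):
    """Yield a Finding for each rule that matches one process-creation event."""
    host = ev["host"]
    image, parent, cmd = ev.get("image", ""), ev.get("parent", ""), ev.get("cmdline", "")
    if basename(image) == PSEXEC_SERVICE:
        yield Finding(host, "psexec_service", f"PsExec service started: {image}")
    if basename(parent) == PSEXEC_SERVICE:
        yield Finding(host, "psexec_child", f"spawned by PsExec service: {cmd}")
    if MIMIKATZ_RE.search(cmd):
        yield Finding(host, "mimikatz_cmdline", f"Mimikatz module syntax: {cmd}")
    if basename(image) in POWERSHELL_IMAGES:
        m = ENCODED_PS_RE.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            yield Finding(host, "encoded_powershell", f"decoded command: {decoded!r}")


def triage(jsonl: str) -> list:
    """Run every rule over a JSON-lines export and return the findings in log order."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:20} {f.detail}")
```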
6 GB of employee data, including salaries, stolen from the largest technological university in Ireland. Classes canceled
In early February 2023, Munster Technological University in Ireland was subjected to a professionally organized cyberattack using a ransomware virus. In total, the hackers stole 6 GB of confidential data, including commercial information. Read more here.
Ransomware virus blocks computers of the largest Israeli IT university
In February 2023, hackers attacked the Israeli Technion Institute of Technology, demanding $1.7 million. The attackers demanded 80 bitcoins and threatened to increase the amount by 30% if the ransom was not paid within 48 hours. Read more: Technion - Israel Institute of Technology.
For 2 years hackers have exploited a VMware software hole for successful ransomware virus attacks
In early February 2023, the French Computer Emergency Response Team (CERT-FR) warned of the spread of a new ransomware program dubbed ESXiArgs. It penetrates victims' systems through a hole in VMware server software. Read more here.
Ransomware viruses attacked dozens of state information systems in Italy and shut them down
On February 5, 2023, the Italian National Cybersecurity Agency (ACN) warned of a large-scale campaign distributing ransomware. The malware attacked thousands of servers in Europe and North America.
The hack reportedly affected several dozen national information systems in Italy. Security features were compromised on many of the attacked servers. Resources in Finland, the United States, Canada and France were also affected. According to a preliminary investigation, the attack targets a vulnerability in VMware ESXi, a specialized hypervisor. The patch for the hole in question was released back in February 2021, but not all organizations have installed the update so far. This is what the cybercriminals distributing the malware exploit.
It is estimated that thousands of servers have been compromised around the world, and according to analysts their number is likely to grow. The French cybersecurity agency (ANSSI) has issued a warning recommending that the VMware ESXi update fixing the issue be installed as soon as possible. Some of the affected state information systems were inoperable.
It has been suggested that the attacks may be related to government agencies or unfriendly countries. However, experts who studied the nature of this cybercriminal campaign came to the conclusion that it is most likely organized by a certain hacker group for the purpose of blackmail and extortion. The amount that attackers want to receive from their victims is not reported.
"There is no evidence that these cyber attacks are related to organizations connected with any state structures or unfriendly countries," the Italian government said in a statement.[9]
2022
Europe was the leader in the number of ransomware attacks
In 2022, Europe became the leader in the number of ransomware virus attacks. Such data are provided in a study by IBM, the results of which were published on February 22, 2023.
Cybercriminals target primarily the most critical industries and enterprises. By introducing ransomware into the victim's IT infrastructure, attackers apply intense psychological pressure to get the ransom paid. Manufacturing was the most attacked industry in 2022: organizations in this sector are an attractive target for extortion, given their extremely low tolerance for downtime.
Attackers are developing new ways to extort money from victims. One of the latest tactics is to maximize the financial impact of stolen data. By involving customers and business partners in the scheme, fraudsters increase pressure on the hacked organization. The goal is to increase the potential costs of the attacked structure.
"The shift to detection and active response allowed defenders to impede attackers at earlier stages of attacks, which somewhat deterred the spread of ransomware. However, attackers are constantly looking for new ways to avoid detection. Good protection is no longer enough: companies need to implement a proactive security strategy," said Charles Henderson, head of IBM Security X-Force.
In 2022, the energy sector ranked fourth among the most attacked industries, as the current macroeconomic situation and crisis strongly affect global energy trade. North American energy organizations accounted for 46% of all attacks in the sector, up 25% from 2021.[10]
Why ransomware hackers started asking for 28% less ransom
On February 21, 2023, the results of a CrowdStrike study on the spread of ransomware were released. It reports that in 2022 the average ransom demanded by attackers decreased by 28% compared to the previous year.
According to The Wall Street Journal, citing CrowdStrike data, in 2022 cybercriminals distributing ransomware demanded an average of $4.1 million from their victims. For comparison, a year earlier the ransom averaged $5.7 million. This is explained by several factors: in particular, arrests of hacker group members, the fall in cryptocurrency prices and stronger measures against cybercrime in general. Some groups of attackers are even reported to be cutting staff due to falling profits: in particular, the Conti cybercriminal group fired 45 employees in 2022 due to its deteriorating financial situation.
At the same time, the American company Mandiant, specializing in cybersecurity issues, reported that in 2022 the number of cyber incidents related to ransomware decreased by about 15% on an annualized basis.
At the same time, the number of ransomware attacks on industrial organizations in 2022 increased by 87% compared to the previous year, with such malware aimed primarily at the manufacturing sector. Hackers attacked mining companies in Australia and New Zealand, as well as renewable energy companies in the United States and the European Union. Attackers are increasingly focusing on the energy, food, water and natural gas sectors.[11]
The number of ransomware virus attacks on global industry doubled in a year
In 2022, the number of ransomware virus attacks on industrial infrastructure doubled. This is stated in a study published in February 2023 by Dragos, a cybersecurity technology company.
Dragos tracked more than 600 ransomware attacks on industrial infrastructure in 2022, up 87% from 2021, with nearly three-quarters targeting the manufacturing sector. According to experts, hackers are increasingly targeting operational technology (OT) and industrial control systems (ICS), which control the main functions of factories and other industrial facilities. Among the more than 600 attacks tracked by the company, the number of attempts to use ransomware against OT and ICS increased by 35%.
According to Dragos, in 2022 hackers most often attacked mining companies in Australia and New Zealand, as well as American and European companies specializing in renewable energy. Attacks on the power, food, water, electricity and natural gas sectors have intensified. One ransomware virus, according to Dragos information security specialists, is enough to disrupt dozens of systems that help manage engineering networks around the world, the report said.
In total, 437 manufacturing plants were targeted by ransomware viruses in 2022, including 42 attacks on metal products companies, 37 on automotive plants and more than 20 on plastics, industrial equipment, building materials and electronics or semiconductors. The rest of the list includes dozens of attacks on companies operating in the aerospace industry, furniture, cosmetics, chemicals, clothing, medical equipment, paper.
Among the major incidents listed by Dragos were attacks on Subex, Kojima, AGCO, Foxconn, South Staffordshire Water, DESFA and several attacks on mining and metallurgical companies such as Copper Mountain Mining. Despite the increase in the number of ransomware incidents, in 2022 their victims paid much less in ransoms: $456.8 million compared to $765.5 million in 2021.
In 2022, according to Dragos, the LockBit group led with 169 ransomware attacks, followed by Conti, then Black Basta, ALPHV (also known as AlphaV) and Hive. Dragos found that of the 57 hacker groups it monitors, 39 were active in 2022, up 30% from 2021.[12]
Ransom volume after ransomware attacks in the world decreased by $300 million
On January 19, 2023, Chainalysis released data from a study according to which the income of cybercriminals distributing ransomware on a global scale in 2022 decreased by approximately $300 million.
In 2019, ransomware operators received approximately $174 million in ransoms from their victims. In 2020, this amount increased sharply, reaching $765 million. In 2021, ransomware is estimated to have brought cybercriminals $765.6 million, and in 2022 approximately $456.8 million. Thus the year-on-year fall was 40.3%. According to experts, this is associated primarily with victims' growing reluctance to pay attackers, not with a decrease in the actual number of attacks.
"Claims data in the cyber insurance industry shows ransomware remains a growing cyber threat to businesses. However, there are signs that disruptions to the activities of the groups involved in such malware are leading to fewer successful extortion attempts than expected," says Michael Phillips, director at Resilience.
Other specialists also point to a decrease in payments. Bill Siegel of Coveware said that in 2019 the likelihood of a ransomware victim paying a ransom was around 76%. In 2020, this value fell to 70%, and in 2021 to 50%. In 2022, a further reduction was recorded, to 41%. One reason for such a significant drop is that paying a ransom has become riskier from a legal standpoint, especially after September 2021, when the Office of Foreign Assets Control (OFAC), part of the US Treasury Department, published a document on the possible imposition of civil sanctions on companies and organizations that meet ransomware demands.[13]
The most common ransomware viruses named
On January 5, 2023, the SpiderLabs division of Trustwave published a rating of the most common ransomware that attacked organizations and users around the world in 2022.
It is noted that malware that encrypts the victim's files for subsequent ransom remains a serious threat. In the event of a successful attack, attackers demand an average of $570 thousand to $812 thousand. In addition, the victim can incur significant associated costs from business downtime, the involvement of information security experts, etc. On average, one in every 40 organizations is targeted by ransomware.
First in the anti-rating is the LockBit malware. This ransomware attacks a variety of organizations, from large corporations to government agencies. LockBit reportedly accounted for approximately 44% of all successful ransomware intrusions in 2022. The updated version of LockBit, released in June 2022, includes additional features that help bypass security tools and reduce the likelihood of IT security experts decrypting the data.
Second place went to the new Black Basta group. It is noted that it may have connections with other groups such as Conti, REvil and FIN7 (also known as Carbanak). From its identification in April 2022 to September of that year, Black Basta compromised more than 90 organizations.
Hive rounds out the top three. This malware stands out from other ransomware by its approach to choosing victims: it attacks organizations in healthcare, energy and agriculture. Some ransomware groups try not to attack critical infrastructure or core services for moral reasons or to attract less law enforcement attention. Hive, on the other hand, is ready to attack any sector and IT system.[14]
Canadian copper ore company Copper Mountain Mining stops plants due to ransomware virus attack
Canadian copper ore company Copper Mountain Mining has shut down its plants due to a ransomware virus attack. It announced this on December 27, 2022. Read more here.
Cyberattack on Lisbon port that caused site shutdown
On December 25, 2022, the port of Lisbon was attacked by hackers, as a result of which its site was disabled and did not work for several days. As of January 5, 2023, the resource remained inaccessible, as a TAdviser journalist confirmed. Read more here.
The Australian Department of Defense was subjected to a cyber attack. The data of tens of thousands of servicemen leaked
On October 31, 2022, it became known that the Australian Department of Defense was subjected to a hacker attack: attackers injected malware with ransomware functions into one of the department's information subsystems. It is said that the personal information of tens of thousands of military personnel could be in the hands of criminals. Read more here.
A German arms supplier to Ukraine was subjected to a cyber attack. Its data was stolen
On October 30, 2022, the cybercriminal group behind the distribution of the Snatch ransomware reported hacking and stealing data from Hensoldt France, the French division of the German Hensoldt Group. Read more here.
Ransom Cartel hackers use REvil ransomware tools and source code
On October 19, 2022, researchers from Palo Alto Networks' Unit 42 reported a suspicious connection between the RaaS group Ransom Cartel and REvil. According to their report, Ransom Cartel started up just two months after REvil collapsed.
According to Unit 42 experts, when Ransom Cartel first appeared, it was unclear whether it was REvil under a different name or an unrelated group that simply imitated the infamous gang.
But when Ransom Cartel started using a certain set of tools, things fell into place. Experts said that the group uses not only tactics popular among ransomware operators but also unusual tools (for example, DonPAPI, which had not previously been used in ransomware attacks).
The researchers note that Ransom Cartel operators have access to the source code of the REvil encryptor, but their arsenal lacks the obfuscation mechanism REvil used to encrypt strings and hide API calls.
Based on all of the above, experts concluded that Ransom Cartel actively collaborated with REvil before it became a full-fledged group.
In the conclusion of the report, Unit 42 warns of a possible increase in attacks using Ransom Cartel malware and calls on large companies to install dedicated security software, since the group specifically targets "large manufacturing".[15]
Microsoft Threat Intelligence Center announced a cyber attack on transport firms in Ukraine and Poland
On October 11, 2022, transport and logistics companies in Poland and Ukraine were attacked by the new Prestige ransomware virus. This was reported by the Microsoft Threat Intelligence Center (MSTIC).
"The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a new ransomware campaign targeting organizations in the transport and related logistics industries in Ukraine and Poland," Microsoft said in a statement.
Prestige encrypts the victim's data and leaves a ransom note stating that the data can only be unlocked by buying a special decryption tool.
Microsoft had not previously encountered such a program and has not yet been able to attribute the attack to known cyber groups.[16]
Found ransomware cyber groups capable of attacking different operating systems at the same time
On August 25, 2022, Kaspersky Lab announced the discovery of two ransomware cyber groups that can attack different operating systems without resorting to cross-platform languages. Earlier in 2022, Kaspersky Lab experts described how ransomware creators are developing cross-platform capabilities. This time, however, the software in question is written in ordinary languages yet can still attack different systems.
The first of these groups uses the RedAlert malware, written in C. The second, discovered in July 2022, uses the Monster malware, written in Delphi. Monster's distinctive feature is a graphical user interface, a component never before implemented by ransomware. The Monster authors included it as an additional command-line option.
Attackers also use one-day exploits for ransomware attacks on Windows versions 7 to 11. These are programs that exploit vulnerabilities in software for which patches have already been released. One example is the CVE-2022-24521 vulnerability, which allows privilege escalation on an infected device. Two weeks after the patch for this flaw was created, attackers developed two further exploits supporting different versions of Windows.
The company is already accustomed to ransomware authors creating their malware in cross-platform languages. However, in 2022 they learned to write malicious code for attacks on different operating systems in ordinary programming languages. Current trends in the ransomware industry require companies to pay increased attention to whether effective measures have been taken to detect and prevent such attacks. In addition, it is very important to regularly update all software,
To protect businesses from ransomware attacks, Kaspersky Lab reminds companies to follow these measures:
- do not allow connections to remote desktop services (such as RDP) from public networks unless strictly necessary, and configure security policies to require strong passwords for these services;
- promptly install available patches for commercial VPN solutions used in the network;
- regularly update the software on all devices in use;
- focus the security strategy on detecting lateral movement and data transfer to the Internet, paying special attention to outgoing traffic to identify malicious communications;
- regularly back up data and verify that it can be accessed quickly if needed;
- use end-to-end solutions to protect the entire infrastructure from cyberattacks of any complexity;
- train employees in cybersecurity rules;
- use a reliable security solution with exploit prevention, a behavioral detection module and an engine for rolling back malicious actions, as well as self-defense mechanisms that prevent attackers from removing it;
- provide SOC specialists with access to the latest threat data.
The Greek operator of the gas transmission system is attacked by a ransomware virus. IT systems disabled
At the end of August 2022, it became known that DESFA, the operator of Greece's national gas transmission system, was attacked by a ransomware virus. The company's IT systems were shut down. The operator runs both the country's natural gas transmission system and its gas distribution networks. Read more here.
Closure of 7-Eleven stores in Denmark due to ransomware virus attack
In early August 2022, 7-Eleven in Denmark was forced to close 175 stores. According to representatives of the retail network, this was due to an attack by a ransomware virus. Read more here.
Hackers stole 78 GB of Italian tax data
On July 25, 2022, it became known that a group of hackers had stolen data from the Italian tax office using a ransomware program. The group claims to have stolen 78 GB of data, including company documents, scans, financial statements and contracts, and plans to publish screenshots of files and samples during August 2022. Read more here.
HavanaCrypt ransomware disguises itself as Google update
On July 12, 2022, it became known that Trend Micro researchers had discovered the HavanaCrypt ransomware, which is distributed as a fake Google software update and uses Microsoft services as part of its attacks. The malware uses Obfuscar, an open-source obfuscator designed to protect code in .NET assemblies. To avoid detection after launch, the ransomware hides its window by calling the ShowWindow function with the parameter 0.
"The malware also uses several anti-virtualization techniques that help avoid dynamic analysis when executed on a virtual machine," the researchers wrote.
According to the experts, the malware can shut down if it detects that the system is running in a virtual environment. HavanaCrypt checks for a virtual machine in 4 stages:
- checks for virtual machine services (VMware Tools and vmmouse);
- searches for files associated with VM applications;
- searches for the file names used by VMs for their executables;
- looks at the system MAC address and compares it with the Organizationally Unique Identifier (OUI) prefixes used by VM vendors.
After making sure that the victim's system is not running on a virtual machine, HavanaCrypt downloads a file from an IP address belonging to Microsoft's web hosting service, saves it as a batch file and runs it. According to Trend Micro, using a C2 server that is part of Microsoft's web hosting service is a new attack method.
The malware terminates more than 80 processes, including database applications such as Microsoft SQL Server and MySQL, as well as desktop programs such as Office and Steam. It then deletes shadow copies of files.
HavanaCrypt then places copies of its executable in the ProgramData and StartUp folders, makes them hidden system files, and disables Task Manager. The malware also uses the QueueUserWorkItem function in .NET to queue threads for other payloads and for encryption.
HavanaCrypt collects the following system information:
- number of processor cores;
- chip identifier and name;
- motherboard manufacturer and name;
- BIOS and product number.
Data are sent to the attacker's C2 server, which is at an IP address of Microsoft's web hosting service; this helps avoid detection. To generate random keys, HavanaCrypt uses the CryptoRandom function of the KeePass Password Safe password manager, and it adds the ".Havana" extension to encrypted files. "HavanaCrypt also encrypts the text file "foo.txt" and does not leave a ransom note. This may indicate that HavanaCrypt is still under development," the researchers concluded.[17]
Hive ransomware finally switched to Rust and became more dangerous
The Windows version of the malware received an "upgrade" that made the encryption more complex and made Hive even faster and more reliable. This became known on July 8, 2022.
In a recent report, experts from the Microsoft Threat Intelligence Center called Hive one of the fastest-growing ransomware families. In the latest update, the Hive developers completely changed the ransomware's infrastructure. The most important changes were the transition from GoLang to Rust and more complex encryption methods.
Moving to Rust gave the malware several advantages:
- memory, data-type and thread safety;
- multithreading;
- resistance to reverse engineering;
- complete control over low-level resources;
- a wide range of cryptographic libraries.
In addition, the developers added a couple of "useful" features to Hive. The ransomware now uses functions that terminate services and processes related to security solutions, and it can also encrypt its strings as a countermeasure to analysis.
The encryption method of the updated Hive has become much more interesting. Instead of embedding the encrypted key in each encrypted file, the malware generates two sets of keys in memory, uses them, and then writes them with the .key extension to the root directory of the disk.
To determine which of the two keys is used to lock a specific file, the encrypted file is renamed: the name of the .key file, an underscore and a Base64-encoded string pointing to two different data blocks in the key file are appended to it. The final result may look like this: C:\myphoto.jpg.l0Zn68cb_-B82BhIaGhI8.
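As an added example (not Microsoft's or Hive's code): a parser for the renamed-file layout just described, which lets a responder list which .key files the encrypted files depend on before attempting recovery. The file listing is constructed; the text does not say how the decoded Base64 bytes map to blocks in the key file, so the parser exposes them as raw bytes, and the URL-safe Base64 alphabet and the key-file name alphabet are assumptions inferred from the sample name.

```python
import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# <original name>.<key file name>_<Base64 selector>. The key-file alphabet is assumed
# from the sample "l0Zn68cb"; the selector uses the URL-safe Base64 alphabet, unpadded.
HIVE_SUFFIX_RE = re.compile(r"^(?P<orig>.+?)\.(?P<keyfile>[A-Za-z0-9]+)_(?P<sel>[A-Za-z0-9_-]+)$")

# Constructed listing: the first entry is the example from the text, the rest are made up
# to show a second file for the same key, a file whose key is missing, a key file at the
# disk root (where the text says Hive writes them), and an untouched file.
SAMPLE_LISTING = [
    r"C:\myphoto.jpg.l0Zn68cb_-B82BhIaGhI8",
    r"C:\docs\budget.xlsx.l0Zn68cb_AbCdEfGhIjKl",
    r"C:\docs\notes.txt.zZ9yX8wV_QUJDREVG",
    r"C:\l0Zn68cb.key",
    r"C:\Windows\notepad.exe",
]


@dataclass
class HiveName:
    original: str    # file name before encryption
    keyfile: str     # name of the .key file this file's key is read from
    selector: bytes  # decoded Base64 part; per the text it addresses two blocks in the key file


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_hive_name(path: str):
    """Return a HiveName for a file renamed by Hive, or None for any other name.
    The layout is a heuristic: a benign name of the form a.b_c also fits it, so the
    presence of the matching .key file is the corroborating signal."""
    m = HIVE_SUFFIX_RE.match(basename(path))
    if m is None:
        return None
    sel = m.group("sel")
    try:
        raw = base64.urlsafe_b64decode(sel + "=" * (-len(sel) % 4))
    except ValueError:
        return None
    return HiveName(m.group("orig"), m.group("keyfile"), raw)


def group_by_keyfile(paths):
    """Map each key-file name to the encrypted files that need it and whether
    that .key file itself appears in the listing."""
    report = defaultdict(lambda: {"files": [], "key_present": False})
    for p in paths:
        name = basename(p)
        if name.lower().endswith(".key") and name.count(".") == 1:
            report[name[:-4]]["key_present"] = True
            continue
        parsed = parse_hive_name(p)
        if parsed is not None:
            report[parsed.keyfile]["files"].append(p)
    return dict(report)


if __name__ == "__main__":
    for key, info in group_by_keyfile(SAMPLE_LISTING).items():
        status = "present" if info["key_present"] else "MISSING"
        print(f"{key}.key ({status}): {len(info['files'])} file(s)")
```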
The upgrade of Hive, the end of AstraLocker's ransomware activities and the emergence of RedAlert all suggest that the landscape of cyber threats is constantly changing and information security specialists need to remain on the alert.
One hacker can do as much harm as 10,000 soldiers[18].
Salaries, vacations, motivation system and human resources department. How one of the world's largest ransomware groups works
On June 23, 2022, the Russian company Group-IB, specializing in information security, spoke about the activities of the hacker group Conti, which is engaged in the spread of ransomware viruses. Read more here.
Magniber ransomware threatens millions of Windows 11 users
On May 30, 2022, it became known that 360 Security Center analysts discovered another version of Magniber ransomware aimed at systems running Windows 11. According to experts, on May 25, the volume of attacks using Magniber increased significantly. Read more here.
Goodwill extortionists demand victims do three good things
On May 23, 2022, it became known that cyber extortionists have their own "Robin Hood". According to CloudSEK specialists, the ransomware attacks victims and, instead of a ransom, demands a donation to charity.
The ransomware program Goodwill Ransomware requires its victims to transfer money to organizations that help the poor. At the end of May 2022, Goodwill Ransomware attacks victims only in India, Pakistan and some regions of Africa.
CloudSEK researchers discovered this cybercriminal group in March 2022. It seems to have little interest in financial gain; its main goal is to restore social justice.
To obtain a key to recover encrypted files, the victim must complete three tasks. The first is to give money to people in hospitals who need urgent treatment. The victim must transfer the funds, record the entire process of transferring the money and the patient's subsequent treatment, and send these video and audio files to the extortionists.
The second task is to transfer clothes to the poor. As in the first case, the fact of transfer must be recorded, and the materials sent to hackers by e-mail.
The third task is to take hungry children to Domino's, Pizza Hut or KFC and pay for their order. Everything must be recorded and sent to the hackers.
In addition, the victim must publish a post on a social network (Facebook or Instagram; both recognized as extremist organizations and banned in Russia) about how, "having become a victim of the Goodwill ransomware, they became a kind person."
After checking the posts and the evidence sent by the victim of completing all three tasks, the ransomware operators send them a file recovery key, a password and video instructions for decryption.
Since April 2022, the group has been interested in Indian law enforcement agencies. According to their version, Goodwill is a minor group of hackers from the DPRK.[19]
The average requested ransom of ransomware operators reached $247,000
On May 19, 2022, Group-IB shared a report on one of the most dangerous threats to business and the public sector around the world: ransomware. The report, Ransomware 2021-2022, names the most aggressive ransomware operators, those that committed the largest number of cyber attacks in the world: the LockBit, Conti and Pysa groups. The ransom amounts requested by the attackers reached huge sums: the average ransom demanded was $247,000. In Russia, the number of responses by the Group-IB Digital Forensics Laboratory to ransomware attacks in the first quarter of 2022 increased 4 times compared to the same period in 2021.
After investigating more than 700 attacks in 2021, Group-IB experts found that the main targets of ransomware still fall on North America, Europe, Latin America, and the Asia-Pacific region. Among the sensational incidents of 2021 involving ransomware are attacks on the Toshiba concern, the American pipeline system Colonial Pipeline, the largest meat producer JBS Foods, and the IT giant Kaseya. The record for greed was set by ransomware from Hive: they demanded a ransom of $240 million from the German holding MediaMarkt. The average downtime of the attacked company in 2021 increased from 18 days to 22 days.
In 2021, the number of ransomware attacks on Russian companies increased by more than 200%. The most active ransomware operators in Russia were Dharma, Crylock and Thanos. The Russian-speaking group OldGremlin noticeably reduced its activity in 2021, conducting only one mass mailing (for comparison: in 2020 there were 10), but that attack was so successful that it fed the "gremlins" all year. For example, from one victim the extortionists demanded a record amount for Russia for decrypting data: 250 million rubles.
Recently, ransomware in Russia has targeted exclusively large businesses (from 5,000 employees) in industries such as construction, insurance and the agro-industrial complex.
The latest trend, according to the study "Ransomware 2021-2022," is that encryption has receded into the background as a tool of pressure on the victim. Now victim companies are extorted with threats to publish their confidential data on so-called DLS (Dedicated Leak Sites). In 2021, the vast majority of ransomware operators, 63%, used this method.
As Group-IB noted in the Hi-Tech Crime Trends H2 2020/H1 2021 report, the use of DLS by ransomware operators to pressure the victim into paying under the threat of making the stolen data public peaked in 2021. The number of new DLS more than doubled, from 13 to 28, and the number of companies whose data was posted over the year increased by an unprecedented 935%, from 229 victims to 2,371. At the same time, the attackers began to achieve their goals much faster: if earlier the average time ransomware operators spent in the victim's network was 13 days, in 2021 it was reduced to 9.
Another trend in 2021 was "rebranding": ransomware groups changed their names. Ransomware operators began to use this "marketing" tool in response to increased attention from researchers and law enforcement agencies. After DarkSide and REvil disappeared from public view, a new player, BlackMatter, appeared on the stage, later replaced by BlackCat. A little earlier, in the spring, the DoppelPaymer group renamed its ransomware Grief (Pay OR Grief).
As in 2020, the most common way to gain initial access to the network of companies was to compromise public RDP servers. This attack vector accounts for almost half (47%) of all incidents investigated - many of the employees still worked remotely. Phishing is in second place (26%), public applications are in third place (21%).
In 2021, some ransomware operators began to "work" with 0-day (zero-day) vulnerabilities, that is, unpatched or not yet identified vulnerabilities that attackers exploit. Thus, REvil affiliates attacked thousands of Kaseya customers by exploiting 0-day vulnerabilities in VSA servers. Another example is the FIN11 group behind the Clop ransomware, which exploited a number of zero-day vulnerabilities in the outdated Accellion File Transfer Appliance (FTA).
If in 2020 individual malicious bots (Emotet, Qakbot, IcedID) were associated with specific participants in ransomware affiliate programs, in 2021 the attribution became less obvious. For example, IcedID was used to gain initial access to company networks by participants in several ransomware affiliate programs: Egregor, REvil, Conti, XingLocker and RansomExx.
The affiliates of the Ryuk ransomware, however, used the BazarLoader bot for initial access to the victim's network in a very exotic scheme. It was distributed not only through phishing (spam emails about paid subscriptions) but also through vishing. During a telephone conversation, the attackers tricked the victim into visiting a fake site and gave instructions on how to download and open the malicious document that downloaded and launched BazarLoader.
As expected, the most popular post-exploitation tool among ransomware operators was Cobalt Strike: it was seen in 60% of the ransomware attacks investigated. However, some attackers have begun experimenting with less common frameworks to reduce the likelihood of detection. For example, the TA551 group has experimented with delivering malware based on the cross-platform Sliver framework.
"In 2021, cyber threat No. 1 received a serious rebuff for the first time: arrests of members of criminal groups began, and some of the extortionists were forced to lie low or cover their tracks while rebranding," said Oleg Skulkin, head of the Group-IB Digital Forensics Laboratory. "However, despite some concern in the cybercriminal community, attacks by representatives of other affiliate programs continue, so it's too early to talk about the decline of ransomware. Almost 70% of the incidents our Laboratory is investigating are ransomware attacks, and we believe this trend will continue into the current year."
An emergency regime has been declared in Costa Rica due to a large-scale hacker attack. Ministries cannot work
On May 12, 2022, the Costa Rican government declared a state of emergency after ransomware hackers damaged the computer networks of several government agencies, including the Ministry of Finance. Read more here.
Experts have calculated the speed of encryption of files of ten ransomware families
On March 24, 2022, it became known that Splunk researchers had conducted an experiment in which they tested ten ransomware programs to establish how quickly they encrypt files and, consequently, how quickly their attacks must be responded to.
Ransomware is malware that lists the files and directories on a compromised machine, selects the ones suitable for encryption, and then encrypts them, which makes them inaccessible without the corresponding decryption key.
The speed at which ransomware encrypts files is of great importance for threat response teams. The sooner it is detected, the less damage it causes and the less data has to be recovered.
Splunk researchers conducted 400 tests using ten different ransomware families, ten samples from each family, on four different hosts running Windows 10 and Windows Server 2019 with different performance characteristics.
During testing, the experts measured the encryption speed on 98,561 files with a total volume of 53 GB, using tools such as Windows event logging, Windows Perfmon statistics, Microsoft Sysmon, Zeek and stoQ.
The total average time across all one hundred ransomware samples on the test installations was 42 minutes 52 seconds. However, as shown in the table below, some samples deviated significantly from this median value.
One of the fastest and most dangerous was the LockBit ransomware family, which managed to encrypt all the files in an average of just 5 minutes 50 seconds. One representative of the family encrypted files at a rate of 25 thousand per minute.
Next came Avaddon, which encrypted the files in 13 minutes, REvil in 24 minutes, and BlackMatter and Darkside in 45 minutes. The Conti ransomware lagged behind them: it took almost an hour to encrypt 53 GB of data. Among the laggards were also Maze and PYSA, which took as long as two hours.[20]
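The encryption speeds above are why response teams watch file-modification rates per process rather than individual writes. As an added example, not Splunk's code or the page's own, the following Python detector counts distinct files touched by each process in a sliding window over constructed Sysmon-style event lines and flags processes that exceed a per-minute threshold; the event format, threshold and process names are assumptions.

```python
"""Rate-based detection of mass file modification (ransomware encryption).

Added example, not from Splunk or the page.  Input is a constructed,
simplified Sysmon-like line: "<ISO-timestamp> <pid> <process> <action> <path>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60
# Assumed threshold: far below LockBit's observed ~25,000 files/min, but well above
# what an interactive user or an office application touches in a minute.
FILES_PER_MINUTE_THRESHOLD = 500


def parse_event(line):
    """Split one constructed event line into (timestamp, pid, process, action, path)."""
    ts, pid, proc, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), int(pid), proc, action, path


def detect_mass_modification(lines, window=WINDOW_SECONDS,
                             threshold=FILES_PER_MINUTE_THRESHOLD):
    """Return {(pid, process): peak_files_per_minute} for processes that, within any
    `window`-second interval, touched enough distinct files to exceed `threshold`.
    Only write-like actions count; reads and deletes are ignored."""
    events = sorted(parse_event(l) for l in lines)          # process in time order
    recent = defaultdict(deque)                              # key -> deque[(ts, path)]
    peak = {}
    for ts, pid, proc, action, path in events:
        if action not in ("FileCreate", "FileWrite", "FileRename"):
            continue
        key = (pid, proc)
        q = recent[key]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window:       # drop events outside window
            q.popleft()
        distinct = len({p for _, p in q})
        rate = distinct * 60.0 / window                      # normalise to files/minute
        if rate > peak.get(key, 0.0):
            peak[key] = rate
    return {k: v for k, v in peak.items() if v >= threshold}


def projected_minutes(files_per_minute, total_files=98_561):
    """Minutes needed to touch every file at the observed rate.
    The default corpus size is the 98,561 files of Splunk's test set."""
    return total_files / files_per_minute


def build_sample_events():
    """Constructed sample: a benign office process writing three documents over 40 s,
    plus a process renaming 1,200 files within 30 s (about 2,400 files/min)."""
    base = datetime(2022, 3, 24, 10, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=20 * i)).isoformat()} 1200 WINWORD.EXE "
        f"FileWrite C:\\Users\\u\\report{i}.docx"
        for i in range(3)
    ]
    for i in range(1200):
        t = base + timedelta(milliseconds=25 * i)
        lines.append(f"{t.isoformat()} 4711 updater.exe FileRename "
                     f"C:\\Users\\u\\data\\file{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    hits = detect_mass_modification(build_sample_events())
    for (pid, proc), rate in hits.items():
        print(f"ALERT pid={pid} {proc}: {rate:.0f} files/min, full 98,561-file corpus "
              f"in ~{projected_minutes(rate):.1f} min at that rate")
```

Because the rate is averaged over the whole window, a 30-second burst of 1,200 renames reports as 1,200 files/min; a shorter window reacts faster at the cost of more noise from legitimate bulk operations such as backups or compilers.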
LokiLocker ransomware is equipped with wiper functions
The LokiLocker ransomware is equipped with wiper functions. This became known on March 17, 2022.
The malware attacks users around the world, but most of the victims are in Eastern Europe and Asia.
LokiLocker, supposedly developed by Iranian hackers, was first discovered in mid-August 2021. As the researchers note, it should not be confused with the old Locky ransomware or the LokiBot infostealer. The malware shares some features with the LockBit ransomware (registry values, ransom note file name), but it does not appear to be its direct "heir."
LokiLocker is distributed according to the ransomware-as-a-service (RaaS) business model in a very narrow circle of carefully selected partners.
Researchers are still trying to determine the origin of LokiLocker. The built-in debug string is written in English with almost none of the errors typical of programs written by Russian or Chinese hackers. Some of LokiLocker's earliest affiliates have usernames registered exclusively on Iranian hacker channels. In addition, the malware contains a list of countries whose users must not be attacked, and one of them is Iran.
The malware is written in .NET and is protected using the commercial NETGuard tool.
Early versions of LokiLocker were distributed through cracked brute-force hacking tools, including PayPal BruteCheck, Spotify BruteChecker, PiaVNP Brute Checker from ACTEAM, and FPSN Checker from Angeal. The malware probably spread through these tools while it was in beta testing.
Like other ransomware, LokiLocker encrypts the attacked systems and gives the victim time to pay the ransom. If the ransom is not paid within the allotted period, the malware can erase all data from the hard drives except for system files. In addition, it will try to overwrite the master boot record to render the system unbootable[21].
2021
The number of companies that paid more than $1 million to ransomware hackers has increased 3 times
According to a study by the information security solution developer Sophos, in 2021 about 66% of organizations were hit by a ransomware attack, compared to 37% in 2020. And 65% of these attacks succeeded in encrypting the victims' data, compared with 54% in 2020, the report said.
According to the British cybersecurity company, the average ransom paid by organizations for the most significant attacks using ransom software has grown almost fivefold and amounted to just over $800 thousand, and the number of organizations that paid a ransom of $1 million or more has tripled by the end of 2021 and reached 11%.
Chester Wisniewski, chief scientist at Sophos, says the cost of ransomware not only continues to rise, but a growing number of victims decide to pay even when they have other options.
46% of those surveyed who reported that their data had been blocked as a result of the attack said they paid a ransom to get their data back, and 26% said they paid a ransom, although they could have recovered it on their own using backups.
There may be several reasons for this, Wisniewski said, including incomplete backups or a desire to keep company data from being shared online.
"Organizations don't know what attackers could have done, such as adding backdoors, copying passwords and more," Wisniewski said in a statement. "If organizations do not thoroughly clean up the recovered data, they will end up with all this potentially toxic material on their network and could be reattacked."
In addition, after a ransomware attack there is often an urgent need to restore operations as quickly as possible, and restoring from backups can be complex and time-consuming, Wisniewski said. But while paying cybercriminals for a decryption key can be a tempting idea, it's also risky.[22]
The average ransom payment for ransomware attacks has reached a new record - $541 thousand
On March 30, 2022, the information security company Palo Alto Networks published a study according to which ransom payments for ransomware attacks reached new records in 2021, as cybercriminals increasingly turned to "leak sites" on the darknet, where they forced victims to pay by threatening to release confidential data.
According to the report, the average ransom amount demanded by ransomware increased 144% in 2021 to $2.2 million, and the average payment amount increased 78% to $541,010. The most affected industries are professional and legal services, construction, wholesale and retail, healthcare and manufacturing.
"In 2021, ransomware attacks interfered with the day-to-day activities that people around the world take for granted - from buying groceries and gasoline for our vehicles to calling emergency services in the event of an emergency and receiving medical attention," the report said.
The most active was the Conti ransomware group, which accounts for more than 1 in 5 cases reviewed by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, came in second with 7.1%, followed by Hello Kitty and Phobos (4.8% each). Conti also posted the names of 511 organizations on its leak site on the Dark Web, the largest number of any group.
The report describes the growth of the cyber-extortion ecosystem in 2021, with 35 new ransomware gangs. Criminal gangs are investing their profits in creating easy-to-use attack tools that increasingly exploit zero-day vulnerabilities.
According to the Palo Alto Networks study, the number of victims whose data was posted on leak sites increased by 85% in 2021, to 2,566 organizations. 60% of the victims posted on leak sites were in the Americas, followed by 31% in Europe, the Middle East and Africa, and 9% in the Asia-Pacific region.[23]
Industrial enterprises have become the main target of cybercriminals
On February 23, 2022, IBM Security presented its annual X-Force Threat Intelligence Index, which sheds light on the cumulative damage to business from ransomware and vulnerabilities in 2021, a year in which industrial enterprises became the main target of attackers amid the worsening crisis in global supply chains. The most common type of cyber attack over the past year was phishing, but IBM Security X-Force experts noted a 33% increase in the number of attacks exploiting vulnerabilities in unpatched software. In 2021, these vulnerabilities became the main gateway for ransomware, accounting for 44% of all attacks using such programs.
According to the company, the 2022 report details how, during 2021, attackers tried to destroy the foundation of global supply chains through ransomware attacks on industrial facilities. According to the results of 2021, companies from the industry (23%) became the main target of attacks, displacing the financial services and insurance sector from dominant positions. By increasing the number of attacks on industrial enterprises, attackers hoped to create a "domino effect" that would disrupt the lower links of supply chains and force organizations to pay a ransom to fraudsters. 47% of attacks on industrial enterprises were caused by vulnerabilities that the victim companies had not yet had time or could not fix. This once again underscores the need to treat vulnerability management as a priority.
The IBM Security X-Force Threat Intelligence Index 2022 report outlines attack trends and patterns detected and analyzed by IBM Security specialists based on data collected by incident detection devices from billions of sources (such as workstations and network devices), incident response experience, phishing investigations, etc., and information provided by Intezer.
Key findings from the 2022 report:
- Cybercriminal groups are not deterred by takedowns. At the end of 2021, ransomware remained the most common method of attack, and there are no signs of these groups weakening despite active efforts to eliminate them. According to the 2022 report, a cybercriminal group exists for an average of 17 months before it ceases operations or is renamed.
- Vulnerabilities are the biggest evil for business. The X-Force report indicates that in 2021 unpatched vulnerabilities were the cause of 50% of attacks on enterprises in Europe, the Middle East and Africa. This only confirms that fixing vulnerabilities is a difficult task for enterprises.
- Alarming signs of a cyber crisis in the cloud. Cybercriminals are laying the groundwork for cloud attacks: the 2022 report shows a 146% increase in new Linux ransomware code and a shift in the attack vector towards Docker, which could make it easier to use clouds for malicious activity.
"Cybercriminals usually chase money. Now their goal is blackmail using ransomware. Companies must realize that vulnerabilities drive them into a dead end, as fraudsters can exploit these vulnerabilities to their advantage. This problem goes beyond the conventional threat model. Against the background of a constantly growing attack surface, enterprises should assume the presence of threats instead of relying on fixing already known vulnerabilities in their environments, and implement a zero-trust strategy to better manage vulnerabilities," noted Charles Henderson, Head of IBM X-Force.
In response to the intensification of law enforcement agencies to eliminate hacker groups, cybercriminals can implement their own plans to resume activities. X-Force analysis shows that the average duration of cybercriminal groups before they are eliminated or renamed is 17 months. For example, the hacker group REvil, responsible for 37% of all ransomware attacks in 2021, lasted four years thanks to the "rebranding," so the likelihood of its reappearance cannot be ruled out, despite the elimination by the efforts of several countries in mid-2021.
Slowing down criminal activity, thanks to law enforcement agencies, also increases the costs of attackers to "rebrand" or restore infrastructure. To adapt to other "rules of the game," organizations need to be mindful of the importance of upgrading their infrastructure for secure storage, whether in the local or cloud. This will help enterprises simplify the management, control and protection of applications and data, as well as eliminate the leverage of attackers in the event of a system breach, complicating access to critical data in hybrid cloud environments.
The X-Force report notes that in 2021 a record high number of vulnerabilities was recorded, while in production process management systems their number is growing by 50% annually. Despite the fact that over 146 thousand vulnerabilities have been discovered over the past decade, the pace of digital transformation of organizations has accelerated quite recently, mainly due to the pandemic. This suggests that issues in vulnerability management have not yet reached their peak.
At the same time, the method of conducting attacks based on the exploitation of vulnerabilities is gaining popularity. X-Force specialists found that over the previous year, the number of such attacks increased by 33%. Among the most commonly used vulnerabilities are two vulnerabilities found in popular enterprise applications (Microsoft Exchange, Apache Log4J Library). Scaling digital infrastructures can exacerbate the vulnerability management challenge for enterprises. And such companies may not be able to meet audit and regulatory compliance requirements, so it is important to assume threats and implement a zero-trust strategy to protect the enterprise architecture.
In 2021, X-Force found that attackers are increasingly shifting the attack vector towards containers such as Docker, the most common container runtime environment (according to Red Hat). Attackers know that containers are popular in organizations, so they are making even greater efforts to develop malware that covers several platforms at once and can be used as a launch pad for compromising other infrastructure components.
The 2022 report also issued a warning regarding the constant influx of investment from cybercriminals in unique, previously unknown malware to attack Linux. Data provided by Intezer shows a 146% increase in the number of Linux ransomware containing updated code. As attackers steadily search for ways to scale up attacks through cloud environments, enterprises should focus on optimizing the transparency of their hybrid infrastructure. Hybrid cloud environments based on interoperability and open standards can help organizations detect blind spots and speed up and automate security responses.
Additional findings contained in the 2022 report:
- Asia is leading in the number of attacks - in 2021, more than 25% of attacks detected by IBM were directed at Asian countries. This is more than in any other region of the world. The target of 60% of attacks in Asia was financial institutions and industrial enterprises.
- Internet scammers stay in touch: phishing became the most popular type of cyber attack in 2021. During security testing by X-Force Red experts, it was found that combining phishing campaigns with phone calls triples their effectiveness.
The number of ransomware virus attacks in the world increased by 105%
On February 17, 2022, the information security company SonicWall published a study according to which in 2021 the total number of ransomware attacks more than doubled - by 105% compared to 2020, when growth was measured at 62% compared to 2019. If we compare with 2019, then in 2021 the number of ransomware attacks more than tripled, which means an increase of 231% in two years.
According to experts, the popularity of ransomware among cybercriminals is only growing because it is "a place where there is money."
"If you are going to monetize an attack and want to get the maximum risk-reward ratio, then this will be ransomware. And with the advent of ransomware-as-a-service offerings, the barrier to entry has become very, very low," said Dmitry Airapetov, vice president for platform architecture at SonicWall.
According to SonicWall, in 2021 the United States again became the largest target for ransomware attacks: the country accounted for about 68% of attacks. However, in other countries the growth rate was higher: in 2021 the number of attacks increased by 3256% in Germany and by 227% in the UK, compared with 98% growth in the United States.
In terms of ransomware types, SonicWall found Ryuk to be number 1 again. However, in 2021, this type accounted for a smaller proportion of attacks on ransom programs (30% of attacks) than in 2020, when Ryuk was used in 36% of attacks.
Richard Hickman of Palo Alto Networks' Unit 42 research group said in 2021 that the same group is behind the Ryuk and Conti viruses, and it is considered "one of the most ruthless" in the ransomware industry. Conti's ransomware attacks included a devastating attack on Ireland's health service in May 2021.
Increasingly, ransomware attacks include the public disclosure of stolen data, according to a CrowdStrike report released in early February 2022. Data breaches related to ransomware rose 82% in 2021 compared to 2020. According to that report, the average ransom demand in 2021 increased by 36% to $6.1 million.[24]
Linux systems are attacked by ransomware and crypto-jacking
On February 18, 2022, VMware shared the results of its study of Linux-based malware, Exposing Malware in Linux-Based Multi-Cloud Environments. Linux, as the most common cloud operating system, is a major component of digital infrastructure and is therefore often targeted by attackers seeking to penetrate multi-cloud environments. Most malware protection solutions focus mainly on protecting Windows-based devices. This leaves many public and private clouds vulnerable to attacks targeting Linux-based workloads.
Among the main takeaways that describe scenarios for using malicious programs by cybercriminals to attack Linux:
- Ransomware is increasingly targeting servers used to deploy workloads in virtualized environments;
- 89% of cryptojacking attacks use libraries associated with the XMRig cryptominer;
- More than half of users of the Cobalt Strike framework can be cybercriminals or at least use Cobalt Strike illegally.
"Cybercriminals are expanding their activities and adding malware targeting Linux-based operating systems to their arsenal in order to achieve maximum effect with minimal effort," said Giovanni Vigna, senior director of security threat analysis at VMware. "Compromising one server can bring attackers great profit and provide access to the main target without having to attack the end device. Attackers attack both public and private cloud environments. Unfortunately, existing malware countermeasures are mainly aimed at eliminating threats to Windows servers, so many clouds become vulnerable to attacks whose main target is a Linux-based OS."
Successful ransomware attacks on the cloud can be disastrous for security. Ransomware attacks on services deployed in cloud environments are often combined with data breaches; this is how the double extortion scheme is implemented. Ransomware has evolved to attack and exploit the hosts used to deploy workloads in virtualized environments. Attackers now look for the most valuable assets in cloud environments to inflict maximum damage. Examples are the Defray777 ransomware family, which encrypted data on ESXi servers, and the DarkSide family, which damaged Colonial Pipeline's networks and caused a gasoline shortage across the USA.
Cybercriminals aimed at making a quick profit often hunt for cryptocurrency using one of two approaches to attack:
1) implement malware to steal from online wallets;
2) monetize stolen CPU cycles for cryptocurrency mining (so-called "cryptojacking"). Most of these attacks focus on mining the Monero (XMR) currency: 89% of cryptojacking attacks use libraries related to XMRig. That is why, when XMRig-specific libraries and modules are found in Linux binary files, it indicates malicious cryptomining activity.
To establish control and persist in the environment, attackers seek to install an implant into the compromised system that gives them partial control over the device. Malware, web shells and remote access tools can be injected into the system. One of the main implants is Cobalt Strike, a commercial penetration testing tool, along with Linux-based red team tools such as Vermilion Strike.
From February 2020 to November 2021, VMware Threat Analysis detected more than 14,000 active Cobalt Strike Team servers on the Internet. The share of Cobalt Strike customer IDs that were cracked and leaked online is 56%, meaning that more than half of the users of the Cobalt Strike framework may be cybercriminals or at least use Cobalt Strike illegally. The fact that remote access tools such as Cobalt Strike and Vermilion Strike have come into mass use by cybercriminals poses a serious threat to companies.
"Our study showed that more and more ransomware families are moving into the category of Linux-based malware, and there is a possibility of attacks that exploit the Log4j vulnerabilities," said Brian Baskin, threat research manager at VMware. "The findings of our report can be used to better understand the nature of Linux-based malware and contain the growing threat posed by ransomware, cryptominers and remote access programs for multi-cloud environments. As attacks targeting the cloud continue to evolve, organizations should adhere to the Zero Trust concept for securing the entire infrastructure."
During the study, the VMware Threat Analysis Unit (TAU) used static and dynamic methods to characterize various malware families found on Linux-based systems, based on a carefully selected data set of Linux binaries. All of them are in the public domain and can be obtained from VirusTotal or the websites of major Linux distributions. VMware specialists collected more than 11,000 benign samples from several Linux distributions, in particular Ubuntu, Debian, Mint, Fedora, CentOS and Kali. TAU then collected a set of samples for two classes of threats, ransomware and cryptominers. Finally, malicious ELF binaries from VirusTotal were collected and used as the malicious test set. All data were collected for the period June-November 2021.
The number of data breaches due to ransomware viruses in the world soared by 82%
In 2021, data breaches related to ransomware increased by 82% compared to 2020. Such data were presented by the American cybersecurity company CrowdStrike in mid-February 2022. Read more here.
Ransomware dominated all threats
On February 1, 2022, Cisco Talos spoke about the main events in the cybersecurity market in 2021.
Ransomware dominated all threats in 2021. Two trends were observed in their use: an increase in the number of attackers and an increase in the use of commercially available open source products and programs. Read more here.
The number of detected ransomware viruses increased by 26%, to 157
On January 26, 2022, a study was published, according to which 32 new families of ransomware viruses were identified in 2021, which is 26% more than a year earlier. Their total number reached 157.
The report was prepared by the security developers Ivanti and Cyware in conjunction with Cyber Security Works (CSW), a CVE Numbering Authority. It draws on several data sources, including Ivanti and CSW data, public threat databases, and threat researchers and pentester groups.
The analysis revealed 65 new vulnerabilities related to ransomware in 2021, bringing the total to 288. More than a third (37%) of the newly identified vulnerabilities were found on dark web sites and, as a result, were actively exploited. In addition, more than half (56%) of older CVEs are still regularly exploited.
The report also highlights that many zero-day vulnerabilities were exploited before they were published in the US National Vulnerability Database (NVD). These include those used to compromise Kaseya (CVE-2021-30116) and the infamous Log4Shell bug (CVE-2021-44228).
The ransomware-as-a-service (RaaS) model helps democratize this type of activity in the cybercriminal underground. Especially dangerous are the exploit-as-a-service offerings, which allow attackers to rent zero-day exploits from their developers.
"Ransomware is increasingly sophisticated and its attacks are increasingly effective. These threat actors are increasingly using automated toolkits to exploit vulnerabilities and penetrate more deeply into compromised networks. They are also expanding their targets and launching more attacks on critical sectors, disrupting daily life and causing unprecedented damage," stated Srinivas Mukkamala, Senior Vice President of Security Products at Ivanti.
"Organizations need to be extra vigilant and fix cyber security vulnerabilities without delay. This requires using a combination of risk-based prioritization of vulnerabilities and automated patch analytics to identify and prioritize vulnerability weaknesses and then accelerate remediation," he added.[25]
Attack on one of the world's largest shipping companies Swire Pacific Offshore
On November 26, 2021, shipping company Swire Pacific Offshore (SPO) announced a data breach after falling victim to a cyber attack. Both commercial information and personal data of employees were stolen. Read more here.
Growth in damage from ransomware attacks to $325 million
According to Cybercrime Magazine, global damage from ransomware will reach $20 billion by the end of 2021, whereas back in 2015 this figure was $325 million. Ransomware attacks on enterprises around the world occur every 11 seconds. The coronavirus pandemic, which provoked a sharp increase in the use of online services, played an important role in this. This became known on November 23, 2021. Read more here.
Ransomware virus blocks public transport operator's IT systems
In early November 2021, information appeared that a ransomware attack had disrupted the operations of Toronto's public transport agency in Canada, the Toronto Transit Commission (TTC). The cyber attack also disabled several systems used by both drivers and passengers. At the time of writing, none of the gangs distributing ransomware had claimed responsibility for the incident. Read more here.
Check Point Software: $40 million is a record ransom for hackers
According to technology company Check Point Software, the $40 million ransom paid to hackers by insurance company CNA Financial in 2021 has become the largest in the history of ransomware attacks. Experts reported this in early November 2021.
According to Bloomberg, the attackers initially demanded $60 million, and after lengthy negotiations agreed to reduce the demand by $20 million. According to information security specialists, the Phoenix ransomware used to attack CNA Financial was built on the basis of the Hades malware. This malware was developed by the hacker group Evil Corp. Read more here.
Hackers launched a cyber attack around the world through a hole in BQE Software's corporate software
At the end of October 2021, information appeared that hackers began to hack companies using a ransomware virus, exploiting a vulnerability in the BillQuick Web Suite accounting and billing system developed by BQE Software. This was reported by Huntress, a threat research company. Read more here.
IDC: One in three companies in the world faced ransomware viruses
At the end of October 2021, IDC analysts published a study reporting that in 2020-2021 more than a third of companies around the world were attacked by ransomware or hacked in a way that blocked access to IT systems or data.
The largest number of ransomware incidents was recorded in the manufacturing and financial industries, and the smallest in transport, communications, utilities and media. Companies that became victims often faced repeated attacks.
"Ransomware has become the enemy of the day; the threat, first feared on Pennsylvania Avenue and then feared on Wall Street, has now become a talking point on Main Street. As the greed of cyber fraudsters grew, ransomware became more sophisticated, constantly updated, increasing its stealth, thereby actively evading detection, seizing data and using multifaceted extortion. Welcome to the dark side of digital transformation!" said Frank Dickson, IDC Vice President of Cybersecurity Products.
The main findings of the study include the following:
- The incident rate was markedly lower for companies located in the United States at 7%, compared to a global rate of 37%;
- The largest number of ransomware incidents was recorded in the manufacturing and financial industries, and the smallest in the transport, communications and utilities/media industries;
- Only 13% of organizations reported that they survived a ransomware attack/hack and did not pay the ransom;
- Although the average ransom amount was almost $250 thousand, several large ransoms of more than $1 million distorted the overall average.
Increasing awareness of ransomware incidents has prompted companies to take a range of responses. These include verification and certification of security and data protection/recovery practices with partners and suppliers, periodic stress testing of cybercrime response procedures, and increased exchange of threat information with other organizations and/or government agencies. The increased awareness of these incidents also prompted requests from boards to review security practices and procedures for responding to ransomware.[26]
Two-thirds of organizations were subjected to at least one ransomware attack
On October 11, 2021, Fortinet shared the results of the 2021 Global State of Ransomware Report. The survey shows that most organizations are more concerned about ransomware than about other cyber threats. However, while most organizations surveyed indicated that they were prepared for attacks, implementing employee cyber training, conducting risk assessments and taking out cybersecurity insurance, there is a clear gap in what many respondents see as the key security solutions and technologies that can best protect against the most common methods of penetration into their networks.
"Ransomware rose 1,070% year-on-year, according to a recent FortiGuard Labs Global Threat Landscape report. Unsurprisingly, organizations have cited the changing threat landscape as one of the main challenges in preventing ransomware attacks. As evidenced by our ransomware survey, there is a huge opportunity to implement technology solutions such as segmentation, SD-WAN, ZTNA, as well as SEG and EDR to protect against such threats and secure the access methods most often mentioned by respondents. The large number of attacks demonstrates the urgent need for organizations to protect their data from the latest ransomware attacks on networks, endpoints, and clouds. The good news is that companies are recognizing the value of a platform approach to ransomware protection," said John Maddison, first vice president of product and solutions marketing at Fortinet.
Judging by the technologies considered extremely important, among which the most popular are Secure Web Gateway, VPN and Network Access Control, organizations are most worried about remote employees and devices. Although ZTNA is a young technology, it should be considered a replacement for traditional VPN technology. The greatest concern, however, was the low significance attached to segmentation (31%). It is a critical technology that prevents intruders who are already inside the network from moving laterally to gain access to important data and intellectual property. Similarly, UEBA and sandboxing play a critical role in identifying intrusions and new strains of malware, but both are lower on the list. Another surprise was the perceived importance of secure email gateways (33%), given that phishing is reportedly a common method of intruder penetration.
Organizations' greatest concern about the ransomware attack was caused by the risk of data loss, as well as performance degradation and disruption. In addition, 84% of organizations reported having an incident response plan, and cybersecurity insurance was part of 57% of those plans. As for the payment of ransom in the event of an attack, for 49% of organizations the procedure is to directly pay the ransom, and for another 25% - depending on how expensive the ransom is. Of the quarter who paid the ransom, most, but not all, got their data back.
While concerns about ransomware have been fairly persistent across the board, there have been some regional differences. Respondents from EMEA (95%), Latin America (98%) and APJ (Asia-Pacific/Japan, 98%) were only slightly more concerned about such attacks than their counterparts from North America (92%). All regions consider data loss to be the main risk associated with a ransomware attack, along with concerns that they will not be able to withstand increasingly sophisticated threats. In the Asia-Pacific region in particular, the main problem is the lack of user awareness and training. Respondents in Asia-Pacific and Latin America were more likely than others to have been victims of such attacks in the past (78%), compared with 59% in North America and 58% in EMEA. Phishing was a common attack vector everywhere, while in Asia-Pacific and Latin America the main attack vectors were remote desktop protocol (RDP) exploits and exposed vulnerable ports.
Almost all respondents believe that operational threat intelligence through integrated security or platform solutions is critical to preventing ransomware attacks, and see value in artificial intelligence (AI) -based behavioral factor detection capabilities.
While almost everyone surveyed believes they are moderately prepared and plans to invest in cyber awareness training for employees, it is clear from the survey that organizations need to recognize the value of investing in technologies such as advanced email protection, segmentation and sandboxing, in addition to the core NGFW, SWG and EDR technologies, to detect, prevent and limit ransomware. It is important that organizations review and evaluate these risk mitigation solutions in light of the tactics and methods used by such threats. The most advanced organizations will adopt a platform approach to their ransomware strategy that provides essential capabilities fully integrated with operational threat intelligence. These must also be designed to interact as a single system and be enhanced with artificial intelligence and machine learning to better detect and respond to ransomware threats.
The report is based on a global survey of IT executives that aims to better understand how organizations treat the threat of ransomware, how they currently defend against it, and how they plan to defend against it in the future.
The survey was conducted in August 2021 with the participation of 455 company leaders from small, as well as medium and large organizations around the world. The survey participants are leaders in the field of IT and security from 24 different countries, representing almost all industries, including the public sector.
A member of a hacker group who extorted $150 million with ransomware was detained in Ukraine
In early October 2021, law enforcement agencies of Ukraine reported the detention of a hacker who, by his criminal actions, caused damage to foreign companies totaling $150 million. Read more here.
Ransomware virus attack on South African Justice Ministry
In September 2021, it became known about the ransomware virus attack on the Ministry of Justice and Constitutional Development of South Africa (DOJCD). Hackers are demanding a ransom of 50 bitcoins from the department in exchange for restoring access to hacked systems. Read more here.
Ransomware operators' business could change
Experts suggest that ransomware operators may soon abandon their partners in the "industry," as the latter harm their "impeccable reputation." As the analysis showed, in the second quarter of 2021 all records for the number of attacks using ransomware were broken: ransomware accounted for 69% of all attacks involving malware. This was reported by Positive Technologies on September 14, 2021.
"The largest number of ransomware attacks (45%) occurred in April," said Yana Yurakova, information security analyst at Positive Technologies. "In early May, however, attackers hit the largest U.S. pipeline system, Colonial Pipeline, and the D.C. police, attracting the attention of law enforcement. These incidents affected the activity of ransomware operators and distributors. Already in June, the number of attacks involving them halved. Some of them even made changes to their partner programs, adding restrictions on the industry of the attacked enterprise, as REvil operators did."
Positive Technologies experts especially noted the frequent disputes on dark web forums about the business of ransomware operators. Some forum participants believe that the extortionists need to stop their current activities, since they cause too much damage and negatively affect the activities of shadow market participants, and find another way to earn money.
"In our opinion, the ransomware operators who made noise will not be able to abandon such a profitable business; in the near future they will only lie low so that the hype around them subsides and they can determine new principles of operation," commented Vadim Solovyov, head of the information security threat analysis group at Positive Technologies.
As reported in the study, a ban on publishing posts about the partner programs of ransomware operators has recently appeared on dark web forums. Experts believe that the structure of this business may soon change. One scenario for such changes is the disappearance of the so-called partners as a separate role: their tasks will be taken over by the ransomware operators themselves, who will assemble teams of distributors and oversee them directly rather than through an intermediary, and will more actively recruit access brokers into their attack chains.
Weekly ransomware activity increased 10 times over the year
Fortinet, a global provider of integrated and automated cybersecurity solutions, on August 30, 2021 shared the results of the semi-annual FortiGuard Labs Global Threat Landscape Report. Threat data gathered in the first half of 2021 indicate a significant increase in the volume and complexity of attacks directed at individuals, organizations and, increasingly, critical infrastructure. The expanding attack surface - a hybrid workforce and learners inside and outside the perimeter of a traditional network - remains the target of intruders. Timely cooperation and partnerships between law enforcement agencies, as well as between public and private organizations, will provide an opportunity to disrupt the cybercriminal ecosystem in the second half of 2021. The following are the findings of the study for the first half of 2021:
1) Ransomware is about more than just getting money: FortiGuard Labs data shows that average weekly ransomware activity in June 2021 was more than ten times higher than the level recorded a year earlier. This shows consistent and generally steady growth throughout the year. The attacks have hurt the supply chains of a host of organizations, in particular in critical sectors, and affected daily life, productivity and trade more than ever before. Organizations in the telecommunications sector were targeted most, followed by government, managed security service providers, the automotive sector and manufacturing.
In addition, some ransomware operators have shifted their strategy from downloading via email to focusing on gaining and selling initial access to corporate networks, further demonstrating the ongoing evolution of ransomware as a service (RaaS) fueling cybercrime. The key finding is that ransomware remains a clear and present danger to all organizations, regardless of industry and size. Organizations need to take a proactive approach to real-time endpoint protection, discovery, and automatic response solutions to secure their environments, along with a zero-trust, network segmentation, and encryption approach.
2) One in four organizations detected malicious advertising: a ranking of the most frequently detected malware by family shows an increase in malicious advertising (malvertising) and scareware that rely on social engineering. More than one in four organizations identified attempts to distribute malicious ads or scareware, including Cryxos. Most likely, a large number of JavaScript detections also belong to similar campaigns that can be considered malvertising. The hybrid work reality has undoubtedly pushed cybercriminals towards this tactic, using it to intimidate and extort. To keep people from falling victim to scareware and malvertising, it is more important than ever to educate users and raise awareness of such approaches.
3) Botnet trends show that attackers are mustering their forces: tracking the prevalence of botnet detections showed a surge in activity. At the beginning of the year, 35% of organizations detected botnet activity in one form or another, and after six months this figure was 51%. TrickBot was responsible for the overall surge in activity in June. It originally appeared on the cybercriminal scene as a banking trojan but has since evolved into a complex, multi-stage toolkit that supports a range of illegal activities. Mirai was the most common overall; it overtook Gh0st in early 2020 and has remained in the lead through 2021. Mirai continues to replenish its arsenal of cyber weapons, but its dominance is likely due, at least in part, to criminals' desire to exploit Internet of Things (IoT) devices used by people working or studying at home. Also notable is the activity of Gh0st, a remote access botnet that allows attackers to completely control the infected system, capture live webcam and microphone feeds, or download files. More than a year after the shift to remote work and learning, cyber adversaries continue to exploit our evolving daily habits. To protect networks and applications, organizations need zero-trust access approaches that grant least-privilege access and prevent compromised IoT endpoints and devices from being used to intrude into the network.
4) The fight against cybercrime is bearing fruit: In the field of cybersecurity, not every action has an immediate or lasting effect, but several events in 2021 indicate positive changes precisely for defenders. In June, TrickBot's original developer was indicted on numerous charges. In addition, the coordinated destruction of Emotet, as well as actions to curb the operations of ransomware Egregor, NetWalker and Cl0p, represent a significant boost from cyber defenders, including world governments and law enforcement, aimed at combating cybercrime. In addition, the attention that some attacks attracted led several ransomware operators to announce the termination of their activities. FortiGuard Labs data indicates a slowdown in threat activity after Emotet is destroyed. Activity associated with the TrickBot and Ryuk variants persisted after the Emotet botnet was shut down, but volume declined. It's a reminder of how difficult it is to eliminate adversary cyber threats or supply chains right away, but these events are important achievements no matter what.
5) Defense evasion and privilege escalation methods of cybercriminals: studying threat data at a higher resolution makes it possible to draw valuable conclusions about how attack methods are developing. FortiGuard Labs analyzed the specific functionality built into detected malware, detonating samples to trace the outcome the adversaries intended. The result was a list of negative actions that malicious software could take if the attack payload were executed in the target environment. This shows that adversaries sought to elevate privileges, bypass security controls and move laterally across internal systems to exfiltrate compromised data, among other techniques. For example, 55% of observed privilege elevation functions used hooking, and 40% used process injection. From this it follows that defenders should pay special attention to defense evasion and privilege escalation tactics. While these methods are not new, organizations will be better protected from future attacks by arming themselves with this timely knowledge. Integrated, AI-based platform approaches fed by timely threat intelligence are essential for protection across the board, as well as for identifying and addressing the changing threats that organizations face in real time.
"We have seen an increase in the number of effective and disruptive cyber attacks affecting thousands of organisations in a single incident. This creates an important tipping point in the war on cyber crime. Everyone plays an important role in strengthening the kill chain. To destroy the supply chains of cybercriminals, the priority should be to unite forces through cooperation. Sharing data and partnership can provide a more effective response and more accurate prediction of future methods to deter enemy efforts. Ongoing cyber security training, as well as AI-based prevention, detection and response technologies integrated into endpoints, networks and clouds, remain vital to countering cyber adversaries," said Derek Manky, head of security analytics and Global Threat Alliances at FortiGuard Labs.
While government and law enforcement have taken action on cybercrime in the past, the first half of 2021 could be a game changer in terms of future developments. Effective action against cybercriminals requires comprehensive collaboration with industry vendors, threat intelligence organizations, and other global partner organizations to consolidate real-time threat resources and information. However, automatic threat detection and artificial intelligence are still essential for organizations to respond to real-time attacks and mitigate them with high speed and scalability at all levels. In addition, training users on cybersecurity is as important as ever. Everyone needs regular training in how to ensure the safety of individual employees and the organization.
Hackers blocked the systems of the IT company Kaseya and demanded a ransom of $70 million
In early July 2021, Kaseya was subjected to a cyber attack, which was allegedly carried out by REvil hackers. As a result of the hacker attack, not only REvil systems were infected, but also hundreds of clients in at least 17 countries. Attackers demand a ransom of $70 million. Read more here.
Irish Ministry of Health shut down IT systems after ransomware virus attack
On May 14, 2021, the Irish National Health Service was forced to temporarily disable its IT system due to a hacker attack. It is known that hackers used ransomware. Read more here.
Growth in average company spending on recovery from ransomware virus attacks to $1.85 million
According to a study published by information security company Sophos at the end of April 2021, the average business spending on recovery from ransomware attacks worldwide more than doubled year on year. At the beginning of 2020 it amounted to $761,106, and a year later to $1.85 million. The average ransom paid to the organizers of such attacks, which block the operation of computers, exceeded $170 thousand.
According to a Sophos report, only 8% of companies were able to fully recover lost data after being hacked using ransomware viruses. 29% of organizations managed to recover no more than half of the information.
For its analysis, Sophos surveyed about 5,400 IT executives from midsize companies in 30 countries in Europe, the Americas, Asia-Pacific and Central Asia, the Middle East and Africa. 37% of respondents reported experiencing ransomware attacks, while a year earlier this share was 51%. The number of companies whose data was encrypted as a result of such cyber attacks also decreased, from 73% to 54% of the total number of organizations covered by the study.
"An obvious reduction in the number of organizations affected by ransomware is good news, but it is overshadowed by a change in attacker behavior, at least in part," says Sophos chief scientist Chester Wisniewski. "We've seen cybercriminals move from large-scale, routine, automated attacks to more targeted, hands-on-keyboard attacks. Although there are fewer attacks, the likelihood of damage from these increasingly complex targeted attacks has now become much higher."
Companies began to pay more often ransom to the organizers of ransomware attacks: by the beginning of 2021, their share increased to 32% from 26% in 2020. 10 companies surveyed paid more than $1 million.[27]
IoT device maker Sierra Wireless stops factories due to ransomware attack
At the end of March 2021, the Canadian manufacturer of devices for the Internet of Things (IoT) Sierra Wireless stopped production after being the victim of a ransomware attack. The attack also disrupted internal operations and the company's website ceased operations. Read more here.
2020
Ransomware virus distributors' revenues estimated at $400 million
The US National Security Council calculated that the income of hackers around the world who used ransomware viruses in 2020 amounted to $400 million. The data was published on the White House website in October 2021.
Ransomware virus incidents have disrupted critical services and businesses around the world, affecting schools, banks, government agencies, rescue services, hospitals, energy companies, transportation and food industry businesses. Viruses attacked organizations of any size, regardless of their location. Global economic losses from malware are significant, experts say.
The administration of US President Joe Biden is making purposeful comprehensive efforts to combat this threat. The work is organized in the following areas:
- Disruption of the infrastructure and actors distributing ransomware: the administration will use every capability of the U.S. government to disrupt the participants, organizers, networks and financial infrastructure of ransomware;
- Building resilience to counter ransomware attacks: the administration has called on the private sector to increase investment and focus on cyber defense to counter this threat. The administration has also set expected cybersecurity thresholds for critical infrastructure and introduced cybersecurity requirements for critical transport infrastructure;
- Combating the abuse of virtual currency to launder ransom payments: virtual currency is subject to the same anti-money laundering and counter-terrorism financing controls (AML/CFT) that apply to fiat currency, and these laws must be enforced;
- Using international collaboration to break down the ransomware ecosystem and eliminate safe harbors for criminals using ransomware.
According to Check Point Research, in the 12-month period that began in October 2020, the number of companies facing ransomware attacks worldwide increased by 57%, and since the beginning of 2021 the number of such attacks has been growing by 9% monthly. According to statistics from AI startup Deep Instinct, the total number of ransomware attacks increased by 435% in 2020. With the help of this type of malware, hackers managed to halt the work of 560 medical centers, 1.6 thousand schools and colleges, as well as more than 1.3 thousand other organizations, says information security company Emsisoft.[28]
50% of retailers in the world faced ransomware attacks
In mid-August 2021, a report by the analytical firm Sophos was released, according to which in 2020 about 44% of retail enterprises suffered from ransomware attacks. More than half of those affected (54%) reported that cybercriminals managed to encrypt their data.
The tactics of retailers whose data turned out to be encrypted were different: 32% paid a ransom to return their data, with an average ransom size of $147.8 thousand, and 56% used backups to restore data. However, a study by Sophos also showed that companies that paid the ransom received only 67% of their data on average, that is, a third of the stolen information remained inaccessible. Only 9% of organizations that paid the ransom received all their encrypted data back.
The average bill for eliminating ransomware attacks in this sector (taking into account downtime, wages, device costs, lost opportunities, paid ransom, etc.) amounted to $1.97 million.
Sophos also found that retail organizations were particularly vulnerable to a new kind of attack, where ransomware operators do not encrypt files, but simply threaten to leak extracted information to the Internet if the ransom is not paid on time. Attacks of this type were noted by 12% of victims of ransomware viruses.
"The relatively high percentage of attacks on retail organizations is not so surprising. Companies in the service industry store information that is regulated by strict data protection laws, and attackers willingly exploit the victim's fear of this data leaking, which threatens fines and damage to the brand's reputation," said Chester Wisniewski, chief scientist at Sophos.[29]
Ransomware extorted $350 million - Chainalysis
In early February 2021, the analytical company Chainalysis released a report according to which in 2020 hackers received at least $350 million when using ransomware viruses. The company obtained this data by tracking transactions to blockchain addresses related to ransomware attacks.
However, Chainalysis clarified that its estimate indicates only a minimum amount, the true numbers are still unknown, since victims do not always prefer to openly talk about the ransomware attacks and subsequent payments.
According to Chainalysis, in 2020 ransomware payments accounted for 7% of all funds received by "criminal" cryptocurrency addresses. The figure is up 311 per cent on 2019, and Chainalysis analysts believe the sharp rise is due to new strains "dramatically increasing profits." According to the company, the largest ransoms were received by ransomware groups such as Ryuk, Maze, DoppelPaymer, NetWalker, Conti and REvil (also known as Sodinokibi). However, other strains such as Snatch, Defray777 (RansomExx) and Dharma have also generated profits estimated at millions of dollars for hackers.
Chainalysis assumes that ransomware is used by fewer attackers than originally thought, with many of these groups constantly switching between RaaS ("ransomware as a service") programs, tempted by better offers.
Chainalysis also said that a group of five exchange portals received 82% of all ransomware proceeds in 2020. Law enforcement agencies can use this information to disrupt the laundering of funds received by hackers.[30]
Ransomware virus attack on French IT company Sopra Steria
At the end of November 2020, the French IT giant Sopra Steria admitted that the October ransomware virus attack would cost the company tens of millions of dollars. The company said the attack would negatively affect its gross profit for 2020, reducing it by between €40m and €50m. At the same time, about 30 million euros of losses will be covered by special insurance, the company noted. Read more here.
Damage from ransomware viruses in the world exceeds $1 billion a year
The damage from ransomware viruses in the world exceeds $1 billion a year. Such data were released on November 25, 2020 by Group-IB, a company specializing in preventing cyber attacks.
According to experts, the amount mentioned is the minimum. The real damage may be several times greater, since affected companies often prefer to hush up the incident by paying the ransom, or the attack is not accompanied by publication of data from the victims' networks, the study says.
The most popular targets of ransomware were companies from the United States: they accounted for about 60% of all known attacks. The share of attacks in European countries was about 20%, about 10% fell on the countries of the Americas (with the exception of the United States) and Asia (7%).
The five industries that are most often attacked by ransomware include:
- production (94 victims);
- retail (51 victims);
- state institutions (39 victims);
- health care (38 victims);
- construction (30 victims).
Maze and REvil are named the most dangerous ransomware - from the end of 2019 to the end of November 2020, they account for more than 50% of successful attacks. They are followed by Ryuk, NetWalker, DoppelPaymer.
According to Group-IB estimates, over the past year, by the end of November 2020, more than 500 public ransomware attacks on companies in more than 45 countries are publicly known.
The study notes that private and public affiliate programs have become the catalyst for the growth of attacks by such viruses, which has led to a dangerous symbiosis of ransomware with attackers who specialize in compromising corporate networks. Another reason for their growth is that the cybersecurity tools used by companies "let through" ransomware, failing to detect and block the threat at an early stage. Ransomware operators buy access and attack the victim.[31]
Over $1 billion - total damage from "ransomware"
Group-IB, an international company specializing in the prevention of cyber attacks, investigated key changes in the field of cybercrime in the world and on November 25, 2020 shared its forecasts for the development of cyber threats for 2021. Analysts summarize: the greatest financial damage was recorded as a result of attacks by ransomware viruses. The result of a difficult period for the world economy was the heyday of the market for the sale of access to compromised corporate networks. At the same time, the volume of the stolen bank card market has more than doubled. In the race between pro-government hacker groups, new players appeared, and those who were considered to have left the stage resumed their attacks.
According to the Hi-Tech Crime Trends 2020-2021 report, a new wave of ransomware swept the end of 2019 and all of 2020. Most ransomware focused on attacks on commercial and public sector companies. The victim of such attacks can be any company, regardless of scale and industry; the main criterion for attackers is financial benefit. At the same time, in the absence of the necessary technical tools and data recovery capabilities, a ransomware attack can lead not only to downtime but also to a complete shutdown of the organization.
In total, over the past year, more than 500 public ransomware attacks on companies in more than 45 countries became known. The lower limit of the total damage from the actions of ransomware, according to Group-IB estimates, is more than one billion dollars ($1,005,186,000). However, the real damage is many times higher: affected companies often prefer to hush up the incident by paying the ransom, or the attack is not accompanied by the publication of data from the victim's network.
The most popular targets of ransomware were companies from the United States: they accounted for about 60% of all known attacks. The share of attacks in Europe was about 20%. About 10% fell on the countries of North and South America (with the exception of the USA) and Asia (7%). The top 5 most attacked industries include manufacturing (94 victims), retail (51 victims), government agencies (39 victims), health care (38 victims), construction (30 victims).
The most dangerous ransomware since the end of 2019 are Maze and REvil - they account for more than 50% of successful attacks. Ryuk, NetWalker, DoppelPaymer are in the second tier.
Private and public affiliate programs gave an incentive for the heyday of the ransomware era, which led to a dangerous symbiosis of ransomware with attackers who specialize in compromising corporate networks. Ransomware operators buy access and attack the victim. After the victim pays the ransom, the affiliate receives a percentage of this amount. Researchers distinguish such network intrusion vectors as malicious mailings, password guessing against remote access interfaces (RDP, SSH, VPN), malware (for example, loaders), and the use of a new type of botnet (brute-force botnets), whose purpose is distributed password guessing from a large number of infected devices, including servers.
According to Group-IB, since the end of 2019 ransomware operators have adopted the following technique: before encryption, they copy all the information of the victim company to their servers for the purpose of further blackmail. If the victim does not pay the ransom, it will not only lose the data but will also see it in the public domain. In June 2020, REvil began holding auctions where stolen data acted as lots.
The Hi-Tech Crime Trends 2020-2021 report provides recommendations for countering ransomware attacks, both in terms of technological measures for information security services and in terms of increasing the expertise of cybersecurity teams in order to combat this threat.
Other Group-IB findings collected as part of the Hi-Tech Crime Trends 2020-2021 report can be found in the TAdviser specialist articles:
- The outgoing year has shown that increasingly espionage is being replaced by active attempts to destroy infrastructure. The arsenal of attackers is actively replenished with tools for attacks on physically isolated networks of critical infrastructure. Read more here.
- The volume of access to corporate networks of companies sold on darknet forums increases annually, but the peak was in 2020. It is quite difficult to assess the total volume of the market for the sale of access in the underground: attackers often do not publish prices, and transactions take place "in private." Read more here.
- The volume of the carding market for the study period increased by 116% - from $880 million to $1.9 billion - compared to 2019. High growth rates are characteristic of both text data (number, expiration date, holder name, address, CVV) and dumps (contents of magnetic strips of cards). Read more here.
- During the analyzed period, 118% more phishing resources were identified and blocked than before. Analysts explain this growth for several reasons, the main of which is the pandemic. Read more here.
In general, the Hi-Tech Crime Trends 2020-2021 report explores various aspects of the functioning of the cybercriminal industry, analyzes attacks and predicts changes in the threat landscape for various sectors of the economy: finance, telecommunications, retail, manufacturing and energy. The authors of the report also analyze campaigns deployed against critical infrastructure facilities, which are increasingly becoming a target for the special services of different states.
Hi-Tech Crime Trends 2020-2021 is intended for risk management experts, strategic task planners in the field of cybersecurity, representatives of boards of directors responsible for digital transformation and investing in the protection of information systems. For Chief information officers, cybersecurity team leaders, SOC analysts, incident responders, the Group-IB report is a hands-on guide to strategic and tactical planning, offering analytical tools that help adjust and customize corporate and government network security systems.
Hi-Tech Crime Trends 2020-2021 forecasts and recommendations are aimed at reducing financial losses and downtime of infrastructure, as well as taking preventive measures to counter targeted attacks, espionage and cyber terrorist operations.
Ransomware virus attack on Software AG
On October 10, 2020, it became known that the German technology company Software AG was subjected to a large-scale ransomware virus attack. Hackers demanded a ransom of $23 million after stealing employee data, as well as company documents. Read more here.
Ransomware virus attack on German hospital
In mid-September 2020, it became known that for the first time a person had died as a result of a ransomware virus attack. After a cyber attack on a German hospital using a ransomware program, patients had to be urgently transferred to another medical facility. During transportation, one of the patients died. Read more here.
Ransomware virus attack on Chile's BancoEstado
In early September 2020, BancoEstado, one of Chile's three largest banks, was forced to close all branches after a ransomware virus attack. Details of the attack were not released, but a source close to the investigation said the bank's internal network was infected with the REvil (Sodinokibi) virus. Read more here.
Ransomware virus attack on Ukrainian IT company SoftServe
In early September 2020, it became known about a ransomware virus attack on SoftServe. As a result of the cyber attack, the systems of one of the largest Ukrainian IT companies failed. Read more here.
Theft of data of the Spanish Adif as a result of an attack by hackers REvil
On July 25, 2020, it became known about a ransomware virus attack on the Spanish state-owned railway company Adif, whose tasks include managing the railway infrastructure and charging fees to operators. The attack stole 800 GB of data. Read more here.
Orange Business Services data theft as a result of Nefilim hacker attack
On July 16, 2020, it became known about the ransomware virus attack on Orange systems. The attackers managed to steal customer data. Read more here.
ATM maker Diebold Nixdorf attacked by ransomware virus
On May 11, 2020, it became known about a ransomware virus attack on Diebold Nixdorf, which led to a malfunction of some of the company's systems. Read more here.
Ransomware virus attacked Fresenius and caused production malfunction
In early May 2020, it became known that the ransomware virus attacked the Fresenius Group and infected at least one of the company's IT systems. Read more here.
French construction giant Bouygues Construction targeted by ransomware virus
In early February 2020, Bouygues Construction, one of France's largest construction companies, confirmed that it was the victim of a ransomware virus found on the company's internal network on January 30. Read more here.
2019
Group-IB named the top 3 ransomware of the year
On June 2, 2020, it became known that the number of ransomware virus attacks in 2019 increased by 40% compared to 2018, while the size of the average demanded ransom skyrocketed, according to the published Group-IB study "Ransomware: Methods of Ransomware Attacks". According to data from the Group-IB Computer Forensics Laboratory, the Ryuk, DoppelPaymer and REvil families became the "greediest" ransomware. Since the tactics and tools of ransomware operators have evolved to the complex techniques that previously distinguished primarily APT hacker groups, and their targets have shifted to the corporate sector, 2020 may set an anti-record for the number of attacks and the amount of damage.
As reported, after a comparative lull in 2018, ransomware viruses made a comeback in 2019: the number of ransomware attacks increased by 40%. The victims were large targets (municipalities, corporations, medical institutions), and the average size of the demanded ransom soared from $8,000 in 2018 to $84,000. According to Group-IB, the most aggressive and greedy ransomware in 2019 were the Ryuk, DoppelPaymer and REvil families; their one-time ransom demands reached $800,000.
In 2019, ransomware operators began to use some tactics, techniques and procedures (TTPs) characteristic of APT groups. One of the borrowed techniques was the exfiltration of data important to the victim before encrypting it. Unlike APT groups, which use this technique for espionage, ransomware operators exfiltrated information to increase their chances of getting a ransom. If their demands were not met, they reserved the option of earning money by selling confidential information on the darknet. This method was used by the operators of the REvil, Maze and DoppelPaymer families.
A frequent practice among cybercriminals was the use of banking Trojans at the stage of initial network compromise: in 2019, Group-IB experts recorded the use of a large number of Trojans in ransomware campaigns, including Dridex, Emotet, SDBBot and Trickbot.
In 2019, most ransomware operators began to use tools that cybersecurity specialists use during penetration tests. Thus, the operators of Ryuk, REvil, Maze and DoppelPaymer actively resorted to tools such as Cobalt Strike, CrackMapExec, PowerShell Empire, PoshC2, Metasploit and Koadic, which allowed them not only to conduct reconnaissance in a compromised network, but also to gain a foothold in it, obtain privileged credentials and even take complete control over Windows domains.
In general, according to experts, in 2019 ransomware operators reached the next level: their actions were no longer limited to encrypting files. More attackers began to promote ransomware as a service (RaaS, Ransomware-as-a-Service) and lease ransomware in exchange for part of the ransom.
In 2019, phishing emails, infection through external remote access services, primarily through Remote Desktop Protocol (RDP), and drive-by attacks entered the top 3 vectors of primary network compromise from which attacks began.
Phishing emails remained one of the most common vectors of primary compromise, most often the Shade and Ryuk ransomware were hidden in such emails. The campaigns of the financially motivated TA505 group that distributed the Clop ransomware often began with a phishing email containing an infected attachment that, among other things, loaded one of the Trojans (FlawedAmmyy RAT or SDBBot).
In 2019, the number of reachable servers with port 3389 open exceeded 3 million; most of them were located in Brazil, Germany, China, Russia and the United States. Interest in this compromise vector, most often used by the Dharma and Scarab operators, was fueled by the discovery of five vulnerabilities in the remote access service, none of which, however, was successfully exploited in ransomware attacks.
In 2019, attackers also often used infected sites to deliver ransomware. After the user ended up on such a site, he was redirected to pages that tried to compromise the user's devices, taking advantage of, for example, vulnerabilities in the browser. The sets of exploits that were most often used in such attacks are RIG EK, Fallout EK and Spelevo EK.
Some attackers, including encryption operators Shade (Troldesh) and STOP, immediately encrypted data on initially compromised devices, while many others, including Ryuk, REvil, DoppelPaymer, Maze and Dharma operators, were not limited to this and collected information about the compromised network, moving deep and compromising entire network infrastructures.
The full list of tactics, techniques and procedures mentioned in the report is given in the table below, which is based on the MITRE ATT&CK matrix - a public knowledge base that collects tactics and techniques for targeted attacks used by various groups of cybercriminals. They are arranged in order from the most popular (highlighted in red) to the least popular (highlighted in green).
"In 2019, ransomware operators significantly strengthened their positions, choosing larger goals and increasing their revenues, and there is every reason to believe that in 2020 their results will be even higher. Ransomware operators will continue to expand their victim pool, focusing on large industries that have more resources to satisfy their appetites. The increased activity of ransomware poses a choice for businesses: either invest in their cybersecurity to make their infrastructure inaccessible to cybercriminals, or risk facing a ransom demand to decrypt files and pay for cybersecurity flaws," said Oleg Skulkin, lead specialist at the Group-IB Computer Forensics Laboratory.
Despite the increased scale of ransomware campaigns, they can be resisted by implementing the necessary precautions. Among other things, they include connecting to servers via RDP only using VPN, creating complex passwords for accounts used to access via RDP, and regularly changing them, limiting the list of IP addresses from which external RDP connections can be initiated, etc.
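Both the distributed password guessing by brute-force botnets described in the Group-IB report above and the RDP precautions just listed come down to the same defensive question: how to spot guessing against remote access and confirm that RDP connections arrive only from the permitted range. The following script is an added example, not code from the page or from Group-IB; the log lines are a constructed, simplified rendering of Windows Security event 4625 (failed logon; logon type 10 is RemoteInteractive, i.e. RDP), and the VPN pool 192.0.2.0/24 and every address in the sample are made-up documentation values.

```python
"""Added example: detecting RDP password guessing (single-source brute force
and distributed guessing) in Windows Security events, plus an allow-list check
for the "RDP only via VPN" precaution.  Log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed, simplified rendering of Security event 4625 / 4624.
# LogonType=10 (RemoteInteractive) marks an RDP session attempt.
SAMPLE_EVENTS = """\
2020-11-20T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-11-20T02:14:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-11-20T02:14:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-11-20T02:14:08Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-11-20T02:14:11Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-11-20T02:14:14Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-11-20T03:00:10Z EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=198.51.100.11
2020-11-20T03:12:45Z EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=198.51.100.52
2020-11-20T03:25:02Z EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=198.51.100.73
2020-11-20T03:41:19Z EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=198.51.100.94
2020-11-20T08:05:30Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.15
2020-11-20T08:05:40Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.15
2020-11-20T09:30:00Z EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=192.0.2.20
"""

EVENT_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)"
)


def parse_events(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"].lower(),
            "ip": m["ip"],
        })
    return events


def rdp_failures(events):
    """Only failed (4625) RemoteInteractive (type 10) logons count as RDP guesses."""
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 10]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Single-source guessing: at least `threshold` failures from one IP inside a
    sliding time window.  Returns {ip: peak failures seen within one window}."""
    by_ip = defaultdict(list)
    for e in rdp_failures(events):
        by_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def detect_distributed(events, min_sources=4):
    """Distributed guessing (the brute-force botnet pattern): one account probed
    from many sources, each staying under the per-IP threshold.
    Returns {user: sorted list of source IPs} for accounts over `min_sources`."""
    sources = defaultdict(set)
    for e in rdp_failures(events):
        sources[e["user"]].add(e["ip"])
    return {u: sorted(ips, key=ipaddress.ip_address)
            for u, ips in sources.items() if len(ips) >= min_sources}


def check_allowlist(events, allowed_cidrs):
    """Any RDP attempt, failed or successful, from outside the permitted ranges
    (e.g. the VPN pool) violates the "RDP only via VPN" rule and deserves an alert."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    outside = set()
    for e in events:
        if e["logon_type"] != 10:
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in n for n in nets):
            outside.add(e["ip"])
    return sorted(outside, key=ipaddress.ip_address)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("single-source brute force:", detect_bruteforce(evs))
    print("distributed guessing:", detect_distributed(evs))
    print("RDP from outside the VPN pool:", check_allowlist(evs, ["192.0.2.0/24"]))
```

The three checks are complementary: the per-IP window catches noisy single-source guessing, the per-account source count catches the low-and-slow distributed variant that never trips a per-IP threshold, and the allow-list check flags any RDP session from outside the VPN pool regardless of whether the logon succeeded. In production the events would come from a SIEM export rather than an inline string, and the thresholds should be tuned to the environment's normal failure rate.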
Ransomware written in PureBasic attacks Windows and Linux servers
On November 18, 2019, it became known that experts from Intezer and the IBM X-Force IRIS team had published an analysis of the PureLocker ransomware, which has a number of features atypical for programs of this kind. The ransomware primarily attacks corporate servers running Windows and Linux.
The programming language in which it is written, PureBasic, is noteworthy. It is far from the most common programming language; on the other hand, it is, firstly, cross-platform, and secondly, oddly enough, many antiviruses struggle to cope with programs written in it.
The unusual choice provides attackers with a number of advantages, the researchers write: antivirus vendors struggle to generate reliable signatures for PureBasic binaries, and PureBasic code is easily ported to Windows, Linux and OS X, which simplifies attacks on various platforms.
PureBasic even supports AmigaOS.
The researchers also counted its anti-detection mechanisms among the features atypical for ransomware.
For example, this malware tries to avoid hooking of NTDLL API functions by loading another copy of ntdll.dll and resolving API addresses from it. API hooking lets antivirus systems see exactly which function the program calls, when and with what parameters.
The researchers noted that this is a common technique for avoiding detection, but ransomware uses it very rarely.
In addition, the malware calls the Windows regsvr32.exe utility to "quietly" install the PureLocker library component: no dialog boxes are displayed to the user.
Later, the ransomware checks that it was indeed launched via regsvr32.exe, that its file extension is .dll or .ocx, that the year on the machine is 2019, and that the victim has administrative rights. If at least one condition is not met, the malware deactivates itself and takes no action.
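The silent regsvr32.exe install and the conditions above suggest a detection rule a defender can run over process-creation telemetry. The script below is an added example, not code from the page, Intezer or IBM; it works on constructed events in a Sysmon-like shape (Image, CommandLine, ParentImage), and every path, file name and parent process in the sample is made up. The markers for user-writable directories and the list of unusual parent processes are assumptions chosen for the example.

```python
"""Added example: flagging silent regsvr32.exe registrations of .dll/.ocx modules
from user-writable paths or unusual parents.  Events and paths are constructed."""
import ntpath
import re

SAMPLE_EVENTS = [
    {   # pattern from the PureLocker description: silent install of a dropped module
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\xk1.dll",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage1.exe",
    },
    {   # benign: an installer registering a control under Program Files, not silent
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe "C:\Program Files\Vendor\comctl.ocx"',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # unrelated process, ignored by the rule
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Office application spawning a silent registration from ProgramData
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32 -s C:\ProgramData\upd\core.ocx",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
]

# Assumed markers of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")
# Assumed list of parents that rarely have a legitimate reason to run regsvr32.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
ARG_RE = re.compile(r'"[^"]*"|\S+')


def split_args(cmdline):
    """Tokenise a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in ARG_RE.findall(cmdline)]


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def assess(event):
    """Return the reasons an event looks like a silent malicious component install,
    or an empty list when it does not."""
    if ntpath.basename(event["Image"]).lower() != "regsvr32.exe":
        return []
    args = split_args(event["CommandLine"])[1:]
    silent = any(a.lower() in ("/s", "-s") for a in args)
    modules = [a for a in args if a.lower().endswith((".dll", ".ocx"))]
    parent = ntpath.basename(event["ParentImage"]).lower()
    reasons = []
    if silent and any(in_user_writable(m) for m in modules):
        reasons.append("silent registration of a .dll/.ocx from a user-writable path")
    if silent and parent in UNUSUAL_PARENTS:
        reasons.append(f"silent regsvr32 spawned by {parent}")
    if in_user_writable(event["ParentImage"]):
        reasons.append("parent process itself runs from a user-writable path")
    return reasons


def find_suspicious(events):
    """(index, reasons) for every event that trips at least one condition."""
    hits = []
    for i, e in enumerate(events):
        reasons = assess(e)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in find_suspicious(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", "; ".join(why))
```

The rule deliberately combines the silent flag with a second signal (module location or parent process), because regsvr32.exe with /s is also what legitimate installers run; the combination is what separates the Temp- or Office-spawned registration described above from an MSI registering a control under Program Files.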
According to experts, this behavior is atypical for ransomware, which usually do not show much selectivity; on the contrary, they seek to infect as many machines as possible.
If "everything suits" the ransomware, it begins to encrypt files on the victim's machine using a combination of the AES and RSA algorithms, with the RSA key embedded in the binary. All encrypted files receive the .CR1 extension, and the original files are destroyed. After leaving a ransom note, the ransomware file self-destructs.
Here is another surprise: the message from the attackers does not name the ransom amount. Each victim is invited to write to a unique address in the Proton secure mail service for the purpose of negotiations.
Experts believe that PureLocker is only one stage in the complex chain of infection.
When analyzing the code, the researchers found in PureLocker borrowings from the code of the more_eggs backdoor, which is offered on the darknet in MaaS (malware-as-a-service) format. It is actively used by the financially motivated cybercriminal groups Cobalt Group and FIN6.
The borrowings in the code that point to a connection with Cobalt Group refer to a specific component that Cobalt uses in its multi-stage attacks: a DLL dropper used to protect against detection and analysis. Experts believe that the developer of more_eggs has added another set of malware to the arsenal offered to other cybercriminal groups, providing the previous backdoor with ransomware functionality.
"The solution is not devoid of even some grace. It is easier to add an "unexpected" function to an existing set and make the malware even more dangerous than to write from scratch a narrowly focused ransomware that can resist detection and analysis. For potential victims, however, this "grace" promises only even greater troubles than before. The ransomware function, apparently, is designed literally to finish off a victim whom the attackers have already robbed using their other programs," believes Anastasia Melnikova, information security expert at SEQ (formerly SEC Consult Services).[32]
Ransomware virus attack on Mexican oil company Pemex
On November 11, 2019, Pemex reported a ransomware virus attack on its computers, as a result of which the Mexican state oil and gas group was forced to stop administrative work. Read more here.
Ransomware virus attack on Spanish companies across the country
In early November 2019, targeted ransomware virus attacks disabled two Spanish companies on the same day: the large firm Everis, owned by NTT Data Group and operating in the field of IT services and consulting, as well as the radio company Sociedad Española de Radiodifusión (Cadena SER). The hacker attack caused a real panic in the media, as many companies remembered the WannaCry epidemic. A technical specialist at one company admitted to the Spanish television company ABC: "We are in real hysterics." Read more here.
Ransomware virus attack on South Africa's financial hub
On October 24, 2019, during a targeted cyber attack, hackers hacked into the computer network of the city of Johannesburg (South Africa). They blocked the data of the city administration and promised to return them only after paying the ransom. Read more here.
Johannesburg residents without power due to ransomware virus
On July 25, 2019, residents of Johannesburg, the financial capital of the Republic of South Africa, were left without electricity due to a ransomware virus, a malware that blocks access to computer systems or files until the hacker's demand is met. The virus blocked all databases, applications and IT networks of the city's main energy company, City Power, leaving almost all of Johannesburg without electricity. Read more here.
Ransomware virus stops production of aircraft parts at factories in four countries
In mid-June 2019, ASCO Industries, one of the world's largest suppliers of parts for aviation equipment, stopped production at factories in four countries due to a ransomware virus that appeared at a production site in Zaventem, Belgium. Read more here.
2017
Interpol to find out who is behind Bad Rabbit attacks
Group-IB, an international company for the prevention and investigation of cybercrime and high-tech fraud, on November 2, 2017 announced the discovery of digital traces of attackers involved in the attack of the Bad Rabbit ransomware virus, which attacked the editorial offices of a number of federal Russian media and financial organizations, as well as infrastructure facilities in Ukraine (metro, airport, Ministry of Infrastructure).
In accordance with the information exchange agreement recently signed between Interpol and Group-IB, this data was transferred to the special unit of the international police that oversees cybercrime investigations, Interpol Global Complex for Innovation. The agreement implies mutual exchange of information to more effectively counter cybercrime. In particular, organizations will monitor changes in trends in cyberspace, the emergence of new threats and the development of existing ones, as well as the spread of malware.
Based on the results of a technical analysis of the Bad Rabbit ransomware virus, Group-IB experts obtained information about the source and methods of spreading the malware, analyzed its structure and functions and concluded that Bad Rabbit and the NotPetya virus epidemic, which attacked energy, telecommunications and financial companies in Ukraine in June 2017, are the work of the same group of hackers. During the study, experts discovered digital traces that will make it possible to identify specific persons involved in this attack. Some of the data from the hacked sites was transferred to a server that had been compromised using the same techniques used by the North Korean pro-state hacker group Lazarus. To conduct a full-fledged investigation, the information was transferred to the Interpol division.
"In order to effectively combat modern cyber threats, it is necessary to build a public-private partnership," said Noboru Nakatani, Executive Director of Interpol IGCI. "The agreement signed between Interpol and Group-IB is an important step in organizing the process of providing law enforcement agencies around the world with the information they need to work in a complex and varied landscape of cyber threats."
Locky ransomware hits 11.5% of organizations worldwide
Check Point Software Technologies recorded a significant increase in Locky attacks in September 2017. According to the Global Threat Impact Index, ransomware hit 11.5% of organizations worldwide.
Locky had not appeared in the top ten most active malware since November 2016, but in September 2017 it rose rapidly to second place with the help of the Necurs botnet, which also entered the rating in 10th place. These attacks raised Locky by 25 places; only the RoughTed advertising malware ranked higher.
For reference: Locky began rolling out in February 2016 and quickly became one of the world's most active malicious families. It is mainly distributed through spam emails containing a downloader with malicious macros disguised as a Word or Zip attachment. When users activate these macros, usually under the influence of social engineering, the application downloads and installs malware that encrypts files. The message directs the user to download the Tor browser and opens a web page demanding payment of the ransom in bitcoin. In June 2016, the Necurs botnet released an updated version of Locky containing an expanded set of detection evasion methods.
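Since Locky's lure was a Word or Zip attachment carrying a macro-enabled downloader, one gateway-side check is to open the attachment as the zip archive that an Office Open XML document actually is and look for a VBA project part. The script below is an added example, not code from the page or from Check Point; the documents it inspects are constructed in memory (the vbaProject.bin part is a placeholder, not real VBA), and the finding labels and file names are assumptions made for the example.

```python
"""Added example: triaging a mail attachment for an embedded VBA macro project.
OOXML documents are zip archives; a VBA project lives in <part>/vbaProject.bin
and is declared with its own content type.  Sample files are constructed."""
import io
import zipfile

MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OFFICE_EXTS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")
MACRO_FREE_EXTS = (".docx", ".xlsx", ".pptx")   # these extensions normally carry no macros


def build_docx(with_macro):
    """Constructed minimal Word document; with_macro adds a placeholder VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ['<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
        z.writestr("[Content_Types].xml", "<Types>" + "".join(types) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"CONSTRUCTED PLACEHOLDER, not a real VBA project")
    return buf.getvalue()


def build_zip(members):
    """Constructed outer .zip attachment wrapping other files ({name: bytes})."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def office_has_macros(data):
    """True if an OOXML archive carries a vbaProject.bin part or declares the macro content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            return MACRO_CONTENT_TYPE in z.read("[Content_Types].xml").decode("utf-8", "replace")
    return False


def inspect_attachment(filename, data, depth=0):
    """Classify an attachment and report macro findings.  A .zip attachment is
    opened one level deep, since the lure often ships the document inside a zip."""
    name = filename.lower()
    result = {"file": filename, "kind": "other", "macros": False, "findings": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if name.endswith((".doc", ".xls", ".ppt")):
            result["findings"].append("legacy OLE document: not inspected by this script")
        return result
    if name.endswith(OFFICE_EXTS):
        result["kind"] = "office"
        result["macros"] = office_has_macros(data)
        if result["macros"]:
            result["findings"].append("embedded VBA macro project")
            if name.endswith(MACRO_FREE_EXTS):
                result["findings"].append("macro project inside an extension that is normally macro-free")
        return result
    if name.endswith(".zip") and depth == 0:
        result["kind"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                inner = inspect_attachment(member, z.read(member), depth + 1)
                if inner["macros"]:
                    result["macros"] = True
                    result["findings"].append(f"{member}: " + "; ".join(inner["findings"]))
    return result


if __name__ == "__main__":
    print(inspect_attachment("invoice.docx", build_docx(True)))
    print(inspect_attachment("report.docx", build_docx(False)))
    print(inspect_attachment("invoice.zip", build_zip({"invoice.docm": build_docx(True)})))
```

A positive result is a reason to quarantine or detonate the attachment rather than proof of malice, since signed internal macros exist; the point is that the presence of a VBA project is decided by looking inside the container, not by trusting the file extension the sender chose. Legacy binary .doc files use the OLE format rather than zip and would need a separate parser.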
According to Check Point experts, the revival of Locky shows that companies cannot be calm while malware exists. Powerful botnets can breathe "second life" into old variants of malware, allowing them to quickly hit users around the world. The fact that in September 2017, one in ten organizations around the world was hit by at least one type of ransomware suggests that existing malware can be as dangerous as completely new options, the company emphasized.
Top 10 most active malware September 2017 according to Check Point
- ↔ RoughTed is a large-scale malicious advertising campaign used to redirect users to infected sites and to deliver fraudulent programs, exploit kits and ransomware. The malware can be used to attack any type of platform and operating system and is able to bypass ad blocking.
- ↑ Locky is a ransomware distributed mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs malware that encrypts user files.
- ↓ Globeimposter is a ransomware disguised as the Globe ransomware. It was discovered in May 2017 and is distributed through spam campaigns, malicious ads and exploit kits. After encryption, the program adds the .crypt extension to each encrypted file.
- ↑ Conficker is a worm that allows attackers to remotely perform operations on the victim's system and download malware. The infected machine is controlled by a botnet.
- ↓ Fireball is a browser hijacker that replaces the browser start page without the user's knowledge and is easily upgraded to a full-featured malware downloader.
- ↔ Pushdo is a Trojan used to infect the victim's system and then download the Cutwail spam module, as well as third-party malware.
- ↔ Zeus is a banking Trojan that, through a Man-in-the-Browser attack, steals bank card data and the victim's credentials used to conduct financial transactions.
- ↑ RIG EK is an exploit kit first discovered in 2014. It contains exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain begins with a redirect to a landing page containing JavaScript, which checks the victim's system for vulnerable plugins and, if any are found, delivers an exploit.
- ↓ Ramnit is a banking Trojan aimed at stealing bank details, FTP passwords, session cookies and personal information of the victim.
- ↑ Necurs is a botnet used to distribute malware by e-mail spam. It is mostly seen promoting ransomware and banking Trojans.
HackerDefender - the user rootkit for Windows, which was the third most common malware in August 2017, left the top ten.
Top 3 most active mobile malware according to Check Point
- Triada is a modular backdoor for Android that gives huge privileges to downloaded malware, as it helps them infiltrate system processes. Triada was also seen spoofing URLs loaded in the browser.
- Hiddad is a malware for Android that repackages legitimate applications and then publishes them in third-party stores. Its main function is to display ads, but it can also access key security settings built into the operating system, allowing an attacker to obtain sensitive user data.
- Lotoor is a hacker tool that exploits vulnerabilities in Android operating systems to gain root access on hacked mobile devices.
Positive Technologies study
Positive Technologies experts note that in the second quarter of 2017, ransomware-as-a-service services for renting out Trojans continue to gain popularity. The United States and Russia are still the most frequent victims of cyber attacks, but in the second quarter of 2017, more than a quarter of attacks (28%) were large-scale and simultaneously affected dozens of countries and hundreds (in some cases thousands) of companies.
According to Positive Technologies statistics, 67% of the attacks were for direct financial gain. At the same time, more than half of the attacks were widespread and used mainly malicious software.
The WannaCry ransomware virus (WanaCrypt0r, WCry) epidemic has shown that you can become a victim of an attack even if you do not open suspicious letters or click on links in them. According to Intel, the total number of infected computers has exceeded 530 thousand. The bitcoin wallets of the WannaCry developers received more than 50 BTC ($128,000 US) from the victims, while total damage to companies amounted to more than a billion dollars.
Another large-scale malicious campaign at the end of June was caused by the NotPetya ransomware (also known as ExPetr, PetrWrap, Petya, Petya.A, etc.). The hallmark of this epidemic was that the criminals' goal was not financial gain: they did not seek to send out a recovery key in exchange for payments. The malware was distributed to disable information systems, destroy files and sabotage. More than 40 victims paid a ransom totaling $10,000 US.
The ransomware-as-a-service trend is gaining momentum. New services for renting out Trojans are appearing: for example, a distributor of Petya or Mischa receives from 25% to 85% of the payments made by victims, and another ransomware Trojan, Karmen, is sold on the black market for $175.
While some attackers prefer cryptocurrency to receive illegal income (victims of ransomware Trojans are invited to transfer money to bitcoin wallets), others attack cryptocurrency exchanges and their customers' accounts. For example, having accessed the personal data of 31,800 users of the South Korean Bithumb exchange, the attackers were then able to access their accounts. Losses from this attack were estimated at 1 billion won ($890,000 US). In another attack, on Tapizon, attackers gained access to four wallets and in total stole about 3,816 bitcoins ($5.3 million US).
Analysts note the emergence of new non-standard chains of penetration into the target system. For example, the Cobalt group used arbitrary vulnerable sites as hosting for malware. During targeted attacks, members of the APT10 group first gained access to corporate networks of cloud service providers, and then penetrated the network of victim organizations through trusted channels.
Ransomware virus victims paid more than $25 million since 2014
Google, together with Chainalysis, the University of California San Diego and the Polytechnic Institute of New York University, calculated the amount paid by the victims to the creators of ransomware viruses. This was reported by The Verge[33].
The researchers analyzed 34 families of ransomware viruses that have been running since 2014. The most income was brought by the Locky ransomware virus, the victims paid the developers more than $7 million. The earnings of the developers of ransomware Cerber amounted to $6.9 million, and CryptXXX - $1.9 million.
Researchers note that the creators of ransomware viruses have learned to bypass antivirus protection. After identifying the malicious application, a signature for the detected malware is added to the antivirus software. However, modern virus samples are able to modify their own binary code, and thus bypass anti-virus protection based on signatures.
Ukrainian users are attacked by a new ransomware posing as WannaCry
At the end of June 2017, Ukrainian users became the target of the fourth campaign in a month and a half to distribute ransomware Trojans. The new ransomware program tries to impersonate the infamous WannaCry but in fact has nothing to do with it.[34]
During May and June, three malicious campaigns were noted on the territory of Ukraine: XData, PSCrypt and NotPetya. Now a new program has appeared, which has not yet been named.
It displays a ransom demand identical to the one WannaCry displayed, but that is where the similarity ends. As the researchers who analyzed the program point out, it is written in .NET rather than in C like WannaCry; its internal structure has nothing to do with the structure of WannaCry, and in addition the program does not use any of the well-known exploits created by the American special services for distribution.
Usually, using .NET to create malware is a sign of a poorly qualified programmer. In this case, as the security expert known by the nickname MalwareHunter wrote, the authors of the malware are highly competent, and their creation is "perhaps one of the best examples of a ransomware on .NET that we have seen."
The program infects the system through a dropper, which locally unpacks and saves two different files: one contains the ransom demand, the other the ransomware itself.
The program contacts a command-and-control server hidden on the Tor network and apparently starts only after receiving a command from it. The Trojan also terminates the processes of applications whose files it is going to encrypt; as the researcher notes, this function is unique.[35]
In the Bleeping Computer article, the authors draw attention to a strange trend: all four campaigns use software that tries to impersonate something else. For example, XData is actually a slightly reworked AES-NI ransomware, and PSCrypt is a reworked GlobeImposter, which appeared in April of this year. NotPetya pretended to be Petya but turned out to be not ransomware but a wiper: it was impossible to restore access to files even after the ransom was paid. And now there is another ransomware that pretends to be something else. What this means and whether all these coincidences are random is a matter for debate.
Korean hosting provider Nayana agreed to pay $1 million to cyber extortionists
On June 14, 2017, South Korean hosting company Nayana announced that it had agreed to pay a hacker who paralyzed the company's 150 servers, making more than three thousand client websites unavailable.
"We have completed negotiations with the hacker and are now preparing money to buy bitcoins in order to restore the operation of the encrypted servers," The Korea Herald quotes Nayana CEO Hwang Chil-hong as saying.
Nayana intends to pay about $1.1 million in bitcoins to restore data on its servers affected by the malicious software, a ransomware virus that blocked files stored on the computers.
As Nayana explained, the decision to pay was made to save 3,400 sites of its clients, most of which are small companies and startups.
In an interview with local media, the head of Nayana lamented that the company had no choice but to comply with the demands.
"We understand that we should not pay a ransom, but otherwise the damage will be done to hundreds of thousands of people from the companies that we serve," he said.
However, information security experts believe that by its actions Nayana is creating a dangerous precedent. Seeing the success of their "colleagues," other attackers may intensify cyber attacks on Korea in pursuit of easy money, the experts warn.
Nayana's $1.1 million ransom is almost 1,000 times the average amount that victims paid to cyber extortionists in 2016. According to Symantec, cybercriminals encrypting data with malware demanded on average $1,077 from users.
Nayana has no guarantee that, having received the money, the offender will restore access to the files. If the hackers do not decrypt the data, the company will not be able to do anything, experts say.
Experts called on the Korean authorities to do everything possible to catch the attackers and prevent such attacks in the future.[36]
Global hacker attack WannaCry, May 12
The WannaCry ransomware virus began to spread on May 12 and affected 74 countries of the world; more than 45 thousand attempts to infect computers with the virus, which encrypts all files, were recorded. The fraudsters demand $600 for decryption. It locks the computer and demands $300 for unlocking. Tens of thousands of infections were registered in 99 countries, including Russia, where the Ministry of Internal Affairs, the Investigative Committee of the Russian Federation and MegaFon were among the victims. In other countries, telecommunications companies, banks and consulting firms suffered. In Great Britain, computers of the health care system failed.
Kaspersky Lab study
According to the observations of Kaspersky Lab specialists, the victims of ransomware are increasingly not private users but companies and financial institutions: today the company knows of at least eight cyber groups engaged in developing ransomware Trojans for targeted attacks on business. In some cases, the demanded ransom reaches half a million dollars.
The reason for the shift is simple, experts say: targeted attacks are potentially more profitable than mass attacks on private users. A successful attack on a company can paralyze its activities for several hours or even days, so business owners are simply forced to pay a ransom.
The schemes and tools of the intruders are quite universal. All the cyber groups first infect the company's network with malicious software through vulnerabilities in servers or via phishing emails. Then the attackers strengthen their position in the network and determine the most valuable corporate resources, for the "capture" of which the largest ransom can be obtained.
However, the groups also have unique features: for example, the Mamba Trojan uses free encryption software that is installed on victims' computers through a legitimate utility for remote control of Windows systems. And the authors of the PetrWrap Trojan are distinguished by a particularly careful choice of victims and long preparation for the attack: their hidden presence in the network lasts up to six months.
Modified version of Petya ransomware Trojan detected
Kaspersky Lab experts have discovered a Trojan program that uses the well-known Petya ransomware to carry out targeted attacks on business. The Trojan is called PetrWrap, and its main feature is that it uses the original malware without the permission of the developers.
The Petya ransomware, discovered by Kaspersky Lab in 2016, is one of the most notable malware programs distributed under the ransomware-as-a-service (RaaS) model. Its authors distribute it through numerous intermediaries, who receive part of the profit. To prevent unauthorized use of the ransomware, the developers inserted several protection mechanisms into its code, but the creators of PetrWrap managed to bypass them. At the same time, the new Trojan uses its own encryption keys instead of those used in Petya by default, so the help of the authors of the original ransomware is also not required to decrypt data when a PetrWrap ransom is paid.
The PetrWrap developers did not choose Petya by chance. This ransomware family has an almost flawless cryptographic scheme that is extremely difficult to break. In earlier versions of the program a number of errors were found that several times allowed experts to decrypt the encrypted files, but since then the authors have closed almost all of these weaknesses. In addition, after a device is infected with this ransomware, there is no mention of the malware on the locked screen, which significantly complicates the work of cybersecurity experts.
"We are seeing a very interesting process: cybercriminals have begun to attack each other. From our point of view, this is a sign of growing competition between different groups. This is partly good, because the more time attackers spend fighting each other, the less organized and effective their attacks themselves will be," commented Anton Ivanov, senior antivirus analyst at Kaspersky Lab. "In the case of PetrWrap, we are worried about the fact that the ransomware Trojan is used for targeted attacks. This is not the first such case and, unfortunately, probably not the last. We strongly encourage companies to pay maximum attention to protecting their network infrastructure from this type of threat, otherwise the consequences can be catastrophic."
Kaspersky Lab recommends a number of measures to protect an organization from targeted attacks. Back up all data that can be used to recover files in the event of an attack. Use a security solution with behavior detection technology: it identifies Trojans of any type by analyzing their actions in the attacked system, which allows even previously unknown malware to be detected. Conduct a comprehensive assessment of network information security (audit, penetration testing, gap analysis) to detect and close all loopholes that attackers can exploit.
Use external expert assessment: consulting authoritative vendors will help anticipate the vector of future attacks. Conduct cybersecurity training for employees; special attention should be paid to engineering personnel and their awareness of attacks and threats. Protect both inside the corporate network perimeter and outside it. In the right security strategy, significant resources are allocated to detecting and responding to attacks before they reach critical targets.
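The behavior-detection approach recommended above, as an added example that is not Kaspersky Lab's code: a scorer over a constructed file-activity log that flags a process which overwrites many files with high-entropy data and renames them within a short window, while a legitimate backup tool writing compressed (also high-entropy) archives is not flagged because it renames nothing. The log format, process names and thresholds are assumptions made for the demo.

```python
import math
from collections import defaultdict

# Event tuple: (timestamp_sec, pid, process_name, op, path, data)
#   op == "write"  -> data is the bytes written to `path`
#   op == "rename" -> data is the new name `path` was renamed to
HIGH_ENTROPY = bytes(range(256)) * 4                # constructed stand-in for ciphertext (8.0 bits/byte)
LOW_ENTROPY = b"Quarterly report, draft 3. " * 20   # constructed ordinary document text

EVENTS = [
    # A user editing one document: normal activity (constructed).
    (0.0, 1001, "winword.exe", "write", r"C:\Users\ann\report.docx", LOW_ENTROPY),
]
# A backup tool writing compressed archives: high entropy, but no renames (constructed).
for i in range(6):
    EVENTS.append((5.0 + i, 2002, "backup.exe", "write", rf"D:\backup\vol{i}.zip", HIGH_ENTROPY))
# A constructed encrypting Trojan: rewrites each document with ciphertext, then renames it.
for i in range(8):
    path = rf"C:\Users\ann\docs\file{i}.xlsx"
    EVENTS.append((1.0 + i * 0.3, 4242, "unknown.exe", "write", path, HIGH_ENTROPY))
    EVENTS.append((1.1 + i * 0.3, 4242, "unknown.exe", "rename", path, path + ".locked"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and is typical of encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_processes(events, window=10.0, min_files=5, entropy_threshold=7.0):
    """Return {pid: (process_name, reason)} for every process that, within any
    `window`-second span, overwrote at least `min_files` distinct files with
    high-entropy data AND renamed those same files.  Requiring both signals is
    what separates an encryptor from a backup or compression tool."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)

    flagged = {}
    for pid, evs in by_pid.items():
        for start, (t0, _, name, _, _, _) in enumerate(evs):
            rewritten, renamed = set(), set()
            for ts, _, _, op, path, data in evs[start:]:
                if ts - t0 > window:
                    break
                if op == "write" and shannon_entropy(data) >= entropy_threshold:
                    rewritten.add(path)
                elif op == "rename":
                    renamed.add(path)
            hits = rewritten & renamed
            if len(hits) >= min_files:
                flagged[pid] = (name, f"{len(hits)} files encrypted-and-renamed within {window:.0f}s")
                break
    return flagged


if __name__ == "__main__":
    for pid, (name, reason) in score_processes(EVENTS).items():
        print(f"ALERT pid={pid} {name}: {reason}")
```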
Ransomware Trojans can destroy entire corporations
Entire companies can be destroyed as a result of a ransomware attack - such a bleak forecast is made by Sophos CEO Kris Hagerman. Speaking at the RSA conference in San Francisco, he noted that the scenario in which attackers attack the bank and demand to pay $10 million, otherwise threatening to destroy all files on the organization's servers, today no longer looks fantastic.[37]
Over the past 12 months, there have already been cases in which organizations have paid ransomware huge sums to return access to their data. For example, a hospital in Los Angeles admitted to paying about $17,000 after its infrastructure was attacked by a ransomware Trojan. Earlier this year, the administration of a community college (also in Los Angeles) paid $28,000 to the attackers.
"It's not so difficult to imagine a bank attacked by ransomware, and then they (the attackers) say: immediately pay $10 million, otherwise your files will be destroyed," says Hagerman. "It can bring companies to their knees. Many organizations have backup problems, and not everyone uses the full range of security tools necessary to combat ransomware."
The situation is further complicated by the fact that sites offering anyone the means to carry out attacks with ransomware Trojans are proliferating on the Web. For example, the Satan service, for a commission, offers to organize attacks using ransomware to anyone who knows how to use Tor (The Onion Router); no other special technical knowledge is required of a Satan "client."
"Today you can be a very successful cybercriminal without knowing anything about computer code. Hackers also have ROIs. Make it difficult for them to earn money, and they will go looking for other targets or other ways to earn money," said Hagerman.
Sophos registers 300-400 thousand new malware samples every day, and each of them can pose a serious threat to commercial companies if they are not sufficiently protected.
According to Hagerman, the only way to protect yourself from attacks is to set up protection in such a way that hackers prefer to look for another victim.
"Each attack that ended with payment of the demanded amount to the attackers strengthens their belief in the profitability of their business and increases the threat in general," comments Dmitry Gvozdev, General Director of the Security Monitor company. "And as organizations affected by ransomware are increasingly willing to pay five-figure sums for the return of their data, it's easy to imagine attackers demanding millions from a multinational corporation as a ransom."
According to Gvozdev, large personal data leaks from multinationals such as Sony or Yahoo show well how great security flaws are even in those organizations that can afford to provide maximum protection against cyber threats.
Ransomware for Industrial Systems
On February 13, cybersecurity researchers at the Georgia Institute of Technology announced the development of a new, specialized form of ransomware that was purposefully created for industrial systems[38].
This malware and its resulting attack on a simulated water treatment plant were intended to show how cybercriminals could disable key services that meet our critical needs, such as electrical and water supply, heating, ventilation and air conditioning, or elevator management.
The study was presented at a conference in San Francisco organized by RSA.
The researchers described how they identified a number of common programmable logic controllers (PLCs) often used in industrial plants. By purchasing three different devices, the researchers tested their security levels, including password protection status and exposure to malicious changes.
The PLCs were then connected to pumps, pipes and tanks to simulate a water treatment plant. However, instead of the chlorine used to disinfect water, the researchers used iodine and mixed starch into the water.
If the attacker added iodine to the water, it would turn blue.
A simulated ransomware attack, which infects systems in the conventional ways through phishing emails and links to malicious sites, shut down and locked critical systems. If a real attacker used a ransomware program to take the plant hostage, he could threaten to add a life-threatening amount of chlorine to the water, which could potentially poison entire cities.
The researchers also managed to attack the PLC to close valves and falsify sensor readings. Studying the accessibility of these PLCs, the researchers also found 1,400 units of the same type of PLC that were easy to access over the Internet. Many of these devices were behind corporate firewalls, but that keeps them secure only as long as network security is maintained.
Although there have been few real ransomware attacks against embedded industrial systems so far, we have already seen such programs used against hospitals with dire consequences. In some cases, the size of the demanded ransom is nothing compared to the harm that continuing the attack would cause. For hospitals, this can pose a threat to people's lives, as it would if water supply systems were taken hostage.
2016
Europol, Dutch police, Kaspersky Lab and McAfee launch the No More Ransom project to combat ransomware
In 2016, Europol, the Dutch police, Kaspersky Lab and McAfee (Intel Security) announced the creation of the No More Ransom project aimed at combating ransomware Trojans. Gradually, many other organizations joined the project. The site hosts more than two dozen tools with which victims of different ransomware can try to regain access to lost data.[39] Unfortunately, not all ransomware has weaknesses that allow it to be "cracked."
Trend Micro: Cybercriminals made $1bn from ransomware
Trend Micro presented in June 2017 the summary and main conclusions of the Ransomware: Past, Present, and Future report. For more research, see Cyberattacks.
The first ransomware attack was recorded in Russia between 2005 and 2006. In the message, the hackers demanded $300 US for returning the encrypted files. At the first stage, files with the most common extensions were encrypted: .DOC, .XLS, .JPG, .ZIP, .PDF, etc. Later, varieties of ransomware appeared that could encrypt data on mobile devices and even affect the operation of the master boot record. At the end of 2013, varieties of programs appeared, such as CryptoLocker, that not only encrypted files but also began to delete them if the victim refused to pay the ransom.
The main conclusions of the report and the company's forecasts:
- Ransomware families grew by 752% in 2016.
- In 2016, the average ransom for returning access to files was 0.5 − 5 bitcoins.
- Ransomware attacks are becoming more targeted today; spam is used as the main means of distribution (79%), followed by infection of existing sites or the creation of separate sites/pages on the Internet (20%), as well as exploit kits.
- The main focus of cybercriminals is shifting: since 2015, the main target of ransomware has been not individuals but business.
- Ransomware is now available as a service. The ransomware-as-a-service model allows attackers to get even more money.
- When attacking a business, attackers most often encrypt the company's databases; in second place are SQL files.
- In the future, ransomware targeting critical infrastructure as well as industrial control systems (ICS) may emerge.
Examples of the largest ransomware attacks in the second half of 2016:
- In September, as a result of a ransomware attack on the municipality of Springfield (Massachusetts, USA), its files were unavailable for 10 days.
- In September, Vesk (UK) paid a ransom of $23,000 to attackers to return access to their files.
- In November, the Madison County Municipality (New York, USA) paid attackers $28,000 to decrypt files.
- In November, due to a ransomware attack on the San Francisco Municipal Transportation Agency, the authorities were forced to make public transport in the city free for a certain time.
- In November, the ransomware encrypted about 33,000 files in the Howard County Municipality system (USA).
- In December, the East Valley Community Health Center in the United States was attacked by a ransomware program, which affected the records of about 65 thousand people. They contained personal information, medical data and insurance data.
In order to minimize possible risks and protect against ransomware, Trend Micro recommends:
- Back up data regularly, keeping three copies in two different formats, with one copy stored offline (without network access).
- Regularly update the software used on devices.
- Provide staff training covering phishing.
- Restrict access to confidential information within the company.
- Do not pay the ransom.
- Use advanced information security solutions that include network monitoring, behavior analysis technologies, vulnerability protection, etc.
Petya ransomware virus
In early April 2016, it became known that the developers of ransomware viruses had found a new way to make their victims miserable. F-Secure, a cybersecurity company, issued a warning[40] on April 4, 2016[41] about a new kind of ransomware virus that blocks the entire computer hard drive instead of simply encrypting files on the disk, as other similar computer viruses do.
According to F-Secure, Petya encrypts the MFT of the file system, making it impossible for the operating system to locate the necessary files and thus rendering the computer completely inoperable. The MFT (Master File Table) is a database that stores information about the contents of a volume with the NTFS file system; it is a table whose rows correspond to the files of the volume and whose columns correspond to the file attributes.
"The virus installs itself in the Master Boot Record (MBR). But instead of acting covertly, it shows a red screen with instructions on how to restore the system," wrote F-Secure chief security officer Jarkko Turkulainen.
The Petya ransomware virus was probably developed in Russia
The attack on MFT takes less time than encrypting files on disk, while leading to the same results, Sean Sullivan, F-Secure security consultant, added in comments to Dark Reading.
"Many other crypto ransomware take time and processor power," Sullivan said.
Victims of such attacks, in fact, often report that their computers slow down greatly during the attack. While home users may not know what caused the performance decline, workers at businesses sometimes have enough time to prevent complete data loss. With Petya, this is no longer an option.
"Petya is able to hit the MFT in a matter of seconds before crashing the system and rebooting. In an enterprise environment, there will be no time to call for help."
For its victims, Petya presents problems that are uncharacteristic of other ransomware viruses. Since Petya infects the MBR, it blocks the entire system completely. Therefore, the victim needs to find another computer with Internet access in order to pay the ransom and restore access to the compromised system. Although this in itself may not pose a problem for workers in an office, it can cause difficulties for home users, Sullivan said.
Petya also gives the user the task of independently downloading the Tor browser (The Onion Router) to access the hidden link for making the payment. "Petya is not trying to provide proxy links for the Tor service," showing either that the authors of the malicious code do not care about the difficulty of installing the Tor browser or that they simply have not yet created this functionality.
To some extent, because victims find it harder to pay the ransom, Petya's authors may be reducing their chances of making money from it, Sullivan said. As a result, the likelihood that this type of attack will become more widespread will depend on how successful the virus's authors are in profiting from Petya.
"It will depend on people being able to figure out how to pay. The virus definitely has some advantages in how it infects the system. Therefore, we are likely to see more such activity, but it is too early to say whether this will become common," Sullivan said.
News of Petya came amid an increased number of reports[42] about the growth of ransomware viruses and their attacks in recent months. Many believe that the success of the authors of ransomware viruses is attracting more criminals, including organized criminal groups, into the sphere of cyber extortion. In recent months, ransomware viruses such as Locky,[43] TeslaCrypt and Samas have infected a huge number of individual users and organizations, including some large US hospitals.
A large wave of attacks forced the US Department of Homeland Security to issue a warning[44] in conjunction with the Canadian Cyber Incident Response Centre to inform users and organizations about the severity of this threat. The warning informed users and organizations about the "devastating consequences" of attacks by ransomware viruses.
"Recovery can be a complex process that requires the services of a qualified data recovery professional," the alert said.
To protect against such cyber attacks, individuals and organizations are advised to implement a plan to back up and restore important data and use a whitelist to make sure that only specially authorized applications can run on a computer. Another tip is to keep your software up to date by regularly installing updates and patches, as well as limiting the ability to install and run applications for users.
2012: The beginning of a rapid growth in the use of ransomware
For a long time, attackers did not "try" ransomware as a tool for extorting money from home and corporate users, but once they got a taste for it, the process picked up speed. Since 2012, the number of detected ransomware programs has grown quite rapidly. At the same time, the methods of using various encryption algorithms began to improve.
No additional tools were required to deal with the first ransomware, but that no longer worked against the samples of 2012. The most popular encoders of that time were Trojan.Encoder.94/102 and their modifications. In the first case, the data was encrypted with a relatively simple symmetric algorithm, but Trojan.Encoder.102 did not so much encrypt as corrupt the data, which made full recovery impossible. Still, some types of files were restored using a utility created by Doctor Web specialists.
2005-2009: The birth of ransomware
The first viral incident with Trojan.Encoder Trojans was recorded in May 2005. But the simple encryption algorithm did not make it particularly effective: files damaged by the Trojan were easily repaired by the antivirus program. Nor did it cause much excitement among cybercriminals: until the summer of 2007, there were fewer than 10 entries for encoders in the Dr.Web virus database. And none of them required any "special" treatment either; encrypted files were restored directly by the antivirus, without additional utilities.
Until 2009, the appearance of various variations was rather a "trial of the pen" by attackers, who were constantly looking for new methods of attacking PCs and networks. In fact, creating a serious ransomware program whose results cannot be decrypted on the fly or in a very short time is a non-trivial task. And for lone virus writers, who until recently dominated the world of malware, it was simply overwhelming. After all, a ransomware Trojan, as the name suggests, encrypts files, which means that cryptography skills are what its creator needs first.
It is also worth noting the key difference between Trojans and computer viruses. The former are independent applications, not "parasites" attached to files. This also determines the key point in the behavior of the antivirus and the user in relation to a Trojan. While an infected file can be cleaned of a virus by restoring a "clean" version of the original, a Trojan cannot be cured, because it is itself a malicious file. Even if it is a legitimate application with "shadow" functionality, it is still intact, and its negative effect can only be eliminated by complete removal.
A ransomware Trojan has no distribution mechanisms. Moreover, even once on a computer, it is not able to activate itself. In fact, the encoder is a regular program that starts working only when the user runs it himself or runs a bootloader script that installs the Trojan.
Notes
- ↑ Dr.Web. Ransomware Trojans. Epidemic since 2006
- ↑ Ransomware in 2024: New players, bigger payouts, and smarter tactics
- ↑ Record-Breaking $75 Million Ransom Paid To Dark Angels Gang
- ↑ Ransomware incidents hit 117 countries in 2023, task force says
- ↑ Ransomware and extortion incidents surged by 67% in 2023, according to NTT Security Holdings 2024 Global Threat Intelligence Report
- ↑ Arctic Wolf Threat Report Highlights Sharp Rise in Ransom Demands and BEC Incidents
- ↑ Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline
- ↑ Alliance of 40 countries to vow not to pay ransom to cybercriminals, US says
- ↑ Italy targeted by wide-ranging cyberattack
- ↑ IBM Report: Ransomware Persisted Despite Improved Detection in 2022
- ↑ Ransomware Attacks, Payments Declined In 2022: Report
- ↑ Ransomware attacks on industrial infrastructure doubled in 2022: Dragos, https://therecord.media/dragos-ransomware-report-2022-ics-ot-lockbit/
- ↑ Ransomware Revenue Down As More Victims Refuse to Pay
- ↑ [1]
- ↑ Ransom Cartel hackers use the tools and source code of the ransomware REvil
- ↑ The Microsoft Threat Analysis Center announced a cyber attack on transport firms in Ukraine and Poland
- ↑ The new ransomware disguises itself as a Google update, https://www.securitylab.ru/news/532758.php
- ↑ Hive ransomware finally switched to Rust and became more dangerous
- ↑ New Goodwill ransomware requires victims to do three good things
- ↑ Experts have calculated the speed of encryption of files of ten sensational ransomware families
- ↑ The new LokiLocker ransomware is equipped with viper functions
- ↑ Ransomware Attacks Surged to New Highs in 2021
- ↑ [2]
- ↑ Ransomware attacks surged 2X in 2021, SonicWall reports
- ↑ Ransomware 2021 Year End Report Reveals Hackers are Increasingly Targeting Zero-Day Vulnerabilities and Supply Chain Networks for Maximum Impact
- ↑ IDC Survey Finds More Than One Third of Organizations Worldwide Have Experienced a Ransomware Attack or Breach
- ↑ Ransomware Recovery Cost Reaches Nearly $2 Million, More Than Doubling in a Year, Sophos Survey Shows
- ↑ FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware
- ↑ Nearly half of retailers hit by ransomware in 2020
- ↑ Ransomware gangs made at least $350 million in 2020
- ↑ Group-IB releases predictions on cyber threats the world faces in new year
- ↑ A ransomware written in an unusual language attacks Linux servers
- ↑ Victims of ransomware viruses have paid more than $25 million since 2014
- ↑ Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone
- ↑ [3]
- ↑ Ransomware negotiation stirs controversy in Korea
- ↑ Sophos CEO sounds the alarm on enterprise ransomware attacks
- ↑ Researchers created a ransomware program for industrial systems
- ↑ DECRYPTION TOOLS
- ↑ Petya: disk-encrypting ransomware, https://labsblog.f-secure.com/2016/04/01/petya-disk-encrypting-ransomware/
- ↑
- ↑ Ransomware Will Spike As More Cybercrime Groups Move In
- ↑ Here Comes Locky, A Brand New Ransomware Threat
- ↑ Alert (TA16-091A) Ransomware and Recent Variants, https://www.us-cert.gov/ncas/alerts/TA16-091A