As interconnectivity transforms the world into a global village, cyber attacks are expected to increase. According to reports, the end of last year saw an increase in the average amount paid to ransomware attackers, as several organizations were forced to pay millions of dollars to have their files released.
In addition to the fact that the current pandemic has made many people and businesses vulnerable to attack, the belief that cryptocurrency is an anonymous and untraceable method of payment has led many ransomware attackers to demand payment in Bitcoin (BTC) and other altcoins.
Most recently, a report released on June 23 by the cyber security company Fox-IT revealed that a malware group called Evil Corp has gone on a rampage with new ransomware that requires its victims to pay a million dollars in Bitcoin.
The report also revealed that groups such as Evil Corp create ransomware that targets database services, cloud environments and file servers with the intent of disabling or disrupting backup applications on a company’s infrastructure. On June 28, cyber security firm Symantec reported that it had blocked an attack by Evil Corp that targeted some 30 U.S. companies, demanding payment in Bitcoin.
These attempted attacks are only the most recent examples of the escalating threat posed by ransomware. Below are some of the most malicious ransomware strains that demand payment in cryptocurrency.
WastedLocker is the latest ransomware created by Evil Corp, a group that has been active since 2007 and is considered one of the most dangerous cybercrime teams. After the indictment of two alleged members of the group, Igor Turashev and Maksim Yakubets, in connection with the banking Trojans Bugat/Dridex and Zeus, Evil Corp reportedly scaled down its activity.
However, researchers now believe that from May 2020 the group resumed its attacks, with the WastedLocker malware as its latest creation. The malware was named “WastedLocker” because of the filename it creates, which appends an abbreviation of the victim’s name to the word “wasted”.
By disabling and disrupting backup applications, database services and cloud environments, WastedLocker prevents its victims from recovering their files for a longer period of time, even if an offline backup configuration exists. In cases where an organization does not have offline backup systems, recovery can be prevented indefinitely.
The researchers note, however, that unlike other ransomware operators who leak victim information, Evil Corp did not threaten to publish victim data, in order to avoid drawing public attention to its attacks.
DoppelPaymer is ransomware designed to encrypt the files of its target, preventing the victim from accessing them and then pressuring the victim to pay a ransom to decrypt the files. Used by a cybercrime group called INDRIK SPIDER, DoppelPaymer is a variant of the BitPaymer ransomware and was first discovered in 2019 by CrowdStrike, a company specializing in endpoint protection.
Recently, the ransomware was used in an attack on the city of Torrance, California. Over 200 GB of data was stolen, with attackers demanding a ransom of 100 Bitcoin.
Other reports reveal that the same malware was used to attack the computer system of a city in Alabama. Attackers threatened to publish the private data of citizens online unless they were paid $300,000 in Bitcoin. The attack took place after warnings from a Wisconsin-based cyber security company. A cybersecurity expert analyzing the case said that the attack that brought down the city’s e-mail system was made possible through the username of a computer belonging to the city’s information systems manager.
Chainalysis data shows that DoppelPaymer is responsible for one of the largest payments recorded, one of only two to have reached the $100,000 mark.
According to a report by cyber security provider Check Point, the Dridex malware entered the top 10 malware list for the first time in March 2020 after first appearing in 2011. The malware, also known as Bugat and Cridex, specialises in the theft of banking credentials using Microsoft Word macros.
However, new variants of the malware go beyond Microsoft Word and now target the entire Windows platform. Researchers note that the malware is lucrative for criminals because of its sophistication, and it is now being used as a downloader for ransomware.
Although last year saw the dismantling of a botnet linked to Dridex, experts believe that such successes are often short-lived, as other criminal groups may take over the malware and use it for other attacks. Moreover, the current global pandemic has further intensified the use of malware such as Dridex, which is easily delivered by e-mail phishing attacks, as more and more people have to stay at home and work remotely.
Another malware that has resurfaced as a result of the coronavirus pandemic is the Ryuk ransomware, which is known to target hospitals. On March 27, a spokesperson for a UK-based IT security company confirmed that despite the global pandemic, Ryuk is still being used to target hospitals. Like most cyber-attacks, Ryuk is distributed via spam emails or geolocation-based downloads.
Ryuk is a variant of Hermes, which is linked to the SWIFT attack in October 2017. It is believed that attackers using Ryuk since August have collected more than 700 Bitcoin across 52 transactions.
While the ransomware landscape continues to be cluttered with new malicious tools, cybercriminal groups such as the REvil (Sodinokibi) ransomware gang seem to have evolved with the times, becoming more sophisticated in their operations. The REvil gang operates as a RaaS (Ransomware-as-a-Service) and creates strains of malware that it sells to other criminal groups.
A report by the KPN security team reveals that REvil malware has infected more than 150,000 unique computers worldwide. These infections came from a sample of only 148 strains of the REvil ransomware, since each strain is tailored to the target company’s network infrastructure to increase the chances of infection.
Recently, the notorious REvil gang launched an auction to sell data stolen from companies unable to pay the ransom, with prices starting at $50,000 payable in Monero (XMR). For privacy reasons, the REvil gang switched from requesting payment in Bitcoin to Monero, a privacy-focused cryptocurrency.
The REvil gang, one of the most active and aggressive ransomware operators, mainly targets businesses, encrypting their files and charging them astronomical fees averaging about $260,000.
On May 27, Microsoft’s security team revealed in a series of tweets information about a new ransomware called “PonyFinal”, which uses brute force to gain access to its target’s network infrastructure in order to deploy the ransomware.
Unlike most malware that uses phishing links and emails to trick the user into launching the payload, PonyFinal is distributed using a combination of a Java runtime environment and MSI files that deliver the malware, with a payload that is manually activated by the attacker. Like Ryuk, PonyFinal is mainly used to attack healthcare facilities during the COVID-19 crisis.
Despite the general increase in the number of cyber attacks, experts believe that the number of successful attacks is decreasing, because for most companies a ransomware attack in the context of a global pandemic is proving to be a death blow, leaving them unable to pay the ransom.
This is according to a report published on April 21 by the malware lab Emsisoft, which reveals a significant drop in the number of successful ransomware attacks in the United States. Similarly, a Chainalysis report published in April found a significant decrease in ransom payments since the intensification of the coronavirus pandemic in the United States and Europe.
So it appears that despite the growing number of attacks, victims are not paying the ransom, leaving criminal groups like REvil with no option but to auction off the stolen data. It is also likely that the shift to working from home has paradoxically posed a new challenge to hackers. In an interview with Cointelegraph, Brett Callow, Threat Analyst at Emsisoft, said:
“It’s very obvious to ransom attackers that they have a potentially valuable target when they hit a corporate workstation. However, it’s less obvious to hit a personal device that an employee uses for remote work and is only intermittently connected to company resources.”