Ransomware in targeted attacks against businesses

Ransomware vs. Enterprises: Kaspersky Lab researchers have discovered an emerging and worrying trend: more and more digital criminals are shifting their focus from attacks on individuals to ransomware attacks targeting .

At least eight groups of digital criminals involved in the development and distribution of encryption ransomware have been identified. The attacks have primarily hit financial institutions worldwide. Kaspersky Lab experts have recorded cases where payment demands were estimated at more than half a million dollars.

The eight identified groups include PetrWrap's creators, who have attacked financial institutions worldwide, the notorious Mamba group, and six other unfamiliar groups targeting mainly corporate users. It is worth mentioning that these six groups had until recently been involved in attacks primarily targeting individuals and using identical programs. They have now redirected their efforts toward corporate networks. According to Kaspersky Lab researchers, the reason for this trend is clear: criminals believe that ransomware attacks against businesses offer the prospect of higher profits than mass attacks on individuals. A successful ransomware attack against a company can easily halt the normal operation of the business for hours or even days, making the owners of the attacked companies more likely to pay the ransom.

More generally, the tactics, techniques and procedures used by these groups have several common elements. They infect the targeted organization with malicious software via vulnerable servers or phishing email. Then they establish persistence in the victim's network and identify vulnerable corporate resources to encrypt. Finally, they demand a ransom in return for decryption. Apart from these similarities, some of the groups have their own distinctive features.

For example, the Mamba group uses its own encryption malware, based on the open-source software DiskCryptor. Once the attackers gain access to the network, they install the encryptor across it, using a legitimate remote-control utility for Windows. This approach makes the activity less suspicious to the staff of the target organization. Kaspersky Lab researchers have come across cases where ransoms have reached as high as one bitcoin (about $1,000 as of late March 2017) per decryption endpoint.

Another unique example of the tools used in targeted ransomware attacks is PetrWrap. This group mainly targets large companies that have a large number of network nodes. The criminals carefully select targets for each attack, which can last for some time: PetrWrap has persisted on a network for up to 6 months.

"All of us must know that the threat of targeted ransomware attacks on enterprises is on the rise, bringing tangible financial losses. The trend is alarming, as ransomware operators have begun their 'crusade' for new and more profitable victims. There are many more potential ransomware targets on the loose, with attacks having even more devastating consequences," said Anton Ivanov, Senior Security Researcher, Kaspersky Lab's Anti-Ransom.

To protect organizations from such attacks, Kaspersky Lab's security experts advise:

  • Make secure and timely backups of your data so that they can be used to restore original files after a data loss incident.
  • Use a security solution with behavior-based detection technologies. These technologies can "catch" malicious software, including ransomware, by observing how it behaves during an attack on the system, which makes it possible to detect new and even unknown ransomware samples.
  • Visit No More Ransom, a joint initiative to help victims of ransomware programs recover their encrypted data without having to pay criminals.
  • Check the installed software, not only on the endpoints but also on all nodes and servers on the network, and keep it up to date.
  • Perform a security assessment of the control network (i.e., a security audit, penetration testing, gap analysis) to identify and eliminate any security gaps. Review external and third-party security policies if those parties have direct access to the control network.
  • Request external information: information from trusted providers helps organizations anticipate future attacks against the company.
  • Educate your employees, with special emphasis on operational and technical staff, and raise awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A proper security strategy must devote significant resources to detecting and responding to attacks, so that an attack is stopped before it reaches critical items.

For more information on targeted ransomware attacks, you can read the blog post on the Securelist.com website.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
