Ransomware in targeted attacks against businesses

Ransomware vs. Enterprises: Kaspersky Lab researchers have discovered an emerging and worrying trend: more and more digital criminals are shifting their focus from attacks on individuals to ransomware attacks targeting .

At least eight groups of digital criminals involved in the development and distribution of encrypting ransomware have been identified. The attacks have primarily hit financial institutions worldwide. Kaspersky Lab experts have recorded cases where ransom demands were estimated at more than half a million dollars.

The eight identified groups include the creators of PetrWrap, which has attacked financial institutions worldwide, the infamous Mamba group, and six unnamed groups that mainly target corporate users. It is worth noting that these six groups were previously involved in attacks that primarily targeted individuals and used identical programs. They have now refocused their efforts on enterprise networks. According to Kaspersky Lab researchers, the reason for this trend is clear: criminals see ransomware attacks against businesses as having higher profit prospects than mass attacks against individuals. A successful ransomware attack against a company can easily bring the business to a standstill for hours or even days, making the owners of the attacked companies more likely to pay a ransom.

More generally, the tactics, techniques and procedures used by these groups have a lot in common. They infect the targeted organization with malware through vulnerable servers or phishing emails. They then establish persistence in the victim's network and identify vulnerable corporate resources to encrypt. Next, in return they demand a ransom for the ap. Beyond these similarities, some of the groups also have distinctive traits of their own.

For example, the Mamba group uses its own malware, based on the open source software DiskCryptor. Once the attackers gain access to the network, they install the encryptor across it using a legitimate remote control utility for Windows. This approach makes the activity look less suspicious to the security staff of the target organization. Kaspersky Lab researchers have encountered cases where the ransom has reached up to one bitcoin (approximately $1,000 at the end of March 2017) per endpoint decrypted.

Another distinctive example of the tools used in targeted ransomware attacks is PetrWrap. This group mainly targets large companies that have a large number of network nodes. The criminals carefully select the targets for each attack, which can last for some time: PetrWrap has persisted in a network for up to 6 months.

"We all need to know that the threat of targeted ransomware attacks on businesses is growing, leading to tangible financial losses. The trend is worrying, as ransomware operators have begun their "crusade" for new and more lucrative victims. "There are many more potential ransomware targets that circulate freely, with attacks having even more devastating consequences." said Anton Ivanov, Senior Security Researcher, Kaspersky Lab's Anti-Ransom.

To protect organizations from such attacks, Kaspersky Lab's security experts advise:

  • Create appropriate and timely backups of so that they can be used to restore the original files after a data loss incident.
  • Use a security solution with behavior-based detection technologies. These technologies can catch malicious software, including ransomware, by observing how it operates on the attacked system, which makes it possible to detect new and even unknown ransomware samples.
  • Visit No More Ransom, a joint initiative to help victims of ransomware programs recover their encrypted data without having to pay criminals.
  • Check the installed software, not only at the endpoints, but also on all nodes and servers on the network and keep it up to date.
  • Perform a security assessment of the control network (i.e., a security audit, penetration testing, gap analysis) to identify and eliminate any security gaps. Review the security policies of external vendors and third parties if they have direct access to the control network.
  • Request external intelligence: information from trusted providers helps organizations anticipate future attacks against the company.
  • Educate your employees with special emphasis on operational and technical staff and raise awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A sound security strategy must devote significant resources to attack detection and response in order to block an attack before it reaches critically important .

For more information on targeted ransomware attacks, you can read the blog post on the Securelist.com website.


Written by Dimitris
