Ransomware vs. Business: Kaspersky Lab researchers have discovered an emerging and worrying trend: more and more digital criminals are turning their attention from attacks on individuals to attacks with ransomware programs targeting businesses.
At least eight groups of digital criminals related to the development and dissemination of an encrypted ransomware program have been identified. The attacks have primarily hit financial institutions worldwide. Kaspersky Lab experts have recorded cases where cash claims are estimated at more than half a million dollars.
The eight recognized groups include the creators of PetrWrap, which has attacked financial institutions worldwide, the infamous Mamba group and six other groups with unknown name, which mainly target enterprise users. It is worth noting that these six groups were previously involved in attacks that primarily targeted individuals and used identical programs. They have now refocused their efforts on enterprise networks. According to Kaspersky Lab researchers, the reason for this trend is clear – criminals see ransomware attacks against businesses as having higher profit prospects than mass attacks against individuals. A successful ransomware attack against a company can easily bring the business to a standstill for hours or even days, making the owners of the attacked companies more likely candidates to pay a ransom.
More generally, the tactics, techniques and procedures used by these groups have several common elements. They "infect" the targeted organization with malicious software via vulnerable servers or phishing email. Then, they are persistently installed in the victims' network and recognize vulnerable corporate resources to encrypt them. Then, in return, they ask for a ransom for decryption. Apart from their similarities, some of the groups have their own features and features.
For example, the Mamba team uses its own encryption malware, based on open source software code, DiskCryptor. Once the attackers gain access to the network, they install the encryptor on it using a legitimate remote control utility for Windows. This approach makes the actions less suspicious to the security personnel of the target organization. Kaspersky Lab researchers have come across cases where ransoms have reached as high as one bitcoin (about $1.000 as of late March 2017) per decryption endpoint.
Yet another unique example of the tools used in targeted ransomware attacks is PetrWrap. This group targets mainly large companies that have a large number of network nodes. The criminals carefully selected for each attack targets that last for some time: PetrWrap has persisted in a network up to 6 months.
"All of us must know that the threat of the targeted attacks with enterprise ransomware is on the rise, bringing tangible financial losses. The trend is alarming, as ransomware operators have begun their “crusade” for new and more profitable victims. There are many more potential ransomware targets on the loose, with attacks having even more devastating consequences.” said Anton Ivanov, Senior Security Researcher, Kaspersky Lab's Anti-Ransom.
To protect organizations from such attacks, Kaspersky Lab's security experts advise:
- Create appropriately and timely copies backup of your data so that it can be used to restore the originals files after a data loss incident.
- Use a security solution with behavioral-based detection technologies. These technologies can "catch" malicious software, including ransomware programs, seeing how it works during the attack on the system and makes it possible to detect new and even unknown samples of ransomware.
- Visit No More Ransom, a joint initiative to help victims of ransomware programs recover their encrypted data without having to pay criminals.
- Check the installed software, not only at the endpoints, but also on all nodes and servers on the network and keep it up to date.
- Perform a security audit of the control network (ie, a security audit, penetration testing, gap analysis) to identify and eliminate any security gaps. Review external and third party security policies if they have direct access to the control network.
- Request External Information: Information from trusted providers helps organizations anticipate future attacks against the company.
- Educate your employees with special emphasis on operational and technical staff and raise awareness of recent threats and attacks.
- Provide protection inside and outside the perimeter. A proper security strategy must have significant resources to detect and respond to an attack in order to prevent an attack before it reaches critical items.
For more information on targeted Ransomware attacks, you can read blogpost on the Securelist.com website.
