Ransomware in targeted attacks against businesses

Ransomware vs. Business: Kaspersky Lab researchers have discovered an emerging and worrying trend: more and more digital criminals are turning their attention from attacks on individuals to attacks with ransomware programs targeting businesses.

At least eight groups of digital criminals involved in the development and distribution of encryption ransomware have been identified. The attacks have primarily hit financial institutions worldwide. Kaspersky Lab experts have recorded cases where ransom demands are estimated at more than half a million dollars.

The eight recognized groups include PetrWrap's creators, who have attacked financial institutions worldwide, the notorious Mamba group, and six other unfamiliar groups targeting mainly corporate users. It is worth mentioning that, until recently, these six groups were involved in attacks primarily targeting individuals and using identical programs. They have now redirected their efforts toward corporate networks. According to Kaspersky Lab researchers, the reason for this trend is clear: criminals believe that ransomware attacks against businesses offer higher profits than mass attacks on individuals. A successful ransomware attack against a company can easily halt the normal functioning of the business for hours or even days, making the owners of the attacked companies more likely to pay the ransom.

More generally, the tactics, techniques and procedures used by these groups have quite a lot in common. They infect the targeted organization with malware through vulnerable servers or by spreading phishing emails. They then establish persistence in the victim's network and identify the vulnerable corporate resources to encrypt. Subsequently, they demand a ransom in exchange for decryption. Apart from their similarities, some of the groups also have their own distinctive traits and characteristics.

For example, the Mamba group uses its own encryption malware, based on the open-source software DiskCryptor. Once the attackers gain access to the network, they install the encryptor across it, using a legitimate remote control utility for Windows. This approach makes the actions less suspicious to the security staff of the targeted organization. Kaspersky Lab researchers have encountered cases where the ransom reached up to one bitcoin (approximately $1,000 as of the end of March 2017) per endpoint decrypted.

Yet another unique example of the tools used in targeted ransomware attacks is PetrWrap. This group targets mainly large companies that have a large number of network nodes. The criminals carefully select targets for each attack, and an attack can last for some time: PetrWrap has persisted in a network for up to 6 months.

"We all need to know that the threat of targeted ransomware attacks on businesses is growing, leading to tangible financial losses. The trend is worrying, as ransomware operators have begun their "crusade" for new and more lucrative victims. "There are many more potential ransomware targets that circulate freely, with attacks having even more devastating consequences." said Anton Ivanov, Senior Security Researcher, Kaspersky Lab's Anti-Ransom.

To protect organizations from such attacks, Kaspersky Lab's security experts advise:

  • Make secure and timely backups of your data so that they can be used to restore original files after a data loss incident.
  • Use a security solution with behavior-based detection technologies. These technologies can "catch" malicious software, including ransomware programs, by observing how it behaves during the attack on the system, which makes it possible to detect new and even unknown samples of ransomware.
  • Visit No More Ransom, a joint initiative to help victims of ransomware programs recover their encrypted data without having to pay criminals.
  • Check the installed software, not only at the endpoints, but also on all nodes and servers on the network and keep it up to date.
  • Perform a security assessment of the control network (i.e., a security audit, penetration testing, gap analysis) to identify and eliminate any security gaps. Review external and third-party security policies if they have direct access to the control network.
  • Request external information: information from trusted providers helps organizations anticipate future attacks against the company.
  • Train your employees, with special emphasis on technical staff and their awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A proper security strategy must allocate significant resources to attack detection and response in order to prevent an attack before it becomes critical.

For more information on targeted ransomware attacks, you can read the blog post on the Securelist.com website.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
