Security Week 20: Ransomware Myths
The most important thing to know about such groups is that they are complex and do not operate autonomously. The threat will not go away even if the organizers of an individual campaign are found and arrested. The ecosystem will stop working only when it loses its income, that is, when the affected organizations stop paying the ransom. The study gives examples of how new participants are recruited and identifies the typical roles: credential vendors, malware developers, and analysts responsible for laundering cryptocurrency.
The most relevant myth refuted in the article is the assertion that the targets of attacks are selected in advance. In fact, they are found opportunistically. Most often, botnet owners and brokers who sell access to compromised computers and servers post information about potential victims, and targets are chosen “based on availability.” There is an important recommendation for IT security personnel here: individual incidents involving penetration of the protected perimeter or a malware infection need to be detected promptly. Between this first warning sign and a full-scale attack there may be a time lag, and that window can be used to avoid serious consequences.
The study details the activities of two large ransomware groups, REvil and Babuk. Among the trends it notes is more aggressive pressure on victims, intended to motivate them to pay the ransom faster. For this purpose, websites with samples of stolen data are created on the darknet, and information about leaks is “leaked” to the media. At the same time, victim support is improved to smooth the “customer experience” – for example, a separate chat is set up for communicating with the ransomware operators. In earlier publications on “custom” ransomware, Kaspersky Lab experts noted a decrease in the number of large-scale attacks. The new report shows where the attention of cybercriminals has shifted and details the transformation of criminal operations into a complex and branching business.
What else happened:
The attack on Colonial Pipeline, a pipeline operator in the United States, resulted in a brief interruption in the supply of oil products on the country’s east coast, caused panic at gas stations, and is likely to lead to further changes in the measures taken against cybercrime. There were many publications about this attack last week, but not all of the information has been confirmed. Here are the most interesting articles:
– An analysis by Brian Krebs of the activities of the DarkSide group, which claimed responsibility for the attack. Earlier, on Twitter, he pointed out, half-jokingly, an obvious fact about malicious encryptors with Russian-language roots: they avoid systems with a Cyrillic keyboard layout.