COMMENT
We should all be aware that the threat of targeted ransomware attacks on businesses is rising, bringing tangible financial losses.
Kaspersky Lab’s researchers have discovered an emerging and alarming trend: more and more cybercriminals are turning their attention from attacks against private users to targeted ransomware attacks against businesses. At least eight groups of cybercriminals involved in encryption ransomware development and distribution have been identified. The attacks have primarily hit financial organizations worldwide. Kaspersky Lab’s experts have encountered cases where payment demands amounted to over half a million dollars.
The eight identified groups include PetrWrap authors, who have attacked financial organizations worldwide, the infamous Mamba group, and six unnamed groups also targeting corporate users. It is worth noting that these six groups were previously involved in attacks targeting mostly private users and used affiliate program models. Now, they have refocused their efforts on corporate networks. According to Kaspersky Lab’s researchers, the reason for the trend is clear – criminals consider targeted ransomware attacks against businesses potentially more profitable than mass attacks against private users. A successful ransomware attack against a company can easily stop its business processes for hours or even days, making owners of affected companies more likely to pay the ransom.
INTELLIGENTCIO
In general, the tactics, techniques and procedures used by these groups are very similar. They infect the targeted organization with malware through vulnerable servers or spear phishing emails. Then they establish persistence in the victim’s network and identify the valuable corporate resources to encrypt, subsequently demanding a ransom in exchange for decryption. In addition to their similarities, some groups have their own unique features.
For instance, the Mamba group uses its own encryptor malware, based on the open-source software DiskCryptor. Once the attackers gain a foothold in the network, they install the encryptor across it, using a legitimate utility for Windows remote control. This approach makes the actions look less suspicious to the security officers of the targeted organization. Kaspersky Lab’s researchers have encountered cases where the ransom amounted to up to one bitcoin (around $1,000 as of the end of March 2017) per endpoint decrypted.
Another unique example of tools used in targeted ransomware attacks comes from PetrWrap. This group mainly targets major companies that have many network nodes. The criminals carefully select targets for each attack, which can last for some time: PetrWrap has persisted in a network for up to 6 months.