ENTERPRISES WARNED: Ransomware remains the biggest cyberthreat


INFORMATION security officers need to set up stronger defenses as two notorious ransomware families, REvil and JSWorm, continue to proliferate in the Asia Pacific region.

Cybersecurity company Kaspersky considers 2020 the year of “Ransomware 2.0” in the region, and its announcement also anticipates that attacks on enterprises will continue. In a virtual press briefing with an international media forum, Kaspersky’s malware analysts explained how “targeted ransomware” wreaks havoc on information systems, grabbing important data and shutting down operations, then either holding the data hostage or blackmailing the victims with it.

The cybersecurity provider uses “Ransomware 2.0” to describe groups that moved from simply locking up data to exfiltrating it, coupled with blackmail. Data exfiltration is the unauthorized transfer of data from a computer, usually carried out remotely using malware and usually initiated through social engineering tactics.


Calling 2020 “a most productive year for Ransomware 2.0 in the region” confirms the breadth and depth of the infiltration attempts, and that successful attacks mean significant monetary loss and reputational damage.

“2020 was the most productive year for ransomware families who moved from hostaging data to exfiltrating data, coupled with blackmailing. In APAC, we noticed an interesting re-emergence of two highly active groups, REvil and JSWorm. Both resurfaced as the pandemic raged in the region last year and we see no signs of them stopping anytime soon,” Alexey Shulmin, Lead Malware Analyst at Kaspersky, said.

Learning the lessons of the 2020 ransomware experience will better prepare information security officers in enterprises against attacks.

“There is a pattern that we can follow to be able to detect and stop ransomware,” Fedor Sinitsyn, Senior Malware Analyst at Kaspersky, said during the press conference, highlighting how expert monitoring found that the REvil ransomware group has actively spread its operations from the Asia Pacific (APAC) region to the rest of the world.

Kaspersky first wrote about REvil ransomware in July 2019. Also known as Sodinokibi and Sodin, the group initially distributed itself through an Oracle WebLogic vulnerability and carried out attacks on managed service providers (MSPs).

While REvil’s activity peaked in August 2019 with 289 potential victims, Kaspersky telemetry recorded fewer detections until July 2020. After targeting only 44 Kaspersky users globally in June 2020, the ransomware group accelerated its attacks: Kaspersky solutions protected 877 users from this threat in July, a 1,893 percent increase in the span of a single month.

“Back in 2019, most of their victims were only from APAC, particularly in Taiwan, Hong Kong, and South Korea. But last year, Kaspersky detected their presence in almost all countries and territories. It is safe to say that during their ‘silent months’, REvil creators took their time to improve their arsenal, their method of targeting victims, and their network’s reach,” adds Shulmin.

One thing was unchanged, though. APAC remained one of the top targets for REvil.

Of the 1,764 Kaspersky users targeted by the group in 2020, 635 (36 percent) were from the region. Brazil, however, logged the highest number of users almost infected with this threat, followed by Vietnam, South Africa, China, and India.

Based on the data the threat actors published on their data leak site, Kaspersky experts were also able to sort the group’s targets into several general industry classes. The largest share of targets by industry falls under engineering and manufacturing (30 percent), followed by banking and finance (14 percent) and professional and consumer services (9 percent). The legal, IT and telecommunications, and food and beverage industries received equal attention at 7 percent each.

The other persistent ransomware family, JSWorm, also entered the ransomware landscape in 2019. However, the geographical distribution of its initial victims was more varied. During its first months it was detected across the globe: in North and South America (Brazil, Argentina, USA), in the Middle East and Africa (South Africa, Turkey, Iran), in Europe (Italy, France, Germany), and in APAC (Vietnam).

The number of JSWorm victims is lower than REvil’s, but it is clear that this ransomware family is gaining ground. Most notably, Kaspersky experts noticed a shift in the group’s attention towards the APAC region. China emerged as the country with the highest number of Kaspersky Security Network (KSN) users almost infected by JSWorm globally, followed by the USA, Vietnam, Mexico, and Russia. More than one-third (39 percent) of all the enterprises and individuals this group targeted last year were also located in APAC.

When it comes to target industries, it is clear that this ransomware family eyes critical infrastructure and major sectors across the world. Nearly half (41 percent) of JSWorm attacks were aimed at companies in the engineering and manufacturing industry. Energy and utilities (10 percent), finance (10 percent), professional and consumer services (10 percent), transportation (7 percent), and healthcare (7 percent) were also at the top of its list.

These figures are likewise based on the data the threat actors published on their data leak site.

To thwart ransomware, Kaspersky recommends the following actions:

1) keep the OS and software patched and up to date;
2) train all employees on cybersecurity best practices while they work remotely;
3) only use secure technologies for remote connection;
4) carry out a security assessment of your network;
5) use endpoint security with behavior detection and automatic file rollback, such as Kaspersky Endpoint Security for Business;
6) finally, and probably most important, never follow the criminals’ demands; contact law enforcement, a CERT, and security vendors instead.
