
More than just malware, ransomware 2.0 hits businesses hard

Cyber criminals are shifting their focus from encrypting data to publishing confidential information online, according to new findings from Kaspersky researchers.

Through a recent analysis of two notable ransomware families, Ragnar Locker and Egregor, Kaspersky uncovered a cyber threat trend that has emerged in recent years.

The researchers state that widespread ransomware attacks, where criminals use malware to encrypt your data and hold it for ransom, are being replaced by more targeted attacks against specific companies and industries.

In these more targeted campaigns, attackers don’t only threaten to encrypt data but publish confidential information online.

In general, ransomware attacks are considered one of the more serious types of threats facing companies, Kaspersky states.

Not only can they disrupt critical business operations, but they can also lead to massive financial losses and, in some cases, even bankruptcy due to fines and lawsuits incurred as a result of violating laws and regulations, the researchers state.

For example, the WannaCry attacks are estimated to have caused more than $4 billion in financial losses.

However, newer ransomware campaigns are modifying their modus operandi - they’re threatening to take stolen company information public, Kaspersky states.

Ragnar Locker and Egregor are two well-known ransomware families practicing this new method of extortion.

Ragnar Locker was first discovered in 2019, but it didn’t become well-known until the first half of 2020 when it was seen attacking large organisations.

Attacks are highly targeted, with each sample specifically tailored to the intended victim, and those who refuse to pay have their confidential data published in the 'Wall of Shame' section of the group's leak site.

If the victim chats with the attackers and then refuses to pay, this chat is also published.

The primary targets are companies in the United States across different industries.

This past July, Ragnar Locker stated that it had joined the Maze ransomware cartel, meaning the two will share stolen information and collaborate, Kaspersky states.

Maze has become one of the most notorious ransomware families in 2020, according to the researchers.

Egregor is much newer than Ragnar Locker - it was first discovered in September 2020. However, it uses many of the same tactics, and it also shares code similarities with Maze.

The malware is typically deployed after the network has been breached; once the target’s data has been exfiltrated, the attackers give the victim 72 hours to pay the ransom before the stolen information goes public.

If the victims refuse to pay, the attackers publish the names of the victims and links to download the confidential company data on their leak site.

Egregor’s attack radius is much more extensive than Ragnar Locker’s, Kaspersky states.

This ransomware has been seen targeting victims across North America, Europe, and parts of the APAC region, Kaspersky states.

Global Research and Analysis Team (GReAT) head for Latin America, Dmitry Bestuzhev, says, “What we’re seeing right now is the rise of ransomware 2.0.

"By that I mean, attacks are becoming highly targeted and the focus isn’t just on encryption; instead, the extortion process is based around publishing confidential data online.

"Doing so puts not just companies’ reputations at risk, but also opens them up to lawsuits if the published data violates regulations like HIPAA or GDPR. There’s more at stake than just financial losses.”

Kaspersky security expert Fedor Sinitsyn says, “This means organisations need to think about the ransomware threat as more than just a type of malware. In fact, oftentimes, the ransomware is only the final stage of a network breach.

"By the time the ransomware is actually deployed, the attacker has already carried out a network reconnaissance, identified the confidential data and exfiltrated it.

"It’s important that organisations implement the whole range of cybersecurity best practices. Identifying the attack at an early stage, before attackers reach their final goal, can save a lot of money.”

Kaspersky experts recommend various beneficial activities.

Businesses should not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.

In addition, they should always keep software updated on all devices, keep employees educated, use tools that can automatically detect vulnerabilities and download and install patches, treat unknown emails and messages with caution, and use proven cybersecurity solutions.

Furthermore, Kaspersky states that businesses should focus defence strategies on detecting lateral movement and data exfiltration to the internet, pay special attention to outgoing traffic to detect cybercriminals' connections, back up data regularly, and make sure data can be quickly accessed in an emergency.
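One concrete form of the outbound-traffic monitoring recommended above, added here as an example that is not part of the article or of Kaspersky's guidance: it flags internal hosts whose daily volume sent to the internet jumps far above their own baseline, the kind of exfiltration signal that precedes the 72-hour countdown. The flow records, the RFC 1918 definition of "internal", and the ratio and floor thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed flow summaries (src_ip, dst_ip, bytes_out, day); not real traffic.
FLOWS = [
    ("10.0.1.20", "203.0.113.44", 800_000, 1),
    ("10.0.1.20", "203.0.113.44", 950_000, 2),
    ("10.0.1.20", "203.0.113.44", 700_000, 3),
    ("10.0.1.20", "203.0.113.99", 6_500_000_000, 4),  # 6.5 GB to a new host: suspicious
    ("10.0.1.20", "10.0.2.5", 9_000_000_000, 4),      # internal file-server copy, not egress
    ("10.0.1.31", "203.0.113.44", 400_000, 1),
    ("10.0.1.31", "203.0.113.44", 450_000, 2),
    ("10.0.1.31", "203.0.113.44", 420_000, 3),
    ("10.0.1.31", "203.0.113.44", 600_000, 4),
]

# Assumption: RFC 1918 ranges are "internal"; anything else counts as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def egress_by_host_day(flows):
    """Sum bytes per (internal host, day) for flows that leave the internal ranges."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes, day in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
    return totals

def flag_exfil_candidates(flows, current_day, ratio=10.0, floor_bytes=1_000_000_000):
    """Return {host: (baseline_avg_bytes, today_bytes)} for hosts whose egress on
    current_day exceeds an absolute floor AND ratio times their own earlier average."""
    flagged = {}
    for host, per_day in egress_by_host_day(flows).items():
        baseline = [b for d, b in per_day.items() if d < current_day]
        today = per_day.get(current_day, 0)
        if not baseline or today < floor_bytes:
            continue  # no history to compare against, or too small to matter
        avg = mean(baseline)
        if today > ratio * avg:
            flagged[host] = (avg, today)
    return flagged

if __name__ == "__main__":
    for host, (avg, today) in flag_exfil_candidates(FLOWS, current_day=4).items():
        print(f"{host}: {today} bytes out today vs baseline {avg:.0f}")
```

The internal SMB copy on day 4 is ignored because it never leaves the private ranges; only the 6.5 GB sent to an external address trips the check.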
