Market Research

New Research Reveals Top Industries Hit by Ransomware

New desk research by NordLocker has identified the industries most frequently targeted by ransomware gangs. The analysis covered 1,200 companies hit by 10 prominent ransomware gangs in 2020 and 2021 and grouped the victims into 35 industries.

“The latest statistics indicate that a worrying 37% of companies worldwide became victims of ransomware in 2020,” says Oliver Noble, a cybersecurity expert at NordLocker, an encrypted cloud service provider. “From Campari Group in the Food & Beverage industry to Baltimore County public schools in the Education sector, both of which became victims of ransomware last year, no business or institution can feel safe. Our analysis presents the scope of recent ransomware hacks as well as indicates which industries need to stay particularly cautious.”

Top industries hit by ransomware
NordLocker’s analysis reveals that Construction is the top industry hit by ransomware (93 victimized companies), followed by Manufacturing (86). Finance (69 ransomware cases), Healthcare (65), Education (63), Technology & IT (62), Logistics & transportation (59), Automotive (56), Municipal services (52), and Legal (49) are business areas that make the list of the top 10 industries most targeted by ransomware gangs.

Among the hacked companies identified in NordLocker’s research were not only large organizations, such as a global hotel chain, an automotive conglomerate, and a worldwide clothing brand, but also small family-owned and operated businesses such as an Italian restaurant and a local dental clinic.

“It is surprising how many companies still take cybersecurity for granted, ‘inviting’ hackers to exploit their vulnerabilities,” says Oliver Noble. “When successfully attacked, companies find all their employee data, customer details, client agreements, patents, and other valuable business information rendered inaccessible and threatened with theft, leakage, or permanent destruction. To avoid doomsday, i.e. having business operations brought to a standstill, a damaged reputation, loss of clients, tiresome legal battles, and huge fines, some organizations are left with no choice but to pay the ransom to get the decryption key.”

However, not many businesses can afford to pay hackers off. It is estimated that the average total cost of recovery from ransomware more than doubled, from around $761K in 2020 to $1.85M in 2021. Most worrying of all, paying a ransom does not guarantee that you will get back what has been taken. There is also no guarantee your business will not be attacked again.

Most affected countries
The analysis has found that the top five countries where businesses get attacked most are the US (732 cases), UK (74), Canada (62), France (58), and Germany (39).

According to Oliver Noble, most ransomware gangs come from the post-Soviet states, which still maintain their unfriendliness towards the US and seek to cause harm to both its private and public sectors. On the other hand, the French and German economies are dominated by industrial businesses, such as manufacturing, chemical, and automotive. Those industries still tend to take cybersecurity for granted and usually lack robust protection, and thus become easy and lucrative targets for hackers.

Most prolific ransomware operators
The study by NordLocker analyzed the websites of 10 ransomware gangs. The most prolific ransomware family is Conti, with 450 attacks under its name. REvil (210 hacks), DoppelPaymer (200), and PYSA (188) are also among the most notorious and active cybercrime groups preying on businesses.

“Internationally operating law enforcement groups work hard to shut ransomware infrastructure down,” says Oliver Noble. “Just last week it was reported that a joint operation put REvil’s servers offline. However, the Russian Ransomware-as-a-Service gang is expected to re-emerge. Ransomware is no longer what only skilled hackers are capable of. Any paying user, aka affiliate with little technical knowledge, can use the subscription-based model to employ already-developed tools to execute ransomware attacks against businesses.”

Cyber Security

Malware Exploits Microsoft’s e-Signature Verification to Target 2,000+ Victims in 111 Countries, and Counting


Check Point Research (CPR) has seen a new malware campaign exploiting Microsoft’s digital signature verification to steal sensitive information from victims. The malware, ZLoader, is a banking trojan that uses web injection to steal cookies, passwords, and other sensitive information. ZLoader has been known to deliver ransomware in the past and came onto CISA’s radar in September 2021 as a threat in the distribution of Conti ransomware. During the same month, Microsoft said ZLoader operators were buying Google keyword ads to distribute various malware strains, including Ryuk ransomware. Today, CPR is publishing a report that details the resurgence of ZLoader in a campaign that has claimed over 2,000 victims in 111 countries. CPR attributes the campaign to the cybercriminal group MalSmoke.

Infection Chain

  1. The attack begins with the installation of a legitimate remote management program pretending to be a Java installation
  2. After this installation the attacker has full access to the system and can upload and download files and run scripts. The attacker uploads and runs a few scripts that download further scripts, which in turn run mshta.exe with the file appContast.dll as its parameter
  3. The file appContast.dll carries a valid Microsoft signature, even though more data has been added to the end of the file
  4. The added data downloads and runs the final ZLoader payload, which steals user credentials and private information from victims
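Step 3 is the interesting one: a signature can stay valid after bytes are appended because the certificate table (the Security data directory) is excluded from the Authenticode hash, so anything an attacker stores inside the WIN_CERTIFICATE entry beyond the real PKCS#7 blob, or after the table, is never hashed. Microsoft’s optional strict verification (the EnableCertPaddingCheck setting introduced with MS13-098, the update the Safety Tips below refer to) rejects the former condition. The following is an added example, not Check Point’s, Microsoft’s or the malware authors’ code: it parses a PE file’s certificate table, measures how much of the first WIN_CERTIFICATE entry lies beyond the DER-encoded PKCS#7 SignedData, and flags bytes past the quadword padding or after the table. The headers-only PE images and the placeholder DER blob are constructed fixtures for demonstration, not real signed binaries, and appContast.dll itself is not used.

```python
"""Flag data smuggled into or after a PE file's Authenticode certificate table.

Added example, not Check Point's, Microsoft's or the malware authors' code. Bytes inside
a WIN_CERTIFICATE entry beyond the PKCS#7 blob, or after the certificate table, are not
covered by the Authenticode hash, so a valid signature survives them. Microsoft's strict
check (EnableCertPaddingCheck, MS13-098) rejects the former; this reproduces that condition.
"""
import struct

SECURITY_DIR_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_HEADER = struct.Struct("<IHH")      # dwLength, wRevision, wCertificateType

# Constructed stand-in for a PKCS#7 SignedData blob: a 104-byte DER SEQUENCE of filler.
FAKE_PKCS7 = b"\x30\x82" + struct.pack(">H", 100) + b"\xAA" * 100


def der_sequence_length(blob: bytes) -> int:
    """Total encoded length of the DER SEQUENCE starting at blob[0] (tag + length + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate body does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                         # short-form length
        return 2 + first
    n = first & 0x7F                         # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes) -> tuple:
    """(file offset, size) of the certificate table, or (0, 0) if the image has none."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # skip "PE\0\0" and the 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva, dirs = struct.unpack_from("<I", pe, opt + 92)[0], opt + 96
    elif magic == 0x20B:                     # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        nrva, dirs = struct.unpack_from("<I", pe, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if nrva <= SECURITY_DIR_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)


def check_authenticode_padding(pe: bytes) -> dict:
    """Inspect the first WIN_CERTIFICATE entry and any bytes after the certificate table."""
    off, size = security_directory(pe)
    result = {"signed": size != 0, "slack_bytes": 0, "nonzero_padding": False,
              "trailing_bytes": 0, "reasons": [], "suspicious": False}
    if size == 0:
        return result
    end = off + WIN_CERT_HEADER.unpack_from(pe, off)[0] if off + 8 <= len(pe) else len(pe) + 1
    if end > len(pe):
        result["reasons"].append("certificate entry extends past end of file")
    else:
        try:
            der_len = der_sequence_length(pe[off + 8:end])
        except ValueError as exc:
            result["reasons"].append(str(exc))
        else:
            # A legitimate entry holds the PKCS#7 blob plus zero padding to a quadword boundary.
            slack = pe[off + 8 + der_len:end]
            result["slack_bytes"] = len(slack)
            result["nonzero_padding"] = any(slack)
            if len(slack) >= 8:
                result["reasons"].append("%d bytes inside the entry beyond the PKCS#7 blob" % len(slack))
            if result["nonzero_padding"]:
                result["reasons"].append("non-zero bytes in certificate padding")
    # Bytes after the table are outside the signed region too (the "appended to the end" case).
    result["trailing_bytes"] = max(0, len(pe) - (off + size))
    if result["trailing_bytes"]:
        result["reasons"].append("%d bytes after the certificate table" % result["trailing_bytes"])
    result["suspicious"] = bool(result["reasons"])
    return result


def build_synthetic_pe(cert_der: bytes, smuggled: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed headers-only PE32+ image with one WIN_CERTIFICATE (fixture, not a real signed binary)."""
    body = cert_der + smuggled
    dw_length = (8 + len(body) + 7) & ~7      # entry length rounded up to a quadword, as the PE spec requires
    entry = WIN_CERT_HEADER.pack(dw_length, 0x0200, 0x0002) + body   # WIN_CERT_REVISION_2_0, PKCS_SIGNED_DATA
    entry += b"\0" * (dw_length - len(entry))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)    # AMD64, no sections, 240-byte optional header
    opt = bytearray(240)                                              # 112 fixed bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    cert_off = len(dos) + 4 + len(coff) + len(opt)
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, cert_off, dw_length)
    return dos + b"PE\0\0" + coff + bytes(opt) + entry + trailing


if __name__ == "__main__":
    # For a real file: check_authenticode_padding(open(path, "rb").read())
    clean = build_synthetic_pe(FAKE_PKCS7)
    tampered = build_synthetic_pe(FAKE_PKCS7, smuggled=b"<script>/* smuggled payload */</script>")
    for name, image in (("clean", clean), ("tampered", tampered)):
        print(name, check_authenticode_padding(image))
```

The check deliberately tolerates up to seven zero bytes of slack, which is the alignment padding the PE format allows; a Windows binary that trips the `slack_bytes` or `nonzero_padding` condition is exactly the kind of file the strict Authenticode setting would refuse and the default verifier would accept. Only the first certificate entry is inspected; a table with several entries would need the loop extended over `dwLength`-sized records.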

Victims
So far, CPR has documented 2,170 unique victims. Most victims reside in the United States, followed by Canada and India.

Attribution
CPR believes that the cybercriminals behind the campaign are MalSmoke, given several similarities with previous campaigns.

Disclosure
CPR informed Microsoft and Atera of its findings.

Kobi Eisenkraft, Malware Researcher at Check Point Software, said, “People need to know that they can’t immediately trust a file’s digital signature. What we found was a new ZLoader campaign exploiting Microsoft’s digital signature verification to steal sensitive information from users. We first began seeing evidence of the new campaign around November 2021. The attackers, whom we attribute to MalSmoke, are after the theft of user credentials and private information from victims. So far, we’ve counted north of 2,000 victims in 111 countries and counting. All in all, it seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis. I strongly urge users to apply Microsoft’s update for strict Authenticode verification. It is not applied by default.”

Safety Tips

  1. Apply Microsoft’s update for strict Authenticode verification. It is not applied by default.
  2. Do not install programs from unknown sources or sites.
  3. Do not click links or open unfamiliar attachments that arrive by email.

Cyber Security

New Survey Shows Growing Crisis of Trust with Microsoft and Legacy IT Vendors


CrowdStrike has announced the release of the 2021 CrowdStrike Global Security Attitude Survey, conducted by independent research firm Vanson Bourne. The report highlights that ransomware payout demands and extortion fees are increasing massively, while trust in legacy IT vendors has dipped and organizations are in fact getting slower at detecting cybersecurity incidents.

“The survey presents an alarming picture of the modern threat landscape, demonstrating that adversaries continue to exploit organizations around the world and circumvent outdated technologies. Today’s threat environment is costing businesses around the world millions of dollars and causing additional fallout,” said Michael Sentonas, chief technology officer at CrowdStrike. “The evolving remote workplace is surely accentuating challenges for businesses as legacy software like Microsoft struggles to keep up in today’s accelerated digital world.”

“This presents a clear clarion call that businesses need to change the way they operate and evaluate more stringently the suppliers they work with,” added Sentonas. “The threat landscape continues to evolve at a frightening pace and it’s obvious that modern organizations need a cloud-native, holistic end-to-end platform approach to tackle and remediate threats in a swift manner.”

Recent attacks such as Sunburst and Kaseya have once again brought supply chain attacks to the forefront: 63% of respondents admit their organization is losing trust in legacy vendors like Microsoft because of frequent security incidents against these previously trusted technology suppliers.

The issue is so widespread that more than 3 out of every 4 respondents (77%) have suffered a supply chain attack. It’s clear that swift action and newer technologies will be required by businesses looking to increase their cyber resiliency.

  • 45% of respondents had experienced at least one supply chain attack in the past 12 months.
  • 64% of respondents cannot claim that all their software suppliers have been vetted in the last 12 months
  • 84% of respondents are fearful of supply chain attacks becoming one of the biggest cybersecurity threats in the next three years

Survey data indicates that ransomware attacks are continuing to prove effective, with average ransomware payments increasing 62.7% in 2021 (from $1.1 million in 2020 to $1.79 million in 2021). Not only that, organizations are almost universally getting hit with “double extortion,” where threat actors not only demand a ransom to decrypt data but additionally threaten to leak or sell the data unless the victim pays more money. Survey data shows that 96% of organizations that paid a ransom were forced to pay additional extortion fees, costing businesses on average $792,493. Additional notable findings include the following:

  • 66% of respondents’ organizations suffered at least one ransomware attack in the past 12 months
  • More than half (57%) of businesses did not have a comprehensive ransomware defense strategy in place
  • The average ransomware payment was $1.34 million in EMEA and $2.35 million in APAC and $1.55 million in the US
  • The average ransom payment increased by 63% in 2021 to $1.79 million (USD), compared to $1.10 million (USD) in 2020. CrowdStrike Intelligence has observed the average ransom demand from attackers is $6 million. While attackers aren’t getting quite the amounts they are seeking, they are still earning massive payouts. CrowdStrike attributes this to companies understanding both the threat and their exposure, and their ability to negotiate with attackers.

CrowdStrike encourages organizations to strive to meet the 1-10-60 rule, where security teams demonstrate the ability to detect threats within the first minute of an intrusion, investigate and understand the threat within 10 minutes, and contain and eradicate the threat within 60 minutes. In today’s remote-first digital world, organizations continue to face massive challenges in detecting security incidents, as evidenced by eye-opening survey data.

  • On average, respondents estimated it would take 146 hours to detect a cybersecurity incident, up from 117 hours in 2020.
  • Once detected, it takes organizations 11 hours to triage, investigate and understand a security incident and 16 hours to contain and remediate one
  • 69% of respondents said that their organization suffered an incident because of staff working remotely

In the 2021 Threat Hunting Report, CrowdStrike’s Falcon OverWatch reported that eCrime threat actors are able to move laterally across an organization’s network in an average of 92 minutes. This paints a sharp contrast between the capabilities of today’s swift attackers and defenders who are increasingly slowed down by high volumes of alerts and tools that lack integrated workflows. Only CrowdStrike provides customers with the powerful fusion of world-class technology combined with elite threat hunting and human expertise that is mandatory to see and stop today’s most sophisticated threats.


Market Research

Ransomware, Initial Access Brokers, Carding – Group-IB Presents Report on Trending Crimes


Group-IB has presented its research into global cyber threats in the report Hi-Tech Crime Trends 2021/2022 at its annual threat hunting and intelligence conference, CyberCrimeCon’21. In the report, which explores cybercrime developments in H2 2020–H1 2021, Group-IB researchers analyze the increasing complexity of the global threat landscape and highlight the ever-growing role of alliances between threat actors. The trend manifests itself in partnerships between ransomware operators and initial access brokers under the Ransomware-as-a-Service model. Scammers also band together in clans to automate and streamline fraudulent operations. Conversely, individual cybercrimes such as carding are in decline for the first time in a while.

For the 10th consecutive year, the Hi-Tech Crime Trends report analyzes the various aspects of the cybercriminal industry’s operations, examines attacks, and provides forecasts for the threat landscape for various sectors. For the first time, the report is divided into five major volumes, each with a different focus: ransomware, the sale of access to corporate networks, cyber warfare, threats to the financial sector, and phishing and scams. The forecasts and recommendations outlined in Hi-Tech Crime Trends 2021/2022 seek to prevent damage and downtime for companies worldwide.

Unwanted guests: over 1,000 accesses to corporate networks were offered for sale in the darknet
One of the underlying trends in the cybercrime arena is a sharp increase in the number of offers to sell access to compromised corporate networks. The market of corporate initial access grew by almost 16% in H2 2020–H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies almost tripled over the review period: from 362 to 1,099. This exclusive data was obtained by Group-IB’s Threat Intelligence & Attribution system, which gathers even deleted information from cybercriminal underground forums.

This segment of the cybercriminal underground has a relatively low entry barrier. Poor corporate cyber risk management, combined with the wide availability of tools for attacking corporate networks, contributed to a record-breaking rise in the number of initial access brokers. In H2 2019–H1 2020, the Group-IB Threat Intelligence team detected only 86 active brokers; in H2 2020–H1 2021 the number skyrocketed to 262, with 229 new players joining the roster.

Most companies affected belonged to manufacturing (9% of all companies), education (9%), financial services (9%), healthcare (7%), and commerce (7%). In the review period, the number of industries exploited by initial access brokers surged from 20 to 35, which indicates that cybercriminals are becoming aware of the variety of potential victims.

The geography of initial access brokers’ operations has also expanded. In H2 2020–H1 2021, the number of countries where cybercriminals broke into corporate networks increased from 42 to 68. US-based companies are the most popular among sellers of access to compromised networks — they account for 30% of all victim companies in H2 2020–H1 2021, followed by France (5%), and the UK (4%).

In the Middle East alone, the total price of all accesses to the region’s companies offered in the underground rose by 37% over the review period, to $247,836. Most of the accesses on sale belonged to organizations from the United Arab Emirates (24%), followed by Israel (13%), Turkey (13%), Saudi Arabia (12%), and Iran (12%).

One of the main driving forces for initial access market growth is the steep increase in the number of ransomware attacks. Initial access brokers remove the need for ransomware operators to break into corporate networks on their own.

Lock, Lock Who’s There? Corporansom
The unholy alliance of initial access brokers and ransomware operators within Ransomware-as-a-Service (RaaS) affiliate programs has led to the rise of the ransomware empire. In total, data relating to 2,371 companies was released on DLSs (Data Leak Sites) over H2 2020–H1 2021, an unprecedented 935% increase compared with the previous review period, when data relating to 229 victims was made public.

Thanks to the Threat Intelligence & Attribution system, Group-IB researchers were able to trace how the ransomware empire has evolved since it appeared. Group-IB’s team analyzed private Ransomware affiliate programs, DLSs where they post exfiltrated data belonging to victims who refused to pay the ransom, and the most aggressive ransomware strains.

Over the review period, Group-IB analysts identified 21 new Ransomware-as-a-Service (RaaS) affiliate programs, which is a 19% increase compared to the previous period. During the review period, the cybercriminals mastered the use of DLSs, which are used as an additional source of pressure on their victims to make them pay the ransom by threatening to leak their data. In practice, however, victims can still find their data on the DLS even if the ransom is paid. The number of new DLSs more than doubled during the review period and reached 28, compared to 13 in H2 2019–H1 2020.

It is noteworthy that in the first three quarters of this year, ransomware operators released 47% more data on attacked companies than in the whole of 2020. Given that cybercriminals publish data on only about 10% of their victims, the actual number of ransomware victims is many times higher than the DLS counts suggest. The share of companies that opt to pay the ransom is estimated at 30%.

Having analyzed ransomware DLS in 2021, Group-IB analysts concluded that Conti became the most aggressive ransomware group, which made public information about 361 victims (16.5% of all victim companies whose data was released on DLS), followed by Lockbit (251), Avaddon (164), REvil (155), and Pysa (118). Last year’s Top 5 was as follows: Maze (259), Egregor (204), Conti (173), REvil (141), and Pysa (123).

Country-wise, most companies whose data was posted on DLSs by ransomware operators in 2021 were based in the United States (968), Canada (110), and France (103), while most organizations affected belonged to the manufacturing (9.6%), real estate (9.5%), and transportation industries (8.2%).

In the Middle East, at least 50 organizations fell prey to ransomware attacks in 2021 so far, an 85% increase over 2020, when data on 27 companies in the region was released on DLSs. This year, most publicly known ransomware victims in the Middle East were based in Turkey (20%), the United Arab Emirates (18%), Saudi Arabia (18%), Israel (10%), and Iran (6%).

The Scamdemic
Another cohort of cybercriminals actively forging partnerships over the review period were scammers. In recent years, phishing and scam affiliate programs have become highly popular. The research conducted by Group-IB revealed that there are more than 70 phishing and scam affiliate programs. Participants aim to steal money as well as personal and payment data. In the reporting period, the threat actors who took part in such schemes pocketed at least $10 million in total. The average amount stolen by a scam affiliate program member is estimated at $83.

Affiliate programs involve large numbers of participants, have a strict hierarchy, and use complex technical infrastructures to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations.

Phishing and scam affiliate programs, initially focused on Russia and other CIS countries, have recently started migrating to Europe, the Americas, Asia, and the Middle East. This is exemplified by Classiscam, an automated scam-as-a-service designed to steal money and payment data. Group-IB is aware of at least 71 brands from 36 countries impersonated by affiliate program members. Phishing and scam websites created by affiliate program members most often mimic marketplaces (69.5%), delivery services (17.2%), and carpooling services (12.8%).

Carding: The Joker’s Last Laugh
Over the review period, the carding market dropped by 26%, from $1.9 billion to $1.4 billion compared to the previous period. The decrease can be explained by the lower number of dumps (data stored on the magnetic stripe on bank cards) offered for sale: the number of offers shrank by 17%, from 70 million records to 58 million, due to the infamous card shop Joker’s Stash shutting down. Meanwhile, the average price of a bank card dump fell from $21.88 to $13.84, while the maximum price surged from $500 to $750.

An opposite trend was recorded on the market for bank card text data (card numbers, expiration dates, cardholder names, addresses, CVVs): the number of records soared by 36%, from 28 million to 38 million, which can be explained in part by the higher number of phishing sites mimicking well-known brands during the pandemic. The average price for text data climbed from $12.78 to $15.2, while the maximum price skyrocketed seven-fold, from $150 to an unprecedented $1,000.

The Middle East followed the global trend, with the regional carding market dropping 49% over the review period, from $47.6 million in H2 2019–H1 2020 to $24.4 million in H2 2020–H1 2021. The total number of bank cards belonging to customers of Middle Eastern banks offered for sale over the period was 1,546,842, a 34% decline from the previous review period, when 2,353,854 card records were offered.

This was accompanied by the increase in the average price of text card data from $8.95 to $14.09 and a dramatic drop in the price of a dump from $69.82 to $22.91.

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.