Ransomware the number one threat
Ransomware was identified as the number one threat that businesses are now facing, according to respondents in a recent report from Palo Alto Networks Unit 42. The report notes:
“84 per cent of IT teams saw ransomware as representing a significant or very significant risk. Other threats posed included: unpatched vulnerabilities and firmware attacks on laptops (83 per cent), data leakage (82 per cent), account/device takeover (81 per cent), targeted attacks and man-in-the-middle attacks (79 per cent), IoT threats (77 per cent), and printer firmware attacks (76 per cent).”
The report notes three trends in ransomware:
- Victim shaming is on the rise, with over 35 gangs using a variety of methods ranging from “leak sites” to threats of exposure on social media. This strategy is less than two years old but seems to be part of the mainstream of ransomware attacks.
- Ransomware as a Service is also growing, which fuels a large potential increase in the number of attackers. It lets specialized groups or gangs develop the software and even run the infrastructure to take payments and leak data, while allowing almost anyone with limited resources and technical skills to mount an attack.
- Ransomware attackers are exploiting zero-day vulnerabilities more and more. The report notes 42 different zero-day vulnerabilities used in major exploits in 2021. Since a zero-day vulnerability is one that a vendor has not yet identified or provided a patch for, the sophistication of the research these groups are doing is both impressive and threatening.
The full report can be downloaded at this link (registration required).
Three user responses – Apathy, Frustration and Circumvention
If an engaged and educated user population is one of the greatest defences against ransomware, the statistics from a report from HP Wolf Security paint a dismal picture. The stats are organized into three categories – apathy, frustration, and circumvention.
One statistic alone should set off alarm bells. One third of those surveyed admitted to attempts to circumvent security. That is, however, only one of many alarming numbers in the report:
- 39 per cent of office workers surveyed aged 18-24 were unsure of the existing data security policies in place at their work
- 36 per cent of office workers surveyed had been given training on how to protect their home network
- 54 per cent of office workers surveyed aged 18-24 were more worried about deadlines than exposing the business to a data breach
- 48 per cent of office workers surveyed aged 18-24 thought security policies are a hindrance
- 37 per cent of office workers surveyed said security policies and technologies are too restrictive
- 48 per cent of office workers surveyed said security measures result in a lot of wasted time
- 31 per cent of office workers surveyed aged 18-24 had tried to circumvent security
We know that most cybersecurity breaches require an action, an omission or a mistake on the part of an employee. That has led to a much greater emphasis on employee training. Unfortunately, despite all of those efforts, little progress appears to have been made. According to these results, employees view cybersecurity as an impediment rather than a protection for their business.
The number of new ransomware variants is climbing
The number of new variants in ransomware is growing at an alarming rate. Last week we discussed new variants, including Lilith and omega, as well as some “upgrades” to existing variants. This week, two new major ransomware threats were identified.
One, called Luna, is part of a new trend of ransomware that can encrypt devices running several operating systems: Windows, Linux and ESXi.
Discovered by Kaspersky security researchers via a dark web ransomware forum ad spotted by the company’s Darknet Threat Intelligence active monitoring system, Luna ransomware appears to be specifically tailored for use only by Russian-speaking threat actors. That, together with the name “Luna”, which is Russian for “moon”, makes it likely that this has been developed and spread from Russia.
While the researchers noted that this variant appears to be still “under development”, with what they termed “limited capabilities”, the cross-platform nature of this ransomware presents a new type of threat.
The group developed their software in Rust, which enables it to port to multiple platforms with very little change to the source code. The researchers noted that “both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version. The rest of the code has no significant changes from the Windows version.”
Using a cross-platform language not only makes the ransomware easier to spread across different environments, but may also help it evade automated static code analysis.
Kaspersky says there is very little data on what victims, if any, have been encrypted using Luna ransomware, given that the group has just been discovered and its activity is still being monitored.
The Hacker News published a piece on a North Korean group that has been linked to ransomware attacks targeting small businesses since September 2021.
The group calls itself H0lyGh0st after the ransomware of the same name. It was identified by the Microsoft Threat Intelligence Center and classified as DEV-0530 under new and developing threats. It aims primarily at small-to-midsize businesses including manufacturing, banks and financial organizations, schools, and even other segments like event and meeting planning companies.
The group is reported not only to encrypt data, but also to threaten companies with the release of that data on social media.
Holy Ghost is looking for amounts between 1.2 and 5 bitcoins, placing the average ransom somewhere between US$30,000 and US$50,000. It’s an amount that would be possible for a small business to pay. Whether this pricing strategy will work is an open question, as researchers couldn’t identify any payments made to the organization’s cryptocurrency wallet.
Their dark web portal mirrors messaging from an earlier ransomware called Goodwill, in that it says it is to “close the gap between the rich and poor” and “help the poor and starving people.”
The group is active and growing, and researchers have identified four variants of the H0lyGh0st ransomware.