2020, the year of the Ransomware 2.0

05/29/2021 02:18:07 PM

Geographical distribution of companies and individuals in different territories attacked by REvil ransomware in 2020

Kasperksy has declared 2020 as the year of “Ransomware 2.0” in the Asia Pacific (APAC), with two groups – REvil and JSWorm – gaining notoriety in unleashing attacks in the region.

Almost always a “targeted ransomware”, Ransomware 2.0 refers to the groups who moved from hostaging data to exfiltrating data, coupled with blackmailing. The aftermaths of a successful attack include significant monetary loss and damaging reputation loss.

“2020 was the most productive year for ransomware families who moved from hostaging data to exfiltrating data, coupled with blackmailing. In APAC, we noticed an interesting re-emergence of two highly-active groups, REvil and JSWorm. Both resurfaced as the pandemic rages in the region last year and we see no signs of them stopping anytime soon,” said Alexey Shulmin, Lead Malware Analyst at Kaspersky.

REvil – also known as Sodinokibi and Sodin – is a ransomware group that initially distributes itself through an Oracle Weblogic vulnerability and carries attacks on MSP providers.

Kaspersky has written an article about Revil Ransomware in July 2019. It was on the following month, however, when this ransomware group reached its peak with  289 potential victims. The global cybersecurity company, through its telemetry, monitored lesser detections until July 2020. From targeting only 44 Kaspersky users globally last June 2020, the ransomware group accelerated its attacks. As a result, Kaspersky solutions protected 877 users in July from this threat, logging a 1893% increase in a span of just one month.

Expert monitoring also showed how the group has actively spread its malicious arms from the Asia Pacific (APAC) to the world.

“Back in 2019, most of their victims were only from APAC—particularly in Taiwan, Hong Kong, and South Korea. But last year, Kaspersky detected their presence in almost all countries and territories. It is safe to say that during their “silent months”, REvil creators took their time to improve their arsenal, their method of targeting victims, and their network’s reach,” added Shulmin.

And two years since wreaking havoc, one thing remains unchanged – APAC remains one of the top targets for REvil.

Out of 1,764 Kaspersky users targeted by the group in 2020, 635 (36%) of these companies were from the region. Brazil, however, logged as the country with the most number of users almost infected with this threat followed by Vietnam, South Africa, China, and India.

Based on the data published by the threat actors on their data leak site, Kaspersky experts were also able to categorize the group’s targets into several general industry classes. The biggest chunk of their targets in terms of the industry falls under Engineering and Manufacturing (30%). This is followed by Finance (14%) and Professional and Consumer Services (9%). Legal, IT and Telecommunications, and Food and Beverage industries received equal attention at 7%.

Geographical distribution of companies and individuals in different territories attacked by JSWorm ransomware in 2020

JSWorm (aka Nemty, Nefilim, Offwhite, Fusion, Milihpen, etc.)

Like REvil, JSWorm also entered the ransomware landscape in 2019. The geographical distribution of its initial victims, however, was more varied, with countries in North and South America (Brazil, Argentina, USA), in the Middle East and Africa (South Africa, Turkey, Iran), in Europe (Italy, France, Germany), and in APAC (Vietnam) as its targets during its first few months.

The number of JSWorm victims is relatively lower compared with REvil but it is clear that this ransomware family is gaining ground. Overall, Kaspersky solutions have blocked attempts against 230 users globally, still, a 752% increase compared with 2019’s only 27 users almost infected with this type of threat.

Most notably, experts from Kaspersky noticed a shift of the group’s attention towards the APAC region. China emerged as the country with the most number of KSN users almost infected by JSWorm globally, followed by the USA, Vietnam, Mexico, and Russia. More than one-third (39%) of all the enterprises and individuals this group has targeted last year were also located in APAC.

When it comes to target industries, it is clear that this ransomware family eyes critical infrastructure and major sectors across the world. Nearly half (41%) of JSWorm attacks were targeted against companies in the Engineering and Manufacturing industry. Energy and Utilities (10%), Finance (10%), Professional and Consumer Services (10%), Transportation (7%), and Healthcare (7%) were also at the top of their list.

This is based on the data published by the threat actors on their data leak site.

To remain protected against Ransomware 2.0, Kaspersky experts suggest enterprises and organizations the following:

• Keep your OS and software patched and up to date.
• Train all employees on cybersecurity best practices while they work remotely. 
• Only use secure technologies for remote connection.
• Carry out a security assessment on your network.
• Use endpoint security with behavior detection and automatic file rollback, such as Kaspersky Endpoint Security for Business.
• Never follow the demands of the criminals. Do not fight alone - contact Law Enforcement, CERT, security vendors like Kaspersky.
• Follow the latest trends via premium threat intelligence subscriptions, like Kaspersky APT Intelligence Service.
• Know your enemy: identify new undetected malware on-premises with Kaspersky Threat Attribution Engine.

Know more about Ransomware 2.0 on Securelist.com.

Author: slickmaster | © 2021 The SlickMaster's Files