Ransomware actors focus on targeted attacks against businesses
Experts have encountered cases where payment demands amounted to over half-a-million US dollars
Kaspersky Lab’s researchers have discovered an emerging and alarming trend: more and more cybercriminals are turning their attention from attacks against private users to targeted ransomware attacks against businesses. At least eight groups of cybercriminals involved in developing and distributing encryption ransomware have been identified.
The attacks have primarily hit financial organisations worldwide. Kaspersky Lab’s experts have encountered cases where payment demands amounted to over half a million dollars. The eight identified groups include PetrWrap authors, who have attacked financial organisations worldwide, the infamous Mamba group, and six unnamed groups also targeting corporate users.
According to Kaspersky Lab’s researchers, criminals consider targeted ransomware attacks against businesses potentially more profitable than mass attacks against private users. A successful ransomware attack against a company can stop its business processes for hours or even days, making the owners of affected companies more likely to pay. The attackers infect the targeted organisation with malware through vulnerable servers or spear-phishing emails. They then establish persistence in the victim’s network and identify the valuable corporate resources to encrypt, subsequently demanding a ransom in exchange for decryption. For instance, the Mamba group uses its own encryptor malware, based on the open-source software DiskCryptor. Once the attackers gain a foothold in the network, they install the encryptor across it using a legitimate Windows remote-control utility. Because the tooling is legitimate, these actions look less suspicious to the security officers of the targeted organisation.
Kaspersky Lab’s researchers have encountered cases where the ransom amounted to up to one bitcoin (around $1,000 at the end of March 2017) per endpoint decrypted.
In order to protect organisations from such attacks, Kaspersky Lab security experts advise the following:
a. Conduct proper and timely backup of your data so it can be used to restore original files after a data loss event.
b. Use a security solution with behavior-based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system, making it possible to detect fresh and as yet unknown samples of ransomware.
c. Visit the “No More Ransom” website, a joint initiative with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.
d. Audit installed software, not only on endpoints but also on all nodes and servers in the network, and keep it updated.
e. Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes.
f. Request external intelligence: threat intelligence from reputable vendors helps organisations predict future attacks on the company.
g. Train your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
h. Provide protection inside and outside the perimeter.