Cybersecurity solutions provider Kaspersky disclosed that cybercriminals have evolved toward “targeted ransomware”, attacks that typically cause huge financial and reputational losses for companies. Referred to as Ransomware 2.0, this new variant poses threats that go beyond holding a company’s or organization’s data hostage.
According to Sandra Lee, head of channels for APAC at Kaspersky, among the various threats lurking in the digital world recently, ransomware is one of the most prevalent and serious types of threat affecting business operations. She also said that these adversary groups are now exploiting the increasingly valued digital reputation of target organizations, forcing them to pay hefty ransom amounts.
In its research, Kaspersky found that at least 61 organizations from the APAC region had fallen prey to Ransomware 2.0 in 2020. This, together with the trends of the past couple of years in which criminals use malware to encrypt data and hold it for ransom, indicates that cybercriminals are shifting their focus to more targeted attacks against specific organizations and industries.
With the twin goals of encrypting data and exfiltrating all sensitive data, Ransomware 2.0 is now on the rise. Alexey Shulmin, lead malware analyst at Kaspersky, cited 2020 as the most productive year for ransomware families, which moved from simply taking data hostage to also exfiltrating it. If data is attacked by Ransomware 2.0, there is no way to avoid damage: even if you can restore your files, there is no way to get the stolen data back.
As enterprises and government organizations ramped up their digitalization efforts, their exposure to threats increased while new, highly active variants such as the REvil and JSWorm ransomware families emerged.
REvil Ransomware
REvil first appeared in the ransomware landscape in April 2019, when it spread through an Oracle WebLogic vulnerability and carried out attacks on managed service providers (MSPs). Also known as Sodinokibi and Sodin, its activity first peaked in August 2019 with 289 potential victims. Kaspersky, however, observed fewer detections in July 2020, when its products protected 877 Kaspersky users globally.
APAC remained one of REvil’s top targets. Most of its victims in 2019 were from the region, particularly Taiwan, Hong Kong, and South Korea. In 2020, 635 (36%) of the 1,764 Kaspersky users targeted by the group were from APAC. However, Kaspersky detected the group’s presence in almost all countries and territories last year. During their quiet months, REvil’s creators took the time to improve their arsenal, their methods of targeting victims, and their network reach.
By industry, the biggest targets were engineering and manufacturing at 30%, followed by finance (14%), professional and consumer services (9%), and legal, IT and telecommunications, and food and beverage (7% each).
JSWorm Ransomware
Like REvil, JSWorm entered the ransomware landscape in 2019. Its activity peaked in March 2020, but the number of its victims is relatively low and the geographical distribution of its initial victims was very wide. During its first months, it was detected across the globe: in North and South America (Brazil, Argentina, USA), in the Middle East and Africa (South Africa, Turkey, Iran), in Europe (Italy, France, Germany), and in APAC (Vietnam).
The number of JSWorm victims is relatively low compared with REvil, but it is clear that this ransomware family is gaining ground. Overall, Kaspersky solutions blocked attempts against 230 users globally, a 752% increase compared with the 27 users almost infected with this threat in 2019.
Kaspersky security experts noticed a shift in the group’s attention towards the APAC region. China emerged as the country with the highest number of Kaspersky users almost infected by JSWorm globally, followed by the USA, Vietnam, Mexico, and Russia. APAC remained one of JSWorm’s main targets, as more than one-third (39%) of the enterprises and individuals targeted last year were located in the region.
JSWorm targets critical infrastructure and major sectors across the world. Nearly half, or 41%, of JSWorm attacks were aimed at companies in the engineering and manufacturing industries, followed by energy and utilities (10%), finance (10%), professional and consumer services (10%), transportation (7%), and healthcare (7%).
To stay safe and protected against Ransomware 2.0, Kaspersky recommends that enterprises and organizations do the following:
- Keep your OS and software patched and up to date.
- Train all employees on cybersecurity best practices while they work remotely.
- Only use secure technologies for remote connections.
- Carry out a security assessment of your network.
- Use endpoint security with behavior detection and automatic file rollback, such as Kaspersky Endpoint Security for Business.
- Never comply with the criminals’ demands. Do not fight alone: contact law enforcement, your CERT, and security vendors such as Kaspersky.
- Follow the latest trends via premium threat intelligence subscriptions, such as the Kaspersky APT Intelligence Service.
- Know your enemy: identify new, previously undetected malware on premises with the Kaspersky Threat Attribution Engine.