The attackers' new strategy: publishing sensitive data. Cyber criminals are increasingly attacking selected companies and industries as part of targeted campaigns. Sensitive data is no longer just encrypted; instead, the attackers threaten to publish it on the Internet. Kaspersky calls this Ransomware 2.0.
Current ransomware attacks show that cyber criminals are changing their strategy: they are moving away from pure encryption to targeted attacks with the threat of disclosing confidential data if the demanded ransom is not paid. Kaspersky experts reached this conclusion after analyzing the two ransomware families Ragnar Locker and Egregor.
New ransomware attack strategies
Compromises with ransom demands, so-called ransomware attacks, are among the attack scenarios that have to be taken seriously. Not only can they disrupt critical business processes, but they can also lead to massive financial losses, and in some cases even to the bankruptcy of the organization concerned through fines and legal actions. Attacks such as the one launched by WannaCry are estimated to have caused more than $4 billion in financial losses. However, newer ransomware campaigns are changing their modus operandi: they threaten to reveal stolen company information. Two well-known representatives of this new type of ransomware are Ragnar Locker and Egregor.
Approach by Ragnar Locker and Egregor
Ragnar Locker was discovered in 2019 but only gained prominence in the first half of 2020 when large corporations were targeted. Attacks are highly targeted, with each malicious activity tailored to the intended victim. Confidential information of companies that refuse to pay is published on the cybercriminals' "Wall of Shame" page. If the victim communicates with the attackers and then refuses to pay, that chat is also published. The main targets are companies in the USA from different industries. Last July, Ragnar Locker announced that it had joined the Maze ransomware cartel. Since then, the two have exchanged stolen information and collaborated directly. Maze has become one of the most well-known ransomware families in 2020.
The victim only has 72 hours
Egregor was first discovered last September. The malware uses many identical tactics and shares code similarities with Maze. It is usually deployed after the attackers have broken into the network; once the target company's data has been exfiltrated, the victim is given 72 hours to pay the ransom before the stolen information is released. If the affected organization refuses to pay, the attackers publish the organization's name and links to download the confidential company data on their leak page.
The attack radius of Egregor is much larger than that of Ragnar Locker. The cybercriminals behind this ransomware have targeted victims across North America, Europe and parts of the APAC region.
Ransomware 2.0 on the rise
“We are witnessing the rise of ransomware 2.0, which means attacks are becoming more targeted and the focus is no longer just on encrypting sensitive data, but on the concept of publishing it online,” comments Dmitry Bestuzhev, Head of Global Research and Analysis Team (GReAT) Latin America at Kaspersky. “Not only does this jeopardize a company's reputation, but it also creates the risk of lawsuits if the published data violates regulations like HIPAA (Health Insurance Portability and Accountability Act) or GDPR. So there is more at stake than just a financial loss.”
“As a result, organizations can no longer view ransomware threats in a one-dimensional way as just one type of malware,” adds Fedor Sinitsyn, security researcher at Kaspersky. “In fact, ransomware is often just the last stage of network compromise. By the time ransomware runs, the attacker has already scoured the entire network, identified sensitive data, and extracted it. It is important that organizations implement the full range of cybersecurity best practices. Early detection of cyber attacks, before the attackers reach their intended target, can save companies a lot of money.”
More on this at SecureList at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/