The most common ransomware and how to protect yourself from it


Ransomware attacks are a major problem for businesses and organizations around the world.

According to Sophos's State of Ransomware 2020 report, 51% of organizations were hit by a ransomware attack in the previous 12 months.

73% of these attacks resulted in the successful encryption of the organization’s data, the report states.

It found that 94% of organizations that had their data encrypted recovered it, and nearly twice as many organizations did so through backups rather than paying a ransom.

In its IT Threat Evolution Report for Q1 2020, Kaspersky’s SecureList stressed that there is no reason to expect the frequency of ransomware attacks to decrease.

It also pointed out that a growing number of ransomware attacks combine encryption with data theft.

“To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil / Sodinokibi, DoppelPaymer, and JSWorm / Nemty / Nefilim,” SecureList said.

“If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup), the attackers threaten to put the stolen confidential information into the public domain.”

It noted that while many of these threats are empty, some ransomware operators have set up websites on which the stolen data is published.

It also listed the 10 most common families of ransomware Trojans, with WannaCry topping the list and accounting for nearly one in five infections.

Common ransomware Trojan families (Kaspersky, Q1 2020)

Rank  Name                  Verdict(s)                                              Percentage of all victims
1     WannaCry              Trojan-Ransom.Win32.Wanna                               19.03%
2     [Generic verdict]     Trojan-Ransom.Win32.Gen                                 16.71%
3     [Generic verdict]     Trojan-Ransom.Win32.Phny                                16.22%
4     GandCrab              Trojan-Ransom.Win32.GandCrypt                           7.73%
5     Stop                  Trojan-Ransom.Win32.Stop                                6.62%
6     [Generic verdict]     Trojan-Ransom.Win32.Encoder                             4.28%
7     [Generic verdict]     Trojan-Ransom.Win32.Crypren                             4.15%
8     PolyRansom / VirLock  Virus.Win32.PolyRansom; Trojan-Ransom.Win32.PolyRansom  2.96%
9     Crysis / Dharma       Trojan-Ransom.Win32.Crusis                              2.02%
10    [Generic verdict]     Trojan-Ransom.Win32.Generic                             1.56%

No company is safe

In 2020, numerous ransomware attacks have hit major organizations and businesses.

Recently, Garmin was the victim of a major ransomware attack that forced several of its services offline for several days.

The incident is believed to have been caused by WastedLocker ransomware, which is operated by the Russian hacking group Evil Corp.

Evil Corp chief Maksim Yakubets is the subject of a $5 million FBI bounty and is believed to be behind several other major attacks on American companies and the American banking system, with the attacks on the latter causing more than $100 million in financial damage.

Garmin reportedly paid a ransom worth millions of dollars through a third party, the ransomware negotiation firm Arete Incident Response (Arete IR).

Arete IR was reportedly Garmin's second choice, after the first firm approached refused to negotiate the ransom payment for fear of violating sanctions imposed by the US government.

In response to the attack, Mimecast's head of e-crime, Carl Wearn, said that to minimize the threat of ransomware attacks, organizations must implement resilience measures that preserve business as usual should the worst happen.

"Off-network backups and a backup email and archiving process must become standard security measures if organizations want to significantly mitigate ransomware threats," Wearn said.

“This particular attack is also concerning because of the type of data that could be lost, including location and personal health data.”

State sponsored groups are joining the party

However, ransomware attacks are not carried out only by independent criminal groups.

Kaspersky analysis has found that North Korean state-sponsored advanced persistent threat (APT) group Lazarus is operating its own ransomware.

“Lazarus’s move to create and distribute ransomware signifies a change in strategy and indicates a willingness to engage in big game hunting in pursuit of financial gain, which is highly unusual among state-sponsored APT groups,” Kaspersky said.

Kaspersky referenced two separate investigations related to VHD ransomware that took place between March and May 2020.

The first incident, which occurred in Europe, did not give many clues as to who carried out the attack.

However, Kaspersky noted that the delivery techniques were similar to those used by APT groups, which is what kept its research team curious.

“In addition, the attack did not conform to the usual modus operandi of the well-known big game hunting groups. Furthermore, the fact that a very limited number of VHD ransomware samples were available, along with very few public references, indicated that this family of ransomware might not be widely marketed on dark market forums, as is often the case,” Kaspersky said.

Kaspersky said the second incident provided a “complete picture of the infection chain” and helped researchers link the ransomware strain to Lazarus.

“While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has resorted to these types of attacks is concerning,” Kaspersky said.

“The global threat of ransomware is big enough and often has significant financial implications for victim organizations to the point of bankruptcy.”

How to protect your organization

To reduce the risk of exposure to ransomware, Kaspersky offered the following recommendations:

  • Keep operating systems and applications up to date.
  • Use a VPN to secure remote access to company resources.
  • Use a modern endpoint security solution with behavior detection support and a remediation engine that enables automatic file rollback and a host of other technologies to stay protected from ransomware.
  • Improve cybersecurity education for employees.
  • Use a reliable data backup scheme or solution.

Mimecast’s head of e-crime, Carl Wearn, provided the following advice:

  • Individual users can help by being aware of the potential for malicious attachments, but they should also be wary of clicking on links in any email they receive, as criminals are increasingly using URL links rather than file-based attachments to infect networks.
  • It is also imperative that remote-working software, such as VPNs and any exposed servers, is kept up to date with patches, as open-source reports indicate that ransomware threat actors are increasingly targeting Windows Remote Desktop Protocol (RDP) and unpatched vulnerabilities to gain initial access.
  • Since the most damaging attacks are often the result of a secondary infection, organizations must also pay close attention to their network traffic patterns and logs to identify any potential compromise.
  • There is a potentially short window of opportunity to remediate the initial dropper infection and thus prevent the subsequent deployment of ransomware.
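The last three points above (RDP as the entry vector, watching logs for the initial compromise, and the short window before ransomware is deployed) are where a detection rule earns its keep. The script below is an added example, not code from the article, Mimecast or Kaspersky. It scans Windows Security logon events for a burst of failed RDP logons (Event ID 4625) from one source address followed by a successful RDP logon (Event ID 4624) from the same address; logon type 10 is RemoteInteractive, i.e. RDP. The pipe-delimited export format and every log line are constructed for the example, and the threshold and window are assumptions to tune per environment.

```python
# Added example (not from the article, Mimecast or Kaspersky): detect an RDP
# brute-force burst that ends in a successful logon, using Windows Security
# event fields. Format and sample lines are constructed for this example.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed export format (not any real tool's output):
# timestamp|event_id|logon_type|target_user|source_ip
SAMPLE_LOG = """\
2020-07-23T02:00:01|4625|10|administrator|203.0.113.45
2020-07-23T02:00:02|4625|10|administrator|203.0.113.45
2020-07-23T02:00:03|4625|10|admin|203.0.113.45
2020-07-23T02:00:04|4625|10|administrator|203.0.113.45
2020-07-23T02:00:05|4625|10|backup|203.0.113.45
2020-07-23T02:00:06|4625|10|administrator|203.0.113.45
2020-07-23T02:00:09|4624|10|administrator|203.0.113.45
2020-07-23T02:05:00|4625|10|jsmith|198.51.100.7
2020-07-23T02:05:30|4625|10|jsmith|198.51.100.7
2020-07-23T02:06:00|4624|10|jsmith|198.51.100.7
2020-07-23T01:00:00|4625|10|svc_sql|192.0.2.88
2020-07-23T01:00:01|4625|10|svc_sql|192.0.2.88
2020-07-23T01:00:02|4625|10|svc_sql|192.0.2.88
2020-07-23T01:00:03|4625|10|svc_sql|192.0.2.88
2020-07-23T01:00:04|4625|10|svc_sql|192.0.2.88
2020-07-23T01:30:00|4624|10|svc_sql|192.0.2.88
2020-07-23T02:10:00|4624|3|fileshare$|192.0.2.10
"""

RDP_LOGON_TYPE = 10      # Windows logon type 10 = RemoteInteractive (RDP)
FAILED_LOGON = 4625      # "An account failed to log on"
SUCCESSFUL_LOGON = 4624  # "An account was successfully logged on"


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int
    logon_type: int
    user: str
    src_ip: str


@dataclass(frozen=True)
class Finding:
    src_ip: str
    failed_attempts: int
    users_tried: tuple
    success_user: str
    success_time: datetime


def parse_events(text):
    """Parse the pipe-delimited export into LogonEvent objects; malformed
    lines are skipped so one bad record does not abort the whole scan."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, user, src_ip = parts
        events.append(LogonEvent(datetime.fromisoformat(ts), int(event_id),
                                 int(logon_type), user, src_ip))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source IP whose successful RDP logon was preceded, within
    `window`, by at least `threshold` failed RDP logons from that same IP.
    Failures older than the window are ignored, so a few mistyped passwords
    spread over hours do not trip the rule."""
    pending = defaultdict(list)  # src_ip -> failed RDP logons not yet resolved
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue  # network, service and local logons are out of scope here
        if ev.event_id == FAILED_LOGON:
            pending[ev.src_ip].append(ev)
        elif ev.event_id == SUCCESSFUL_LOGON:
            recent = [f for f in pending[ev.src_ip] if ev.time - f.time <= window]
            if len(recent) >= threshold:
                findings.append(Finding(
                    src_ip=ev.src_ip,
                    failed_attempts=len(recent),
                    users_tried=tuple(sorted({f.user for f in recent})),
                    success_user=ev.user,
                    success_time=ev.time,
                ))
            pending[ev.src_ip].clear()  # a success resolves the burst either way
    return findings


def scan_sample():
    """Run the detector over the constructed log and return its findings."""
    return detect_rdp_bruteforce(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.src_ip}: {f.failed_attempts} failed RDP logons "
              f"(users tried: {', '.join(f.users_tried)}) then success as "
              f"{f.success_user} at {f.success_time.isoformat()}")
```

On the constructed data only 203.0.113.45 is flagged: the two failures from 198.51.100.7 stay under the threshold, the five failures from 192.0.2.88 fall outside the ten-minute window before that host's success, and the type-3 network logon is never considered. A finding of this shape is exactly the "initial compromise" signal worth acting on inside the short window the advice describes, before the operator moves from a single RDP foothold to deploying ransomware.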
