Dark Reading is part of the Informa Tech Division of Informa PLC
Attacks/Breaches

10/15/2019 04:45 PM
Targeted Ransomware Attacks Show No Signs of Abating

Criminals are becoming more sophisticated and targeted in going after enterprise organizations, a new Q2/Q3 report finds.

There's little sign that cybercriminals are about to let up on ransomware attacks anytime soon. If anything, they appear to be honing their tactics for even more dangerous and disruptive attacks on enterprise organizations over the short term.

Emsisoft recently analyzed threat data from the second and third quarters of this year and found ransomware attacks have become more focused and targeted. The success some attackers have had in extorting ransoms from enterprise targets appears to have spawned more concerted efforts by others to do the same.

"While the total number of ransomware attacks has declined, there has been a significant increase in the number of high-impact attacks targeting companies and public entities," says Fabian Wosar, CTO at Emsisoft. 

Like other businesses, criminal enterprises typically tend to adopt strategies that will produce the greatest returns. For the moment, enterprise ransomware attacks appear to be one of them. "Ransoming critical business data is more profitable than spray-and-pray attacks against home users," Wosar says.

The most visible example of the trend was Sodinokibi, a ransomware-as-a-service threat used by multiple groups in targeted attacks on various major organizations in Q2 and Q3. The malware is believed to be the work of the same group behind GandCrab, a now largely inactive ransomware strain that is estimated to have netted its distributors some $2 billion in less than two years.

Sodinokibi first surfaced in April 2019 and accounted for 4.5% of all ransomware detections in Emsisoft's study. The malware is extremely evasive and includes advanced techniques to avoid detection by security tools, Emsisoft said. Attackers have used multiple methods to distribute the malware, including via phishing emails, by exploiting a security bug in Oracle's WebLogic software, and through compromised managed service providers.

Most initial Sodinokibi attacks involved targets in Asia. But in recent months the ransomware strain has been deployed against targets in Europe and the US as well. The most high-profile of these was a series of coordinated attacks on 22 local governments in Texas that disrupted critical services, including payment processing and ID-card printing in several of the affected cities. None of the victims paid the demanded ransom.

Another ransomware sample that caused considerable havoc for enterprise organizations in Q2 and Q3 was Ryuk, according to Emsisoft. Like Sodinokibi, Ryuk was used in multiple damaging attacks on local governments, including one against Riviera Beach, Florida, which netted the attackers $600,000, and another against Lake City, Florida, where the threat actors walked away with $460,000.

Emsisoft detected significantly larger volumes of attack traffic associated with other ransomware strains. The most commonly reported ransomware strain in the previous two quarters, for instance, was STOP, aka DJVU, which accounted for 56% of all submissions. The malware, which targets home users, first surfaced in 2018 and currently has more than a dozen variants. Victims are typically asked to pay the equivalent of about $490 in Bitcoin to get their data back.

Other high-volume strains included Dharma, which targets businesses and accounted for 12% of all ransomware attacks in the previous two quarters; Phobos, a tool used in targeted attacks on schools, with 8.9% of all ransomware traffic; and GlobeImposter 2.0 (6.5%).

"While Dharma and Phobos are more commonly used than Ryuk and Sodinokibi, the latter have a higher profile because they're the malware of choice in attacks that are publicly disclosed — namely, attacks on state and municipal government, schools, and hospitals," Wosar says.

Emsisoft's analysis showed that US organizations are among the most heavily targeted in ransomware attacks. Some 13.5% of all ransomware submissions between April and the end of September were from the US. Hundreds of local government agencies, schools, and public entities in the country were hit in ransomware attacks during the period under review, Emsisoft says. Only Indonesia, with 17.1%, and India, with 15%, had more attacks in Q2 and Q3 this year.

Disruptive Attacks Increase
Emsisoft's report is consistent with those from others about an increase in targeted ransomware attacks on enterprise organizations. Some vendors have reported evidence of attackers gaining access to target networks and then lurking in them for weeks to identify high-value systems to attack.

The trend prompted the FBI to issue an alert earlier this month warning of high-impact ransomware attacks threatening US businesses and other organizations.

"Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly," the FBI warned, citing complaints it has received from victims. While state and local government entities have borne the brunt, threat actors have actively targeted organizations in other sectors as well, including healthcare, industrial, and transportation, the agency noted.

The FBI has advised organizations not to pay a ransom to get encrypted data back. But there are signs that attackers, in turn, are finding new ways to force victims to comply.

FireEye earlier this month reported an increase in incidents where attackers are infecting hundreds of machines across a victim's network — instead of just high-value ones — to maximize disruption and leave them with little choice but to pay.

"Ransom demands vary enormously, with the average being in the region of $30,000," Wosar notes. But recovery and business interruption costs can be substantially higher. "The largest publicly disclosed ransom demand so far this year has been the $5.3 million that the city of New Bedford [Massachusetts] was asked to pay," he adds.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...