
Attacks/Breaches

10/15/2019
04:45 PM

Targeted Ransomware Attacks Show No Signs of Abating

Criminals are becoming more sophisticated and targeted in going after enterprise organizations, a new Q2/Q3 report finds.

There's little sign that cybercriminals are about to let up on ransomware attacks anytime soon. If anything, they appear to be honing their tactics for even more dangerous and disruptive attacks on enterprise organizations over the short term.

Emsisoft recently analyzed threat data from the second and third quarters of this year and found ransomware attacks have become more focused and targeted. The success some attackers have had in extorting ransoms from enterprise targets appears to have spawned more concerted efforts by others to do the same.

"While the total number of ransomware attacks has declined, there has been a significant increase in the number of high-impact attacks targeting companies and public entities," says Fabian Wosar, CTO at Emsisoft. 

Like other businesses, criminal enterprises typically tend to adopt strategies that will produce the greatest returns. For the moment, enterprise ransomware attacks appear to be one of them. "Ransoming critical business data is more profitable than spray-and-pray attacks against home users," Wosar says.

The most visible example of the trend was Sodinokibi, a ransomware-as-a-service threat used by multiple groups in targeted attacks on various major organizations in Q2 and Q3. The malware is believed to be the work of the same group behind GandCrab, a now largely inactive ransomware strain that is estimated to have netted its distributors some $2 billion in less than two years.

Sodinokibi first surfaced in April 2019 and accounted for 4.5% of all ransomware detections in Emsisoft's study. The malware is extremely evasive and includes advanced techniques to avoid detection by security tools, Emsisoft said. Attackers have used multiple methods to distribute the malware, including via phishing emails, by exploiting a security bug in Oracle's WebLogic software, and through compromised managed service providers.

Most initial Sodinokibi attacks involved targets in Asia. But in recent months the ransomware strain has been deployed against targets in Europe and the US as well. The most high-profile of these was a series of coordinated attacks on 22 local governments in Texas that disrupted critical services, including payment processing and ID-card printing in several of the affected cities. None of the victims paid the demanded ransom.

Another ransomware sample that caused considerable havoc for enterprise organizations in Q2 and Q3 was Ryuk, according to Emsisoft. Like Sodinokibi, Ryuk was used in multiple damaging attacks on local governments, including one against Riviera Beach, Florida, which netted the attackers $600,000, and another against Lake City, Florida, where the threat actors walked away with $460,000.

Emsisoft detected significantly larger volumes of attack traffic associated with other ransomware strains. The most commonly reported ransomware strain in the previous two quarters, for instance, was STOP, aka DJVU, which accounted for 56% of all submissions. The malware, which targets home users, first surfaced in 2018 and currently has more than a dozen variants. Victims are typically asked to pay the equivalent of about $490 in Bitcoin to get their data back.

Other high-volume strains included Dharma, which targets businesses and accounted for 12% of all ransomware attacks in the previous two quarters; Phobos, a tool used in targeted attacks on schools, with 8.9% of all ransomware traffic; and GlobeImposter 2.0 (6.5%).

"While Dharma and Phobos are more commonly used than Ryuk and Sodinokibi, the latter have a higher profile because they're the malware of choice in attacks that are publicly disclosed — namely, attacks on state and municipal government, schools, and hospitals," Wosar says.

Emsisoft's analysis showed that US organizations are among the most heavily targeted in ransomware attacks. Some 13.5% of all ransomware submissions between April and the end of September were from the US. Hundreds of local government agencies, schools, and public entities in the country were hit in ransomware attacks during the period under review, Emsisoft says. Only Indonesia, with 17.1%, and India, with 15%, had more attacks in Q2 and Q3 this year.

Disruptive Attacks Increase
Emsisoft's report is consistent with those from others about an increase in targeted ransomware attacks on enterprise organizations. Some vendors have reported evidence of attackers gaining access to target networks and then lurking in them for weeks to identify high-value systems to attack.

The trend prompted the FBI to issue an alert earlier this month warning of high-impact ransomware attacks threatening US businesses and other organizations.

"Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly," the FBI warned, citing complaints it has received from victims. While state and local government entities have borne the brunt, threat actors have actively targeted organizations in other sectors as well, including healthcare, industrial, and transportation, the agency noted.

The FBI has advised organizations not to pay a ransom to get encrypted data back. But there are signs that attackers, in turn, are finding new ways to force victims to comply.

FireEye earlier this month reported an increase in incidents where attackers are infecting hundreds of machines across a victim's network — instead of just high-value ones — to maximize disruption and leave them with little choice but to pay.

"Ransom demands vary enormously, with the average being in the region of $30,000," Wosar notes. But recovery and business interruption costs can be substantially higher. "The largest publicly disclosed ransom demand so far this year has been the $5.3 million that the city of New Bedford [Massachusetts] was asked to pay," he adds.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
