Ransomware Roundup: System-Changing Malware Dominates Headlines

As we head into the unofficial start of summer, it doesn’t look like the criminal groups running ransomware programs are planning on taking any time to rest. Ransomware grabbed the infosec headlines last week, with a new report revealing that its share of breaches grew more in the past year than in the previous five years combined.

Here’s a roundup of notable ransomware stories you might have missed.

DBIR finds ransomware has increased by double digits

Verizon Business’s annual Data Breach Investigations Report (DBIR) is out and confirms what many CISOs already know: ransomware continues to plague businesses. Ransomware-related breaches rose by 13 percentage points year over year, a jump larger than the previous five years combined.

Analysts reviewed 23,896 security incidents between November 1, 2020 and October 31, 2021 for the report. Of these, 5,212 were confirmed data breaches.

“As criminals seek to exploit increasingly sophisticated forms of malware, it is ransomware that continues to prove particularly effective in exploiting and monetizing unlawful access to private information,” Verizon Business said in a statement announcing the results.

As Rick Holland (@rickholland), a security veteran and CISO of Digital Shadows, noted on Twitter: “25% of all breaches are ransomware related. #DBIR And that’s exactly what’s being reported. Real number much higher in my opinion.”

Andy Jabbour (@andyjabbour), an analyst at security firm Gate15, referring to the ransomware section of the report, tweeted: “This section is the perfect sequel to last year’s discovery of #Ransomware on the rise dramatically … This trend has continued with ***an increase of almost 13% this year*** (an increase as large as the last five years combined).”

GoodWill Hunts Victims With Malware

In a new twist on ransomware, researchers from CloudSEK report that a ransomware group is using its malware to extract acts of charity rather than cryptocurrency. The so-called GoodWill ransomware group asks victims to perform a charitable act in exchange for the decryption key.

“The Robin Hood-like group compels its victims to donate to the poor and provides financial assistance to patients in need,” researchers say in a blog post about the malware.

Once infected, victims can “choose” which charitable deed to perform in exchange for the key. Choices include:

  • Donate new clothes to the homeless, record the action and post it on social media.
  • Take five less fortunate kids to Dominos, Pizza Hut or KFC for a treat, take photos and videos and post them on social media.
  • Provide financial assistance to anyone who needs urgent medical care but cannot afford it, at a nearby hospital, record audio and share it with operators.

Whether the operators’ intentions are good or not, infosec and legal professionals say victims should not give in to these demands: the demand still depends on an unauthorized intrusion and a hostage decryption key, and there is no guarantee the key will be delivered.

“Goodwill ransomware encrypts all files and asks the victim to pay in acts of kindness (instead of money) to get it back. Don’t. Keep a good backup,” tweeted Courtney Troutman and Emily Worle, who tweet under the @SCBar_PMAP handle.

Cheerscrypt ransomware is not so festive

Trend Micro researchers say they have observed a Linux-based ransomware family called Cheerscrypt that targets VMware ESXi servers. The ransomware uses the now common tactic of double extortion: in addition to encrypting files and demanding a ransom for the decryption key, the operators exfiltrate data beforehand and threaten to leak it if victims don’t pay, so that restoring from backup alone does not neutralize the threat.

The researchers conclude their blog by noting that ESXi is widely used in enterprise settings for server virtualization and is a popular ransomware target precisely because a single compromised hypervisor gives an attacker reach over every virtual machine it hosts.

“Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups as a way to quickly spread ransomware to many devices,” they say.

REvil is back…maybe

Akamai researchers say the infamous ransomware group known as REvil may be active again. REvil first became known as the gang responsible for the Kaseya and JBS ransomware attacks in 2021. Russian officials claimed to have dismantled REvil earlier this year, but last week Akamai’s Security Intelligence Response Team (SIRT) was called in to help with what it described as a Layer 7 (application-layer) DDoS attack on a customer in the hospitality sector by a group claiming to be REvil.

Akamai SIRT member Larry Cashdollar reports that the group launched a coordinated DDoS attack. No ransomware was involved; instead, the attack traffic carried a 554-byte message demanding payment in Bitcoin in order to stop the attack. Whether this is REvil or a copycat group is still under investigation.

“When a threat group changes its techniques, it may be a possible pivot to a new business model, the result of a drastic skill change, a schism within the group, or an unaffiliated copycat trying to leverage the hype of this group to facilitate money for myopic and emotionally reactive victims,” he wrote. “REvil may be testing the waters of DDoS extortion as a profitable business model, but we think it’s more likely that we’ll see the scare tactics associated with previous DDoS extortion campaigns recycled for a new round of campaigns.”

This article first appeared in the Socialized Security Bulletin.

Copyright © 2022 IDG Communications, Inc.