Ransomware Attacks Have Gone Stratospheric: Report


Positive Technologies on Wednesday released a report that indicates ransomware attacks have reached “stratospheric levels.”

Researchers into the Q2 2021 cybersecurity threatscape also point out the evolution in attack strategies and a rise in malware created to target Unix-based systems. Many different versions of Unix exist, and they share similarities. The most popular varieties are Sun Solaris, GNU/Linux, and Mac OS X.

The report finds that ransomware assaults now account for 69 percent of all malware attacks. That is among the most disturbing findings. The research also reveals that the volume of attacks on governmental institutions soared in 2021, from 12 percent in Q1 to 20 percent in Q2.

Positive Technologies’ Expert Security Center, which focuses on threat intelligence, during the quarter discovered the emergence of B-JDUN, a new Remote Access Trojan or RAT used in attacks on energy companies. Researchers also found Tomiris, new malware that comes with functions for gaining persistence and can send encrypted information about the workstation to an attacker-controlled server.

The research found only a minor rise of 0.3 percent in overall attacks from the previous quarter. This slowdown was expected as companies took greater measures to secure the network perimeter and remote access systems during the global pandemic and the growth of a dispersed workforce.

However, researchers warned that the rise in ransomware attacks in particular — a 45 percent jump in the month of April alone — should cause grave concern. The researchers also note a growing pattern of malware specifically designed to penetrate Unix systems.

“We’ve got used to the idea that attackers distributing malware pose a danger to Windows-based systems,” said Yana Yurakova, information security analyst at Positive Technologies. “Now we see a stronger trend of malware for attacks on Unix systems, virtualization tools, and orchestrators. More and more companies, including larger corporations, now use Unix-based software, and that is why attackers are turning their attention to these systems.”

Tactics Against Retailers

The cybersecurity threat landscape for the retail industry has changed. Researchers observed a decrease in the number of MageCart attacks where transaction data is hijacked during checkout at an online store. However, that was countered with an increase in the share of ransomware attacks.

The report reveals that 69 percent of all malware attacks targeting organizations involved ransomware distributors, a 30 percent jump over the same quarter in 2020.

Ransomware attacks on retailers accounted for 95 percent of all attacks using malware. This is likely because previous attacks in this industry mostly targeted data, such as payment details, personal information, and user credentials.

Now, attackers pursue financial gains more directly through ransom demands. The volume of social engineering attacks targeting retail this year also increased, from 36 percent in Q1 to 53 percent in Q2.

Other Findings

Positive Technologies identified a ban by Dark Web forums on the publication of posts regarding ransomware operators’ partner programs. This indicates that soon these ‘partners’ may no longer have a distinct role, researchers said. Instead, ransomware operators themselves could take over the task of assembling and supervising teams of distributors.

Seven out of 10 malware attacks in Q2 this year involved ransomware distributors, with an increase of 30 percentage points compared to Q2 2020’s share of only 39 percent. The most common targets were governmental, medical, industrial companies, and scientific and educational institutions.

Email remains the main method attackers use to spread malware in attacks on organizations (58 percent). However, Positive Technologies’ researchers found that the percentage of websites used to distribute malware in organizations increased from two percent to eight percent.

For example, spyware distributors used this method to target programmers who work with Node.js. The malware imitated the Browserify component in the npm registry.

Malware Attacks on Individuals

Attackers used malware in 60 percent of attacks on individuals. Most often, attackers distributed banking trojans (30 percent of attacks involving other malware), RATs (29 percent), and spyware (27 percent). Ransomware attacks account for only nine percent of attacks involving other malware, according to the report.

For example, a popular attack tool against individuals is the distribution of NitroRansomware. Attackers spread this malware under the guise of a tool for generating free gift codes for Nitro, a Discord add-on.

After launching, the malware collects data from the browser and encrypts the files in the victim’s system. To get a decryptor, the victim must purchase a gift code for activating Nitro and give it to the criminals.

Researchers also noticed a large number of attacks on QNAP network drives. QNAP’s network attached storage (NAS) that runs on Linux are systems that consist of one or more hard drives that are constantly connected to the internet. The QNAP becomes a backup “hub” or storage unit for important files and media such as photos, videos, and music.

Virtual Systems Hit, Too

Positive Technologies warned earlier this year that many attackers were targeting virtual infrastructure. In Q2, the company reported ransomware operators joined such attacks.

REvil, RansomExx (Defray), Mespinoza, GoGoogle, DarkSide, Hellokitty, and Babuk Locker are ready to be used in attacks on virtual infrastructure based on VMware ESXi, researchers said.

The report noted that this could be a growing problem for Linux users in business environments. Trend Micro analyzed the new DarkRadiation ransomware in development and found it to be tailored for attacks on Red Hat, CentOS, and Debian Linux.

The malware itself is a bash script that can stop or disable all running Docker containers. Attackers distribute this ransomware using compromised accounts and the SSH protocol.

According to Dirk Schrader, global vice president for security research at New Net Technologies, now part of Netwrix, the motivation for attacking virtualization systems is not to focus on Linux per se.

It is the aspect that ESXi servers are such a valuable target, and that malware developers went that extra mile to add Linux as the origin of many virtualization platforms to their functionality, he added.

VMware ESXi is a bare-metal hypervisor that installs easily to servers and partitions it into multiple virtual machines.

“This welcomes the side effect of being able to attack any Linux machine. A single EXSi 7 server can host up to 1024 VMs in theory. But for the attacker, it is the combination of a number of VMs and their importance that makes each ESXi server a worthy target. Attacking and encrypting a device that runs 30 or so critical services for an organization is promising to yield ransom-paid results,” he told TechNewsWorld.

Fighting Back

Vulcan Cyber on July 29 published its research into cyber-risk remediation initiatives among enterprises. Vulcan surveyed 200 cybersecurity leaders about their cyber hygiene regimens.

The results revealed that seven percent of companies had been impacted by an IT security vulnerability over the last year. Notably, only 33 percent of respondents said their company considered risk-based vulnerability management to be “very important.”

According to Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber, a clear and widening gap exists between enterprise vulnerability management programs and the ability of IT security teams to mitigate risk facing their organizations.

“As security vulnerabilities proliferate across digital surfaces, it’s increasingly critical that all enterprise IT security stakeholders make meaningful changes to their cyber hygiene efforts. This should include prioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, particularly in businesses with advanced cloud application programs,” he told TechNewsWorld.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Cybersecurity

Technewsworld Channels