
Ransomware: a painful start for 2021

In only three months, the number of cyberattacks registered across the world already amounts to one third of the total figure for 2020. The Emotet threat, eradicated by law enforcement forces earlier this year, has already been replaced. And even though the NetWalker and Egregor ransomware programs have been wiped off our screens, other groups have hired their former recruits and doubled down on aggressiveness.

Cyber risks - Valéry MARCHIVE - April 21, 2021

In 2020, after reviewing the press and monitoring hidden websites where cybercriminals flaunt their victims like trophies, LeMagIT had identified nearly 1,630 ransomware attacks worldwide. And for the first quarter of 2021, 615 have already been recorded.

The increase in the threat was most noticeable last September and November, largely because of the aggressiveness displayed by the Conti and Egregor ransomware operators: 300 victims were identified in each of those two months. In November and December of last year, the threat decreased very slightly, to around 230 victims. February and March 2021 displayed similar figures, about twice as many as in July or August 2020. If the attackers keep up their momentum, they seem to be well on their way to setting a new and grim record.

The data from the ‘cybermalveillance.gouv.fr’ platform is hardly more encouraging, as it received 228 requests for assistance in January, 288 in February, and 235 in March. The mark of 200 requests per month was reached last November. Since then, the volume of requests on the platform has remained the same, at a much higher level than in October or September 2020. Sometimes, success costs a king’s ransom…

In-depth attacks

For their part, the attackers are not short of investment to amplify the damage they cause and increase their pressure on the victims. On several occasions, we have observed attacks on backup systems among the victims of Babuk, Conti, or Revil. An excessive reliance on the Active Directory domain is often to blame: once the attacker has taken control of a domain controller, the backup systems joined to that same domain can be accessed and sabotaged.

But that’s not all. An increasing number of attackers are deliberately targeting virtualised environments. This is, for instance, what the Darkside and RansomExx ransomware operators have been doing for several months. But at the end of January, the creators of Babuk introduced a new module for the Unix/Linux operating systems, designed for VMware ESXi hosts and network-attached storage (NAS) systems. As for Conti, it seems to be focusing on vCenter servers.

But recently, Fabian Wosar, from Emsisoft, warned that Babuk’s decryption tool for Linux systems and ESXi hosts does not really work… Or rather, it is not safe to use: some files that appear to be encrypted actually are not, and the decryption tool destroys them.

With extra leverage

At the same time, ransomware operators seem to consider that the threat of disclosing or selling stolen data from their victims is no longer enough to convince them in sufficient numbers. According to our monitoring of the activities of several groups, around 28% of the victims give in to blackmail.

Last year, several actors started to call their victims or their victims’ partners or clients. But Revil made it official in March by clearly announcing that it now offers call centre services to increase pressure on organisations affected by its Sodinokibi ransomware.

And the use of distributed denial-of-service (DDoS) attacks seems likely to increase. The SunCrypt operators had introduced it last year. Revil says it is now offering it on network layers 3 and 7, after having tested it against Acer and Honeywell. The same applies to Avaddon, which has been offering it free of charge since 8 April — along with a phone call service. Darkside has been offering DDoS attacks on layers 3 and 7 against its affiliates’ victims since 14 April.

A legal battle with limited effect

The first quarter was also marked by operations against cybercriminals. At the end of January, Europol announced that it had dealt a major blow to Emotet. Indeed, since then, no malicious spam bearing its signature has been registered. But the new generation is there, in particular IcedID and Qakbot.

Also in late January, the FBI announced the arrest of a Canadian affiliate of the NetWalker ransomware operators, along with the seizure of their hidden web server in Bulgaria. A few weeks later, Ukrainian and French law enforcement forces conducted a large-scale operation against cybercriminals involved in operations related to the Egregor ransomware.

Unfortunately, these last two operations seem to have only cut off the heads of hydra-like organisations, since the most dangerous actors, i.e. the affiliates who actually launch the attacks and deploy the ransomware in return for a share of the eventual ransom payment, are essentially still at large. And they have plenty of alternatives to Egregor and NetWalker. Moreover, the intensity of cybercriminal activity in February and March, and even early April, tends to confirm that these affiliates have moved on to other groups.

