Cybercriminals ignore individuals, focus on holding the enterprise to ransom

More threat actors than ever are spending their time and effort on forcing businesses to pay up through encryption ransomware.
Written by Charlie Osborne, Contributing Writer

Attackers in their droves are turning away from schemes that target individuals in favor of launching ransomware attacks against businesses.

Anton Ivanov, senior security researcher of Kaspersky's anti-ransom unit, told attendees at the Kaspersky Security Analyst Summit on Tuesday that this "alarming" trend includes a heavy focus on financial organizations as an attacker's most-wanted set of targets.

At the summit, the Kaspersky researcher said that the average private user is no longer of much interest to cyberattackers; rather, the lure of a successful ransomware attack levied against a business potentially able to pay far more in ransom payments is now a far more attractive prospect.

According to Ivanov, at least eight separate groups of cybercriminals involved in encryption ransomware development and distribution have been identified, and these attackers are now primarily launching attacks at banks and financial institutions, despite a history of campaigns against the general public.

Once ransomware infects a system through phishing campaigns, spear phishing, or malicious downloads, the malicious code will set to work encrypting drives. A landing page is then thrown up, threatening to delete files entirely or refusing to decrypt files until a ransom -- most often in the cryptocurrency Bitcoin -- is paid.

In many cases, the ransom demand amounts to between a few hundred and a few thousand dollars. However, Ivanov says the firm has come across payment demands made by the eight identified groups that amount to over half a million dollars.

The eight groups include the PetrWrap authors, the Mamba group and six other crews now known for attacking corporate targets -- groups that in the past were known for focusing mostly on private users.

By switching to the corporate arena, the potential financial reward -- no matter how illegal -- increases exponentially. For the average consumer, a demand for half a million dollars isn't going to be possible, and so ransomware operators gain nothing.

However, these high prices may not be such a steep charge for corporations looking to restore access to critical systems as they enter into damage control mode.

"A successful ransomware attack against a company can easily stop its business processes for hours or even days, making owners of affected companies more likely to pay the ransom," Ivanov says.

In general, the groups utilize similar tactics. A company or financial institution is targeted through spear phishing campaigns or vulnerable servers, persistence is established on networks, and valuable corporate assets are identified and encrypted before a ransom is issued.

However, the eight do have some unique features. The Mamba group, for example, uses its own encryptor malware, which is based on the open-source software DiskCryptor. Once a foothold in a corporate network is established, the installer is deployed across it by way of a legal, legitimate Windows remote-control utility -- which may escape the notice of IT administrators.

PetrWrap, however, uses a different set of tools to target organizations with ransomware. The group tends to focus on major companies that have a large number of network nodes that can be compromised in order to improve network persistence.

The cybercriminals have been known for lurking in a vulnerable network for up to six months at a time.

"We should all be aware that the threat of targeted ransomware attacks on businesses is rising, bringing tangible financial losses," Ivanov says. "The trend is alarming as ransomware actors start their crusade for new and more profitable victims."

"There are many more potential ransomware targets in the wild, with attacks resulting in even more disastrous consequences," Ivanov adds.

Kaspersky recommends that businesses enforce strict, frequent backup policies, use security solutions with behavior-based detection (which can potentially catch new and unknown ransomware samples by watching for the behavior characteristic of the malware family rather than relying on signatures), and train staff to recognize phishing campaigns, malicious links and malicious downloads.

The "No More Ransom" project is a collaborative effort between companies including Kaspersky and Intel, as well as European law enforcement agencies, that gives ransomware victims somewhere to turn in their efforts to rid themselves of an infection. The project's "Crypto Sheriff" tool can be used to determine which kind of ransomware is in play, and the site also provides guidance on removing it.

Disclosure: The trip to St. Maarten was sponsored by Kaspersky.
