Geekzone: technology news, blogs, forums
SecureWorks research indicates top ransomware making their way through APAC
Posted on 27-Aug-2016 09:33. Filed under: News.

SecureWorks Counter Threat Unit (CTU) researchers have tracked the spread of several notorious ransomware families to the Asia-Pacific region, underscoring efforts by some attackers to localise their tools to target multiple geographies.


According to the CTU, the current top four ransomware families (Locky, Cerber, CryptXXX and TorrentLocker) are targeting computer users in APAC and have localised versions of their threats for Japan. Additionally, CryptXXX has a localised version for South Korea.


The top four ransomware families of August 2016 are:


  • Locky: It is run by a single group, which in turn uses two main affiliate groups to seed out the ransomware.
  • Cerber: The CTU saw Cerber emerge in February 2016, and the hackers who had been using CryptoWall switched over to Cerber.
  • CryptXXX: The TeslaCrypt ransomware developers ceased operations and voluntarily released their decryption keys, but threat actors migrated to CryptXXX (also known as UltraCrypter) and Cerber.
  • TorrentLocker: It is the elder statesman of the ransomware ecosystem and is run by a single hacker group.

“Unlike other types of malware that are mostly designed to compromise the system covertly, ransomware requires end-user interaction to achieve its goal – collecting ransom,” explained Alex Tilley, Senior Security Researcher, SecureWorks Counter Threat Unit. “This makes localising the threat particularly useful to attackers.”


The most prolific families can each be responsible for millions of spam emails, hundreds of thousands of infected systems, and millions of dollars in ransom payments. “Generally, 0.25% to 3.0% of victims elect to pay a ransom to the attackers holding their data hostage. We ascertain the largest operations are making several million dollars per year and the annual losses from all ransomware families combined exceed AU$10 million annually. The cost of business disruption, lost data, and infection remediation due to ransomware likely extends into the hundreds of millions of dollars annually,” said Tilley.


At those payment rates, attackers destroy data on anywhere from 30 to 400 computers for every victim who relents and pays the ransom. The top ransomware families are being spread via malicious spam and exploit kits.


Additional data collected by the CTU about CryptXXX (from June 6 to July 7, 2016) indicates an increase in commodity ransomware during June 2016. CTU researchers observed ransom demands of 0.7, 1.2 or 2.4 BTC, with most victims receiving a demand for 1.2 BTC. CTU analysis identified at least 69 victims who paid ransoms totalling more than 85.6 BTC (approximately $53,500) between June 6 and July 7, 2016.


Localisation of tools can take one or more of the following forms: ransom messages written in the local language; strategic compromise of local websites; delivery of the ransomware via spam campaigns in the local language; or payment instructions that use local bitcoin wallets and exchange market lists.


The effort by cyber attackers to localise their weapons highlights the importance of information sharing and situational awareness, as a threat in one geographical region can soon become a threat in another.


CTU researchers found that Locky was being used to target computer users in Asia-Pacific during Q1 2016, the same period in which it was infecting victims in North America and EMEA, indicating that the threat actors were targeting multiple countries within the same timeframe.


Localisation can happen at different paces. For example, despite the English version of CryptXXX being reported in the region in April 2016, a localised version of the ransomware was not reported in Japan and South Korea until May 2016.


In contrast, the CTU team noted that it took nearly a year and a half for a localised version of CryptoLocker to be identified in South Korea after the English version was reported in Hong Kong. This localised version is believed to be the work of a different group. However, in the case of CryptXXX, the CTU suspects that the localised variant that appeared in May is the work of the same threat actors using CryptXXX elsewhere in the region.


Any time gap between the discovery of a threat in one region and its appearance in another gives the later region an opportunity to protect itself proactively. While “local” malware variants may use different infrastructure and network indicators, such as IPs and domains, countermeasures that detect or filter ransomware command-and-control (C2) traffic will remain effective unless the C2 protocol itself changes significantly.
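The point above, that a localised variant tends to change its infrastructure (IPs, domains) far more readily than the shape of its C2 check-in, is easiest to see by running two detectors side by side over proxy logs. The script below is an added example and is not code from SecureWorks or the article: the log format, the indicator list, the `/<16 hex>/gate.php` check-in pattern and the fixed user-agent string are all hypothetical stand-ins for whatever a real family uses, and the log lines are constructed (RFC 5737 addresses and `.test` hostnames). An indicator-only rule fires on the original variant but misses the localised one; a protocol-shape rule catches both; and the final line shows the caveat from the text, a variant whose C2 protocol has changed enough that neither rule fires.

```python
import re

# Constructed sample proxy log lines (not real traffic). Addresses come from
# the RFC 5737 documentation ranges; hostnames use the reserved .test TLD.
SAMPLE_LOGS = [
    # 1. original (English) variant beaconing to infrastructure already on the blocklist
    '2016-06-10T10:00:01Z src=10.0.0.5 dst=192.0.2.10 host=cdn-en.example.test '
    'method=POST uri=/a1b2c3d4e5f60718/gate.php ua="Mozilla/4.0 (compatible; MSIE 6.0)"',
    # 2. localised variant: new IP and new domain, identical check-in protocol
    '2016-06-12T03:14:09Z src=10.0.0.7 dst=198.51.100.23 host=cdn-jp.example.test '
    'method=POST uri=/0f9e8d7c6b5a4938/gate.php ua="Mozilla/4.0 (compatible; MSIE 6.0)"',
    # 3. benign traffic that also happens to POST to a PHP endpoint
    '2016-06-12T03:15:00Z src=10.0.0.9 dst=203.0.113.8 host=intranet.example.test '
    'method=POST uri=/upload.php ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    # 4. variant after a significant C2 protocol change: neither detector fires
    '2016-06-20T11:00:00Z src=10.0.0.5 dst=198.51.100.77 host=static.example.test '
    'method=GET uri=/images/logo.png ua="Mozilla/5.0 (Windows NT 6.1)"',
]

# Hypothetical indicator list for the original variant (constructed placeholders).
KNOWN_C2_IOCS = {"192.0.2.10", "cdn-en.example.test"}

# Hypothetical protocol signature: a POST to /<16 hex chars>/gate.php carrying the
# variant's fixed, outdated user-agent. This describes the shape of the check-in,
# not its destination, so it survives an infrastructure swap.
C2_URI_RE = re.compile(r"^/[0-9a-f]{16}/gate\.php$")
C2_UA = "Mozilla/4.0 (compatible; MSIE 6.0)"

LOG_RE = re.compile(
    r'(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) '
    r'method=(?P<method>\S+) uri=(?P<uri>\S+) ua="(?P<ua>[^"]*)"'
)


def parse_log_line(line):
    """Parse one constructed key=value proxy log line into a dict."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def ioc_match(event, iocs=KNOWN_C2_IOCS):
    """Indicator-based rule: destination IP or host is on the blocklist."""
    return event["dst"] in iocs or event["host"] in iocs


def protocol_match(event):
    """Protocol-shape rule: method, URI structure and user-agent of the check-in."""
    return (
        event["method"] == "POST"
        and C2_URI_RE.match(event["uri"]) is not None
        and event["ua"] == C2_UA
    )


def classify(lines):
    """Run both rules over every line and report which of them fired."""
    results = []
    for line in lines:
        ev = parse_log_line(line)
        results.append({
            "src": ev["src"],
            "dst": ev["dst"],
            "ioc": ioc_match(ev),
            "protocol": protocol_match(ev),
        })
    return results


if __name__ == "__main__":
    for r in classify(SAMPLE_LOGS):
        print(r)
```

Running it shows the indicator rule hitting only line 1 while the protocol rule hits lines 1 and 2; line 3 is a benign POST that neither rule flags, and line 4 illustrates why a protocol signature needs revisiting when the family changes its C2 scheme rather than just its servers.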
