Geekzone: technology news, blogs, forums
SecureWorks research indicates top ransomware making their way through APAC
Posted on 27-Aug-2016 09:33 | Filed under: News

SecureWorks Counter Threat Unit (CTU) researchers have tracked the spread of several notorious ransomware families to the Asia-Pacific region, underscoring efforts by some attackers to localise their tools to target multiple geographies.


According to the CTU, the current top four ransomware families - Locky, Cerber, CryptXXX and TorrentLocker - are targeting computer users in APAC and have created localised versions of their threats for Japan. Additionally, CryptXXX has a localised version for South Korea.


The top four ransomware families of August 2016 are:


  • Locky: Run by a single group, which in turn uses two main affiliate groups to distribute the ransomware.
  • Cerber: The CTU saw Cerber emerge in February 2016, when the threat actors who had been using CryptoWall switched over to Cerber.
  • CryptXXX: After the TeslaCrypt developers ceased operations and voluntarily released their decryption keys, threat actors migrated to CryptXXX (also known as UltraCrypter) and Cerber.
  • TorrentLocker: The elder statesman of the ransomware ecosystem, run by a single threat group.

“Unlike other types of malware that are mostly designed to compromise the system covertly, ransomware requires end-user interaction to achieve its goal – collecting ransom,” explained Alex Tilley, Senior Security Researcher, SecureWorks Counter Threat Unit. “This makes localising the threat particularly useful to attackers.”


The most prolific families can each be responsible for millions of spam emails, hundreds of thousands of infected systems, and millions of dollars in ransom payments. “Generally, 0.25% to 3.0% of victims elect to pay a ransom to the attackers holding their data hostage. We ascertain the largest operations are making several million dollars per year and the annual losses from all ransomware families combined exceed AU$10 million annually. The cost of business disruption, lost data, and infection remediation due to ransomware likely extends into the hundreds of millions of dollars annually,” said Tilley.


At those payment rates, attackers need to encrypt the data on anywhere from roughly 30 to 400 computers for every victim who relents and pays the ransom. The top ransomware families are being spread via malicious spam and exploit kits.


Additional data collected by the CTU about CryptXXX (from June 6 to July 7, 2016) indicates an increase in commodity ransomware during June 2016. CTU researchers observed ransom demands of 0.7, 1.2 or 2.4 BTC, with most victims receiving a demand for 1.2 BTC. CTU analysis revealed at least 69 victims who paid ransoms totalling more than 85.6 BTC (approximately $53,500) between June 6 and July 7, 2016.


Localisation of tools can take one or more of the following forms: attackers can write ransom messages in the local language; strategically compromise local websites; deliver the ransomware via spam campaigns in the local language; or provide payment instructions using local bitcoin wallet and exchange market lists.


The effort by cyber attackers to localise their weapons highlights the importance of information sharing and situational awareness, as a threat in one geographical region can soon become a threat in another.


CTU researchers discovered that the Locky ransomware was being used by threat actors to target computer users in Asia-Pacific during Q1 2016, the same period in which the ransomware was being used to infect victims in North America and EMEA, indicating that the threat actors were targeting multiple countries during the same timeframe.


Localisation can happen at different paces. For example, despite the English version of CryptXXX being reported in the region in April 2016, a localised version of the ransomware was not reported in Japan and South Korea until May 2016.


In contrast, the CTU team noted that it took nearly a year and a half for a localised version of CryptoLocker to be identified in South Korea after the English version was reported in Hong Kong. This localised version is believed to be the work of a different group. However, in the case of CryptXXX, the CTU suspects that the localised variant that appeared in May is the work of the same threat actors using CryptXXX elsewhere in the region.


Any time gap between the discovery of threats in different regions offers an opportunity for other areas to proactively protect themselves against attacks. While “local” malware variants may use different infrastructure and network indicators, such as IPs and domains, countermeasures designed to detect or filter ransomware command and control (C2) traffic will still be effective unless a significant change in the C2 protocol occurs.
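The point above, that indicator-based rules tied to one campaign's IPs and domains stop matching once a localised variant moves to new infrastructure, while a rule keyed on the structure of the C2 exchange keeps matching until the protocol itself changes, can be shown over a few log lines. The following is an added illustration, not code from SecureWorks or the article: the check-in format, host names, addresses and proxy log lines are all constructed for this example and do not describe any real family's C2 protocol.

```python
"""
Added example (not from the SecureWorks research or the Geekzone article).
Two detection rules run over the same constructed proxy log:
  - ioc_match: matches hosts/IPs known from the first (English-language) campaign only
  - protocol_match: matches the shape of the C2 check-in regardless of host
The hypothetical check-in format shared by both "variants" is:
  GET /<4-8 hex chars>/gate.php?id=<16 hex chars>&v=<integer>
Every domain, IP, path and log line below is constructed for this illustration.
"""
import re
from urllib.parse import urlparse, parse_qs

# Shape of the (constructed) C2 check-in: path layout plus required query parameters.
PROTOCOL_PATH_RE = re.compile(r"^/[0-9a-f]{4,8}/gate\.php$")
REQUIRED_PARAMS = {
    "id": re.compile(r"^[0-9a-f]{16}$"),
    "v": re.compile(r"^\d+$"),
}

# Indicators collected from the first campaign only (constructed values).
KNOWN_C2_HOSTS = {"update-check.example.net", "203.0.113.10"}

# Constructed proxy log: "<client_ip> <host> <method> <url>" per line.
# Line 1: original campaign infrastructure.
# Line 2: "localised" variant, new domain, same protocol.
# Line 3: unrelated traffic.
# Line 4: superficially similar path, wrong layout and parameters.
# Line 5: localised variant after a protocol change (parameter renamed).
SAMPLE_LOG = """\
10.0.0.5 update-check.example.net GET http://update-check.example.net/a1b2c3/gate.php?id=0123456789abcdef&v=3
10.0.0.7 jp-soft-mirror.example.jp GET http://jp-soft-mirror.example.jp/deadbeef/gate.php?id=fedcba9876543210&v=3
10.0.0.9 kr-download.example.kr POST http://kr-download.example.kr/api/v2/ping
10.0.0.4 www.example.com GET http://www.example.com/gate.php?id=abc
10.0.0.8 jp-soft-mirror.example.jp GET http://jp-soft-mirror.example.jp/deadbeef/gate.php?id=fedcba9876543210&ver=4
"""


def parse_line(line):
    """Split one proxy log line into its four fields."""
    client, host, method, url = line.split(" ", 3)
    return {"client": client, "host": host, "method": method, "url": url}


def ioc_match(event):
    """Indicator-based rule: only the infrastructure we already know about."""
    return event["host"] in KNOWN_C2_HOSTS


def protocol_match(event):
    """Protocol-based rule: method, path layout and parameter set must all match."""
    parsed = urlparse(event["url"])
    if event["method"] != "GET" or not PROTOCOL_PATH_RE.match(parsed.path):
        return False
    params = parse_qs(parsed.query)
    for name, pattern in REQUIRED_PARAMS.items():
        values = params.get(name, [])
        # Exactly one value, and it must have the expected form.
        if len(values) != 1 or not pattern.match(values[0]):
            return False
    return True


def classify(log_text):
    """Return (client, host, ioc_hit, protocol_hit) for every non-empty log line."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        results.append((event["client"], event["host"], ioc_match(event), protocol_match(event)))
    return results


if __name__ == "__main__":
    for client, host, ioc_hit, proto_hit in classify(SAMPLE_LOG):
        print(f"{client:10} {host:28} ioc={ioc_hit!s:5} protocol={proto_hit}")
```

Only the first line trips the indicator rule; the protocol rule also catches the localised variant on its new domain (line 2), but not the unrelated or look-alike requests, and it stops matching as soon as the check-in format itself changes (line 5). In practice the protocol rule would be written against the family's observed traffic rather than a constructed format, and would be paired with, not substituted for, the indicator feed.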