SecureWorks research indicates top ransomware making their way through APAC
Posted on 27-Aug-2016 09:33 | Tags Filed under: News

SecureWorks Counter Threat Unit (CTU) researchers have tracked the spread of several notorious ransomware families to the Asia-Pacific region, underscoring efforts by some attackers to localise their tools to target multiple geographies.


According to the CTU, the current top four ransomware families (Locky, Cerber, CryptXXX and TorrentLocker) are targeting computer users in APAC and have created localised versions of their threats for Japan. Additionally, CryptXXX has developed a localised version for South Korea.


The top four ransomware families of August 2016 are:


  • Locky: It is run by a single group, which in turn uses two main affiliate groups to distribute the ransomware.
  • Cerber: The CTU saw Cerber emerge in February 2016, and the operators who had been using CryptoWall switched over to Cerber.
  • CryptXXX: The TeslaCrypt ransomware developers ceased operations and voluntarily released their decryption keys, but threat actors migrated to CryptXXX (also known as UltraCrypter) and Cerber.
  • TorrentLocker: It is the elder statesman of the ransomware ecosystem and is run by a single group.

“Unlike other types of malware that are mostly designed to compromise the system covertly, ransomware requires end-user interaction to achieve its goal – collecting ransom,” explained Alex Tilley, Senior Security Researcher, SecureWorks Counter Threat Unit. “This makes localising the threat particularly useful to attackers.”


The most prolific families can each be responsible for millions of spam emails, hundreds of thousands of infected systems, and millions of dollars in ransom payments. “Generally, 0.25% to 3.0% of victims elect to pay a ransom to the attackers holding their data hostage. We ascertain the largest operations are making several million dollars per year and the annual losses from all ransomware families combined exceed AU$10 million annually. The cost of business disruption, lost data, and infection remediation due to ransomware likely extends into the hundreds of millions of dollars annually,” said Tilley.


This means that attackers need to encrypt data on roughly 30 to 400 computers for every victim who relents and pays the ransom (the inverse of a 3.0% and a 0.25% payment rate respectively). The top ransomware families are being spread via malicious spam and exploit kits.


Additional data collected by the CTU about CryptXXX (from June 6 to July 7, 2016) indicates an increase in commodity ransomware during June 2016. CTU researchers observed ransom demands of 0.7, 1.2, or 2.4 BTC, with most victims receiving a demand for 1.2 BTC. CTU analysis revealed at least 69 victims who paid ransoms totalling more than 85.6 BTC (approximately US$53,500) from June 6 to July 7, 2016.


Localisation of tools can take one or all of the following forms: attackers can write ransom notes in the local language; strategically compromise local websites; deliver the ransomware via spam campaigns in the local language; or provide payment instructions that reference local bitcoin wallets and exchange markets.


The effort by cyber attackers to localise their weapons highlights the importance of information sharing and situational awareness, as a threat in one geographical region can soon become a threat in another.


CTU researchers discovered that the Locky ransomware was being used by threat actors to target computer users in Asia-Pacific during Q1 2016, the very same time the ransomware was being used to infect victims in North America and EMEA, indicating that the threat actors were targeting multiple countries during the same timeframe.


Localisation can happen at different paces. For example, despite the English version of CryptXXX being reported in the region in April 2016, a localised version of the ransomware was not reported in Japan and South Korea until May 2016.


In contrast, the CTU team noted that it took nearly a year and a half for a localised version of CryptoLocker to be identified in South Korea after the English version was reported in Hong Kong. This localised version is believed to be the work of a different group. However, in the case of CryptXXX, the CTU suspects that the localised variant that appeared in May is the work of the same threat actors using CryptXXX elsewhere in the region.


Any time gap between the discovery of threats in different regions offers an opportunity for other areas to proactively protect themselves against attacks. While “local” malware variants may use different infrastructure and network indicators, such as IPs and domains, countermeasures designed to detect or filter ransomware command and control (C2) traffic will still be effective unless a significant change in the C2 protocol occurs.
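The point above, that indicator lists tied to one campaign's IPs and domains miss a localised variant while a detection keyed on the C2 protocol itself carries over, can be shown with a small detector. The following is an added example and not SecureWorks' or the article's code: the proxy log lines, the hostnames (RFC 2606 .example names) and the C2 "protocol" signature (an HTTP POST to /api/<32 hex characters> with a fixed spoofed User-Agent) are all constructed for illustration; the page does not describe CryptXXX's real C2 format.

```python
"""Indicator-based vs protocol-based detection of ransomware C2 traffic.

Added example. The log lines, hosts and C2 pattern are hypothetical and
constructed here; they are not taken from any real ransomware family.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy log: an "English" campaign in early May and a later
# "localised" campaign on different infrastructure but the same C2 shape.
SAMPLE_PROXY_LOG = """\
2016-05-02T10:14:03Z 10.0.0.21 POST http://c2-en.example/api/1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d 200 ua="Mozilla/4.0 (compatible; MSIE 6.0)"
2016-05-02T10:14:09Z 10.0.0.21 GET  http://www.intranet.example/index.html 200 ua="Mozilla/5.0"
2016-05-19T08:02:41Z 10.0.0.77 POST http://c2-jp.example/api/ffeeddccbbaa99887766554433221100 200 ua="Mozilla/4.0 (compatible; MSIE 6.0)"
2016-05-19T08:03:00Z 10.0.0.77 POST http://update.vendor.example/report 200 ua="VendorAgent/2.1"
"""


@dataclass(frozen=True)
class ProxyEvent:
    ts: str
    src: str
    method: str
    host: str
    path: str
    status: int
    user_agent: str


# One line = timestamp, client IP, method, URL, HTTP status, quoted UA.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+)\s+(?P<url>\S+) '
    r'(?P<status>\d{3}) ua="(?P<ua>[^"]*)"$'
)


def parse_proxy_log(text):
    """Parse the constructed log format into ProxyEvent records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        u = urlsplit(m["url"])
        events.append(ProxyEvent(m["ts"], m["src"], m["method"],
                                 u.hostname or "", u.path,
                                 int(m["status"]), m["ua"]))
    return events


# Hypothetical IOC list: only the infrastructure seen in the first campaign.
KNOWN_C2_HOSTS = frozenset({"c2-en.example"})


def match_indicators(events, bad_hosts=KNOWN_C2_HOSTS):
    """Indicator-based detection: hit only when the host is on the IOC list."""
    return [e for e in events if e.host in bad_hosts]


# Hypothetical protocol signature shared by both campaigns: a POST to
# /api/<32 hex chars> carrying a hard-coded, outdated User-Agent string.
C2_PATH_RE = re.compile(r"^/api/[0-9a-f]{32}$")
C2_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0)"


def match_c2_protocol(events):
    """Protocol-based detection: independent of which host is contacted."""
    return [e for e in events
            if e.method == "POST"
            and C2_PATH_RE.match(e.path)
            and e.user_agent == C2_USER_AGENT]


if __name__ == "__main__":
    evs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("IOC hits:     ", [e.host for e in match_indicators(evs)])
    print("protocol hits:", [e.host for e in match_c2_protocol(evs)])
```

Run against the constructed log, the IOC detector flags only the c2-en.example beacon, while the protocol detector flags both the English and the localised campaign without any update to an indicator list. The caveat is the one the article states: if the operators change the C2 protocol itself (path layout, User-Agent, encoding), the signature must be revisited.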




