Geekzone: technology news, blogs, forums
SecureWorks research indicates top ransomware making their way through APAC
Posted on 27-Aug-2016 09:33 | Tags Filed under: News

SecureWorks Counter Threat Unit (CTU) researchers have tracked the spread of several notorious ransomware families to the Asia-Pacific region, underscoring efforts by some attackers to localise their tools to target multiple geographies.


According to the CTU, the current top four ransomware families (Locky, Cerber, CryptXXX and TorrentLocker) are targeting computer users in APAC and have created localised versions of their threats for Japan. Additionally, CryptXXX has a localised version for South Korea.


The top four ransomware families of August 2016 are:


  • Locky: Run by a single group, which in turn uses two main affiliate groups to distribute the ransomware.
  • Cerber: The CTU saw Cerber emerge in February 2016, and the operators who had been using CryptoWall switched over to Cerber.
  • CryptXXX: The TeslaCrypt developers ceased operations and voluntarily released their decryption keys, but threat actors migrated to CryptXXX (also known as UltraCrypter) and Cerber.
  • TorrentLocker: The elder statesman of the ransomware ecosystem, run by a single group.

“Unlike other types of malware that are mostly designed to compromise the system covertly, ransomware requires end-user interaction to achieve its goal – collecting ransom,” explained Alex Tilley, Senior Security Researcher, SecureWorks Counter Threat Unit. “This makes localising the threat particularly useful to attackers.”


The most prolific families can each be responsible for millions of spam emails, hundreds of thousands of infected systems, and millions of dollars in ransom payments. “Generally, 0.25% to 3.0% of victims elect to pay a ransom to the attackers holding their data hostage. We ascertain the largest operations are making several million dollars per year and the annual losses from all ransomware families combined exceed AU$10 million annually. The cost of business disruption, lost data, and infection remediation due to ransomware likely extends into the hundreds of millions of dollars annually,” said Tilley.


This means that attackers need to destroy data on anywhere from 30 to 400 computers for every victim who relents and pays the ransom. The top ransomware families are being spread via malicious spam and exploit kits.


Additional data collected by the CTU about CryptXXX (from June 6 to July 7, 2016) indicates an increase in commodity ransomware during June 2016. CTU researchers observed ransom demands of 0.7, 1.2, or 2.4 BTC, with most victims receiving a demand for 1.2 BTC. CTU analysis revealed at least 69 victims who paid ransoms totaling more than 85.6 BTC (approximately $53,500) from June 6 to July 7, 2016.


Localisation of tools can take one or all of the following forms: attackers can write ransomware messages in the local language; strategically compromise local websites; deliver the ransomware via spam campaigns in the local language; or provide payment instruments using local bitcoin wallet and exchange market lists.


The effort by cyber attackers to localise their weapons highlights the importance of information sharing and situational awareness, as a threat in one geographical region can soon become a threat in another.


CTU researchers discovered that the Locky ransomware was being used by threat actors to target computer users in Asia-Pacific during Q1 2016, the same time the ransomware was being used to infect victims in North America and EMEA, indicating that the threat actors were targeting multiple countries during the same timeframe.


Localisation can happen at different paces. For example, despite the English version of CryptXXX being reported in the region in April 2016, a localised version of the ransomware was not reported in Japan and South Korea until May 2016.


In contrast, the CTU team noted that it took nearly a year and a half for a localised version of CryptoLocker to be identified in South Korea after the English version was reported in Hong Kong. This localised version is believed to be the work of a different group. However, in the case of CryptXXX, the CTU suspects that the localised variant that appeared in May is the work of the same threat actors using CryptXXX elsewhere in the region.


Any time gap between the discovery of threats in different regions offers an opportunity for other areas to proactively protect themselves against attacks. While “local” malware variants may use different infrastructure and network indicators, such as IPs and domains, countermeasures designed to detect or filter ransomware command and control (C2) traffic will still be effective unless a significant change in the C2 protocol occurs.
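The last point is worth seeing in code: a detection keyed on the shape of the C2 check-in survives a change of hosting, while a plain IP/domain blocklist does not. The following is an added illustration, not code from the article or from SecureWorks; the check-in format, the hosts and the proxy log lines are all constructed placeholders and do not describe any real family's protocol.

```python
"""
Protocol-shape detection versus indicator blocklisting for ransomware C2.

Everything here is constructed for the example (hypothetical check-in format,
RFC 5737 documentation addresses, made-up hostnames and proxy log lines).
"""
import re
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qs, urlsplit

# Constructed: infrastructure observed in the hypothetical original
# (English-language) campaign. A localised campaign would replace these.
INDICATOR_BLOCKLIST = {"203.0.113.10", "c2-update.example"}

# Constructed protocol signature for the hypothetical check-in:
# a POST to a single-digit path whose form body carries a 32-hex-char "id"
# and a numeric "ver". Nothing in this signature depends on host or IP.
CHECKIN_PATH = re.compile(r"^/\d$")
CHECKIN_ID = re.compile(r"^[0-9a-f]{32}$")

# Constructed proxy log format: <ts> <client> <method> <url> body=<urlencoded>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) body=(?P<body>\S*)$"
)


class ProxyEvent(NamedTuple):
    client: str
    method: str
    url: str
    body: str


def parse_event(line: str) -> ProxyEvent:
    """Parse one constructed proxy log line into a ProxyEvent."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return ProxyEvent(m["client"], m["method"], m["url"], m["body"])


def indicator_match(event: ProxyEvent, blocklist=INDICATOR_BLOCKLIST) -> bool:
    """Indicator-based check: does the destination host appear on the blocklist?"""
    return urlsplit(event.url).hostname in blocklist


def protocol_match(event: ProxyEvent) -> bool:
    """Protocol-based check: does the request look like the check-in, whatever the host?"""
    if event.method != "POST":
        return False
    if not CHECKIN_PATH.match(urlsplit(event.url).path):
        return False
    fields = parse_qs(event.body)
    ids = fields.get("id", [])
    ver = fields.get("ver", [])
    return (
        len(ids) == 1 and bool(CHECKIN_ID.match(ids[0]))
        and len(ver) == 1 and ver[0].isdigit()
    )


def classify(line: str) -> Dict[str, bool]:
    """Report which of the two detectors fire on a single log line."""
    event = parse_event(line)
    return {"indicator": indicator_match(event), "protocol": protocol_match(event)}


# Constructed sample log: original campaign, localised campaign on new
# infrastructure, a variant with a changed protocol, and benign traffic.
SAMPLE_LOG: List[str] = [
    "2016-06-06T10:01:02Z 10.0.0.5 POST http://c2-update.example/7 "
    "body=id=0123456789abcdef0123456789abcdef&ver=3",
    "2016-06-20T03:14:00Z 10.0.0.9 POST http://192.0.2.44/7 "
    "body=id=fedcba9876543210fedcba9876543210&ver=3",
    "2016-07-01T08:00:00Z 10.0.0.12 GET http://198.51.100.7/api/status body=",
    "2016-06-06T10:02:00Z 10.0.0.5 GET http://www.example.org/index.html body=",
]


def run(lines: List[str] = SAMPLE_LOG) -> List[Dict[str, bool]]:
    """Classify every sample line; see the test for the expected outcome."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, run()):
        print(result, line.split(" ", 3)[3])
```

Line two is the interesting case: the localised campaign moved to a new address, so the blocklist is silent, but the check-in shape is unchanged and the protocol detector still fires. Line three shows the limit the article names: once the C2 protocol itself changes, neither detector fires and the signature has to be rebuilt from fresh analysis.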



