According to multinational cybersecurity and anti-virus provider Kaspersky, 2020 was the year of “Ransomware 2.0” in the Asia Pacific (APAC) region, as two notorious ransomware families — REvil and JSWorm — set their sights on victims within the area.
Ransomware 2.0 refers to groups that moved from merely holding data hostage to exfiltrating it and blackmailing the victim with the threat of publication. The aftermath of a successful attack includes significant monetary loss and lasting reputational damage.
“2020 was the most productive year for ransomware families who moved from hostaging data to exfiltrating data, coupled with blackmailing. In APAC, we noticed an interesting re-emergence of two highly active groups, REvil and JSWorm. Both resurfaced as the pandemic raged in the region last year and we see no signs of them stopping anytime soon,” according to Alexey Shulmin, Lead Malware Analyst at Kaspersky.
REvil (aka Sodinokibi, Sodin)
Kaspersky first wrote about REvil ransomware in July 2019. Also known as Sodinokibi and Sodin, the group initially distributed itself through an Oracle WebLogic vulnerability and carried out attacks on managed service providers (MSPs).
While REvil’s activity peaked in August 2019 with 289 potential victims, Kaspersky telemetry recorded fewer detections until July 2020. From targeting only 44 Kaspersky users globally in June 2020, the ransomware group sharply accelerated its attacks: Kaspersky solutions protected 877 users from this threat in July, a 1,893% increase in the span of a single month.
In addition, expert monitoring showed how the group has actively expanded its operations from the Asia Pacific (APAC) region to the rest of the world.
“Back in 2019, most of their victims were only from APAC — particularly in Taiwan, Hong Kong, and South Korea. But last year, Kaspersky detected their presence in almost all countries and territories. It is safe to say that during their ‘silent months,’ REvil creators took their time to improve their arsenal, their method of targeting victims, and their network’s reach,” adds Shulmin.
One thing was unchanged, though: APAC remained one of the top targets for REvil. Of the 1,764 Kaspersky users targeted by the group in 2020, 635 (36%) were from the region. Brazil, however, logged the highest number of users almost infected with this threat, followed by Vietnam, South Africa, China, and India.
Based on the data published by the threat actors on their data leak site, Kaspersky experts were also able to categorize the group’s targets into several general industry classes. The largest share of targets by industry falls under Engineering and Manufacturing (30%), followed by Finance (14%) and Professional and Consumer Services (9%). The Legal, IT and Telecommunications, and Food and Beverage industries received equal attention at 7% each.
JSWorm (aka Nemty, Nefilim, Offwhite, Fusion, Milihpen, etc.)
Like REvil, JSWorm also entered the ransomware landscape in 2019. However, the geographical distribution of its initial victims was more varied. During its first months, it was detected across the globe — in North and South America (Brazil, Argentina, USA), in the Middle East and Africa (South Africa, Turkey, Iran), in Europe (Italy, France, Germany), and in APAC (Vietnam).
The number of JSWorm victims is relatively low compared with REvil, but it is clear that this ransomware family is gaining ground. In 2020, Kaspersky solutions blocked attempts against 230 users globally; small in absolute terms, this is still a 752% increase over the 27 users almost infected with this threat in 2019.
Most notably, Kaspersky experts noticed a shift in the group’s attention towards the APAC region. China emerged as the country with the highest number of KSN (Kaspersky Security Network) users almost infected by JSWorm globally, followed by the USA, Vietnam, Mexico, and Russia. More than one-third (39%) of all the enterprises and individuals this group targeted last year were also located in APAC.
When it comes to target industries, it is clear that this ransomware family eyes critical infrastructure and major sectors across the world. More than two-fifths (41%) of JSWorm attacks were aimed at companies in the Engineering and Manufacturing industry. Energy and Utilities (10%), Finance (10%), Professional and Consumer Services (10%), Transportation (7%), and Healthcare (7%) were also near the top of the list. This is based on the data published by the threat actors on their data leak site.
To remain protected against Ransomware 2.0, Kaspersky experts advise enterprises and organizations to:
- Keep your OS and software patched and up to date.
- Train all employees on cybersecurity best practices while they work remotely.
- Only use secure technologies for remote connection.
- Carry out a security assessment on your network.
- Use endpoint security with behavior detection and automatic file rollback, such as Kaspersky Endpoint Security for Business.
- Never follow the demands of the criminals. Do not fight alone – contact law enforcement, your national CERT, and security vendors such as Kaspersky.
- Follow the latest trends via premium threat intelligence subscriptions, like Kaspersky APT Intelligence Service.
- Know your enemy: identify new undetected malware on-premises with Kaspersky Threat Attribution Engine.
To know more about Ransomware 2.0, you may visit Securelist.com.