Ransomware Extortion Attacks Continue to Rise in Frequency as Ransom Payments Decrease by 40%

Ransomware is having a very odd second quarter of the year as new variants enter the game governments finally take notice and insurers tighten their underwriting requirements.

Every quarter I make certain to cover their Quarterly Ransomware Report articles, as they provide great insight into the current state of attacks, ransoms, variants, and more. But in Coveware’s latest report covering Q2 2021, we see a bit of a different tone.

In the report, we saw a massive downturn in the average ransom payment – just a little over $136K, down 38% from Q1 of this year. And, yet the percentage of ransomware attacks threatening to leak exfiltrated data increased by 5% this quarter, to 81%.

This is a bit counterintuitive; why would payments go down, but threats (that should yield higher payments) increase?

It may have something to do with some of the other points covered in the Coveware article:

  • 4 new ransomware variants slip into the top 10 list, pushing out old players. (When you think of ransomware as a “business”, sometimes the new players on the market will undercut their competition to establish themselves. Could that be it?)
  • REvil ransomware – which has been behind some of the most high profile attacks last quarter – seems to have disappeared. (This could be due to the increasing involvement of governments – including our own – taking notice of the implications and are beginning to put pressure on foreign governments to put a stop to these cybercriminal gangs.)
  • The attacks on critical infrastructure have woken up CEOs who are now paying attention to the realities of modern ransomware attacks and their impact, and are willing to spend whatever it take to keep from becoming a victim.

Whatever the reason for the lowered ransom payments, the Coveware data still suggests that businesses of every size continue to be under attack and should take measures to protect themselves from the three primary initial attack vectors – vulnerabilities (hint: time to get vulnerability management in high gear), remote access via RDP (shut it down and get a real remote solution), and phishing (educate your users with Security Awareness Training so they don’t fall prey to malicious email content).


Tax Organizations Need to Focus on Cybersecurity

Tax preparation companies and tax agencies are increasingly facing scams, fraud, and other attacks, according to Robert Capps, Vice President of Marketplace Innovation at NuData Security. On the CyberWire’s Hacking Humans podcast, Capps explained that the digitization of taxes has increased the need for tax organizations to focus on cybersecurity.

“If you’re dealing with an agency, a physical organization that is processing your taxes, you drop off the packet, they hand you your taxes, and then you sign, and they get mailed in or even electronically delivered on your behalf – those organizations really need to be taking security into account,” Capps said. “Where taxes, you know, more than a decade ago were all on paper, tax return fraud was the result of breaking into someone’s office and stealing boxes of paperwork. Now that’s all digital. And so whoever’s preparing your taxes or assisting with your taxes really needs to take computer network security into account, and that isn’t always the case, right? Some folks are not as computer-literate as we might want them or expect them to be, given their position.”

Capps noted that attackers also use social engineering and malware to go after corporations as well as individuals.

“On the other side of the coin, corporate tax fraud is an issue, and getting information from an employee through social engineering or getting malware onto their computers in the office can create all kinds of havoc not just at tax time, but also attacking bank balances,” Capps said. “And you see unrequested international wire transfers out of corporate accounts to third-party accounts in another country that can’t be recovered. Those things are all problems when we talk about the corporate side of the fraud, when companies are defrauded by these same individuals.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to avoid falling for scams and other social engineering attacks.


Ragnar Locker Ransomware Finds Its Next Victim in Taiwan Computer Memory Manufacturer ADATA

The ransomware attack occurring in late-May required the maker of consumer and industrial memory products to take systems offline, causing them to recover and upgrade affected systems.

Ragnar Locker hasn’t been in the news much since they became a part of the Maze extortion cartel in the middle of last year. But their latest attack on ADATA signals they aren’t going anywhere and are succeeding in infiltrating and encrypting victim environments.

In an email statement to Bleeping Computer, ADATA confirmed the attack on May 23rd which disrupted business operations. And while no details were released, it appears from the email communications, ADATA was successful in implementing a response plan:

“The company successfully suspended the affected systems as soon as the attack was detected, and all following necessary efforts have been made to recover and upgrade the related IT security systems.”

The bad guys at Ragnar have claimed responsibility for the attack, alleging they have stolen 1.5TB of data – which can include intellectual property, source code, legal documents, confidential files, and more.

ADATA leak page










Source: Bleeping Computer

The upside to this story is ADATA signifies that it’s possible to have proper response plans in place when you’re hit with ransomware to minimize operational disruptions. The downside is ADTAT – and any other organization in their same situation – now has to content with what to do about the stolen data. Remember, ransomware gangs aren’t just arbitrarily taking whatever data they find; they are inspecting all the data they have access to and selectively choosing what data to exfiltrate.

Ragnar has historically gained access via phishing attacks, which are largely preventable with Security Awareness Training that enables users to elevate their attentiveness when interacting with suspicious email and web content.


Phishing Trends Show X-Rated Themes Have Skyrocketed 974%

Phishing lures with X-rated themes have spiked over the past year, according to researchers at GreatHorn. The researchers explain that these emails are effective at getting people to click, and will also make victims reluctant to report the attack once they realize they’ve been scammed.

“Between May 2020 and April 2021, the number of such attacks increased 974%,” the researchers write. “These attacks reach across a broad spectrum of industries and appear to target based on male-sounding usernames in company email addresses.”

The researchers note that in addition to stealing information, the attackers can also return to blackmail victims.

“Attackers use phishing attacks as an initial vector to gather information about the target,” GreatHorn says. “Because of the x-rated content, attackers set up victims with compromising material to be used for blackmail. In these attacks, cybercriminals are tracking the identity of victims who click on their sites by using a technique called an email pass-through. The same technology enables legitimate email senders to auto-populate an unsubscribe field with a user email address. Once a user clicks on a link in the email, their email address is automatically passed to the linked site. In these attacks, the cybercriminal leverages the information they gleaned in order to set up a second stage. Individuals who clicked on links to compromising material could be targeted in the second attack to extort the individual.”

GreatHorn shares a representative example in which a phishing email claimed to come from a woman staying in the same hotel as the recipient.

“The link at the top of this email points to a destination page which is classified as Malicious by Google Safe Browsing,” the researchers write. “Clicking on (https://sites[.]google[.]com/view/interestedyou would bring you to a site with photos. There, a further link points to hungrygrizzly[.]com, which has the appearance of a dating site. It is likely a fake site designed to hook users into providing payment information. User data gleaned in this way will be transmitted to cybercriminals, who will use it for various malicious purposes, such as money withdrawal, blackmailing, or committing further frauds.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for phishing attacks. (And seriously, people–control yourselves online.)


Insights Into Credential Phishing

Cybercriminals are quick to put hacked accounts to use, according to Agari by Help Systems. The researchers found that 91% of compromised accounts are accessed by attackers within one week, and half of these accounts are accessed within the first twelve hours. Additionally, 23% of phishing sites are using automation to test the authenticity of stolen credentials. Agari explains that criminals are efficient at escalating their attack once they gain access to a network.

“[O]nce attackers gained access to the compromised accounts, it became apparent that they wanted to identify high-value targets who have access to a company’s financial information or payment system so that they could send vendor email compromise scams more effectively,” the researchers write. “The accounts were also used for other purposes, including sending malicious emails and using the accounts to register for additional software from which to run their scams.”

Agari notes that once the attackers compromise a single account at an organization, they can use that account to send more convincing phishing emails to other employees. It’s particularly effective in staging business email compromise (BEC) campaigns.

“In another example, cybercriminals targeted employees at real estate or title companies in the U.S. with an email that appeared to come from a U.S.-based financial services company that offers title insurance for real estate transactions,” Agari says. “When targets opened the email, they were encouraged to view a secure message, which sent them to a webpage mimicking the company’s actual homepage. From there, they were encouraged to view additional documents and enter their account information—leading to the compromise. This shows the self-fulfilling growth cycle where credential phishing attacks lead to compromised accounts, which lead to more credential phishing attacks and more compromised accounts, and so on.”

Agari founder Patrick Peterson emphasized that the best way to defend against these attacks is by preventing attackers from gaining a foothold in the first place.

“Without measures in place to protect against BEC and account takeover-based attacks, the problem will only continue,” Peterson said. “The insight uncovered by the [Agari Cyber Intelligence Division (ACID)] team is a sobering reminder of the scale of the issue—compromised accounts lead to more compromised accounts, and only by preventing the first compromise can we suppress BEC at an early stage.”

New-school security awareness training can help your employees avoid falling for social engineering attacks, stopping the attackers before they’re able to establish a beachhead in your organization.


Ransomware Attacks Run Rampant as Fujifilm Becomes the Next Victim

We just covered a recent story today that there was a ransomware attack on Steamship Authority. And like clockwork, another company becomes the next victim.

Fujifilm, a huge Japanese company known for digital imaging products, has been hit with ransomware at their Tokyo headquarters. In a statement from the company, “We want to state what we understand as of now and the measures that the company has taken. In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities.”

As a result of the attack, Fujifilm USA posted on the website that they are experiencing difficulties. These difficulties include a halt on processing orders and no lines of communication available for use.

According to Bleeping Computer, it is suspected that the company’s servers have been infected with Qbot. Qbot has a history of being utilized by multiple ransomware gangs. It is now being linked to the REvil ransomware group, who most recently hacked the world’s largest meat producing company.

With several companies now becoming a victim of ransomware, it’s important for your organization to put cybersecurity first. Additional security layers such new-school security awareness training can ensure your users will know how to report any suspicious activity.


Paying the Ransom Is Not Just About Decryption

I just read that a well-known pipeline company paid $5M to the ransomware hacker group. And despite that, they are still having to use their backups because the decryption process is too slow. This does not surprise me. I also recently read that only 8% of ransomware victims who pay the ransom get all their data back.

But paying the ransom likely means they will be back up sooner than otherwise and it negates a whole lot of other issues. I am not saying every victim should pay the ransom. Obviously, if we keep doing that ransomware will never stop. But if you think paying the ransom is mostly about getting a decryption key then you’re not thinking about ransomware correctly. It’s changed. And paying the ransom is often still the best choice even if you have great backups. Here’s why:

You Still Get More Usable Data

First, the victims that do pay the ransom have an overall better data recovery rate. The same report above that said only 8% of victims that pay the ransom get their all their data back also concluded this, “The researchers found that, on average, victims who pay the ransom recover about 65% of their data, while 29% of respondents said they recovered less than 50% of their data.” So, if you want a better chance of recovering more of your data without recreating it or doing without it, pay the ransom.

Faster Recovery Time

I know many victims who philosophically and ethically refused to pay the ransom. I applaud them. However, many of them were still down or not fully operational far longer than the victims that paid the ransom, on average. I know of many victims who did not pay the ransom who were down months and were still not fully operational nearly a year later. I haven’t heard that from victims who paid the ransom.

Data Exfiltration Is a Huge Worry Now

Over 70% of ransomware now exfiltrates a victim’s confidential data, files, logon credentials, and email before launching the encryption process. Most ransomware gangs spend weeks to months surveilling the victim, reading C-Level emails, and trying to figure out the “crown jewels” of the organization. Then they steal the confidential information and threaten to release it publicly, or to hackers, if they are not paid. A backup is not going to save you.

An organization’s vital, confidential data is released all the time. It happened to DC Metro police recently. The ransomware group got mad because the victim’s initial negotiation amounts were too low. The ransomware group released the vital information on recent police recruits (including their personal identifying information) and internal reports with confidential information I am sure the police would not want released.

Ransomware gangs just want to get paid. They will do whatever they can to the victim…encrypt files, denial-of-service attack them, steal and post information, attack their employees, attack their customers, attack their partners…whatever it takes…to get the victim to pay. Every ransomware group would be glad to not to have do any of these things if meant they would be paid. They are also just as willing to cause as much pain and embarrassment as possible to get paid. And if you don’t pay, they will make it as painful as possible as a lesson to the current and other victims.

And when they attack your employees, customers, and partners, they let them know that the only reason they are attacking them is because the original victim didn’t pay. They say the original victim didn’t care about them and their data enough to stop the ransomware attack and didn’t care about their personal information enough to pay the original ransom. It must cause some reputational issues with the original victim.

What ransomware is doing beyond just encrypting files isn’t new. The new class of ransomware, which I dubbed Ransomware 2.0, started showing up in November 2019. I first wrote about these issues back in January 7, 2020. The only thing that has changed is the percentage of ransomware that started to deploy these additional tactics. Today, it’s over 70% of all ransomware, and it’s likely far higher than that. Heck, if all ransomware does is encrypt your files when it goes off, consider yourself “lucky”.

If you want to learn more about what ransomware is doing today beyond just encrypting files you can watch my webinars here.

Less Likely to Be Hacked by the Same Group Again

One of the biggest questions I get about ransomware is if the ransomware group will hack the victim again even after they pay the ransom? After all, they are criminals, who can trust them? Well, if ransomware criminals re-attacked the victims that paid them, no one would pay them. It’s in the ransomware group’s own best interests to not re-attack the same victims after a ransom has been paid. In fact, most ransomware groups keep track of who has paid the ransom and purposefully avoid them. I’ve heard of victims being re-hit by the same group, complaining to the group that they already paid the ransom, and the ransomware group helping to quickly unlock their files.

Conversely, I’ve heard of a lot of victims who didn’t pay the ransom who were hit again by the same group, but the second time is always much worse – more servers encrypted, more damage, more pain, higher ransom request.

And this is not to say that some victims that paid the ransom don’t get hit again by the same ransomware family. There are unscrupulous ransomware gangs who have no “thief’s honor code”. But it happens more often because the ransomware is being used by multiple “affiliates” and another affiliate accidentally hits the same victim again because they entered through another IP address or business unit of the same company that wasn’t on the ransomware groups “do not target again” list. Mistakes happen. And once the group has successfully hit a victim, again or not, some don’t back down. But it’s clear that the victims that do pay the ransom are usually not hit again by the same group.

What happens far more often is that a victim pays the ransom to one ransomware group and is then, weeks or months later, hit by a completely different ransomware group because they did not get secure enough to keep other groups out. You must close all your vulnerabilities if you want to stay secure. Paying the ransom is not a “Get out of Jail Free” card that all the other ransomware groups will respect. Paying the ransom only gives you that “right” within the same ransomware group. Most victims who pay the ransom will not be hit again by the same ransomware group. That’s the best we can say.

Paying the Ransom Is a Business Decision

Paying the ransom or not is usually a business decision. It even involves figuring out if it is legal to pay the ransom to the group requesting it based on your country’s laws. It is not to be taken lightly. But paying the ransom is about far more than getting a decryption key. You should have already decided ahead of time, before you are hit by ransomware, if you will pay the ransom. That’s senior management and legal decision. But make sure they understand all the facts and ramifications so they can make the best decision for the organization.

Your Only Defense Is Prevention

It is clear that a good backup and even paying the ransom will not protect you if you get hit by ransomware. Your only defense is to prevent it from happening in the first place. It can be done. Organizations do prevent ransomware from getting a foothold in their organization. How do they do it?

First, they focus on the key methods that hackers and malware use to get into most organizations. That means fighting social engineering, better patching, and good password policies. Fighting these three things will do more to prevent ransomware attacks than everything else. Heck, just concentrating on fighting social engineering, far better, will reduce the most cybersecurity risk to your organization of anything you can do. Social engineering and phishing is the number one way that most organizations get compromised by cybercriminals, but most organizations do not focus their mitigations as if that key fact were true.

You need to use your best combination of layered defenses, including policies, technical defenses, and controls, to prevent your organization from being compromised by social engineering and phishing. How can you do that? Glad you asked. You can download KnowBe4’s Comprehensive Anti-Phishing Guide here.

You can download KnowBe4’s Ransomware Hostage Rescue Manual Guide here.

The password policy you should be using is here.

We are in a terrible era where hackers, malware, and especially ransomware, is running amok. It is going to be many years before it starts to get under control. It’s going to take not only better defenses, but a very tough-to-surmount geopolitical agreement. Ransomware will not get under control until the countries that give cyber safe havens to these types of criminals are forced to crack down on them. That is not happening anytime soon.

Till then, your best defenses are to fight with renewed vigor social engineering, better patch, and have a good password policy. Doing far better at these three things will do more to significantly reduce your exposure to ransomware than anything else you can do. Prevention, not backups, are the keys. Make sure management is aware of the changes in ransomware and how data encryption is not the only threat. Management needs to be aware of what paying or not paying the ransom means so they can make their best decision.

As always, fight the good fight!

Credit given to Roger Grimes and The KnowBe4 team


Student’s Attempt to Pirate Software Leads to Ryuk Ransomware Attack

Bleeping Computer recently reported that a student attempted to pirate an expensive data visualization software, which resulted in a Ryuk ransomware attack.

We’ve seen ransomware distributed in the past with STOP and the Exorcist ransomware, crypto hacks, and information stealing trojans. But this type of attack takes ransomware attacks to a whole other level.

A student’s laptop was gained access, and the student had searched for data visualization software that they wanted to install at home. Instead of buying a legit license, the student proceeded to search for a cracked version and downloaded it. This resulted in an infection with an information-stealing trojan. This included the same credentials that were used by Ryuk cybercriminals to log into the institute.

Ryuk ransomware is not to be messed with. We recently covered a story from a few months ago that a Ryuk strain has a worm-like feature in your Window LAN devices, and the ransomware-as-a-service gang has only gotten more tactical in their schemes.

Unfortunately, this will not be the last time a user tries to purchase cracked software. Continual user education is essential to ensure phishing and ransomware attacks do not occur for your organization in the future. New-school security awareness training can ensure your users are up-to-date on the latest attacks.


Ransomware Operators Threaten to Short Victims’ Stocks

The Darkside ransomware operators are now offering to tip off unscrupulous stock traders before they post the names of publicly traded victim companies, the Record reports. The criminals believe this will put more pressure on the victims to pay up. Recorded Future’s Dmitry Smilyanets told the Record that this is the first time a ransomware crew has explicitly made this part of their strategy.

“While other ransomware families previously discussed how to leverage the effect of a publicly disclosed cyber attack on the stock market, they have never made it their official attack vector,” Smilyanets said. “DarkSide becomes the first ransomware variant to make it formal.”

Allan Liska, also from Recorded Future, said that criminals are adapting to victims being less willing to pay ransom. A similar phenomenon occurred over the past two years when ransomware operators began stealing data and threatening to release it if the ransom wasn’t paid.

“We have anecdotal evidence that fewer people are paying ransom, which means ransomware actors have to find new ways to extort money from victims,” Liska said. “We saw that with threats of DDoS attacks last year but those didn’t really seem to work so they are looking for other ways.”

Liska is skeptical that this new technique will be effective, tweeting that “most companies don’t take a noticeable hit in their stock price after a ransomware attack – at least not long term.”

The Record also notes that “any large short bets are most likely to be picked up and investigated by the Securities and Exchange Commission or other regulatory bodies, and not many traders are likely to take up Darkside’s offer for such minimal gains and maximum regulatory risks.”

Cybercriminals are constantly changing their techniques to increase the success of their attacks. New-school security awareness training can give your employees an essential layer of defense against ransomware attacks by teaching your employees how to recognize social engineering attacks.


The Darkside Ransomware Group Is the Dangerous Poster Child for Today’s Ransomware-as-a-Service

Looking beyond the “older” RaaS threat groups like Ryuk, DoppelPaymer, and Revil, today’s modern ransomware-as-a-service operator is far more business-like and specific in execution.

This now nearly 5-year old cyberthreat model empowers just about anyone wanting to be a would-be cyber-thug to jump in and use some very powerful and sophisticated tools to accomplish what only those with extensive development backgrounds could achieve. Most news stories focus on the more “successful” ransomware families, but a new article from cybersecurity vendor Avast showcases Darkside (a spinoff of Revil from back in 2020) – and it’s worth a read.

The newest trend in ransomware attacks is specificity; industry verticals, business sizes, victim titles and roles, social engineering themes and TTPs – and Darkside as them all.

According to Avast, Darkside is a great representation of the modern ransomware threat group:

  • They refine their victim target list, looking for the greatest ability to pay large ransoms
  • They do a ton of diligence on who to target and customize delivery for each attack
  • Their approach to operations is far more corporate-like than a bunch of developers that built some affiliate-friendly ransomware and posted it to the dark web

The fact that a cybercriminal organization like this exists is troubling; the more organized the bad guys get, the more likely their chances of successfully attacking your organization. And with the added “as a service” factor, this concern should be multiplied ten-fold.

Remember, one of the most effective ways to thwart ransomware attacks using phishing as the initial attack vector is through Security Awareness Training which empowers users to identify suspicious email content before interacting with it, stopping the attack in its tracks.