Ransomware 2.0: Cybercriminals Have Moved From Encrypting Data to Posting Confidential Information


In recent years, attacks targeted at specific companies have replaced widespread ransomware attacks, in which criminals encrypt data in advance and release the key only against payment of a ransom.


Kaspersky Tribune - In these new targeted campaigns, attackers no longer just encrypt data, but also threaten to publish all or part of confidential information. Kaspersky researchers observed this development by analyzing, in particular, two families of ransomware: Ragnar Locker and Egregor.


Ransomware attacks are considered one of the most pernicious threats to businesses. Not only can they interfere with business operations, they can also cause considerable financial loss, sometimes leading to bankruptcy because of the fines and lawsuits that follow violations of laws and regulations. As an example, the WannaCry attacks are estimated to have caused more than $4 billion in financial losses. The new ransomware campaigns, however, use a different modus operandi: cybercriminals threaten to publish the stolen information.



Ragnar Locker and Egregor are two known ransomware groups that practice this new method of extortion.


Ragnar Locker, first identified in 2019, really rose to prominence in the first half of 2020, when it was suspected of attacking large organizations. Its attacks are targeted, each sample being tailored to the intended victim, and those who refuse to pay see their confidential data posted in the “Wall of Shame” section of the attackers' site.


Likewise, if the victim negotiates with the attackers and then refuses to pay, that discussion is published as well. The main targets are American companies from a range of industries. Last July, Ragnar Locker officially declared that it had joined the group of cybercriminals behind the Maze ransomware, which means the two groups are now sharing stolen information and will soon collaborate. Maze is one of the groups behind the most significant ransomware attacks of 2020.


Egregor is much newer than Ragnar Locker: it was first detected last September. However, it uses broadly similar tactics, and its code shares similarities with Maze's. The malware is usually deployed in the network after the target's data has been exfiltrated, giving the victim 72 hours to pay the ransom before the stolen information is made public. If the victims refuse to pay, the attackers post their names and links to download the company's confidential data on their site.


Egregor's attack perimeter is much larger than that of Ragnar Locker. It has been observed targeting victims across North America, Europe and parts of the APAC region.


“We are currently seeing an increase in Ransomware 2.0, that is, targeted attacks that do not seek to extort money by encrypting data but by threatening to publish it. By doing so, not only is the reputation of companies at risk, but they are also exposed to prosecution if the published data violates regulations like HIPAA or GDPR. The stakes are therefore not limited to financial losses,” comments Dmitry Bestuzhev, Head of the Global Research and Analysis Team for Latin America (GReAT) at Kaspersky.


“Businesses need to realize that ransomware is more than just malware. In fact, it's not uncommon for ransomware to be the last step in a network breach. By the time the ransomware is deployed, the attacker has already scanned the network, identified the confidential data and exfiltrated it. It is important to have good practices in place: identifying the attack at an early stage, before the attackers reach their final goal, can save a lot of money,” adds Fedor Sinitsyn, security expert at Kaspersky.


To learn more about Ransomware 2.0, see the Securelist page.


Recommendations from Kaspersky experts to protect businesses from ransomware:


  • Do not connect remote desktop services (such as RDP) to public networks unless absolutely necessary, and use strong passwords for these services.
  • Keep software up to date on all devices. To prevent ransomware from exploiting vulnerabilities, use tools that can automatically detect vulnerabilities and download and install patches.
  • Install patches for VPN solutions that provide access to remote employees and act as a gateway into your network as soon as they become available.
  • Treat e-mail attachments or messages from unknown senders with caution, and do not open them if in doubt.
  • Use solutions that identify and stop an attack as early as possible.
  • Focus the defence strategy on detecting lateral movement and data exfiltration to the Internet, paying particular attention to outgoing traffic in order to spot the cybercriminals' connections. Back up data regularly and make sure it can be accessed quickly in an emergency.
  • To protect the corporate environment, educate employees with specific training, such as the courses offered on Kaspersky's security awareness platform.
  • For personal devices, use a security solution that protects against malware and undoes changes made by malicious applications.
  • For businesses, protection can be improved with the free Anti-Ransomware Tool for Business from Kaspersky. The updated version contains a prevention feature that stops ransomware and other threats from exploiting vulnerabilities in software and applications. It is also useful for customers who still use Windows 7: with the end of support for Windows 7, new vulnerabilities in this system will no longer be patched by the developer.
  • For better protection, use an endpoint security solution that works through exploit prevention, behaviour detection and a remediation engine.
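As an added illustration of two of the recommendations above (keeping remote desktop services off public networks, and watching outgoing traffic for exfiltration before the ransomware stage), the following Python is example code written for this page, not a Kaspersky tool. The internal address ranges, flow records, listener inventory and per-host baselines are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Assumed internal ranges of the organisation (RFC 1918); anything else counts as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed outbound flow records: (source host, destination IP, destination port, bytes sent).
# Values are invented for this example; 198.51.100.x and 203.0.113.x are documentation addresses.
FLOWS = [
    ("ws-01", "10.0.0.5", 445, 2_000_000),            # internal file share, not exfiltration
    ("ws-01", "198.51.100.40", 443, 300_000),          # ordinary browsing volume
    ("srv-files", "203.0.113.7", 443, 9_500_000_000),  # 9.5 GB pushed to one external host
    ("srv-files", "10.0.0.9", 3389, 50_000),           # internal RDP session
    ("ws-02", "203.0.113.20", 22, 120_000),
]
# Assumed per-host daily outbound baselines (bytes), normally derived from historical flow data.
BASELINE = {"ws-01": 500_000, "srv-files": 200_000_000, "ws-02": 100_000}
# Constructed listener inventory: (host, bound address, port).
LISTENERS = [("srv-files", "0.0.0.0", 3389), ("ws-01", "10.0.0.5", 3389), ("vpn-gw", "203.0.113.8", 443)]


def is_external(ip: str) -> bool:
    """True when an address lies outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(flows):
    """Sum bytes each host sent to external destinations; internal traffic is ignored."""
    totals = defaultdict(int)
    for host, dst, _port, nbytes in flows:
        if is_external(dst):
            totals[host] += nbytes
    return dict(totals)


def flag_exfiltration(flows, baseline, multiplier=10, default_baseline=50_000_000):
    """Return hosts whose external outbound volume exceeds multiplier x their baseline (or the default)."""
    flagged = {}
    for host, total in outbound_bytes_per_host(flows).items():
        if total > baseline.get(host, default_baseline) * multiplier:
            flagged[host] = total
    return flagged


def exposed_remote_desktop(listeners, rdp_ports=(3389,)):
    """Return hosts with RDP bound to all interfaces or to an external address."""
    exposed = []
    for host, bind_ip, port in listeners:
        if port in rdp_ports and (ipaddress.ip_address(bind_ip).is_unspecified or is_external(bind_ip)):
            exposed.append(host)
    return exposed
```

In practice the baselines would be learned from several weeks of flow data and the listener inventory taken from a configuration or asset database; the thresholds here are only illustrative.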
