2020: how will ransomware attack? | Natalia Solovieva | 10.06.2020
By the end of 2019 the number of ransomware attacks had grown by 40%, and the average ransom demanded had risen by more than an order of magnitude. In 2020 hackers are expected to set a "record" both in the number of attacks and in the size of the damage they cause. These are the findings of the study "Ransomware: the latest attack methods", prepared by experts at Group-IB.
According to experts from Group-IB's Computer Forensics Laboratory, 2018 was relatively quiet in terms of attacks by malware that encrypts the user's files and demands money (in light of recent events, usually in bitcoin) for their decryption. But in 2019 the hackers decided to catch up: the number of ransomware attacks grew by 40%. As their victims, the attackers chose large computer networks owned or controlled by major corporations, municipalities and medical institutions.
The average ransom demanded for unlocking access to the files and decrypting them grew substantially. In 2018 it amounted to $8 thousand; in 2019 it rose more than 10 times and reached $84 thousand. Group-IB experts also named the ransomware families that proved most aggressive at the end of last year and demanded the largest ransoms, at times reaching $800 thousand. The top of this "anti-rating" included the Ryuk, DoppelPaymer and REvil malware families.
News from the world of ransomware
In 2019 the attackers reached a new level, no longer confining themselves to encrypting files: they began to promote ransomware as a service, RaaS (Ransomware-as-a-Service), "renting" out their malware in exchange for a share of the resulting ransoms.
Over the past year, the operators of a number of ransomware families began to use tactics, techniques and procedures (TTPs) characteristic of targeted cyberattacks (advanced persistent threat, APT, groups). Among them, for example, is exfiltrating data assumed to be important to the potential victim before encrypting it. The operators of the REvil, Maze and DoppelPaymer families, for example, acted this way. But whereas the organizers of targeted cyberattacks use these tactics for espionage, ransomware operators use them to increase the likelihood of receiving a ransom: if the victim does not agree to their demands and does not pay, the critical information obtained during the attack is sold on the darknet.
Another innovation of last year is the frequent use in ransomware campaigns of banking Trojans such as Dridex, Emotet, SDBBot and Trickbot at the stage of initial compromise of the network.
Phishing mailings, infection through external remote-access services (primarily Remote Desktop Protocol, RDP) and drive-by attacks topped the list of initial vectors used to compromise the networks where the attacks began.
Phishing emails, which headed the rating, most often carried the Shade and Ryuk ransomware. Campaigns by the hacker group TA505, which distributes the Clop ransomware, often begin with a phishing email: the infected attachment in the message downloaded, among other things, one of the Trojans FlawedAmmyy RAT or SDBBot.
Most of the publicly accessible servers with port 3389 open, of which there were more than 3 million in 2019, were located in Brazil, Germany, China, Russia and the United States. This avenue of compromise was most often used by the operators of the Dharma and Scarab ransomware.
Quite often the attackers used infected websites to deliver ransomware. A user who visited such a site was redirected to a page that attempted to compromise their device, most often with the RIG EK, Fallout EK and Spelevo EK exploit kits. In this way the operators of the Shade (Troldesh) and STOP malware encrypted data on the initially compromised devices, while the operators of Ryuk, REvil, DoppelPaymer, Maze and Dharma collected information about entire network infrastructures.
In addition, most operators of ransomware such as Ryuk, REvil, Maze and DoppelPaymer began working with tools that made it possible not only to conduct reconnaissance in the compromised network, but also to gain a foothold in it, obtain privileged credentials and take full control of Windows domains. These are the same tools that cybersecurity specialists use during penetration tests: Cobalt Strike, CrackMapExec, PowerShell Empire, PoshC2, Metasploit and Koadic.
Who will save us from the extortionists?
Summarizing the results of the study "Ransomware: the latest attack methods", the authors conclude that in 2019 ransomware operators significantly strengthened their positions, chose to attack larger targets, mainly in the corporate sector, and increased their income. The tactics and tools they use evolved over the past year toward sophisticated techniques that had previously been seen only in targeted hacker attacks. Given these circumstances, experts predict that 2020 may set a record of sorts in both the number of attacks and the size of the losses they cause.
Despite the growing scale of ransomware campaigns, they can still be effectively countered if the necessary precautions are observed, says Oleg Skulkin, leading specialist at Group-IB's Computer Forensics Laboratory. For example, connections to servers via RDP should be made exclusively through a VPN; the passwords of accounts used for RDP access must be complex and changed regularly; and the list of IP addresses from which an external RDP connection can be initiated should be restricted.
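The three precautions above (RDP only over VPN, a strict password policy, and a restricted list of source addresses) can be applied on a Windows host with the built-in firewall and account-policy tooling. The following PowerShell is an added example and is not code from the article or from Group-IB; it assumes an elevated session on the RDP host and a VPN that hands out client addresses from 10.8.0.0/24 (a placeholder range to adjust).

```powershell
# Added example, not from the article or the Group-IB report.
# Assumptions: run as Administrator on the Windows host that accepts RDP;
# the VPN assigns client addresses from 10.8.0.0/24 (placeholder, adjust).
$VpnSubnet = '10.8.0.0/24'

# 1. Make sure inbound traffic is blocked by default on every firewall profile,
#    so that only explicit allow rules open anything.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Disable the built-in "Remote Desktop" rules, which allow TCP 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Allow inbound RDP only from the VPN address range; connections from the
#    Internet hit the default Block and never reach the RDP service.
New-NetFirewallRule -DisplayName 'RDP from VPN subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $VpnSubnet -Action Allow -Profile Any | Out-Null

# 4. Password policy for local accounts: minimum length 14, maximum age 90 days,
#    and the last 24 passwords cannot be reused. Domain-joined hosts should get
#    the equivalent settings from Group Policy instead.
net accounts /minpwlen:14 /maxpwage:90 /uniquepw:24

# 5. Verify: list every rule that touches port 3389 with its state and remote scope.
#    Only the VPN rule should be enabled, and its Remote column should show $VpnSubnet.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    } | Format-Table -AutoSize
```

The final step is the check worth keeping in a runbook: an inventory of rules bound to port 3389 shows at a glance whether some later change has reopened RDP to arbitrary addresses.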
Tag: ransomware
Journal: IT-News