In recent years, large-scale ransomware attacks – in which criminals use malware to encrypt victim data and use it for ransom – have been replaced by more precise attacks against certain companies and industries.
In these campaigns with direct and clear targets, the attackers not only threaten to encrypt the data, but also to publish confidential information online. This trend was observed by Kaspersky researchers in a recent analysis of two important ransomware families: Ragnar Locker and Egregor.
Ransomware attacks are generally considered one of the most serious types of cyber threats that companies face. Not only can they disrupt critical business operations, but they can also lead to massive financial losses and, in some cases, even bankruptcy, due to fines and lawsuits resulting from violations of laws and regulations. For example, WannaCry attacks are estimated to have caused financial losses of more than $ 4 billion. However, newer ransomware campaigns are changing the way they operate: they threaten to make public information stolen from companies.
Ragnar Locker and Egregor are two well-known ransomware families that practice this new method of extortion.
Ragnar Locker was first discovered in 2019, but did not become known until the first half of 2020, when it was spotted attacking large organizations. The attacks are very precise, with each sample specially adapted to the victim in sight, and those who refuse to pay are given confidential data in the “Wall of Shame” section of the site with stolen data. If the victim talks to the attackers and then refuses to pay, these discussions are also published. The main targets are US companies in various industries. In July, Ragnar Locker said he had joined the Maze ransomware cartel, meaning the two sides would share the stolen information and cooperate. Maze has become one of the most notorious ransomware families in 2020.
Egregor is much newer than Ragnar Locker – it was first discovered in September. However, it uses many of the same tactics and has code-level similarities to Maze. The malware is usually uploaded through a network breach after the target data has been obtained, giving the victim 72 hours to pay the ransom before the stolen information becomes public. If the victims refuse to pay, the attackers publish the victims’ names and links to download the company’s confidential data on their website.
Egregor’s range is much wider than that of Ragnar Locker. Companies from North America, Europe and parts of the APAC region were observed on its target list.
” What we see now is the rise of ransomware 2.0. By this I mean that attacks become extremely precise, and the emphasis is not just on encryption; more recently, the extortion process is based on the publication of confidential data online. This not only jeopardizes the reputation of companies, but also opens certain processes if the published data violates regulations such as HIPAA or GDPR. Things are much more important than financial losses, ”said Dmitry Bestuzhev, head of the Latin American Global Research and Analysis Team (GReAT).
” This means that organizations need to think of the threat of ransomware as something much more dangerous than a type of malware. In fact, many times, ransomware is just the final stage of network infiltration. By the time the ransomware is effectively implemented, the attacker has already performed a network reconnaissance, identified confidential data and leaked it. It is important for organizations to implement the full range of good cyber security practices. Identifying the attack at an early stage, before the attackers reach the final goal, can save a lot of money “, adds Fedor Sinitsyn, security expert at Kaspersky.
To keep your company safe from these types of ransomware attacks, Kaspersky experts recommend the following:
- Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords for them.
- Always keep the software up to date on all the devices you use. To prevent ransomware from using vulnerabilities, use tools that can automatically detect vulnerabilities and download and install patches.
- Quickly install available patches for commercial VPN solutions that provide remote employee access and act as gateways to your network.
- Handle email attachments or messages from people you don’t know. If in doubt, do not open them.
- Use solutions such as Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response to identify and stop the attack at an early stage, before the attackers reach their target.
- Focus your security strategy on detecting lateral movements and data leakage on the Internet. Pay special attention to outgoing data traffic to detect cybercriminals’ connections. Back up your data regularly. Make sure you can access it quickly in case of an emergency, when absolutely necessary.
- To protect the corporate environment, educate your employees about cybersecurity issues. Dedicated training sessions can help, such as those provided by Kaspersky Automated Security Awareness Platform. A free course on how to protect yourself from ransomware attacks is available here.
- For personal devices, use a reliable security solution, such as Kaspersky Security Cloud, that protects you against file encryption malware and prevents changes made by malicious applications.
- If you own a business, improve your security with Kaspersky’s free Anti-Ransomware for Business tool. The recently updated version contains a data mining prevention feature to prevent ransomware and other cyber threats against vulnerabilities in software and other applications. It is also useful for customers using Windows 7: Once Windows 7 support is complete, new vulnerabilities in this system will not be fixed by the developer.
- For superior protection, use an endpoint security solution, such as Integrated Endpoint Security, that prevents data mining, detects dangerous situations, and creates a fix engine that is able to counter malicious actions.