Group-IB names the greediest ransomware families

US, WASHINGTON (ORDO NEWS) — The number of ransomware attacks in 2019 rose by 40% compared with the previous year, while the average ransom demanded grew several times over, according to a study published by Group-IB.

The victims included municipalities, corporations and medical institutions. The average ransom demanded also grew, from $8,000 in 2018 to $84,000 last year. According to Group-IB, the most aggressive and greedy ransomware families last year were Ryuk, DoppelPaymer and REvil, whose individual ransom demands reached $800,000.

Last year, cybercriminals adopted some of the tactics, techniques and procedures characteristic of APT groups. One borrowed trick was exfiltrating data important to the victim before encrypting it. APT groups use this technique for espionage, but ransomware operators stole the information to increase their chances of getting paid: if their demands were not met, they kept the option of earning money by selling the confidential data on the dark web.

Attackers increasingly used banking trojans at the initial compromise stage, along with tools that cybersecurity specialists use during penetration tests. For example, the operators of Ryuk, REvil, Maze and DoppelPaymer made active use of Cobalt Strike, CrackMapExec, PowerShell Empire, PoshC2, Metasploit and Koadic, which allowed them not only to conduct reconnaissance in a compromised network but also to establish persistence, obtain privileged credentials and even take full control of Windows domains.

Overall, experts say that ransomware operators reached a new level last year: their activity was no longer limited to file encryption. Malware developers began offering ransomware as a service (RaaS), leasing their malware to affiliates in exchange for a share of the ransom.

Phishing emails remained one of the most common initial compromise vectors; Shade and Ryuk ransomware were the families most often hidden in such emails. The campaigns of the financially motivated group TA505, which distributed Clop ransomware, typically started with a phishing email carrying a malicious attachment that, among other things, downloaded one of the group's trojans (FlawedAmmyy RAT or SDBBot).

Last year, the number of reachable servers with port 3389 (RDP) exposed exceeded 3 million, most of them located in Brazil, Germany, China, Russia and the United States. Interest in this compromise vector, used most often by the Dharma and Scarab operators, was fueled by the discovery of five new vulnerabilities in the remote access service, none of which, however, was successfully exploited in ransomware attacks.

In 2019, attackers also frequently used compromised websites to deliver ransomware. Once a user landed on such a site, they were redirected to pages that attempted to compromise the device, for example by exploiting browser vulnerabilities. The exploit kits most commonly used in these attacks were RIG EK, Fallout EK and Spelevo EK.

Some attackers immediately encrypted the data on the initially compromised devices, but many others went further, gathering information about the compromised network, moving laterally and eventually compromising entire network infrastructures.

Despite the growing scale of ransomware campaigns, they can be resisted by putting the necessary precautions in place. Among other things, these include allowing RDP connections to servers only over a VPN, setting strong passwords for the accounts used for RDP access and rotating them regularly, and restricting the list of IP addresses from which external RDP connections may be initiated.
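The RDP precautions listed above, applied to a single Windows host, as an added example that is not part of the Group-IB report or the ORDO NEWS article. It assumes the host has the built-in NetSecurity module (Windows Server 2012 / Windows 8 and later), that the session is elevated, and that VPN clients receive addresses from the pool 10.8.0.0/24; that pool and the rule name are placeholders to replace with your own values.

```powershell
# Added example; not code from the Group-IB report or ORDO NEWS.
# Assumptions: elevated session on a Windows host with the NetSecurity module,
# VPN client pool 10.8.0.0/24 (placeholder value; replace with your own).

$VpnPool = '10.8.0.0/24'   # assumed VPN address pool

# Report enabled inbound allow rules that expose TCP/3389 to any remote address.
# Used before and after hardening to confirm the change took effect.
function Get-OpenRdpRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            ($port.Protocol -eq 'TCP') -and ($port.LocalPort -contains '3389') -and
            ($addr.RemoteAddress -contains 'Any')
        }
}

Write-Host 'Rules exposing RDP to any source before hardening:'
Get-OpenRdpRules | Select-Object DisplayName, Profile | Format-Table

# 1. Disable the stock "Remote Desktop" rule group, which accepts any remote address.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 2. Allow RDP only from the VPN address pool (the "VPN only" + IP allowlist controls).
New-NetFirewallRule -DisplayName 'RDP (VPN clients only)' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $VpnPool -Action Allow

# 3. Require Network Level Authentication, so credentials are verified before
#    a desktop session is created for the remote peer.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# 4. Local password policy for the accounts used over RDP: at least 14 characters,
#    rotation every 60 days, lockout after 5 failed attempts.
net accounts /minpwlen:14 /maxpwage:60 /lockoutthreshold:5

# 5. Re-run the audit; an empty result means no rule still exposes RDP to any source.
if (Get-OpenRdpRules) {
    Write-Warning 'RDP is still reachable from any address; review the rules listed above.'
} else {
    Write-Host 'RDP is now reachable only from the VPN pool.'
}
```

On a domain-joined host the password settings in step 4 are governed by Group Policy rather than `net accounts`, and the firewall rule should be pushed the same way so that a local administrator cannot quietly re-enable the stock rule group.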
