IT World Canada

This week in Ransomware – Friday, May 27th 2022

Image by Vchal via GettyImages.ca

Just when you thought you’d seen it all…

A recent report from Telus on the state of ransomware in Canada contains this quote: “Ransomware has evolved in sophistication at a dizzying pace. Ransomware malware is becoming more advanced, distribution is becoming more targeted, and tactics are continuously evolving to extort the greatest ransom from victims.”

Sourced from the study, which can be downloaded from www.telus.com/RansomwareStudy (registration required).

We didn’t have to look far to find examples of the way ransomware continues to creatively evolve at a dizzying pace. Here are a couple of the things we found this week.

Diversification increases risk? Or “where’s the beef?”

We’ve talked about how ransomware gangs are businesses, and although we cannot admire what they do, we must at least respect how they do it. Many of these groups, as we’ve pointed out previously, exhibit real business acumen. This example could have come straight out of Business Strategy 101 – vertical integration.

It started with a marketplace called Industrial Spy, which sells data that was stolen by ransomware gangs and then released when ransoms were not paid.

That alone is an innovative strategy for getting more revenue from a market. Instead of just posting the data where anyone can get it for free, why not show some entrepreneurial skill and charge others for the data you were going to release anyway to punish someone who didn’t pay the ransom? Business competitors, for example, might be willing to pay for it.

The Industrial Spy marketplace sells that data. Some of it is sold cheaply for a few dollars. Other “premium” data could fetch thousands or even millions. The group promoted their marketplace with a readme file distributed much the same as ransomware – only they didn’t encrypt your data, they simply made you aware of their marketplace.

Now, instead of just servicing other ransomware gangs, the group has decided to branch out and have its own ransomware. For these attacks, they have replaced their promotion with a ransom note that says they’ve encrypted your data. Since they already had a distribution method and a marketplace, they can now ‘eliminate the middleman’ and have their own ransomware service.

While the business strategy of these groups is unquestioned, whoever does their naming doesn’t exhibit the same skill. The new ransomware strain uses a file marker of 0xFEEDBEEF, which should NOT be confused with 0xDEADBEEF, the well-known magic debug value used in programming.
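For defenders who want to hunt for that marker, here is an added example (not code from the article or from any of the vendors it cites) of a small Python scanner that looks for the 0xFEEDBEEF value in files and keeps it separate from the 0xDEADBEEF debug value the article warns about. The article does not say where in an encrypted file the marker sits or in what byte order it is written, so the scanner assumes nothing about layout: it searches the whole file for both the big-endian and little-endian encodings and reports every offset.

```python
"""Added example: scan files for the 0xFEEDBEEF marker reported for the
Industrial Spy ransomware. This is not code from the original article.

Assumptions (not stated on the page):
  * the marker is stored in affected files as a raw 4-byte value;
  * its byte order is unknown, so both big-endian (FE ED BE EF) and
    little-endian (EF BE ED FE) forms are checked;
  * its position is unknown, so the whole file is scanned.
"""
from pathlib import Path
from typing import Dict, List

# Label -> 32-bit value. 0xDEADBEEF is included only so a hit on the common
# debug constant is reported separately and never mistaken for the ransomware.
MARKERS: Dict[str, int] = {
    "industrial_spy_0xFEEDBEEF": 0xFEEDBEEF,
    "debug_value_0xDEADBEEF": 0xDEADBEEF,
}


def marker_patterns(value: int) -> Dict[str, bytes]:
    """Both byte-order encodings of a 32-bit marker value."""
    return {"big": value.to_bytes(4, "big"), "little": value.to_bytes(4, "little")}


def find_markers(data: bytes) -> Dict[str, List[int]]:
    """Return {label: [offsets]} for every marker value found anywhere in data.

    Overlapping matches are allowed (search restarts one byte after each hit)
    so a repeated marker is never skipped.
    """
    hits: Dict[str, List[int]] = {}
    for label, value in MARKERS.items():
        offsets: List[int] = []
        for pattern in marker_patterns(value).values():
            start = 0
            while True:
                idx = data.find(pattern, start)
                if idx < 0:
                    break
                offsets.append(idx)
                start = idx + 1
        if offsets:
            hits[label] = sorted(offsets)
    return hits


def classify(data: bytes) -> str:
    """Triage verdict for one file's contents.

    A 4-byte value can occur by chance in binary data, so a hit is a lead to
    correlate with other signs (ransom notes, renamed files), not proof.
    """
    hits = find_markers(data)
    if "industrial_spy_0xFEEDBEEF" in hits:
        return "suspect-industrial-spy-marker"
    if "debug_value_0xDEADBEEF" in hits:
        return "debug-value-only"
    return "clean"


def scan_directory(root: Path) -> Dict[str, str]:
    """Classify every regular file under root; returns {path: verdict}."""
    results: Dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            results[str(path)] = classify(path.read_bytes())
        except OSError as exc:  # unreadable file: record the error, keep going
            results[str(path)] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample input, not real malware output: a marker embedded in
    # otherwise harmless bytes, shown in both byte orders.
    sample_big = b"header-bytes" + bytes.fromhex("feedbeef") + b"payload"
    sample_little = b"x" * 3 + bytes.fromhex("efbeedfe")
    sample_debug = bytes.fromhex("deadbeef") + b"debug build"
    for name, blob in [("big", sample_big), ("little", sample_little), ("debug", sample_debug)]:
        print(name, classify(blob), find_markers(blob))
```

Run `scan_directory(Path("/some/share"))` over a file share that is suspected of having been touched; anything reported as `suspect-industrial-spy-marker` deserves a look alongside the usual evidence (ransom notes, changed extensions, unusual write activity), while `debug-value-only` hits are the false-friend the article is pointing at and can normally be set aside.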

The lesson in this is that we need to constantly keep up with new developments in ransomware. What seemed relatively harmless a week ago could be weaponized today.

Sources include an article in Bleeping Computer

Ransomware as a force for good?

As one writer said, “just when you think you’ve seen it all…”

A new ransomware group has sprung into existence with a novel twist. The group encrypts your data, but they don’t want money. They want your company to perform, and document, three acts of kindness.

It’s called GoodWill ransomware and the three acts it demands are:

  1. Doing something for the homeless – donating clothes and bringing them blankets.
  2. Taking poor children out for a favourite meal.
  3. Paying for someone’s medical expenses.

Victims are sent detailed instructions, including how to prove they have performed these three acts of kindness. Selfies must be taken and posted to social media in a ‘photo frame’ that is provided. If we start seeing posts with this photo frame, we may soon find out whether victims indeed “pay”.

This Week in Ransomware recommends that you do these good deeds anyway, without being forced to. But before that, you should consider some good deeds for your company, namely:

  1. Map and understand your data. Know what is critical and sensitive. This awareness will help you understand why good cybersecurity practices are so critical, e.g., backups, and encrypting sensitive data at rest and in transit so that if it’s stolen, it can’t be used to blackmail you.
  2. Have good backups, regularly taken and tested. Store them with an “air gap” so they cannot be encrypted along with everything else.
  3. Train your employees in cyber-security hygiene to help prevent attacks, including being constantly on guard for suspicious activity and using strong passwords and multi-factor authentication.

One good deed deserves another 🙂

Sources include a blog by Graham Cluley
