Site icon IT World Canada

This week in Ransomware – Friday May 6, 2022

ransomware, blackmail

Image by Kaptnali from Thinkstock.com

Ransomware continues to grow at an incredible rate because it is a profitable business. The perpetrators are well financed, extremely creative and very resilient. A report from Telus illustrates this:

“Attackers are strategic adversaries who perform detailed reconnaissance before launching attacks. They gather information about financials and insurance coverages to gauge the ability of a victim to pay a certain amount.”

Sourced from the study, which can be downloaded from www.telus.com/RansomwareStudy. (Registration required)

This week we saw examples of how creative and resilient these cyber criminals are.

First one is free?

Fake Windows updates are being used to distribute ransomware. This is not the first time that Windows updates have been used as a vehicle for ransomware distribution. This time, it’s Magniber ransomware that was detected, disguised as a Windows 10 cumulative or security update. While it’s not certain where the downloads come from, they are not from authentic Microsoft sites, but they have been seen on so-called “fake warez” and crack sites.

The gang appears to be, at least initially, targeting students as opposed to enterprises, and its average ransom demand is US$2,500, which is a fraction of corporate ransomware demands but expensive for most students and individuals.

As an added incentive, the Magniber ransom site, called ‘My Decryptor’, will allow the victim to decrypt one file for free to prove that it works. After that, it refers the victim to ‘support’ to make payment arrangements. Those without a restorable backup will probably have few options, as Magniber is one of the ransomware gangs that does not have weaknesses that can be exploited to break its encryption.

Sourced from an article in Bleeping Computer

Conti gang does its market research 

A recent blog post by Check Point Software revealed that it was able to examine some leaked texts to look at the Conti ransomware gang’s pricing and negotiating strategy. The gang’s research and strategy are impressive and mirror what many good marketing organizations would do in pricing and promotion.

The average ransom demand recently has been about 2.8 per cent of a victim organization’s annual revenue, indicating that the group has a formula they work with. In addition, there are discounts offered as incentives for speedy payment. Further, like any corporate sales group, the gang will negotiate prices in the right circumstances. A recent ransom demanded of one victim was $2 million. The victim organization, a government transport agency, offered $500,000. An agreement was reached for just over $1.1 million.

Sourced from an episode of the podcast CyberSecurity Today featured on itworldcanada

REvil is back

In October of 2021, the REvil ransomware gang was shut down when an international operation of national police forces hijacked their Tor servers. A number of gang members were arrested by Russian law enforcement.

But REvil has resurfaced. Perhaps the Ukraine situation has had some impact, as it was the Russian police that initially arrested the gang members. But however it happened, they appear to be free and back at work.

The gang’s old servers are now redirecting to a new set of servers which appear with web pages and even source code, which researchers have found to be almost identical to that used by the gang members prior to their arrest. The gang has made some changes to their code, but these appear to be updates and improvements.

Sourced from an article in Bleeping Computer

 

Exit mobile version