In recent years, ransomware has become one of the cyber threats that has really caught people’s attention. It has disrupted many organisations and has also put people’s lives in danger. Ondrej Kubovic, Security Awareness Specialist at ESET, opened his session at the ESET World 2021 event by talking about the ransomware “gold rush” and how it has become the worst cybercriminal wave ever.
He mentioned how cybercrime is “mutating into a beast” that has an impact on everyone, no matter the region, no matter the industry.
Back in November 2019, Maze ransomware started using a new technique that does not rely on encrypting victims’ data, called doxing or double extortion. Doxing means that the attacker hacks or forces their way into an organisation’s systems, finds and extracts data of value, and threatens to leak or sell it online.
Since then, ransomware gangs have also become much more focused and much more targeted, finding their victims in almost every industry, including military, public administration, hospitals and emergency services. “And if the initial intrusion was successful, the cybercriminals make the most of it. They stole, encrypted and aggressively fought their way into the organisation’s environment and beyond,” said Ondrej.
To ensure that their demands are met, they apply intense pressure to force the victims into paying. Ondrej mentioned that there are multiple methods cybercriminals use to intensify attacks and place increased pressure on their victims, including:
Website DDoS: The ransomware gangs would hack the organisation’s website, making it difficult for them to communicate with their clients or partners.
Print bombing: Ransomware gangs also look for printers in the network. They would leverage the printers to print ransom demands.
Cold calling: Cybercriminals now have their own “call centres”, which they would use to cold call victims and force them to cooperate.
According to Ondrej, there’s also a new “sheriff” in town, and it’s called “bombarding victims’ clients”. This is where the attackers would hassle victims’ customers with emails – “warning” them about a possible leak of their sensitive data and asking them to convince the victim to pay the demanded ransom.
As the COVID-19 pandemic struck, organisations worldwide started implementing Work From Home (WFH) protocols. Although this helps flatten the curve of COVID cases, Ondrej said it doesn’t help much in the cyber world, as cybercriminals started taking advantage of those working remotely. And one of Microsoft’s services, called Remote Desktop Protocol (RDP), became the biggest target for cybercriminals in 2020.
RDP is a utility built into the Windows operating system that allows users to access their machines remotely with just their username and password. Once thousands of previously protected environments and sensitive systems were publicly reachable and could be accessed with just a username and password, cybercriminals didn’t hold back and decided to brute force their way in.
“Since the beginning of 2020, over 960,000 unique clients reported at least one brute force attack attempt against their RDP connection. All in all, ESET has blocked more than 56 billion malicious RDP password guesses worldwide since the beginning of the pandemic,” he explained.
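The guessing Ondrej describes leaves a trace in the target’s own Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address. The following Python sketch is an added example and not part of the ESET session or this article; it assumes a flattened export of such events, and the column layout and every sample value are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample records, not real telemetry. Layout: timestamp|EventID|LogonType|TargetUserName|IpAddress.
# Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2020-04-01T08:00:01|4625|10|administrator|203.0.113.7
2020-04-01T08:00:02|4625|10|admin|203.0.113.7
2020-04-01T08:00:03|4625|10|backup|203.0.113.7
2020-04-01T08:00:04|4625|10|administrator|203.0.113.7
2020-04-01T08:00:05|4625|10|sysadmin|203.0.113.7
2020-04-01T08:00:06|4625|10|root|203.0.113.7
2020-04-01T08:05:00|4625|10|jsmith|198.51.100.4
2020-04-01T08:05:30|4624|10|jsmith|198.51.100.4
2020-04-01T08:06:00|4625|3|svc_share|192.0.2.9
2020-04-01T09:10:00|4624|10|administrator|203.0.113.7
"""

RECORD = re.compile(r"^(\S+)\|(\d+)\|(\d+)\|([^|]+)\|(\S+)$")

def parse(log_text):
    """Parse the flattened records; assumes they are already in chronological order."""
    events = []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            ts, eid, ltype, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding time window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    users = defaultdict(set)     # ip -> distinct usernames tried (spraying vs. one-account guessing)
    alerts = {}
    for ts, eid, ltype, user, ip in events:
        if ltype != 10:
            continue  # only RemoteInteractive (RDP) logons matter here
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"success_after": None})
                a["failures"], a["usernames"] = len(q), len(users[ip])
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_after"] = ts  # guessing followed by a successful RDP logon
    return alerts
```

A flagged source that later produces a 4624 is the case worth escalating first, since it means one of the guesses worked; a single failure followed by success, as for the second address in the sample, is ordinary user behaviour and is not flagged.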
Apart from the devastating increase in ransomware attacks that the ESET research team has observed, they have been analysing multiple campaigns since mid-2020 and were able to track down the earliest version of the main malware of Gelsemium (a cyberespionage group), called Gelsevirine, a backdoor that is both complex and modular. We have covered it in this press release.